Cybersecurity and Cyberwarfare

The use of computers and the Internet in conducting warfare in cyberspace.

Software Glitch or Russian Hackers? Election Problems Draw Little Scrutiny

After a presidential campaign scarred by Russian meddling, local, state and federal agencies have conducted little of the type of digital forensic investigation required to assess the impact, if any, on voting in at least 21 states whose election systems were targeted by Russian hackers, according to interviews with nearly two dozen national security and state officials and election technology specialists.

The assaults on the vast back-end election apparatus — voter-registration operations, state and local election databases, e-poll books and other equipment — have received far less attention than other aspects of the Russian interference, such as the hacking of Democratic e-mails and spreading of false or damaging information about Hillary Clinton. Yet the hacking of electoral systems was more extensive than previously disclosed. Beyond VR Systems, hackers breached at least two other providers of critical election services well ahead of the 2016 voting, said current and former intelligence officials, speaking on condition of anonymity because the information is classified. The officials would not disclose the names of the companies.

Democratic Reps Question How to Best Protect Data Breach Victims in Letter to GAO

After a data breach exposes sensitive information, agencies usually offer victims credit monitoring as a catch-all solution to prevent fraud. But a group of lawmakers isn't convinced that strategy always gets the job done. “We are concerned that the popular response may reflect factors unrelated to the actual protection of breach victims,” House Energy and Finance Committee Reps Frank Pallone Jr. (D-NJ), Diana DeGette (D-CO), and Jan Schakowsky (D-IL) wrote in a letter to the Government Accountability Office. “Reliance on these products after the breach may result in consumers being lulled into a false sense of security.” They requested that GAO examine how effectively current strategies work for various types of breaches, the extent of the protection each one offers, and the factors agencies weigh in choosing a response to a breach. Lawmakers also would like GAO to see if there are better solutions not currently being offered.

Candidate Trump Criticized Obama's Cyber Doctrine. President Trump Continues It.

President Donald Trump promised big changes on cybersecurity after his election. During the Obama administration, the nation’s cybersecurity was “run by people that don’t know what they’re doing,” the president said during a post-election press conference. The Trump administration, he promised, would gather “some of the greatest computer minds anywhere in the world” and “put those minds together … to form a defense.” Seven months into the president’s administration, however, analysts are wondering what’s so different.

On most major cybersecurity issues, such as securing federal networks and critical infrastructure, Trump officials are in near lockstep with their Obama-era predecessors. Where they differ, there’s no clear Trump cybersecurity doctrine to explain the divergence. “It’s schizophrenic,” said Peter Singer, a cyber theorist and senior fellow at the New America Foundation. “That may be because of the absence of a strategy or it may be because the chaotic execution of that strategy undermines it.”

FCC “apology” shows anything can be posted to agency site using insecure API

The Federal Communications Commission's website already gets a lot of traffic—sometimes more than it can handle. But thanks to a weakness in the interface that the FCC published for citizens to file comments on proposed rule changes, there's a lot more interesting—and potentially malicious—content now flowing onto one FCC domain.

The system allows just about any file to be hosted on the FCC's site—potentially including malware. The application programming interface (API) for the FCC's Electronic Comment Filing System that enables public comment on proposed rule changes has been the source of some controversy already. It exposed the e-mail addresses of public commenters on network neutrality—intentionally, according to the FCC, to ensure the process' openness—and was the target of what the FCC claimed was a distributed denial of service (DDoS) attack. But as a security researcher has found, the API could be used to push just about any document to the FCC's website, where it would be instantly published without screening. Because of the open nature of the API, an application key can be obtained with any e-mail address. While the content exposed via the site thus far is mostly harmless, the API could be used for malicious purposes as well. Since the API apparently accepts any file type, it could theoretically be used to host malicious documents and executable files on the FCC's Web server.

Privacy Conversation at 2017 TPI Aspen Forum

Rep Darrell Issa (R-CA) wants us to get real about how much faith we should put in encryption. Rep Issa argued on an Internet of Things panel that it’s high time for a straight-talk discussion about how secure popular encryption protocols actually are. ‘The former FBI director [James] Comey came before Congress and swore under oath that he had no ability to get what he needed from the San Bernardino bomber [sic] except by forcing Apple to create an active remote backdoor into the problem,’ Issa said. ‘Now a matter of weeks later, an Israeli company for a million dollars gave him the data he wanted.’ And, Issa pointed out, a few weeks after that, a University of Cambridge professor appeared to crack it again. Said Issa, ‘We have to have a real debate about whether encryptions and protections are real and unbreakable.’

President Donald Trump on the Elevation of Cyber Command

I have directed that United States Cyber Command be elevated to the status of a Unified Combatant Command focused on cyberspace operations. This new Unified Combatant Command will strengthen our cyberspace operations and create more opportunities to improve our Nation’s defense. The elevation of United States Cyber Command demonstrates our increased resolve against cyberspace threats and will help reassure our allies and partners and deter our adversaries. United States Cyber Command’s elevation will also help streamline command and control of time-sensitive cyberspace operations by consolidating them under a single commander with authorities commensurate with the importance of such operations. Elevation will also ensure that critical cyberspace operations are adequately funded. In connection with this elevation, the Secretary of Defense is examining the possibility of separating United States Cyber Command from the National Security Agency. He will announce recommendations on this matter at a later date.

FCC Pledges Openness – Just Don’t Ask to See Complaints

Shortly after Ajit Pai was named chair of the Federal Communications Commission in February, he said he wanted the agency to be “as open and accessible as possible to the American people.” Six months on, the agency is falling short of Pai’s lofty goal in some key areas.

Critics are especially concerned about the FCC’s handling of complaints from the public about internet providers and the causes of a May 7 outage of the public-comments section of the agency’s website. "Chairman Pai promised to make the FCC more transparent, but the early returns aren't looking good," said Sen Ron Wyden (D-OR). "The FCC seems more concerned with helping Big Cable than living up to his promise." Many complaints about a lack of transparency at the FCC relate to the commission’s plan to reverse some of its net-neutrality rules, which prohibit internet providers from favoring some forms of traffic over others. The FCC’s proceeding failed to mention that the agency has received more than 47,000 informal complaints about alleged net-neutrality violations since the rules took effect in 2015.

Democratic Lawmakers call for independent investigation into FCC's cyberattack response

Democratic lawmakers are calling for an independent investigation into how the Federal Communications Commission responded to a reported cyberattack in May that crippled the agency’s comment filing system. Sen Brian Schatz (D-HI) and House Commerce Committee Ranking Member Frank Pallone Jr. (D-NJ) sent a letter to the Government Accountability Office (GAO) that cast doubt on the FCC’s version of the incident. “While the FCC and the FBI have responded to Congressional inquiries into these [distributed denial of service] attacks, they have not released any records or documentation that would allow for confirmation that an attack occurred, that it was effectively dealt with, and that the FCC has begun to institute measures to thwart future attacks and ensure the security of its systems,” the letter reads. “As a result, questions remain about the attack itself and more generally about the state of cybersecurity at the FCC — questions that warrant an independent review.”

FCC’s claim that it was hit by DDoS should be investigated, lawmakers say

Sen Brian Schatz (D-Hawaii) and Rep Frank Pallone (D-NJ) called for an independent investigation into the Federal Communications Commission's claim that it suffered DDoS attacks on May 8, when the net neutrality public comments system went offline. "While the FCC and the FBI have responded to Congressional inquiries into these DDoS attacks, they have not released any records or documentation that would allow for confirmation that an attack occurred, that it was effectively dealt with, and that the FCC has begun to institute measures to thwart future attacks and ensure the security of its systems," the lawmakers wrote in a letter to the US Government Accountability Office. "As a result, questions remain about the attack itself and more generally about the state of cybersecurity at the FCC—questions that warrant an independent review."

Sen Schatz and Rep Pallone, the ranking members of the Senate and House Commerce Committees, also said the FCC has not acted to prevent or mitigate the problem of fake comments flooding the net neutrality docket. "[T]aken together, these situations raise serious questions about how the public makes its thoughts known to the FCC and how the FCC develops the record it uses to justify decisions reached by the agency," they wrote to the GAO.

Network Neutrality Fake Out

As the number of online comments in the Federal Communications Commission's network neutrality proceeding soars to record highs, groups on both sides of the debate are calling on Congress to investigate mounting allegations of fake public input. The latest allegations come from the conservative-leaning National Legal and Policy Center (NLPC), which said a whopping 5.8 million pro-net neutrality comments submitted between July 17 and Aug. 4, all using the same single sentence, appear to be fake. The docket has been plagued for months by charges that many of the comments are duplicates, filed under fake names or submitted without the permission of the people who supposedly signed them. The growing controversy is raising questions about how the comments will be used when the FCC mulls a final order. "It's almost unimaginable how anybody thinks this could do any good," NLPC President Peter Flaherty said.