With help from Mike Farrell, Eric Geller, Martin Matishak and Cristiano Lima
Editor’s Note: Morning Cybersecurity is a free version of POLITICO Pro Cybersecurity’s morning newsletter, which is delivered to our subscribers each morning at 6 a.m.
— Voting in 14 states today presents a range of election security challenges, from risky paperless machines in Tennessee and Texas to an entirely new voting system in Los Angeles County with known vulnerabilities.
— CrowdStrike’s annual global threat report observed changing tactics and targets from the likes of ransomware attackers and Iran.
— Advocacy groups are growing worried that encryption will get mixed up in the debate over Section 230, a law that provides liability protections to internet providers who publish third-party content.
HAPPY TUESDAY and welcome to Morning Cybersecurity! We all could use a friend like this sometimes. Send your thoughts, feedback and especially tips to email@example.com. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
SUPER SECURITY ISSUES — It’s Super Tuesday, and the 14 states voting today will use a wide range of election equipment, from the hand-marked paper ballots that security experts recommend to the paperless machines that still represent a thorn in the side of U.S. election security. As Eric reports, the continued use of old and insecure machines after nearly four years of warnings about foreign election interference highlights the numerous impediments to improving the nation’s voting security posture. Here’s a quick preview of where each state falls:
— At risk: Oklahoma, Tennessee, and Texas
— Problematic: Arkansas and Utah
— Less secure: North Carolina
— Most secure: Alabama, Colorado, Maine, Massachusetts, Minnesota, Vermont and Virginia
— Wild card: California
The departments of Justice, Defense, State and Homeland Security, along with the Office of the Director of National Intelligence, FBI, NSA and CISA, issued a joint statement touting their teamwork in advance of Super Tuesday: “The level of coordination and communication between the federal government and state, local and private sector partners is stronger than it’s ever been.” But citizens need to be wary of foreign online influence and up to speed on the voting process. “Our Departments and Agencies are working together in an unprecedented level of commitment and effort to protect our elections and to counter malign foreign influence, but voters have a role to play too,” the statement reads.
California gets its own “wild card” status when it comes to election risks because Los Angeles County voters will use a new system with numerous issues, some disclosed by California’s secretary of state and others identified by outside experts, Kim Zetter reports for POLITICO. The publicly owned system known as the Voting Solutions for All People was nine years in the making and involves a company called Smartmatic — another red flag for election integrity advocates. Previously, the Treasury Department investigated it for potential ties to the Venezuelan government. It also came under scrutiny in the Philippines over alleged election tampering in 2016. Nonetheless, California certified the system for use in today’s primary with some conditions — tight physical security around the back-end programming and vote tallying systems to prevent tampering.
CRIME PAYS — More sinister and targeted cybercrime was a huge factor in 2019, CrowdStrike found in its annual trends report out today, especially via ransomware attacks that increasingly hit governments, sought higher payouts and weaponized data. The smorgasbord of info in the report includes a finding that malware-free attacks, such as the use of stolen credentials for remote logins, were more common in 2019 than malware-based attacks; they made up 51 percent of attacks in 2019 compared to 40 percent in 2018.
The cybercrime spike helped double the average breakout time — defined by CrowdStrike as “the speed from an adversary’s initial intrusion into an environment, to when they achieve lateral movement across the victim’s network toward their ultimate objective” — from 4 hours and 37 minutes to 9 hours, with cybercrime groups relying on staged and stealthier techniques that can take longer to net intellectual property.
Many of the big nation-state threats were consistent in 2019, but Iran made a big shift midyear from focusing on North Africa and the Middle East to the U.S. And while the ransomware spike in the public sector was one of his key takeaways, CrowdStrike’s Tom Etheridge told MC that “it was interesting to see a bit more of an uptick in threat actor behavior that targeted third-party service providers.”
CRITICS: GRAHAM’S SECTION 230 BILL AN ‘ATTACK’ ON ENCRYPTION — Industry watchers are sounding off on an incoming bill from Sen. Lindsey Graham (R-S.C.) that’s poised to threaten tech companies’ prized legal liability shield, calling the effort a thinly veiled attack on end-to-end encryption. The still-to-be-unveiled EARN IT Act would require digital firms to prove to DOJ they are complying with guidelines on combating child exploitation online to maintain their immunity over user-posted content afforded under Section 230 of the Communications Decency Act, according to a draft circulated earlier this year.
But critics say they fear the bill is nothing more than a way to force companies to give law enforcement agencies access to encrypted communications, reviving a heated standoff between the Justice Department and Silicon Valley. “We are thinking that a lot of these best practices … will be another attack on end-to-end encryption,” R Street Institute policy fellow Daisy Soderberg-Rivkin told reporters last week.
Tommy Ross, senior policy director at BSA | The Software Alliance, told MC that while staff working on the legislation said it wasn’t about encryption, it “smells to us a little bit like an encryption bill based on the rhetoric on the same topic coming out of the Department of Justice.” Said Ross: “One of the things that we’ll be seeking is some set of safeguards to prevent best practices coming out of a commission as they envision it from undermining common security best practices, from requiring companies to do things that are cost prohibitive or technically infeasible.”
What to watch for next: Sen. Richard Blumenthal (D-Conn.), who is working with Graham on the legislation, has teased possible changes to the bill since it was leaked in January. And it remains to be seen whether the bill will pick up additional bipartisan support — which could make it the biggest threat to Section 230 in years. Blumenthal told Morning Tech on Monday that he expects the bill to feature bipartisan support, beyond himself and Graham, but declined to comment on timing for an introduction. Spokespeople for Graham and Blumenthal did not offer comment.
A DOUBLE HIT ON ACCUSED HACKERS — Shortly after Treasury on Monday announced sanctions against two Chinese nationals for their alleged role in a 2018 cryptocurrency exchange hack linked to North Korea’s Lazarus Group, DOJ charged the men with laundering $100 million. “The hacking of virtual currency exchanges and related money laundering for the benefit of North Korean actors poses a grave threat to the security and integrity of the global financial system,” U.S. Attorney Timothy Shea of the District of Columbia said of the two men charged, Tian Yinyin and Li Jiadong.
TWEET OF THE DAY — How naive we were.
RECENTLY ON PRO CYBERSECURITY — A group of House members asked their colleagues to oppose attaching surveillance renewal to other, must-pass legislation. … Senate Majority Leader Mitch McConnell (R-Ky.) wouldn’t discuss the qualifications of President Donald Trump’s pick for director of national intelligence, Rep. John Ratcliffe (R-Texas). … Mike Bloomberg’s recent digital moves push the boundary between edgy campaign fare and disinformation. … A federal judge ordered former Secretary of State Hillary Clinton to give a sworn deposition for the first time in connection with her use of a private email account.
— Cybersecurity researcher Kevin Beaumont said Monday that he’s joining Microsoft Threat Protection as a senior threat analyst, where we hope he won’t stop giving us good “tweet of the day” material.
— Good headline, Krebs on Security: “French Firms Rocked by Kasbah Hacker?”
Stay in touch with the whole team: Mike Farrell (firstname.lastname@example.org, @mikebfarrell); Eric Geller (email@example.com, @ericgeller); Martin Matishak (firstname.lastname@example.org, @martinmatishak); and Tim Starks (email@example.com, @timstarks).