With help from Eric Geller, Martin Matishak, Alexandra S. Levine and Doug Palmer
Editor’s Note: Morning Cybersecurity is a free version of POLITICO Pro Cybersecurity’s morning newsletter, which is delivered to our subscribers each morning at 6 a.m. The POLITICO Pro platform combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.
— Some states and political organizations are turning to online voting during the pandemic, even as security experts warn about the considerable downsides.
— President Donald Trump’s controversial choice for U.S. intelligence chief is back on the Hill agenda.
— As remote work takes hold, a picture is starting to emerge of the risks posed by working from home.
HAPPY THURSDAY and welcome to Morning Cybersecurity! It sounds stranger than it looks. Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
TWO NEW STATES MOVE IN ‘WRONG DIRECTION’ — Delaware and New Jersey have decided to let voters with disabilities cast their ballots online in upcoming elections, prompting fears among cybersecurity experts of a wider migration to insecure technology fueled by the coronavirus pandemic. “I hope that other states will exercise caution rather than jumping on the bandwagon,” Dan Wallach, a computer science professor at Rice University, told Eric. “Moving toward online voting,” Wallach added, “is the wrong direction to defend our democracy.” New Jersey and Delaware will join West Virginia, which was already planning to let some primary voters cast ballots online before the pandemic hit.
Public-health concerns sparked by the pandemic have left states scrambling to reorganize their elections, with some urging people to vote by mail and reducing the number of voting precincts they will operate. But other election supervisors are considering more modern options. “When they look at technology solutions, they [see] a lot of solutions that look very enticing,” Washington Secretary of State Kim Wyman said. Some of her colleagues, she said, may think, “Wow, this is going to be so much more efficient.” But Wyman, who ran an internet voting trial in 2000 as a county election director, said states should steer clear of the technology, citing security and transparency concerns.
Cybersecurity experts are nearly unanimous in their opposition to online voting because the internet’s inherent insecurity does not accommodate the unique properties of elections: ballot secrecy and irreversibility. Their widespread condemnation of internet voting has created a stigma that has successfully limited the technology’s spread. Perhaps in light of that stigma, Delaware and its vendor, Democracy Live, claim that their system should not be considered internet voting, even though it is. Pros can learn more about why that’s the case, and why experts say internet voting is dangerous, in Eric’s story.
— AND (PART OF) A THIRD STATE MOVES CLOSER TO ONLINE VOTING: Over the weekend, the Utah GOP’s state convention registered thousands of votes via the controversial mobile app firm Voatz, which has been the subject of studies critical of its security safeguards. But the Utah Republicans were over the moon with how Voatz worked in what the company said might be the largest-ever mobile voting experiment, when earlier county conventions in the state are included.
Derek Brown, chairman of the state party, gushed that the participation rate was higher than an in-person convention two years ago, that the ranked-choice option from Voatz streamlined the process of winnowing down candidates and that users were pretty unanimous in their praise. Security experts told POLITICO they were less worried about using Voatz or other forms of online voting at party conventions than in traditional elections, but questioned the wisdom of the experiment. One said the nature of the convention could pose additional risks, too.
“The threat is probably greater because an attacker may be able to manipulate results by manipulating a smaller number of voters,” said Jeremy Epstein, vice chairman of the Association for Computing Machinery’s U.S. Technology Policy Committee. “It’s easier to have a greater influence.” Voatz said it learned some security lessons from the event, while auditors hired by the state party said they’d look for ways to boost security in the future. Pros can read the whole story from your MC host.
SECOND TIME’S THE CHARM — The Senate Intelligence Committee is looking to hold a confirmation hearing as soon as next week for Rep. John Ratcliffe (R-Texas) to be the country’s next spy chief, our colleague Andrew Desiderio reports with an assist from Martin. A hearing would mark considerable progress from the last time President Donald Trump picked Ratcliffe to be Director of National Intelligence — days after his nomination, Ratcliffe withdrew over allegations he embellished his résumé.
The Texas Republican is sure to face questions about his qualifications for the post, as well as his views on Trump’s longtime, hostile treatment of the intelligence community. Ratcliffe landed on the president’s radar after criticizing the surveillance that led to the probe into ties between the Trump campaign and Russia. He also has some digital chops. As a freshman he snagged the gavel of the Homeland Security Committee’s cybersecurity subpanel, where he worked on the 2015 information sharing law. He also conducted oversight of the nascent CISA and sought to penalize Iranian hackers.
ABSOLUTELY SCATTERSHOT — Since the Covid-19 outbreak, the average employee device running Windows 10 is three months behind on patches, and 1 in 4 is missing a critical security application, Absolute said today in the first weekly findings from its remote work and distance learning insights center. The company also reviewed data from 6 million anonymized devices and found a 46 percent increase in the amount of sensitive personal data stored on them. Additionally, Absolute said the pandemic has led to quick but uneven adoption of distance learning.
THE BIG EVENT — There’s a new mobile banking Trojan on the scene “that has real potential to become the next big mobile malware, as it is under constant iterative improvements, abuses a critical operating system feature, and targets financial applications,” Cybereason said in a report out today. EventBot’s targets across the U.S. and Europe include Paypal Business, Revolut, Barclays, UniCredit, CapitalOne UK, HSBC UK, Santander UK, TransferWise, Coinbase and paysafecard. Its innovations include the ability to bypass multi-factor authentication by reading and stealing text messages, which lets it capture one-time codes delivered over SMS.
ONLINE LEARNING, CONT’D — Check Point today disclosed vulnerabilities in three of the most widely used WordPress plug-ins that enable online learning for academic organizations and Fortune 500 companies. The company said the vulnerabilities in LearnPress, LearnDash and LifterLMS — plugins used to turn WordPress websites into learning management systems — could be exploited to steal personal information and money. All three systems patched the vulnerabilities.
MORE TELEWORK HELP FROM THE GOVERNMENT — CISA and the NSA produced a one-page list of telework “do’s and don’ts” on Wednesday, offering advice such as logging off remote connections at the end of the day and avoiding using government-furnished devices for social activity. It’s the latest in a series of telework guidance documents from the two agencies.
PIRACY = MALWARE? — From our friends at Morning Trade: A special section of the U.S. Trade Representative’s annual “notorious markets” report on counterfeit goods, released Wednesday, delves into the connection between online digital piracy sites and the malware they install on users’ computers (which could prove more problematic in the Covid era, with more and more people streaming movies and TV at home). “To avoid malware infections from piracy sites, consumers should rely on legitimate sources of copyright-protected content, such as licensed video streaming providers, and should purchase software and games from licensed vendors,” USTR said.
META: MAKING DEMANDS OF ZOOM, ON ZOOM — From our friends at Morning Tech: Encryption guru Bruce Schneier is joining digital rights advocates on Zoom today to urge the teleconferencing platform to implement end-to-end encryption on video calls. Zoom has become an overnight celebrity during quarantine but continues to play catch-up on privacy and security concerns from Congress, companies and consumers; it has been criticized for marketing itself as an end-to-end encrypted platform when, in fact, that is not the case.
As Zoom spends the next three months addressing some of these issues, privacy and civil rights activists are pushing for CEO Eric Yuan to implement default end-to-end encryption on the platform. Participants on today’s Zoom conference include the Surveillance Technology Oversight Project, Color of Change and Fight for the Future, which launched a campaign this month to pressure Zoom on end-to-end encryption.
TWEET OF THE DAY — Louder for the folks in the back.
— POLITICO: A Senate report said the chamber must take cybersecurity into account with any remote voting plans.
— The Washington Post: A poll found that most Americans are unwilling or unable to use an app to track the coronavirus.
— The Washington Post: “American touting covid conspiracies probably posted WHO, Gates Foundation passwords online, report says.”
— ZDNet: Estonia said state-sponsored hackers breached a local email provider.
— Kaspersky: “Remote spring: the rise of RDP bruteforce attacks.”
That’s all for today.
Stay in touch with the whole team: Eric Geller ([email protected], @ericgeller); Bob King ([email protected], @bkingdc); Martin Matishak ([email protected], @martinmatishak); and Tim Starks ([email protected], @timstarks).