Cybersecurity played a role in most major conflicts of 2018, from U.S. efforts to hold Russia accountable for its attempts to undermine the 2016 election to U.S.-China clashes over trade and technology to the midterm election contest held under a cloud of uncertainty about whether foreign powers were attempting to influence the vote.
There was positive news, especially the Homeland Security Department’s successful work with state and local officials to vastly improve the cybersecurity of election infrastructure in advance of the midterms.
Most of the stories raised red flags, however. China, which reduced its digital theft of U.S. companies’ intellectual property after a 2015 detente, is ramping up again. Sophisticated, possibly nation-state-linked hacking groups also stole personal information from up to 500 million customers at Marriott’s Starwood hotel chain and internal emails from the National Republican Campaign Committee.
The master narrative, according to cyber experts, is this: The United States is getting better at cyber defense, but our adversaries are hitting us as hard as ever in cyberspace and U.S. officials haven’t imposed consequences that will convince them to stop.
That narrative is clearest when it comes to Russia. With uncertainty still swirling about how much the Kremlin’s efforts undermined the 2016 presidential election, Russia could still feel emboldened to sow more chaos in 2020 or earlier, and other U.S. adversaries may follow suit.
“The kind of activity Russia was involved in was way beyond anyone’s idea of what’s permissible, but there have not been significant consequences,” Chris Painter, a former State Department cyber coordinator under President Obama, told me.
“Yes, there were some sanctions and expulsions [of Russian diplomats], but they were a little late and not really strong enough,” Painter said. Those efforts were also “continually undercut” by President Trump’s wavering on whether Russia was responsible for the hacking and influence operation, Painter said.
Here are four big stories that defined cybersecurity in 2018.
Consequences, consequences, consequences
The Trump administration made some efforts to get tough on cyber adversaries this year.
The White House rolled back an Obama-era directive, loosening checks on the military before it launches offensive cyber operations. As he unveiled a national cyber strategy, national security adviser John Bolton promised: “Our hands are not tied as they were in the Obama administration.”
U.S. officials also helped ride herd on coordinated action by the U.S., British and European governments to publicly name and shame Russia for cyber mischief, including the NotPetya cyberattack that wreaked havoc on banks around the world.
Those collective campaigns are a good first step toward an international effort to hold rogue nations responsible for bad actions in cyberspace, Jim Lewis, a former U.S. government official who organized numerous international cyber negotiations, told me. But they’re just a start, Lewis said.
“The one thing that would make a real difference is pushing back on the Russians, and that’s the one thing we’ve been unable to do,” Lewis told me. “Neither the Obama nor the Trump administration figured out how to respond to Russia.”
One step forward, one step back
Domestic cyber policy was also defined by alternating progress and retrenchment this year.
On the positive side, Congress approved legislation to elevate the Homeland Security Department’s cyber and infrastructure protection division into a more operational role and to put congressional authority behind many of its cross-government cyber protection activities.
DHS also launched a National Risk Management Center to tackle longer-range cyber projects, such as studying cyberthreats to national technology supply lines and creating a list of important U.S. shared assets, such as GPS and cellphone networks, that are vulnerable to cyberattacks.
That progress has been offset by other actions, however, such as Bolton’s decision to eliminate the position of White House cybersecurity coordinator, which used to be the administration’s public face on cybersecurity, responsible for balancing all the government’s competing cyber priorities.
“The loss of a cyber coordinator at the White House has made us all less safe,” Suzanne Spaulding, the top DHS cyber official during the Obama administration, told me. “Bolton and his deputy simply don’t have time to be cyber coordinators and to make sure people are talking across all the government stovepipes in a way that’s essential to protect critical infrastructure.”
It’s about the election, stupid
The good election security news this year: Officials assert there was no successful effort by Russia or anyone else to hack U.S. election systems. Congress also allocated $380 million to states to improve cyber protections before the 2020 elections.
The bad news: Despite bipartisan support, Congress failed to pass an election security bill that would require states to follow basic cyber best practices.
That could cause big problems if Russia ramps up its hacking efforts before the 2020 presidential contest, which is bound to be more divisive.
“The electoral system as a whole remains vulnerable,” Michael Daniel, who was White House cybersecurity coordinator during the Obama administration, told me. “Just because we didn’t see a lot of that activity in 2018 doesn’t mean we should become complacent about 2020.”
One oddity of 2018 is that, despite major data breaches at the National Republican Congressional Committee, Marriott, Facebook and Google, there’s not a single breach that defines the year in the same way as the 2013 Target breach, the 2014 Sony hack, the 2015 Office of Personnel Management breach and the 2016 Russian hacks of the Democratic National Committee and Clinton campaign.
That’s partly because, unlike those previous breaches, this year lacked a high-profile hack that fundamentally changed how the public thinks about cybersecurity. The Target breach, by comparison, was the first to bump a big corporate CEO from his job. The Sony breach amounted to a North Korean attempt to interfere with a U.S. company’s First Amendment rights and it was among the first attacks in which an assailant destroyed some data rather than simply stealing it. The DNC breach, of course, upended a U.S. presidential campaign and helped launch Robert Mueller’s probe.
Because of the constant stream of breaches, however, it’s also become harder and harder for each individual break-in to make an impression, Allison Berke, executive director of the Stanford University Cyber Initiative, told me.
Also, banks mostly cover the individual costs of breaches, such as phony credit card charges, and then spread that cost among consumers in the form of higher fees. So, individuals tend not to suffer much more than irritation from any individual breach, no matter how big it is, she said.
“Particularly after Equifax, there’s more fatigue from the average person,” Berke told me. “Their information is out there and it’s going to be breached, and we don’t have the ability to secure it … Every subsequent breach seems like something you can deal with. It’s the same story every time.”
Check back tomorrow when I’ll be looking forward to the big cyber stories of 2019.
Dear Readers: The Cybersecurity 202 is taking a break for the holidays starting on Monday, Dec. 24. We will be back in your inboxes ready to go for 2019 on Jan. 7. Thanks for reading this past year and we hope you, your family and friends have a relaxing and happy holiday season and new year.
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED, PATCHED, PWNED
PINGED: The Trump administration announced sanctions Wednesday against nine officers of Russia’s Main Intelligence Directorate, or GRU, for seeking to interfere in the 2016 election. “The Treasury Department’s Office of Foreign Assets Control said they were engaged in cyberactivities that targeted election systems and political parties,” The Washington Post’s Carol Morello reported. “It said they released stolen documents related to the election, using online personas, and promoted their spread on social media accounts operated by the GRU.” The nine officers were part of the GRU’s Unit 26165 and Unit 74455 and they are also the subjects of an indictment announced in July, according to a news release from the Treasury Department.
Treasury also announced sanctions against other Russian intelligence officers for activities including an assassination attempt against former Russian spy Sergei Skripal and his daughter, and the hacking of the World Anti-Doping Agency and the Organization for the Prohibition of Chemical Weapons. “Treasury also sanctioned the chief accountant for a Russian company that took part in the information war by producing English language news sites such as USA Really, which played up divisive political issues and attempted to stage a political rally in the United States,” my colleague reported.
PATCHED: The House passed a bill Wednesday containing several cybersecurity measures, including a measure to help spot potential national security threats to government supply chains. The legislation would establish a Federal Acquisition Security Council tasked with overseeing supply-chain cybersecurity when the government purchases IT equipment. Sen. Claire McCaskill (D-Mo.) and Sen. James Lankford (R-Okla.) first introduced the measure this summer.
Additionally, the bill would create a vulnerability disclosure policy at DHS to codify how security researchers can report weaknesses in the department’s computer systems and would require DHS to offer cash rewards for some digital bug reports. Under the legislation, DHS would be required to submit a report to relevant congressional committees after completing a pilot program. The measure has not yet been passed by the Senate.
PWNED: Sen. Maria Cantwell (D-Wash.) and Rep. Frank Pallone Jr. (D-N.J.) demanded that DHS improve the protection of oil and gas pipelines against cyberattacks, Reuters’s Timothy Gardner reported. The lawmakers’ request followed the release of a Government Accountability Office report identifying weaknesses in the way the Transportation Security Administration handles pipeline security. “The GAO issued 10 recommendations for the TSA including implementing a process for reviewing, and if necessary revising, security guidelines at regular intervals,” according to Reuters. “DHS agreed with all the recommendations in the report.”
Cantwell and Pallone requested in a letter to DHS Secretary Kirstjen Nielsen that her department come up with a plan to address the concerns laid out in the report. “Protecting our pipelines, and the people who live and work near them, must be a top priority for our government and I hope this report will prompt the Trump administration to start treating this challenge with the urgency it deserves,” Cantwell said in a statement. The GAO report found that TSA “has no process for determining when to update its guidelines for pipeline operators,” according to a summary of the study.
— Facebook is facing the first lawsuit from regulators in the United States following the Cambridge Analytica scandal. Karl A. Racine, the attorney general for the District of Columbia, sued the social network “mainly for its entanglement” with the political consultancy that gathered data on millions of Facebook users without their consent, The Washington Post’s Tony Romm, Brian Fung, Aaron C. Davis and Craig Timberg reported.
Racine said in a statement that Facebook “failed to protect” its users’ privacy and misled them about how their personal information was being used. “Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users’ permission,” Racine said. “Today’s lawsuit is about making Facebook live up to its promise to protect its users’ privacy.”
— More cybersecurity news from the public sector:
Researchers demonstrate the process of remotely bricking a server, which carries serious and irreversible consequences for businesses.
THE NEW WILD WEST
— Canadian Prime Minister Justin Trudeau said his country’s decision to either allow or ban Chinese telecommunications giant Huawei from Canada’s 5G networks will be based on national security and not political considerations, Bloomberg News’s Greg Quinn and Josh Wingrove reported. “There are millions of dollars, billions of dollars at stake in technology and in communications infrastructure, there is also the extraordinary imperative that Canadians and people around the world expect to be kept safe and free from interference and cyber attacks,” Trudeau said.
— Hackers have sought to infiltrate the e-mail accounts of hundreds of human-rights activists and journalists throughout the Middle East and North Africa, according to Amnesty International. The group identified two separate phishing campaigns that it said probably originated from the Gulf region.
In the first, hackers set up phishing pages designed to closely resemble sign-in pages for the secure email services ProtonMail and Tutanota. “If a victim were tricked into performing a login to this phishing site, their credentials would be stored and a valid login procedure would be then initiated with the original Tutanota site, giving the target no indication that anything suspicious had occurred,” Amnesty International said.
The second phishing operation involved bypassing a form of two-factor authentication that uses verification codes for Google and Yahoo email services. “In a completely automated fashion, the attackers managed to use our password to login into our account, obtain from us the two-factor authentication code sent to our phone, and eventually prompt us to change the password to our account,” Amnesty International said.
You can read a step-by-step explanation of this particular phishing technique in Amnesty International’s blog post.