With help from Eric Geller, Mary Lee, Martin Matishak and Alexandra S. Levine
Editor’s Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro’s comprehensive policy intelligence coverage, policy tools and services at www.politicopro.com.
— Researchers discovered that most voters fail to check printouts from ballot-marking devices, undermining arguments about relying on them.
— The Aspen Tech Policy Hub and Cybercrime Support Network are announcing an online crime initiative today.
— In advance of a House hearing with election equipment manufacturers, activists posed questions lawmakers should consider asking.
HAPPY WEDNESDAY and welcome to Morning Cybersecurity! Your MC host can’t get the remix out of his head. Send your thoughts, feedback and especially tips to firstname.lastname@example.org. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
TO CATCH A VOTE ERROR — Most voters don’t check printouts from ballot-marking devices and the ones who do so rarely catch errors, researchers at the University of Michigan said in a paper published today. Their findings, shared exclusively with MC before publication, undercut the argument by advocates of these electronic voting machines that their susceptibility to malfunction or hacking is unimportant because voters can verify their paper printouts before casting them. On the contrary, the study’s authors — University of Michigan computer science professor J. Alex Halderman, five of his graduate students and one high school student — wrote that “the low rate of error detection indicates that misprinting attacks on BMDs pose a serious risk.”
The researchers asked 241 volunteers to vote on BMDs and ensured that one vote on each person’s ballot was misprinted on the paper record. Among volunteers who were not specifically encouraged to look for errors, only 40 percent even looked at their printed ballots before casting them, only 6.6 percent reported an error to a poll worker and only 7.8 percent mentioned finding an error during an exit survey. (The authors found that “interventions” such as signage and poll worker prompts significantly increased these numbers.) “Unless verification performance can be improved dramatically,” the paper’s authors wrote, “BMD paper trails, particularly when used by all in-person voters, cannot be relied on to reflect voter intent if the machines are controlled by an attacker.”
The three major voting machine vendors, each of which sells BMDs, did not provide comments when MC shared the paper with them. A spokeswoman for Election Systems & Software said the company “look[ed] forward to reading the report,” while Dominion Voting Systems and Hart InterCivic did not respond to emails. A spokesman for the Cybersecurity and Infrastructure Security Agency, which has neither recommended nor discouraged the use of BMDs, promised to follow up but did not do so.
BUT ALL THE COOL KIDS HAVE IT — Check Point identified multiple alarming vulnerabilities in the wildly popular TikTok app, according to research out today. The company said hackers could access accounts and manipulate user content, including uploading unauthorized videos and deleting content, as well as making private videos public. They were also able to access personal information on users’ accounts. TikTok deployed patches last month after Check Point disclosed those vulnerabilities.
POLITICO also asked Kryptowire, a mobile security firm, to look into potential security issues with the app. The company flagged potential issues such as insecure connections and its use of certain ad libraries. In addition, the Kryptowire researchers raised concerns about the number of permissions TikTok wants from its users.
DIGITAL TEAM-UP — The Cybercrime Support Network and Aspen Tech Policy Hub today will launch a repository for consumers to report online fraud and other digital crimes directly to appropriate law enforcement agencies. The initiative is the result of research that found existing government reporting systems are incomprehensible for many people, including older adults. That conclusion led to a prototype that will serve as the effort’s starting point. Other project collaborators include CISA, the Center for Internet Security and Mississippi State’s National Strategic Planning and Analysis Research Center.
THE ELECTION VENDOR QUESTIONS BEFORE THE HEARING — A coalition of activist groups suggested some questions for voting equipment vendor chiefs set to testify before the House Administration Committee on Thursday, most of them focused on security issues. The National Election Defense Coalition, Public Citizen, Daily Kos and Free Speech For People would like to see panel members ask whether the companies’ networks or systems have been breached, and if so, whether they reported it to law enforcement or found the culprits. The groups also suggested asking about security upgrades since 2016 and what the companies do to vet employees.
And the lawmakers should seek unredacted Idaho National Laboratories security evaluations of their equipment, as well as information about overseas manufacturing, according to the groups. Some of the questions are specific to individual companies, such as how Election Systems & Software handles remote access software, wireless modems and outdated versions of Microsoft Windows, and who’s on its unadvertised board of advisers — although in some of those cases the activists are curious about whether other companies do anything similar.
SOLARIUM GRAB BAG — The co-chairmen of the Cyberspace Solarium Commission previewed some of their likely recommendations at a Council on Foreign Relations event on Tuesday. They also weighed in on other topics:
— Iran: Tehran could retaliate in cyberspace against the U.S. over the killing of military leader Qassem Soleimani, Sen. Angus King (I-Maine) predicted, most dangerously by disrupting the financial system, something Iran has shown the capability to do, he said. (Elsewhere, DHS leaders briefed House and Senate committees Tuesday about the Iranian threat, including the cyber threat, a DHS official told MC. And Yahoo News reported on Saudi warnings about Iranian cyberattacks the day of the strikes that killed Soleimani.)
— Movies: “I think it’s had a chilling effect on Hollywood,” Rep. Mike Gallagher (R-Wis.) said of the Sony hack. “I do think there is an anxiety in the private sector in general but entertainment industry in particular as a result of some of the recent attacks and the threat and what it can mean about the bottom line.”
— Attribution: “One sort of obvious thing the federal government could do to help the private sector would be to dramatically enhance our attribution capability,” Gallagher said.
FACEBOOK ON THE HILL, DEEPFAKES UNDER THE MICROSCOPE — From our friends at Morning Tech: All eyes are on a House hearing this morning where a Facebook executive and other experts will testify on the threat of online deception, including through deepfakes. The grilling comes just two days after Facebook announced it would remove certain types of deepfake videos, including manipulated media in political ads. The policy update, unveiled in a blog post penned by the executive testifying this morning, Facebook’s vice president for global policy management Monika Bickert, drew backlash from across Washington.
“Although the announcement seemed intended as reassurance ahead of congressional scrutiny,” John Hendel reports for Pros, “the company’s critics were largely unmoved, especially with the 2020 U.S. election on the horizon.” Democrats quick to attack the policy included House Judiciary Antitrust and Competition Subcommittee Chairman David Cicilline (D-R.I.); Sen. Mark Warner (D-Va.), the top Democrat on the Senate Intelligence Committee; Sen. Brian Schatz (D-Hawaii); and the campaign of Democratic presidential candidate Joe Biden.
“As our CEO Mark Zuckerberg has said, we need to develop consistent industry standards on issues such as manipulated media,” Bickert plans to say in her testimony. “We have encouraged the industry through our trade association to work together—specifically on manipulated media—in a more uniform way, pushing for common standards and a consistent approach across platforms.”
VIA THE CES 2020 NEWSLETTER — Our colleague David Pierce, at Protocol, noted that the Tuesday afternoon privacy panel featured a rare area of agreement on encryption, an issue that has pitted privacy safeguards from companies like Apple against federal law enforcement’s demands for access to data.
Apple privacy officer Jane Horvath said health and payment data are crucial things to keep private, one argument for strong encryption: “We need to make sure if you misplace your device, you’re not losing your sensitive data.” Democratic FTC Commissioner Rebecca Kelly Slaughter followed up: “While I am really sensitive to the desire for a backdoor for good, legal reasons, you can’t create a backdoor for the good guys that doesn’t also create a backdoor for the bad guys.”
TWEET OF THE DAY — We suspect this is a common sentiment right now.
RECENTLY ON PRO CYBERSECURITY — The FBI reportedly asked Apple for help unlocking phones connected to the alleged Pensacola, Fla. shooter. … The chairman of the FTC threatened tougher punishments of Facebook and Google over user privacy.
— CyberScoop examined the tension between warranties and patches.
— A veterans group said the Trump administration is ignoring Russian disinformation campaigns targeting vets and troops. The Hill
— Travelex acknowledged a ransomware attack and its stock took a hit. The Wall Street Journal
— “An information disclosure vulnerability affecting Microsoft Access can cause sensitive data from system memory to be unintentionally saved in database files, email security company Mimecast revealed.” Security Week
— Bend, Ore., said it had a Click2Gov-related security incident.
— McAfee found flaws in the McLear Smart Ring and Chamberlain’s MyQ Hub.
— Imperva got a new CEO. CISO Magazine
— Accenture is buying Symantec’s enterprise security unit from Broadcom. Computer Weekly
That’s all for today.
Stay in touch with the whole team: Mike Farrell (email@example.com, @mikebfarrell); Eric Geller (firstname.lastname@example.org, @ericgeller); Mary Lee (email@example.com, @maryjylee); Martin Matishak (firstname.lastname@example.org, @martinmatishak); and Tim Starks (email@example.com, @timstarks).