Securing Democracy Dispatch

Federal and state officials address vulnerabilities ahead of midterm elections: The Department of Homeland Security (DHS) hosted a three-day “National Election Cyber Exercise” to “identify best practices and areas for improvement in cyber incident planning, preparedness, identification, response, and recovery.” Forty-four states and the District of Columbia participated in the exercise, which included simulating a range of digital threats like spear phishing attacks on election officials, social media manipulation, and denial-of-service attacks on election websites. DHS Secretary Kirstjen Nielsen said in a statement that the simulated campaign helped to “test our ability to respond to cyber incidents that could potentially [affect] an election … and build strong communication and incident response plans across the election community.” Separately, House sponsor of the Securing America’s Elections Act of 2018 Rep. Tulsi Gabbard (D-HI) voiced concern following the August 10-12 DEF CON hacking convention, which uncovered a host of vulnerabilities in voting machines. Rep. Gabbard pointed out that, “These vulnerabilities erode voter confidence and expose our election outcomes to manipulation.” (DHS, Congress.gov, SC Magazine)

Documents reveal series of cyberattacks in California’s congressional race: On August 15, Rolling Stone reported that FBI agents have investigated a series of cyberattacks over the past year that targeted Democratic candidate Hans Keirstead, who ran against Russia-friendly Rep. Dana Rohrabacher (R-CA) in a primary on June 5. Keirstead’s campaign manager Kyle Quinn-Quesada told Rolling Stone that the campaign decided to go public about the attacks in order to increase voter awareness. Rolling Stone journalist Andy Kroll reported that “the volume and sophistication of the cyberattacks … strongly suggest the hacker(s) had done research and had a good deal of technical savvy.” Meanwhile, California election officials invited DHS to hack their voting systems to test their security, but Joe Holland, Santa Barbara County’s recorder-assessor and president of the state association of election officials said that the government’s team “couldn’t do it.” Hacking into California’s voting system and altering votes is considered difficult since state law prohibits voting machines from being hooked up to the internet. However, when it comes to voter registration lists, Matt Bishop, a UC Davis computer science professor, explained that “hackers could break into those … They could create chaos by disenfranchising voters.” Reuters reported that 36 out of 50 U.S. states have now adopted government-approved equipment that allows the federal government to see inside state computer systems that manage voter data or voting devices “in order to root out hackers.” (Rolling Stone, Twitter, The Los Angeles Times, Reuters)

Facebook under fire for its ads policies: Facebook faced criticism of its advertisement policies last week, including in the form of a lawsuit by the owner of an aromatherapy fashion wear business. Citing her own research and testimony from former Facebook employees, Danielle Singer, owner of Kansas-based Therapy Threads, alleges in the lawsuit that Facebook inflates its “potential reach” figures, which indicate how many users are targeted by an advertisement, in order to convince advertisers to purchase more ads. In addition, The New York Times reported that Facebook’s microtargeting technique, which advertisers can use to target as few as 20 specific users on the platform, is coming under scrutiny in both the United States and Europe, as it “can be exploited to polarize and manipulate voters.” According to the article, many of the concerns stem from the Russian Internet Research Agency’s (IRA) use of microtargeting to interfere in the 2016 U.S. presidential election. (East Bay Times, The New York Times)

Investigators dig into fake social media accounts and pages: In July, Facebook announced that it had uncovered a political influence campaign on its platform that may have sought to interfere in the 2018 midterm elections. Last week, Jonathan Albright, a researcher at Columbia University’s Tow Center for Digital Journalism, and Sheera Frenkel of The New York Times outlined the activities of one of these pages, named “Black Elevation.” The page accumulated almost 140,000 likes and coordinated protests in multiple cities across the United States, which “mirrored previous efforts by the IRA.” While Facebook did not directly link the pages it suspended to Russia’s IRA, the Atlantic Council’s Digital Forensic Research Lab (DFRLab) identified “Russian traces” in the subset of the suspended pages that Facebook shared with the organization in its three-part publication (Part One, Part Two, Part Three). In similar news, on August 13, CNN profiled an amateur troll hunter who has a passion for tracking down Russian troll accounts on various social media platforms. Josh Russell, a 39-year-old systems analyst and programmer at Indiana University, has identified dozens of previously overlooked Russian-linked accounts, and has shared extensive notes about his findings on his Reddit and Twitter pages in real time. (The New York Times, DFRLab, CNN)

China tests cyber capabilities amid global trade negotiations: Former Deputy Director for Counterintelligence at the CIA, Mark Kelton, wrote this week, “The Chinese intelligence storm bearing down on the U.S. has long since announced itself, building from that portentous breeze to a truly gale force.” The quote is part of a larger piece by Kelton on China’s growing espionage capabilities, published during a week marked by a number of exposés on cyberattacks attributed to actors within China. U.S. security analysts confirmed last week that computers traced to China’s Tsinghua University were responsible for probing security vulnerabilities in U.S. energy and communications companies, as well as the Alaska state government in the weeks before and after Alaska’s trade mission to China. Meanwhile, concerns that the Belt and Road Initiative is serving as a pretext for increased Chinese espionage continue to escalate, as cybersecurity firm FireEye reported a possible probing attempt against Malaysian companies and state agencies affiliated with the project. In both cases, it is believed that the attackers sought to gain information that would provide an advantage to China in upcoming trade negotiations. (The Cipher Brief, The Financial Times, Reuters)

Putin discusses Nord Stream 2 with Merkel in visit to Germany: Russian President Vladimir Putin visited Germany over the weekend where he discussed a variety of topics with German Chancellor Angela Merkel, including the Nord Stream 2 pipeline project. Reuters reported that Merkel reiterated her expectation that Ukraine maintain its role as a transit country for Russian gas traveling to Europe after the completion of the project. However, Putin reportedly insisted that transit through Ukraine would have to make sense economically, claiming, “Nord Stream 2 is exclusively an economic project.” But U.S. government officials and foreign policy experts contest this claim, including Senator John Barrasso (R-WY), who on July 18 introduced the Energy Security Cooperation with Allied Partners in Europe (ESCAPE) Act of 2018, which encourages U.S. energy exports to Europe and would mandate sanctions on persons who invest or aid in the construction of Russian energy export pipelines. In an op-ed from July 27, Barrasso accused the Kremlin of using Nord Stream 2 and other pipeline projects to increase Europe’s energy dependence on Russia, which he called “a political and economic weapon.” In June, ASD’s Brittany Beaulieu and Alexander Roberds wrote that Nord Stream 2 is “a pipeline for both Russian gas and Russian influence, allowing the Kremlin to more easily manipulate internal European politics to suit Russia’s purposes.” (Reuters, Senate.gov, The Washington Post, Alliance for Securing Democracy)

Russia improves surveillance capabilities: After discovering Russian military spy software inside hundreds of thousands of home routers in the United States in May, the Justice Department asked Americans to reboot their routers to stop the attack. However, according to Senior Advisor to the Director of the National Security Agency and former White House Cybersecurity Coordinator Rob Joyce, “The Russian malware is still there.” Defense One reporter Patrick Tucker explained that the presence of Russian malware on the routers “could enable the Kremlin to steal individuals’ data or enlist their devices in a massive attack intended to disrupt global economic activity or target institutions.” Meanwhile, Assistant Secretary for the Bureau of Arms Control, Verification and Compliance at the State Department, Yleem D.S. Poblete, warned that a Russian satellite displaying “very abnormal behavior” has raised concerns in the United States. Poblete explained that, “Russian intentions with respect to this satellite are unclear and are obviously a very troubling development,” and that the United States has “serious concerns” that Russia is developing anti-satellite weapons. Russia dismissed the comments as “unfounded, slanderous accusations based on suspicions.” Additionally, The Moscow Times revealed that Russia’s Investigative Committee has reportedly bought Chinese surveillance equipment “allowing it to hack into thousands of cell phone models, including Apple and Android devices.” The cellphone scanners are reportedly “able to access Telegram, Skype and Viber message history; acquire Facebook and Twitter data; and break into Apple and Android devices.” (The New York Times, Defense One, State.gov, BBC, The Moscow Times, The Daily Beast)

ASD’s director Laura Rosenberger joined Samantha Jo Roth on Bay News 9 to discuss cybersecurity threats ahead of the mid-terms: “An adversary doesn’t actually need to get in there and change votes in order to instill doubt and chaos in people’s minds.”

ASD’s Laura Rosenberger appeared on the Australian Broadcasting Corporation’s “Planet America” to discuss election security in the lead up to the 2018 mid-terms. In response to the recent steps taken by Congress to bolster election security, Rosenberger commented, “Until we really have a coordinated, whole of government approach, led by the White House with clear deterrent signaling from the president to those who seek to undermine us and working across all the different agencies, it’s going to remain ad hoc and not frankly at the level we need to defend our country.”

Early in the week, accounts tracked by the Hamilton 68 dashboard focused on a variety of international subjects, including the bombing of civilians in Yemen, alleged migrant violence in Sweden, and the arming of far-right paramilitary groups in Ukraine. However, as the week progressed, the accounts coalesced around two main domestic developments: the firing of FBI agent Peter Strzok, and President Trump’s revocation of the security clearance of former CIA Director John Brennan. The pro-Kremlin accounts seized on these events to praise Trump and to push conspiracy theories criticizing former U.S. officials. By the end of the week, accounts returned to discussion of the QAnon conspiracy theory, driving #qanon back to the top of the dashboard. The pro-Kremlin accounts’ recurrent focus on QAnon is indicative of the central role that conspiracy theories play in attempts to undermine domestic confidence in institutions.

“We all have an important part to play in defending our democracy against future attacks … The security of our elections should not be partisan — it should be both parties’ top priority. Our democracy depends on it.”

– Chief Security Officer of the Democratic National Committee Bob Lord in USA Today, August 14, 2018

Last week, password analyst Mark Burnett revealed that the “codes” that have played a large part in developing the popular QAnon conspiracy theory, which alleges that U.S. President Donald Trump and Special Counsel Mueller are cooperating to bring down an international criminal conspiracy, are actually just the result of random typing. Analysis of “codes” propagated by followers of the QAnon theory indicates that the messages are “just random typing by someone who might play an instrument and uses a qwerty keyboard,” according to Burnett, a security consultant and experienced password analyst. As described by Burnett, the author behind the codes is “likely simply typing keys randomly with his left hand and right hand where they rest.” QAnon content has been heavily promoted by pro-Kremlin accounts tracked by the Hamilton 68 dashboard.

The views expressed in GMF publications and commentary are the views of the author alone.