With help from Eric Geller and Martin Matishak
Editor’s Note: Morning Cybersecurity is a free version of POLITICO Pro Cybersecurity’s morning newsletter, which is delivered to our subscribers each morning at 6 a.m. The POLITICO Pro platform combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.
— South Carolina voters are fixing to put ballot-marking devices to the test on Saturday, the first statewide presidential primary using them.
— The RSA Conference wraps today. MC collected thoughts from leading industry figures on the Trump administration’s cybersecurity policies, election security and more.
— How much messier can the race to reauthorize an expiring surveillance program get? Don’t underestimate the congressional capacity for messiness, dear readers.
HAPPY FRIDAY and welcome to Morning Cybersecurity! Today your MC host and Eric bid adieu to San Francisco. We’re taking our leather jackets and our curtains and going home. Send your thoughts, feedback and especially tips to firstname.lastname@example.org. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
BRING ON THE BMDs — South Carolina’s primary on Saturday isn’t just a make-or-break moment for former Vice President Joe Biden’s campaign; it will also be a high-profile test of the electronic voting machines that are in vogue right now as replacements for paperless devices. South Carolina is the first state on the primary calendar in which all voters will use these ballot-marking devices, as Eric reports in a story out this morning for Pros.
Last year, it became one of the first all-paperless states to completely switch to paper-based machines. But these devices are controversial in the election security community, because they still rely on computers to accurately print ballots — and research shows that most voters don’t double-check these printouts before casting them. As Eric explains, between South Carolina’s voting machines and its questionable voter check-in technology, the state’s primary will offer several opportunities for potential hacking or malfunctions.
RSAC: THIS IS THE END — It’s the last day for the RSA Conference, and Penn & Teller close the show, for some reason. (On Thursday, by the way, we wrote about news involving the cyber moonshot project.)
ASSESSING THE FIELD — Former NATO Supreme Allied Commander James Stavridis, a keynote speaker at RSAC, gave President Donald Trump mixed grades on cybersecurity in a chat with MC. “The executive branch is not doing everything it should be doing in terms of securing the election,” he said. “At DoD the admin is doing a pretty good job.” The Cybersecurity Maturity Model Certification, a set of standards for Pentagon contractors, “is a terrific initiative and a big step.” But the election security thing is big; “at DHS, I don’t see enough of a press,” Stavridis said, and there are numerous stalled election security bills where “the president could pick up the phone and call Mitch McConnell and say, ‘Send me that bill.’”
Not that Stavridis thinks Trump’s potential Democratic opponents are showing him enough either. “I’m dismayed by the lack of conversation about it. If you burrow into their websites, you can find their policies,” he said. “[Pete] Buttigieg has been the most articulate. It’s a bit of a generational issue. He’s a digital native.”
WHAT IT’S LIKE BUILDING BRIDGES — Election officials and cybersecurity experts haven’t always seen eye to eye, and in recent years the relationship has been strained. Matthew Olney, director of threat intelligence and interdiction for Cisco’s Talos team, has been trying to change that dynamic. He’s been flying around the country meeting with state and local election officials and offering his advice. On the sidelines of RSAC on Thursday, Olney and his colleague Sean Frazier from Cisco’s Duo Security division chatted with Eric about this brave new world. “We’re not here to dictate or preach or scorn,” Olney said. “We’re really here to find partnerships with folks that are looking to improve, and across the board we’re seeing it.”
— Election security is an “inverted pyramid” in which the most targeted organizations have the fewest resources and least capability, Olney said. Counties do the most hands-on election work, but counties know the least about threat actors and are the most financially constrained. “The places where all the focus is [are] also the [places] least capable of dealing with it,” Olney said.
— Speaking of resources … states desperately need more predictable federal funding. One secretary of state told Olney that “they would take less money from the federal government if it was guaranteed to be consistent across time.”
— Sunk costs: Some states are locked into relationships with vendors that predate widespread security awareness. “A few of the states that we’ve talked to are in longer-term contracts with vendors” that service aging voting machines, Olney said. “The contracts were built at a time when we had a different set of concerns and we weren’t so aware” of security threats. As a result, states must renegotiate with vendors to add security expectations.
— Accuracy is as important as transparency. “I always advocate for more transparency than less,” Olney said. But he also urges officials to nail down all the facts before speaking up about intrusions or vulnerabilities. He tells them, “The worst thing that can happen is, you say something in good faith, it turns out to be incorrect … and then our adversaries will be right on top of you at that point, going, ‘How can you trust these elections? This person doesn’t even know what’s going on. They’re lying to you. Why are you even voting?’ And that’s what they want to have happen.” He praised Ohio and Maryland for how they communicate with voters about security. Clear and accurate messaging “is as much a [defense] as any firewall or patch or anything else that happens,” Olney said. “It’s a patch for our society.”
— Honesty helps soften the blow of failure. In Olney’s view, people freaked out about the Iowa Democratic caucuses because they didn’t understand what was happening and how errors would be fixed. “There was never a point where the integrity of the [caucuses] was really called into question,” he said. “It was all about the chaos around the process, and not having a timely result.” Olney encourages election officials to discuss “what the fallbacks are” in case their process encounters hiccups.
— We’ll have more from Olney and Frazier in Monday’s MC.
— ALSO AT RSAC, AS TOLD TO MC: Even with its massive, ever-expanding scope, the business email compromise threat still might be underrated, said Ryan Olson, vice president of threat intelligence for Unit 42 at Palo Alto Networks. The amount of money stolen is “crazy high,” and the attackers “aren’t doing anything magic” with off-the-shelf tools, he said. “I don’t see it reversing in the near future.” While paying attention to nation-state hackers, “the really bad bad guys,” is helpful because it prepares everyone for the most sophisticated attacks of the future, Olson said. “It’s the medium bad bad guys who really worry me because they’re attacking everyone and making lots of money.”
Josh Lemos, vice president of research and intelligence at BlackBerry Cylance, is spending a lot of time thinking about the “multidimensionality of attacks.” What he means by that is the relationship between one’s personal and work emails or devices, and relationships with vendors. “All of those things are somewhat ephemeral elements of your identity or persona, and we’re not doing a great job of seeing that as a high-dimensionality element of the threat landscape,” he said.
MURKIER AND MURKIER — Sen. Rand Paul (R-Ky.) created confusion on Thursday when he said Trump doesn’t want a clean extension of expiring intelligence powers, casting more doubt that lawmakers will get something done before a March 15 deadline. Asked about the split between his conversation with Trump and Attorney General William Barr’s remarks to senators earlier this week, Paul said there was “misinformation that got out from some people in the administration” about the authorities, contained in Section 215 of FISA.
House Speaker Nancy Pelosi (D-Calif.) was confident that they can pass legislation in time — despite Wednesday’s meltdown over the House Judiciary and Intelligence bill — that ends an NSA surveillance program that collects records of Americans’ telephone calls and text messages in search of potential terrorist links. “One thing that I’m very happy about, because this has been just a painful experience for all these years, is that we will have an end to the data collection by telephone records. … So that will be out,” she said during her weekly press conference. “There’s a will. There’s a way,” said House Minority Leader Kevin McCarthy (R-Calif.). Meanwhile, Reps. Zoe Lofgren (D-Calif.) and Warren Davidson (R-Ohio) called for a vote on their FISA legislation, H.R. 5675.
TWEET OF THE DAY — “Give me the bitcoin or your baby pictures get it.”
RECENTLY ON PRO CYBERSECURITY — House Administration Committee Democrats had some questions for election vendors on their cybersecurity and lobbying practices. … A Trump-appointed judge said she may hold in contempt a Russian firm, Concord Management and Consulting, charged with interfering in the 2016 election. … The Senate sent legislation (H.R. 4998) to the president that would authorize $1 billion for rural carriers to replace Huawei and ZTE equipment. … Huawei has floated investments in Europe to fight off potential bans. … In fact, Huawei announced a manufacturing site in France. … “Consumer privacy advocates are disappointed in the latest draft rules for California’s landmark Privacy Act.”
— The Associated Press had the latest of several polls in recent days illustrating election security anxiety.
— CyberScoop: “DNC tells campaigns to be wary of contact from fake Sanders team account.”
— The Wall Street Journal: The FCC is fining mobile carriers hundreds of millions of dollars for selling location data.
— Reuters: Steven Seagal agreed to pay over $300,000 to the SEC for promoting an investment in a crypto offering.
— ZDNet: Intel reported on its 2019 bugs.
That’s all for today.
Stay in touch with the whole team: Mike Farrell (email@example.com, @mikebfarrell); Eric Geller (firstname.lastname@example.org, @ericgeller); Martin Matishak (email@example.com, @martinmatishak); and Tim Starks (firstname.lastname@example.org, @timstarks).