With help from Eric Geller and Martin Matishak
Editor’s Note: Morning Cybersecurity is a free version of POLITICO Pro Cybersecurity’s morning newsletter, which is delivered to our subscribers each morning at 6 a.m. The POLITICO Pro platform combines the news you need with tools you can use to take action on the day’s biggest stories. Act on the news with POLITICO Pro.
— A virtual meeting to discuss Voluntary Voting System Guidelines focused a good deal on a prohibition of internet and wireless connectivity.
— Domains susceptible to tax fraud aren’t adequately protected against impersonation, and at a particularly sensitive time, a study found.
— A court sided with the ACLU in a lawsuit over whether researchers run afoul of federal hacking law when investigating online algorithms that result in discrimination.
HAPPY MONDAY and welcome to Morning Cybersecurity! If only your MC host wrote “Morning Dinosaur,” we’d be on it. Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.
VOTING SYSTEM INTERNET BAN UNDER SCRUTINY — New federal voting system guidelines prohibiting internet and wireless connectivity received significant attention on Friday when members of an Election Assistance Commission advisory group explained the broad suite of new guidelines to EAC commissioners and the public during a virtual meeting. If approved, version 2.0 of the Voluntary Voting System Guidelines will require voting machines and ballot scanners to be air-gapped from networked devices, such as e-poll books that access voter registration databases. The new VVSG would also require physical connections instead of Wi-Fi or Bluetooth for peripherals such as keyboards and audio headsets.
The internet and wireless bans “are logical and make sense and definitely could be [accomplished by] election officials,” said Orange County, Calif., elections supervisor Neal Kelley, a member of the EAC’s Technical Guidelines Development Committee. Asked by EAC Commissioner Donald Palmer whether the bans were feasible, Kelley said Orange County and other jurisdictions already use air gaps. The requirements should not “be onerous in any way,” he said.
The NIST staffers who wrote the VVSG provisions “had many discussions surrounding this issue,” said Mary Brady, the head of NIST’s voting system program. Staffers talked to vendors about “what they thought might be workable,” she told Palmer. They also reassured election officials that simple workarounds existed for their most common networking use cases.
Gema Howell, the NIST point person for the VVSG cybersecurity working group, stressed that poll workers could still transmit results over a network — just not directly from voting systems. “This isn’t asking anyone to drive to a separate location,” she said. “The key here is that these systems sit on two separate networks and that the information is manually transferred.”
As the name suggests, VVSG is optional for states to adopt, but many use it as the basis for their regulations. Friday’s session helped kick off a public comment period for VVSG 2.0, which was recently approved by the TGDC and awaits further approval after public review. “I look forward to getting this done so that we can move on to more innovative equipment in our voting systems,” said Commissioner Christy McCormick.
DMARC AND TAX FRAUD — More than three-quarters of the 200 public domains Valimail deemed likely to be impersonated for tax fraud lacked a widely known safeguard, the company said in a report out today. They either had no Domain-based Message Authentication, Reporting and Conformance (DMARC) records at all or published records without an enforcing DMARC policy. In a time of economic uncertainty, the unemployed might be looking for a quick tax return, making them more vulnerable to scammers, Valimail warned.
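The two failing conditions in the Valimail finding, a domain with no DMARC record and a domain whose record does not enforce a policy, can be told apart from the `_dmarc` TXT record alone. The following is an added example, not Valimail's tooling or code from this newsletter; the domain names and records are constructed, and a real audit would fetch each record from DNS (the TXT record at `_dmarc.<domain>`) instead of the inline samples.

```python
"""Classify a domain's DMARC posture from its _dmarc TXT record (constructed samples)."""
from typing import Optional

def parse_dmarc(txt: str) -> Optional[dict]:
    """Parse a DMARC TXT record into a tag dict; None if it is not a valid DMARC record."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    # RFC 7489: the record must begin with v=DMARC1 and carry a policy (p=) tag
    if not txt.strip().lower().startswith("v=dmarc1") or "p" not in tags:
        return None
    return tags

def dmarc_status(txt: Optional[str]) -> str:
    """Map a record (None when no TXT record exists) to an enforcement status."""
    if txt is None:
        return "missing"      # no _dmarc TXT record published at all
    tags = parse_dmarc(txt)
    if tags is None:
        return "invalid"      # a record exists but is malformed, so receivers ignore it
    policy = tags["p"].lower()
    if policy == "none":
        return "monitoring"   # reports only: spoofed mail is still delivered
    if policy not in ("quarantine", "reject"):
        return "invalid"
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if pct < 100:
        return "partial"      # policy applied to only pct% of failing messages
    return "enforced"

# Constructed sample records, one per situation a tax-season audit would distinguish
SAMPLES = {
    "no-record.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@partial.example",
    "strict.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strict.example",
    "broken.example": "p=reject; v=DMARC1",   # version tag not first: invalid
}

def audit(records: dict) -> dict:
    """Return {domain: status} for a batch of (domain, TXT record) pairs."""
    return {domain: dmarc_status(txt) for domain, txt in records.items()}

if __name__ == "__main__":
    for domain, status in audit(SAMPLES).items():
        print(f"{domain:20} {status}")
```

Only "enforced" (and arguably "partial") counts as protection in the sense the report uses; "monitoring" domains have a record yet still let spoofed mail through.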
HHS GETS MORE VULNERABLE — The cybersecurity preparedness level of the Department of Health and Human Services dipped in the past two weeks as HHS dealt with a cyber incident, among other factors, SecurityScorecard told MC. The other factors that led to HHS’s score drop from 88 to 72, according to CEO Aleksandr Yampolskiy, were “observation of a number of endpoints within their internal environment, using older versions of Internet browsers, indicating slowness in patching”; “multiple databases exposed to the world, which are publicly noticeable”; and “observation of use of end-of-life software, deprecated by the manufacturer.”
DOJ TAKES AN ‘L’ — A U.S. District Court ruled Friday that computer scientists, academic researchers and journalists probing online algorithms that lead to discrimination are not violating the main federal hacking law. The ACLU filed a lawsuit in 2016, Sandvig v. Barr, centered on the “exceeds authorized access” provision of the 1986 Computer Fraud and Abuse Act and violation of websites’ terms of service, something researchers might do by creating multiple accounts to conduct their audits — and that the ACLU said should be protected by the First Amendment.
“This decision helps ensure companies can be held accountable for civil rights violations in the digital era,” said Esha Bhandari, staff attorney with the ACLU’s Speech, Privacy, and Technology Project. “Researchers who test online platforms for discriminatory and rights-violating data practices perform a public service. They should not fear federal prosecution for conducting the 21st-century equivalent of anti-discrimination audit testing.”
ANOTHER VERSION 2.0 — CISA updated its list of essential critical infrastructure workers over the weekend, adding more cybersecurity personnel. In the energy sector, CISA added workers “who are needed to monitor, operate, engineer, and maintain the reliability, safety, environmental health, and physical and cyber security of the energy system.” Under information technology, a group that once mentioned workers “responding to cyber incidents involving critical infrastructure” expanded to include those needed “to preempt,” and “all cyber defense workers (who can’t perform their duties remotely).”
The update expands the categories of workers that CISA advises should maintain a normal work schedule during the pandemic, although CISA’s list is advisory to state, local, tribal and territorial governments. Furthermore, it expands election personnel “to include both public and private sector elections support.” An IT organization last week urged states to adopt the CISA guidance. Outside cybersecurity, the headline-making jobs added involved firearms.
BEFORE YOU RUN CMMC — A coalition of industry trade groups on Friday voiced concerns about the Pentagon’s new digital standards process for contractors — the Cybersecurity Maturity Model Certification. “We are concerned that current plans for implementing CMMC lack sufficient clarity and predictability in key areas, and as a result may unnecessarily generate confusion, delay and associated costs,” the groups said in a letter to Ellen Lord, defense undersecretary for acquisition and sustainment, and acquisition office CISO Katie Arrington.
In particular, the coalition raised concerns about DoD’s “very ambitious” goal of having all contracts adhere to the program by 2025 and about interoperability with other federal agencies. They also sought more information on how the department plans to keep contractors informed about the level of security they must attain under the proposed tier system.
TWEET OF THE WEEKEND — Oh noes.
RECENTLY ON PRO CYBERSECURITY — The FCC was “pandering” to Congress when it took steps to penalize U.S. carriers that used Huawei equipment, Huawei contended in court. … The FCC fired back that Huawei’s legal arguments were “baseless” and marked by “shallowness.” … “EU’s Vestager urges ‘balance’ in data use during coronavirus crisis.”
— The Guardian: The Saudis appear to have exploited SS7 vulnerabilities to track their citizens as they traveled around the U.S., according to a whistleblower’s data.
— The Wall Street Journal: The U.S. government is using cellphone location data to understand citizens’ movement during the pandemic.
— CyberScoop: Malware by snail mail!
— Zoom removed code that sent data to Facebook following a report from Motherboard.
— ZDNet: “The source code of one of today’s most profitable and advanced ransomware strains is up for sale on two Russian-language hacking forums.”
— ZDNet: A dark web hosting provider was hacked for the second time in 16 months.
That’s all for today.
Stay in touch with the whole team: Eric Geller ([email protected], @ericgeller); Bob King ([email protected], @bkingdc); Martin Matishak ([email protected], @martinmatishak); and Tim Starks ([email protected], @timstarks).