Comment: The extreme exposure of our election infrastructure to hacking requires immediate passage of the Freedom to Vote Act, which would patch some of the vulnerabilities. Allegra Dengler
Email your Senator to support election security.
https://publiccitizen.salsalabs.org/sovforthepeople/index.html
https://www.washingtonpost.com/politics/2021/12/15/ransomware-election-security-fights-rocked-2021/
The Cybersecurity 202
Analysis
Ransomware and election security fights rocked 2021
By Joseph Marks
with research by Aaron Schaffer
Below: CISA wants federal agencies to be patched against a major new bug before Christmas, and a Trump ally and conspiracy theorist addressed a panel examining possibilities for Louisiana’s next voting machines.
Little has been done after a doozy of a hacking year
A sign on a gas pump at an Exxon reads “no gas” as demand for gasoline surges following the cyberattack that crippled Colonial Pipeline. (Dustin Chambers for The Washington Post)
Cyber threats hit main street with force in 2021, prompting panic buying at gas stations and sparking fear among average Americans that schools, government offices and other critical services could be brought to a standstill.
Economy-rattling ransomware attacks against Colonial Pipeline, the meat processor JBS and the IT firm Kaseya grabbed the public’s attention and motivated policymakers in a way that years of worsening consumer data breaches and government-backed espionage hacks had failed to do.
“Ransomware elevated the cyber issue in a way I haven’t seen in the 30 years I’ve been doing this,” Chris Painter, the Obama administration’s top cyber diplomat, told me.
And yet
Despite the surge in public interest, comparatively little has been done to combat the ransomware threat.
A bipartisan measure that would merely have required companies to report paying ransoms to hackers failed to become law after a last-minute fight about its scope. Broader congressional mandates for companies to protect themselves against ransomware appear dead on arrival because of Republican opposition to expanding regulations.
Executive branch officials have expanded some cyber requirements in the pipeline, air, rail and banking sectors — but far short of anything that will turn the tide of ransomware attacks. They say they need congressional approval to go further.
The big question for 2022: Can government get its act together to counter ransomware attacks or will things get even worse?
“The question is, do we go back to the old habit of paying attention for a short time and then moving onto something else. I don’t think we can afford that,” Painter said.
Ransomware and the tepid government response to it was just one of the cyber stories that rocked 2021 and is sure to shape 2022 as well.
Here are three others:
1. The fight over 2020 election security will last through 2022 and beyond.
Against all reason, baseless claims by former president Donald Trump and his allies that the 2020 election was stolen didn’t dissipate after President Biden took office. Instead, they gained steam, prompting a partisan and mangled audit in Maricopa County, Ariz., and efforts at similar audits across numerous battleground states.
Those fights are sure to grow more intense in 2022 with candidates who support Trump’s false claims competing for key offices at the state and federal level, including for top election official posts in Arizona, Wisconsin, Georgia and Nevada.
If they win those races, the candidates could spread misleading and false information, and enact changes that experts uniformly say are damaging to election integrity.
If they lose, they could make erroneous claims of election hacking or fraud.
“Things are being set up to call election outcomes into question when they don’t go the way a particular party wants,” Betsy Cooper, director of the Aspen Institute’s Tech Policy Hub, told me.
There’s also the possibility of genuine election interference by foreign powers in 2022.
• Russia is less likely to repeat its 2016 efforts, which intelligence agencies said were aimed at aiding Trump’s candidacy, when the presidency isn’t up for grabs.
• There’s a far better chance of disinformation operations from Russia or Iran aimed at sowing discord among voters and damaging faith in the election outcome as happened in 2020.
“In 2018 and 2020, we were laser-focused on the cyber side,” Matt Masterson, who was a top election security official at the Cybersecurity and Infrastructure Security Agency during that time, told me. “Now it’s a game of dodgeball where there are three balls up in the air and you have to worry about getting hit in the face with the third.”
2. Cyber threats from Russia and China are only getting worse.
Those nations have long proved the United States’ most nettlesome cyber foes and 2021 was no exception.
The year opened with a one-two punch. First the fallout from the SolarWinds attack, which U.S. officials attributed to Russia and which compromised reams of information from U.S. government agencies. Then the Microsoft Exchange hack, which compromised more than 100,000 servers worldwide and which U.S. and NATO allies have attributed to China.
So far, a slew of indictments and sanctions have done nothing to alleviate the threat.
Will anything change in 2022? It’s unlikely — especially given rising tensions with both nations — with Russia’s troop buildup on the Ukrainian border and China’s increasing competition with the United States in technology and other sectors.
“My sense is we are in for a tense time,” Suzanne Spaulding, former cyber lead at the Department of Homeland Security, told me.
3. Spyware tests standards in cyberspace.
If there was some good cyber news in 2021, it came last month when Israel tightened its rules to make it tougher for spyware firms to export surveillance technology to autocratic regimes.
The move stops far short of fixing all the problems caused by commercial surveillance tools. And it was a long time coming.
It came roughly four months after The Post and media partners found the Israeli firm NSO Group had routinely sold its Pegasus spyware to government clients that used it to target journalists and human rights activists. It was a month after the Biden administration barred U.S. tech exports to NSO.
Yet it was a victory for the notion that there should be some rules of the road in cyberspace — and that the United States and its allies can draw some cyber red lines that fellow democracies don’t want to be on the wrong side of.
It reflects a Biden administration priority of demonstrating as much international consensus as possible in cyber actions, including hosting 30 nations to discuss ransomware threats in October and joining with allies to denounce China’s Microsoft Exchange hack.
It could be a good harbinger for 2022 and beyond.
“There’s a real opportunity to come up with a whole set of [international] negotiated agreements on spyware, ransomware and a host of other things,” Jim Lewis, a former government cyber official in the State and Commerce Departments, told me. “But that’s going to be with countries that are not Russia and China.”
The keys
Federal agencies have until Christmas Eve to patch the Log4j bug, CISA says
……………………………………………………………………………………………………..
What is the Log4j bug?
https://www.wsj.com/articles/what-is-the-log4j-vulnerability-11639446180
A flaw in widely used internet software known as Log4j has left companies and government officials scrambling to respond to a glaring cybersecurity threat to global computer networks…The bug disclosed last week could enable potentially devastating cyberattacks that span economic sectors and international borders, according to security experts.
……………………………………………………………………………………………………..
That gives agencies just 10 days to find and fix systems that are vulnerable to the bug, which cyber experts say is among the most dangerous in years. CISA isn’t aware of any federal agencies that have been hacked because of the vulnerability, Executive Assistant Director Eric Goldstein said on a call with reporters.
But the damage is coming: “Chinese and Iranian state actors” have already begun exploiting it, according to the cybersecurity firm Mandiant.
On a Monday call, CISA Director Jen Easterly called the bug “one of the most serious I’ve seen in my entire career, if not the most serious.”
Software developers have been frantically updating their systems to patch against the bug. Chinese security researcher Chen Zhaojun, who works for Alibaba’s cloud security team, first reported the bug in late November, Bloomberg’s William Turton, Jack Gillum and Jordan Robertson report.
A Trump ally who claimed the election was rigged addressed a commission charged with revamping Louisiana’s voting system
Phil Waldron said he spoke with Trump’s chief of staff “maybe eight to 10 times.” (Oliver Contreras for The Washington Post)
Phil Waldron, a retired U.S. Army colonel, circulated a proposal to challenge the 2020 election by seizing votes and said he visited the White House after the election. Louisiana Secretary of State Kyle Ardoin (R), who chairs the state’s 13-member Voting System Commission, welcomed Waldron without mentioning his role bolstering arguments that Joe Biden’s victory should not be certified, Emma Brown writes.
Waldron’s 90-minute talk came as the commission works on recommendations for replacing the state’s outdated voting machines that lack paper records. He urged the commission to switch to an entirely paper-based system including counting votes by hand — something experts say could take weeks and is less accurate than machine counting hand-marked paper ballots.
Israeli spyware firm Candiru hired lobbyists to get it off U.S. blacklist
The Biden administration blocked Candiru from receiving U.S. technologies last month along with NSO Group, stating the companies supplied spyware that foreign governments used to “maliciously target” academics, activists, journalists and government officials.
Law firm Arent Fox will work to remove Candiru from the Commerce Department’s Entity List, according to a lobbying filing. Phil English, a Republican who represented Pennsylvania, is registered to work on the contract along with four others from Arent Fox. The law firm did not respond to a request for comment.
The Biden administration wants to crack down on firms like Candiru. At its democracy summit last week, the United States, Australia, Denmark and Norway announced an initiative to develop a code of conduct to guide how nations apply human rights concerns to exports. It also announced new rules severely limiting the sale of hacking tools to China, Russia and other countries of concern.