Politico: Experts react to Trump’s Russia hacking remarks
THINK AGAIN, MR. PRESIDENT — President Donald Trump sounded a fresh note of skepticism about Russia’s role in the 2016 election in a recent interview that is drawing jeers from the cybersecurity community. In Reuters interview excerpts published late Wednesday, Trump expanded on his discussion of election meddling with Russian President Vladimir Putin at the G-20. “Somebody did say if he did do it, you wouldn’t have found out about it,” Trump said, without identifying the source of that claim. The president called this “a very interesting point.” The implication: Russian hackers are too talented to have been caught hacking the Democratic National Committee and other mostly liberal targets.
Cybersecurity experts laughed off the argument. “The security and intelligence communities over the years have proven this to be a highly biased and flawed view,” said one experienced security researcher, who like others requested anonymity to candidly criticize Trump. “Defense, and detection, are not only doable but progressing to the point where detection of even the most elite teams is done routinely.” Added a second researcher from a major security firm: “The [intelligence community] can tell you where the hackers sleep. When they say it is Russia, you can take it to the bank.”
Russia often employs advanced techniques, experts said, but even their digital armies are composed of humans who make mistakes. “The fact is, Russian state-sponsored actors have been caught in the past,” John Bambenek, manager of threat systems at Fidelis Cybersecurity, told MC. “Intelligence work is about building confidence in a wide variety of contextual information,” he added, “and the sum total of all of what we know has led to a unanimous consensus of Russian involvement [in the 2016 election] both in the intelligence community and with every private-sector company who was involved in this investigation.”
“The idea that nation-states cannot be detected because they are too elite is a poisonous idea that erodes the morale and efforts of defenders,” said the first cyber researcher. “The adversary is human too and they do not need [to be] inappropriately built up. We catch them all the time and the community is making it harder to be the bad guys.” In the same Reuters interview, the president said that it was unlikely that Putin would have supported his candidacy because Trump is “very strong on cyber.”
A HOUSE DIVIDED AGAINST ITSELF — A new partisan feud has erupted between the Democratic and Republican House campaign arms over election cybersecurity efforts and the use of hacked documents in elections. On Monday, Rep. Ben Ray Luján, the chairman of the Democratic Congressional Campaign Committee, sent his Republican counterpart, Rep. Steve Stivers, a letter asking to “establish a joint plan to protect our committees and keep foreign adversaries and criminal actors out of our elections.” The letter also sought Stivers’ assurance that the National Republican Congressional Committee would not use “stolen or altered documents or strategic information” in the 2018 midterms, as the Republicans did in 2016.
On Thursday, the NRCC blasted the DCCC for sending the letter and refused to address its substantive points. “This letter was delivered by an intern and pushed to the press to generate attention around a cheap political stunt,” NRCC spokesman Jesse Hunt told MC. He also said the Republicans would not “be lectured by a political committee with over a dozen current FEC complaints over their illegal campaign ads from 2016.” Hunt did not respond to a follow-up email about whether the NRCC would rule out using hacked material in 2018.
The DCCC quickly hit back. “This is a disturbingly flippant response to a simple request that we set partisan politics aside and work together to better protect our elections from foreign adversaries and their cyberattacks,” DCCC Communications Director Meredith Kelly said in an email. Kelly told MC that Hunt’s mention of FEC complaints referred to filings by the Foundation for Accountability and Civic Trust. FACT is a conservative nonprofit funded by another group called DonorsTrust that does not reveal its own donors. “This is a partisan complaint-factory,” Kelly said of FACT, “and while their complaints about Democrats to the FEC are very ordinary, the use of materials stolen during a Russian hack [is] not. Crazy for them to compare the two.”
BE ALL THE CYBER THAT YOU CAN BE — Army Cyber Command chief Lt. Gen. Paul Nakasone says the service is moving forward with plans to approve direct officer commissions and make other hires that would allow potential digital warriors to sign up for a tour of duty without the typical prerequisites, like attending a service academy or officer training school. “The Army’s going to move out with this in the coming months,” he said at Defense One’s Tech Summit, citing authorities Congress has granted in recent defense policy bills. “We’re going to need coders, we’re going to need malware and forensics analysts, we are going to need top talent.”
The three-star added that the Army is still “working the actual rules about how we’re going to come in, but I would see that as long as you meet certain standards that are specified by the service, that you have a certain degree of capabilities … coming in as a mid-grade officer or coming in as a civilian is kind of what the future holds for us.” The cyber branch — which is tasked with, among other missions, protecting the Army’s networks — could probably use an extra hand as there are “tens, hundreds of thousands” of hacking attempts on the service’s systems each day, according to Nakasone.
CYBER IN THE DEFENSE BILL — The House made considerable headway on the second tranche of amendments to the fiscal 2018 National Defense Authorization Act. However, with controversial issues like the budget, base closures and transgender service dominating most of the debate time, many remaining cybersecurity provisions were held over until today. Lawmakers did adopt by voice vote a measure from Rep. Dan Kildee allowing the Pentagon to provide extra training for service members so that they don’t fall victim to Russian propaganda or cyber efforts. But others — like an amendment from Rep. Robert Pittenger that would block DoD from entering contracts with telecom firms found to be complicit in North Korean cyberattacks, and another bipartisan measure from Rep. Brendan Boyle expressing a sense of Congress that it’s in DoD’s interests to help Ukraine boost its digital capabilities — were put on the back burner.
Left on the cutting room floor by the House Rules Committee were a number of Democratic-sponsored provisions focused on cybersecurity and Russia, including separate proposals from Boyle and Rep. David Cicilline to prohibit funds for Trump’s briefly floated idea of a joint “cyber unit” with Moscow. The panel also tossed out an amendment from Rep. Don Beyer barring the U.S. from participating in “any” digital agreement with Russia entered into after 2016. The GOP-led committee also scrapped an addendum from Rep. Ted Lieu that would have expressed a sense of Congress that Trump not taking a harder line against alleged Russian hacking after meeting Putin “undermines” U.S. credibility and challenges the country’s “standing with key allies.” Amendments from Rep. Ruben Gallego endorsing the U.S. intelligence community’s assessment that the Kremlin was behind the 2016 digital assault and to set limits on cybersecurity information sharing with Russia were also omitted.
COMING TO A HASC NEAR YOU — The newest member of the House Armed Services Committee pledges to make cybersecurity one of his areas of focus. “The central coast of California is home to numerous military installations that teach foreign languages to our armed forces, research and develop our cybersecurity and technology used on and off the battlefield, and educate and foster leadership skills of the men and women in uniform,” said Rep. Jimmy Panetta, a California Democrat whose appointment to the panel was announced Thursday. “I look forward to working with my congressional colleagues on HASC to maintain the military installations on the Central Coast, promote their educational training and technological innovation, and protect their nearly 15,000 good paying jobs that impact the economy of our communities and the safety of our country.” Panetta is the son of former CIA and Pentagon chief Leon Panetta, who warned extensively about the dire nature of the cyber threat.
DON’T FORGET THE OTHER BIG CYBER-RELATED AUTH — The House Intelligence Committee on Thursday approved a fiscal 2018 intelligence authorization bill by voice vote that requires multiple reports from the director of national intelligence on election meddling. The first directs the DNI to produce a report on Russian plots past and present. The second, attached to the bill as an amendment offered by Rep. Terri Sewell, would require a publicly available report from the DNI on foreign cybersecurity threats to U.S. elections. Another section of the bill seeks an intelligence community report on the viability of a voluntary cyber exchange program between spy agencies and private companies. And yet another tells the intelligence community’s inspector general to produce a report on spy agencies’ roles in the process of disclosing vulnerabilities that the government discovers to the tech world.
CJS MOVES, TOO — In a fiscal 2018 spending bill that the House Appropriations Committee approved by a 31-21 vote Thursday, the FBI would get a nearly 6 percent spending increase from fiscal 2017 to $8.8 billion and a smidge more than Trump budget documents say he wants. The technical standards agency NIST, meanwhile, would take an approximately 10 percent cut from fiscal 2017, but get a total of $865 million, $140 million more than Trump sought. The Commerce, Justice, Science spending measure would also make agencies conduct a supply chain review before buying sensitive information technology systems. “This legislation makes sure that America’s law enforcement agencies have enough money to effectively fight 21st century threats like cybercrime, terrorism and human trafficking,” said Rep. John Culberson, head of the subcommittee that wrote the bill.
MINTY FRESH — A Homeland Security Department unit that focuses on protecting industrial control systems conducted more assessments in fiscal 2016 than ever before, according to a report out Thursday. The Industrial Control Systems Cyber Emergency Response Team conducted 130 assessments, compared to 112 the year before. A whopping 43 percent of its assessments were on water and wastewater systems. Next was the energy sector, which accounted for 17 percent of assessments. The most common vulnerability found was boundary protection, such as the risk of undetected and unauthorized activity in critical systems.
OPTIONS FOR SECURING FUTURE ELECTIONS — A pair of cybersecurity experts on Thursday recommended a menu of options to bolster election defenses, starting with the federal government offering funding to states that adopt protective standards that could be generated by the technical standards agency NIST. Writing for POLITICO Magazine, Richard Clarke and Robert Knake also recommended upgrading election machines and ensuring there’s a paper trail for conducting audits. “Russia could well interfere in the 2020 presidential vote, or the 2018 midterm elections just 16 months away,” the pair wrote. “They will be back. And when they are, we better be ready with a plan that’s suited to our current moment.”
“Doubtless there will be others who oppose election-security reforms out of legitimate concerns about federal interference in state responsibilities,” they continue. “But for those who would stand in the way of securing the sanctity of our democratic process, we have a simple question: What would you do to preserve, protect, and defend our democracy and its election system from the new vulnerabilities it has to foreign interference in the cyber age?” The answer: “Deciding to do nothing more than we are now is a decision: It is a decision to allow foreign manipulation of our country by governments that wish us harm.”