<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>hackers &#8211; Zócalo Public Square</title>
	<atom:link href="https://legacy.zocalopublicsquare.org/tag/hackers/feed/" rel="self" type="application/rss+xml" />
	<link>https://legacy.zocalopublicsquare.org</link>
	<description>Ideas Journalism With a Head and a Heart</description>
	<lastBuildDate>Mon, 21 Oct 2024 07:01:54 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>
		<item>
		<title>Just Because the RNC Says It Wasn’t Hacked Doesn’t Change Reality</title>
		<link>https://legacy.zocalopublicsquare.org/2016/12/23/just-rnc-says-wasnt-hacked-doesnt-change-reality/ideas/nexus/</link>
		<comments>https://legacy.zocalopublicsquare.org/2016/12/23/just-rnc-says-wasnt-hacked-doesnt-change-reality/ideas/nexus/#respond</comments>
		<pubDate>Fri, 23 Dec 2016 08:01:23 +0000</pubDate>
		<dc:creator>By Josephine Wolff</dc:creator>
				<category><![CDATA[Essay]]></category>
		<category><![CDATA[Nexus]]></category>
		<category><![CDATA[Arizona State University]]></category>
		<category><![CDATA[ASU]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[digital technology]]></category>
		<category><![CDATA[Future Tense]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[Republican National Committee]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">https://legacy.zocalopublicsquare.org/?p=82343</guid>
		<description><![CDATA[<p>Cybersecurity professionals are fond of saying that there are two kinds of companies: those that have been hacked and those that don’t yet know they’ve been hacked. Right now, the Republican National Committee appears to fall into a new category: an organization that refuses to acknowledge that it’s even vulnerable.</p>
<p>The CIA, in reporting on Russia’s intervention in the presidential election, determined that the RNC had been breached by Russian hackers during the election, but none of the information stolen from the party had been released, the <i>New York Times</i> reported. Following this report, RNC Chairman Reince Priebus, soon to become White House chief of staff, insisted in two television interviews that “the RNC was not hacked.” He apparently based this analysis on the fact that the FBI had previously reviewed its systems as well as the evidence provided by the “hacking detection systems” that the RNC has in place.</p>
<p>The post <a rel="nofollow" href="https://legacy.zocalopublicsquare.org/2016/12/23/just-rnc-says-wasnt-hacked-doesnt-change-reality/ideas/nexus/">Just Because the RNC Says It Wasn’t Hacked Doesn’t Change Reality</a> appeared first on <a rel="nofollow" href="https://legacy.zocalopublicsquare.org">Zócalo Public Square</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Cybersecurity professionals are fond of saying that there are two kinds of companies: those that have been hacked and those that don’t yet know they’ve been hacked. Right now, the Republican National Committee appears to fall into a new category: an organization that refuses to acknowledge that it’s even vulnerable.</p>
<p>The CIA, in reporting on Russia’s intervention in the presidential election, <a href=http://www.nytimes.com/2016/12/09/us/obama-russia-election-hack.html >determined that the RNC had been breached by Russian hackers</a> during the election, but none of the information stolen from the party had been released, the <i>New York Times</i> reported. Following this report, RNC Chairman Reince Priebus, soon to become White House chief of staff, <a href=http://www.politico.com/story/2016/12/priebus-denies-report-rnc-was-hacked-232483 >insisted in two television interviews</a> that “the RNC was not hacked.” He apparently based this analysis on the fact that the FBI had previously reviewed its systems as well as the evidence provided by the “hacking detection systems” that the RNC has in place.</p>
<p>Anyone who confidently, categorically denies that his organization’s computer systems have been breached is either flat-out lying or dangerously delusional. The best-case scenario is the former. If the RNC is, in fact, aware that there are vulnerabilities in its systems (as there undoubtedly are) and is paying attention to whatever evidence the CIA has provided of breaches, then Priebus’ statements could amount to a (perhaps misguided) PR strategy, intended to reassure the public and deter other would-be attackers. (As a general rule, though, boldly claiming that you have never been hacked and trumpeting your infallible “hacking detection systems” is perhaps not the best way to deter potential intruders.)</p>
<p>But if Priebus is telling the truth—if he really has such blind faith in the technical tools that the RNC uses to detect intrusions, and refuses to believe, despite any evidence to the contrary, that those tools could possibly be evaded or that any deeper investigation could reveal things that previous ones had missed—then that’s much worse news. To proudly announce to the world not only that your security monitoring tactics have failed to prevent intrusions detected by other parties but also that you absolutely will not, under any circumstances, ever second-guess or investigate further beyond those tactics is to be ludicrously ignorant of how fallible such tools are. </p>
<div class="pullquote"> From a cybersecurity standpoint, the best thing to hope for in a person running a powerful organization—whether it’s a political party or the White House—is someone who will be constantly searching for evidence of breaches and intrusions. </div>
<p>From a cybersecurity standpoint, the best thing to hope for in a person running a powerful organization—whether it’s a political party or the White House—is someone who will be constantly searching for evidence of breaches and intrusions, someone who understands that the failure to find that evidence is a sign of a weak defense posture, not an absence of adversaries. Blind faith in the protective powers of technical tools is never a good sign—nor is the philosophy that no breach has occurred unless the stolen information has surfaced somewhere else, conclusively confirming a theft. </p>
<p>Many data breaches—especially those directed at governments for the purposes of espionage—do not result in public revelations of stolen information. The only reasons to reveal that you have successfully stolen data are to sell that data, to publicly humiliate or hurt the victims by influencing public opinion, or to extract a ransom from the victims. Often, incidents of political and economic cyberespionage are not motivated by any of these reasons, and the perpetrators therefore sit on their stolen data, quietly using it for their own purposes or waiting until it becomes useful.</p>
<p>Obviously, it’s easier to deny breaches that have no public component and harder to prove definitively that they’ve occurred. But just because the data stolen from the U.S. Office of Personnel Management has <a href=http://www.reuters.com/article/cybersecurity-usa-opm-idUSL1N12X1GP20151102 >not been sold</a> or published online does not mean that breach did not occur, or that it doesn’t matter, or that we should not be thinking about what we can learn from it and how we can better protect government agencies’ networks. </p>
<p>But to do that, you have to be willing to accept that some breaches are determined based on overwhelming evidence, absent any public announcement or confirmation by the perpetrators. Attackers often bypass technical defenses and protection mechanisms, and a slower, more in-depth investigation performed by more sophisticated analysts can reveal things an initial investigation may have missed; the fact that “evidence” of a hack hasn’t been found by the RNC is something to be concerned about, not something to brag about on national television. It’s the kind of thing you brag about when you want to advertise to adversaries not only how poor your network monitoring tools are but also how much false confidence you have placed in them. A government that refuses to accept or believe forensic evidence of data breaches is likely to be a very appealing—and very easy—target. </p>
]]></content:encoded>
			<wfw:commentRss>https://legacy.zocalopublicsquare.org/2016/12/23/just-rnc-says-wasnt-hacked-doesnt-change-reality/ideas/nexus/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Vulnerable Voting Machines Are Putting America at Risk</title>
		<link>https://legacy.zocalopublicsquare.org/2016/11/25/vulnerable-voting-machines-putting-america-risk/ideas/nexus/</link>
		<comments>https://legacy.zocalopublicsquare.org/2016/11/25/vulnerable-voting-machines-putting-america-risk/ideas/nexus/#comments</comments>
		<pubDate>Fri, 25 Nov 2016 08:01:46 +0000</pubDate>
		<dc:creator>By Lawrence Norden and Christopher Famighetti</dc:creator>
				<category><![CDATA[Essay]]></category>
		<category><![CDATA[Nexus]]></category>
		<category><![CDATA[American politics]]></category>
		<category><![CDATA[ASU]]></category>
		<category><![CDATA[democracy]]></category>
		<category><![CDATA[Future Tense]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[infrastructure]]></category>
		<category><![CDATA[presidential elections]]></category>
		<category><![CDATA[voting]]></category>
		<category><![CDATA[voting machines]]></category>

		<guid isPermaLink="false">https://legacy.zocalopublicsquare.org/?p=81529</guid>
		<description><![CDATA[<p>Although more than half the country may be unhappy with the results, America dodged a bullet on Election Day. That is, our voting machines generally held up. The tabulations they produced were not so close as to throw the election results in doubt, and there’s no legitimate indication that any were hacked.</p>
<p>In the next presidential election, we may not be so lucky. With antiquated voting devices at the end of their projected lifespans still in widespread use across the country, the U.S. is facing an impending crisis in which our most basic election infrastructure is unacceptably vulnerable to breakdown, malfunction, and hacking. It’s not just an inconvenience. If the machinery of democracy is called into question, so are its foundations.</p>
<p>Those of us who can recall the presidential election of 2000 know exactly what can happen when faulty technology meets a razor-close election. The Bush-Gore contest came down to </p>
<p>The post <a rel="nofollow" href="https://legacy.zocalopublicsquare.org/2016/11/25/vulnerable-voting-machines-putting-america-risk/ideas/nexus/">Vulnerable Voting Machines Are Putting America at Risk</a> appeared first on <a rel="nofollow" href="https://legacy.zocalopublicsquare.org">Zócalo Public Square</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Although more than half the country may be unhappy with the results, America dodged a bullet on Election Day. That is, our voting machines generally held up. The tabulations they produced were not so close as to throw the election results in doubt, and there’s no legitimate indication that any were hacked.</p>
<p>In the next presidential election, we may not be so lucky. With antiquated voting devices at the <a href= https://www.brennancenter.org/sites/default/files/publications/Americas_Voting_Machines_At_Risk.pdf>end of their projected lifespans</a> still in widespread use across the country, the U.S. is facing an <a href= https://www.supportthevoter.gov/files/2014/01/Amer-Voting-Exper-final-draft-01-09-14-508.pdf>impending crisis</a> in which our most basic election infrastructure is unacceptably vulnerable to breakdown, malfunction, and hacking. It’s not just an inconvenience. If the machinery of democracy is called into question, so are its foundations.</p>
<p>Those of us who can recall the presidential election of 2000 know exactly what can happen when faulty technology meets a razor-close election. The Bush-Gore contest came down to just a few hundred votes in Florida, and butterfly ballots and faulty punch card machines left us arguing about hanging, dimpled, and pregnant chads. It left wounds that still afflict the country. In today’s hyperpartisan environment, such a scenario—or even <a href= http://www.vox.com/policy-and-politics/2016/11/8/13567060/trump-voter-fraud-2016-electio>unfounded accusations</a> of a <a href= http://www.nytimes.com/2016/10/17/us/politics/donald-trump-election-rigging.html>“rigged” election</a> that gained postelection traction—would be far more contentious. Just imagine what it might be like in 2020. </p>
<p>Absent a wholesale replacement of our outdated electoral equipment, this scenario is becoming increasingly likely for our future elections. The problem of aging voting technology reaches nearly every corner of the United States, as <a href= https://www.brennancenter.org/sites/default/files/publications/Americas_Voting_Machines_At_Risk.pdf>we documented in a report released by the Brennan Center for Justice in 2015</a>. Unlike voting machines used in past eras, today’s systems were not designed to last for decades. Although it is difficult to predict how long an individual machine will reliably function, <a href= https://www.brennancenter.org/sites/default/files/publications/Americas_Voting_Machines_At_Risk.pdf#page=15>the experts we spoke with generally agree that machines purchased since 2000 have expected lifespans of only 10 to 20 years</a>. (And for most systems, it’s probably closer to 10.) This makes sense: No one expects a laptop to run reliably for more than a decade. Yet on Election Day 2016, 42 states used voting machines that were at least 10 years old, and 13 of those states used ones more than 15 years old. If replacements continue to stall before the next presidential election, many more will surpass their recommended retirement age.</p>
<p>Perhaps even more troubling, these aging machines <a href= http://www.politico.com/magazine/story/2016/08/2016-elections-russia-hack-how-to-hack-an-election-in-seven-minutes-214144>are particularly vulnerable to hacking</a>. Although the country has made important advances in securing our voting technology in recent years, these older devices often rely on unsupported software (we found machines still operating on Windows 2000) that doesn’t receive the regular security patches that help protect against modern methods of cyberattacks and hasn’t been through the relatively rigorous federal certification program that exists today. What’s more, many of these systems <a href= http://www.reuters.com/article/us-usa-election-machines-idUSKCN11Q0EU>don’t have physical paper trails or ballots to back up the results</a>, meaning there’s no way to independently verify how voters intended to cast their ballots in the case of a suspected hack. Our country’s patchwork of jurisdiction-by-jurisdiction voting systems would make it <a href= http://www.slate.com/articles/technology/future_tense/2016/10/changing_votes_isn_t_the_only_way_hackers_could_undermine_an_election.html>difficult to manipulate results on a national scale</a>, but hackers could still do considerable damage by tampering with votes in a swing district, <a href= http://www.slate.com/articles/technology/future_tense/2016/10/hackers_who_breach_voter_rolls_aren_t_just_thinking_about_fixing_elections.html>stealing records</a> to undermine voter privacy, or just <a href= http://www.pbs.org/wgbh/nova/next/tech/election-cybersecurity/>sowing suspicion of a larger conspiracy</a>. </p>
<p>Though voting went relatively smoothly this year, a scattering of issues that popped up during the election hinted at what problems may await if we fail to replace aging equipment. Voters complained of touchscreen calibration errors that “flipped” votes in <a href= http://www.npr.org/2016/10/26/499450796/some-machines-are-flipping-votes-but-that-doesnt-mean-theyre-rigged>North Carolina, Texas, Nevada</a>, and <a href= http://www.ajc.com/news/state--regional-govt--politics/state-looking-reports-more-georgia-vote-machines-flipping-votes/gjapagdPtQbxsn7ZZMTqXN/>Georgia</a> and interfered with selecting straight party tickets in <a href= http://myfox8.com/2016/11/08/pennsylvania-voters-claim-voting-machines-changing-ballots/>Pennsylvania</a>. Optical scan machines malfunctioned in parts of <a href= http://www.fox2detroit.com/news/elections-2016/216159836-story>Michigan</a> and <a href= https://www.bostonglobe.com/metro/2016/11/08/springfield-election-monitors-cite-problems-with-voting-machines-registration-verification/7NQCmRwOqn4JYbvf29gOPJ/story.html>Massachusetts</a>, and a few in <a href= http://www.rrstar.com/news/20161108/rockford-area-voting-machine-problems-fixed>Illinois</a> had to be replaced because a “memory card blew.” Although all of these issues appear to have been resolved by delayed or alternate voting methods, that doesn’t mean that glitches like these are unproblematic. It may never be clear how many people didn’t vote in this election because of the wait times. In the 2012 election, <a href= http://vote.caltech.edu/working-papers/114>one study estimated</a> that between 500,000 and 700,000 people failed to vote because of long lines.</p>
<div class="pullquote">&#8230; many of these systems don’t have physical paper trails or ballots to back up the results, meaning there’s no way to independently verify how voters intended to cast their ballots in the case of a suspected hack.</div>
<p>These voting machine issues aren’t a surprise. We have <a href= https://www.brennancenter.org/sites/default/files/publications/Americas_Voting_Machines_At_Risk.pdf>heard</a> from dozens of election officials who say they struggle to keep their aging machines running and that replacement parts are increasingly difficult, if not impossible, to find. Some even said they have resorted to eBay to find antiquated parts—from analog modems to dot matrix printer ribbons—to keep their voting systems running. Prior to the election, we surveyed 274 county election officials in 28 states. More than half of the officials said that they would need new machines by the 2020 presidential election, and 80 percent of those said they did not know if or how they would be able to pay for the replacements. </p>
<p>There’s a serious risk that we’ll create a two-tiered voting system—one in which wealthier counties will replace their equipment as needed, while poorer counties will be forced to use aging equipment for much longer than they should. This is a worry <a href= http://mashable.com/2016/04/05/old-voting-machines-problems/>that has been voiced by Edgardo Cortés</a>, the commissioner for Virginia’s Department of Elections. In 2014, the state legislature stripped funding for new voting machines from the budget, leaving the cost to localities. In the aftermath, Cortés said, richer counties such as Loudoun and Fairfax bought new equipment, but “smaller, poorer and more rural counties around the state are going to have a tough time.” </p>
<p>At least according to data we collected from four states—Virginia, Ohio, Minnesota, and Colorado—Cortés’ suggestion proved troublingly true. In these states, counties whose election officials purchased or had near-term plans to purchase new machines had an average median household income $10,000 or more higher than those that did not. In Colorado, we also found an urban and suburban versus rural divide—counties that replaced machines generally had a higher population density. If only some counties can replace aging voting equipment, it is possible that machine breakdowns could disproportionately affect certain voters—namely, rural or working class and poor voters.</p>
<p>Our political discourse is full of talk of the need for investment in infrastructure such as roads and bridges but almost never includes mention of that infrastructure most critical to a functioning democracy: our voting system. We <a href= https://www.brennancenter.org/sites/default/files/publications/Americas_Voting_Machines_At_Risk.pdf>estimate</a> that updating voting machines nationwide could easily cost $1 billion—in fact, this might be a low estimate since replacing machines will likely require the replacement of other incompatible systems. Considering the size and scope of the federal budget, this is a paltry sum. If the expense is shared with the states, it should be a small lift. Lawmakers can start with a smaller, immediate investment prioritizing the aging electronic devices that are, by far, the most insecure.</p>
<p>Unfortunately, to date, there has been a lot of buck-passing, with federal officials arguing this is a responsibility of the states, and with state officials arguing that the burden should fall on counties. But counties and towns have other pressing budgetary needs. The truth is that until there are problems, most citizens don’t think about voting machines. They are far more likely to be concerned about whether their roads are paved, the snow is cleared, and their teachers are paid. </p>
<p>The good news is that at least a few federal officials and experts are paying attention. Last year, Rep. Hank Johnson, D-Ga., introduced a <a href= https://hankjohnson.house.gov/media-center/press-releases/rep-johnson-introduces-bill-upgrade-aging-outdated-voting-machines>bill</a> that would allocate $125 million in matching grants for states to replace outdated voting equipment. Some—including <a href= http://www.nytimes.com/2016/08/04/us/politics/us-seeks-to-protect-voting-system-against-cyberattacks.html?_r=0>Secretary of Homeland Security Jeh Johnson</a> and a <a href= http://time.com/4429709/dnc-hack-democratic-national-committee-security-experts/>bipartisan group of security experts</a> that included former National Security Agency director Michael Hayden—have stressed the necessity of securing and investing in our voting systems, as we do <a href= https://www.dhs.gov/critical-infrastructure-sectors>critical infrastructure</a> like the electric power grid and nuclear sites. Others, such as computer security expert Bruce Schneier, recommend that the government develop processes for <a href= http://www.nytimes.com/2016/11/09/opinion/american-elections-will-be-hacked.html>detecting and responding to malfeasance</a>, including standards for fair resolution of an election should tampering be discovered.</p>
<p>Considering all that could have gone wrong, Americans were lucky not to have a major contestation of the results on Nov. 8. We can’t rely on such luck next time. There are four more years until the next presidential election—and we need to start thinking about this problem now, not just a few days before we cast our 2020 ballots.</p>
]]></content:encoded>
			<wfw:commentRss>https://legacy.zocalopublicsquare.org/2016/11/25/vulnerable-voting-machines-putting-america-risk/ideas/nexus/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>The Hackers Could Be Coming For This Election</title>
		<link>https://legacy.zocalopublicsquare.org/2016/10/07/hackers-coming-election/ideas/nexus/</link>
		<comments>https://legacy.zocalopublicsquare.org/2016/10/07/hackers-coming-election/ideas/nexus/#comments</comments>
		<pubDate>Fri, 07 Oct 2016 07:01:13 +0000</pubDate>
		<dc:creator>By Brian Nussbaum</dc:creator>
				<category><![CDATA[Essay]]></category>
		<category><![CDATA[Nexus]]></category>
		<category><![CDATA[Cybersecurity]]></category>
		<category><![CDATA[department of homeland security]]></category>
		<category><![CDATA[Future Tense]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[presidential election]]></category>
		<category><![CDATA[security debt]]></category>

		<guid isPermaLink="false">https://legacy.zocalopublicsquare.org/?p=79458</guid>
		<description><![CDATA[<p>There’s something particularly unusual about the recent revelations that foreign hackers successfully breached voter registration systems in Arizona and Illinois. </p>
<p>It’s not just the intriguing possibility of Russian involvement. Nor is it that FBI and Department of Homeland Security officials took the notable step of confirming the penetration and warning state election boards to conduct vulnerability scans.</p>
<p>It’s that the targets of the hacks—state and local election data—don’t have the same obvious incentives as attacks before them. Missing are the monetary rewards for the perpetrators of large retail data breaches; lacking is the espionage value of a hack like the massive compromise of data from the Office of Personnel Management. Instead, these intrusions target the system at the heart of our democracy, and the incidents are rightly being treated as a very serious problem. But how do we fix it?</p>
<p>For his part, Department of Homeland Security director Jeh Johnson </p>
<p>The post <a rel="nofollow" href="https://legacy.zocalopublicsquare.org/2016/10/07/hackers-coming-election/ideas/nexus/">The Hackers Could Be Coming For This Election</a> appeared first on <a rel="nofollow" href="https://legacy.zocalopublicsquare.org">Zócalo Public Square</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>There’s something particularly unusual about the recent revelations that foreign hackers successfully <a href=https://www.washingtonpost.com/world/national-security/fbi-is-investigating-foreign-hacks-of-state-election-systems/2016/08/29/6e758ff4-6e00-11e6-8365-b19e428a975e_story.html>breached voter registration systems in Arizona and Illinois</a>. </p>
<p>It’s not just the intriguing possibility of Russian <a href=http://www.economist.com/news/united-states/21707574-whats-worse-being-attacked-russian-hacker-being-attacked-two-bear-bear>involvement</a>. Nor is it that FBI and Department of Homeland Security officials took the notable step of confirming the penetration and warning state election boards to conduct vulnerability scans.</p>
<p>It’s that the targets of the hacks—state and local election data—don’t have the same obvious incentives as attacks before them. Missing are the monetary rewards for the perpetrators of <a href=http://www.forbes.com/sites/frontline/2014/06/18/the-underground-economy-of-data-breaches/#309c67926c72>large retail data breaches</a>; lacking is the espionage value of a hack like the massive compromise of data from the Office of Personnel Management. Instead, these intrusions target the system at the heart of our democracy, and the incidents are rightly being treated as a very serious problem. But how do we fix it?</p>
<p>For his part, Department of Homeland Security director Jeh Johnson has discussed the idea of including U.S. voting systems on the list of federally designated “<a href=https://www.washingtonpost.com/world/national-security/intelligence-community-investigating-covert-russian-influence-operations-in-the-united-states/2016/09/04/aec27fa0-7156-11e6-8533-6b0b0ded0253_story.html>critical infrastructure</a>”—a protective designation it gives to resources such as nuclear power plants, banking and finance systems, and the electrical grid. However, unlike our nuclear or financial systems, both the institutional and network infrastructures that underpin our local elections have been cobbled together in troubling ways. They were done incredibly cheaply, over years and numerous eras of technology, and with virtually no standardization or even minimum security practices. </p>
<p>To be clear, it would actually be very hard for hackers to meaningfully alter a national vote count given our decentralized election systems. (As <a href=http://thehill.com/blogs/ballot-box/presidential-races/295332-homeland-security-secretary-it-would-be-very-hard-for>Johnson himself pointed out after the August state breaches</a>, we’ve got some 9,000 jurisdictions at the state and local level involved in the process.) But changed ballots aren’t the only meaningful consequences that can result from such attacks. Other less clear costs—from weakened public confidence in election results to increased auditing expenses—pose serious concerns. Assessing this impact will be challenging, as will making changes to prevent future hacks. The vulnerabilities exposed by the Illinois and Arizona breaches, and credible concerns about the possibility of new ones, have exposed just how behind state and local governments are when it comes to protecting their systems and data.</p>
<p>Part of the reason for this comes down to serious <a href=http://www.govtech.com/opinion/4-Critical-Challenges-to-State-and-Local-Government-Cybersecurity-Efforts.html>funding</a> and <a href=https://www.washingtonpost.com/business/capitalbusiness/state-local-governments-turn-attention-to-cybersecurity-capabilities/2014/04/04/8527c4b0-b912-11e3-899e-bb708e3539dd_story.html>personnel</a> constraints. Almost all local governments <a href=https://fcw.com/pages/hpsp/hpsp-10.aspx>struggle</a> to recruit and retain generally qualified IT professionals, let alone those specializing in cybersecurity. With short supply and high demand, <a href=http://www.governing.com/news/headlines/state-and-local-Governments-dont-have-the-cybersecurity-staff-they-want.html>many are unable to pay</a> competitive salaries and often rely on contractors for most or even all of their information security. This wouldn’t be a problem if the local governments knew exactly what they needed and had sophisticated contracting capabilities, but this is often not the case. The most resource-constrained jurisdictions aren’t taking steps to beef up their cyberprotections. And when it comes to electoral processes, these local setbacks become national issues.</p>
<div class="pullquote">&#8230; the institutional and network infrastructures that underpin our local elections have been cobbled together in troubling ways. They were done incredibly cheaply, over years and numerous eras of technology, and with virtually no standardization or even minimum security practices.</div>
<p>The other reason that state and municipal governments have fallen behind on cybersecurity is a phenomenon known as “security debt.” The idea behind the term is that computers and computer networks allowed institutions—companies, organizations, and governments alike—to decrease their costs, increase their efficiency, and shrink their staff levels. The problem is that the upsides of the switchover are front-loaded in the early years of deployment, and this new, efficient way of doing business becomes the norm. Only later, sometimes years down the line, do costs like network vulnerabilities become apparent. Malware and Trojans. Data breaches. Ransomware. Most result from pre-existing or unpatched vulnerabilities. This is the security debt coming due.</p>
<p>The problem is that too many organizations quickly adopted these new systems without sufficiently planning for their inevitable future costs and vulnerabilities. The resulting security debt is especially problematic for local governments, which are often unable to mitigate the unplanned costs in an era where their funding is declining and more is expected of them. And it’s not just electoral processes that have been put at risk. Think of all of the information your municipal government has on you—voting data, tax information, property records, criminal history, driver’s license numbers, Social Security numbers. If your kids go to public schools, think of all of the data they have on your children. There’s perhaps no better case study of governments diving into a new system without thinking of security and privacy pitfalls than the fast-paced adoption of <a href=http://www.nytimes.com/2015/03/12/technology/learning-apps-outstrip-school-oversight-and-student-privacy-is-among-the-risks.html?_r=0>educational technology</a>. Few examples have a bigger security debt—what kind of data are these companies collecting? Who can use this sensitive student information? How secure is this data?—than these digital learning tools. The impulse to chase after the newest, shiniest technological aid doesn’t help either.</p>
<p>We expect our local governments to do quite a bit of work for us—from policing to collecting taxes to repairing roads to operating elections. In a modern world, all of those functions require information systems housing large amounts of sensitive data. Frankly, we haven’t thought enough about what goes into these processes. And when we have, we’ve mostly assumed that governments were taking reasonable measures to keep these systems secure. It’s not clear that those were good assumptions.</p>
<p>There are, however, ongoing discussions about how to fix these problems. They include ideas like having local governments consolidate, <a href=https://gcn.com/articles/2016/06/28/security-belongs-in-cloud.aspx>adopt cloud</a>-computing solutions, outsource to <a href=http://www.statetechmagazine.com/article/2016/02/cybersecurity-managed-services-likely-dominate-state-it-budget-conversations>managed security services</a>, or connect with <a href=https://www.whitehouse.gov/blog/2014/04/02/state-and-local-government-cybersecurity>federal</a> and <a href=http://cyberlaw.stanford.edu/blog/2016/03/state-and-local-cyber-security-rapid-growth-cyber-fusion-centers>state</a> programs that would pool resource capabilities. All of these, if implemented with care, provide promising potential for future solutions. Until then, we should concede that we will be paying a high “<a href=http://www.securityweek.com/technical-debt-bubble-and-its-effect-it-security>interest</a>” rate on our growing security debt—interest that is likely to manifest as data breaches, intrusions, and emergency costs to respond to incidents and patch vulnerabilities.</p>
<p>It’s also worth noting that, even with good tools, there are no simple answers to these challenges. Federal financial and technical support to better secure local electoral processes, for example, is sometimes viewed skeptically. Numerous state election officials <a href=http://www.politico.com/story/2016/08/election-cyber-security-georgia-227475>have suggested</a> that this represents creeping federal control over their elections, something many don’t want to see. Roadblocks like these pose serious challenges for a nation that relies on selecting leaders at every level at local ballot boxes. As we do so, we’re pushing the operations of our voting infrastructure to the most underfunded, understaffed, and underequipped levels of government.</p>
<p>Justice Louis Brandeis famously described the states as the “<a href=https://en.wikipedia.org/wiki/Laboratories_of_democracy>laboratories of democracy</a>.” In an age with more of our civic life online and more threats to it from around the world, we certainly have an interesting experiment on our hands.</p>
<p>The post <a rel="nofollow" href="https://legacy.zocalopublicsquare.org/2016/10/07/hackers-coming-election/ideas/nexus/">The Hackers Could Be Coming For This Election</a> appeared first on <a rel="nofollow" href="https://legacy.zocalopublicsquare.org">Zócalo Public Square</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://legacy.zocalopublicsquare.org/2016/10/07/hackers-coming-election/ideas/nexus/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Transparency Is Not Accountability</title>
		<link>https://legacy.zocalopublicsquare.org/2013/09/26/transparency-is-not-accountability/ideas/nexus/</link>
		<comments>https://legacy.zocalopublicsquare.org/2013/09/26/transparency-is-not-accountability/ideas/nexus/#respond</comments>
		<pubDate>Thu, 26 Sep 2013 07:01:51 +0000</pubDate>
		<dc:creator>by Lorelei Kelly</dc:creator>
				<category><![CDATA[Essay]]></category>
		<category><![CDATA[Nexus]]></category>
		<category><![CDATA[eGovernment]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[internet]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">https://legacy.zocalopublicsquare.org/?p=50896</guid>
		<description><![CDATA[<p>The National Security Agency, in its surveillance, is unaccountable. But we don’t know what to do about it. Why?</p>
<p>At a recent meeting on Capitol Hill, a young Congressional staffer offered the answer. He said: People think that tweeting or commenting online about the surveillance is actually doing something to hold the surveillance accountable. In other words, we’re confused about the connection between transparency and accountability. We haven’t defined the difference between using this era’s technological tools to shine a light on how government works and using this era’s technological tools to hold the government accountable.</p>
<p>And there’s a big difference. Young, tech-savvy people who care about Internet issues love to have hackathons and develop apps and produce investigative data visualizations in the name of transparency, but none of these fashionable things are a substitute for actual governing. And actual governing is hard to find these days. Witness Congress’ failure </p>
<p>The post <a rel="nofollow" href="https://legacy.zocalopublicsquare.org/2013/09/26/transparency-is-not-accountability/ideas/nexus/">Transparency Is Not Accountability</a> appeared first on <a rel="nofollow" href="https://legacy.zocalopublicsquare.org">Zócalo Public Square</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>The National Security Agency, in its surveillance, is unaccountable. But we don’t know what to do about it. Why?</p>
<p>At a recent meeting on Capitol Hill, a young Congressional staffer offered the answer. He said: People think that tweeting or commenting online about the surveillance is actually doing something to hold the surveillance accountable. In other words, we’re confused about the connection between transparency and accountability. We haven’t defined the difference between using this era’s technological tools to shine a light on how government works and using this era’s technological tools to hold the government accountable.</p>
<p>And there’s a big difference. Young, tech-savvy people who care about Internet issues love to have hackathons and develop apps and produce investigative data visualizations in the name of transparency, but none of these fashionable things are a substitute for actual governing. And actual governing is hard to find these days. Witness Congress’ failure to pass a budget, the sequester cuts, hostage-taking tactics in the Senate, threats of government shutdown.</p>
<p>Whatever you think of him, NSA whistleblower Edward Snowden has done the service of stopping us and focusing on this point. We now know about the government surveillance, thanks to the transparency he forced upon the government. But what on Earth can we do to make sure the surveillance doesn’t violate the law and people’s rights?</p>
<p>All our transparency tools, it now is clear, were never civic correctives in themselves.</p>
<p>How did we get stuck like this? One reason is that the high-profile innovators in Internet communications produced <i>campaign</i> technology—not governing technology. Campaign technologies—like those employed by President Obama’s re-election campaign or petition sites like Change.org—identify people, accelerate communication, and aggregate data. They are modern versions of old campaign tactics—knocking on doors, news cycle management, voter targeting. But, while the embarrassing videos circulated by campaigns, e-mail call-outs to donors, and social media shaming of opponents are effective campaign tactics, they are ineffective as tools for the hard work of making government policy.</p>
<p>Effective policy-making requires something different: trusted personal relationships between policymakers that lead to collaborations that benefit the public.</p>
<p>When you think about things this way, you understand that the problem with over-surveillance at the NSA is not about technology—it’s about a huge policy failure by the humans in Congress. Oversight of policy and agencies is the fundamental role of Congress: It is a wonky, complex, drawn-out process that requires experts, institutional memory, staff who like each other, and Members who will compromise. This work is fundamentally about human relationships, trust, and political capital—negotiating tools that can’t be developed the same way in the digital world.</p>
<p>We can’t bring accountability to the NSA unless we figure out how to give the whole legislative branch modern methods for policy oversight. Those modern methods can include technology, but the primary requirement is figuring out how to supply Congress with unbiased subject matter experts—not just industry lobbyists or partisan think tank analysts. Why? Because trusted and available expertise inside the process of policymaking is what is missing today.</p>
<p>According to calculations by the Sunlight Foundation, today’s Congress is operating with about 40 percent less staff than in 1979. According to the Congressional Management Foundation, it’s also contending with at least 800 percent more incoming communications. Yet, instead of helping Congress gain insight in new ways, instead of helping it sort and filter, curate and authenticate, technology has mostly created disorganized information overload. And the information Congress receives is often sentiment, not substance. Elected leaders should pay attention to both, but need the latter for policymaking.</p>
<p>The result? Congress defaults to what it knows. And that means slapping a “national security” label on policy questions that instead deserve to be treated as broad public conversations about the evolution of American democracy. This is a Congress that categorizes questions about our freedoms on the Internet as “cyber security.”</p>
<p>What can we do? First, recognize that Congress is an obsolete and incapacitated system, and treat it as such. Technology and transparency can help modernize our legislature, but they can’t fix the system of governance.</p>
<p>Activists, even tech-savvy ones, need to talk directly with Congressional members and staff at home. Hackers, you should invite your representatives to wherever you do your hacking. And then offer your skills to help them in any way possible. You may create some great data maps and visualization tools, but the real point is to make friends in Congress. There’s no substitute for repeated conversations, and long-haul engagement. In politics, relationships will leverage the technology. All technology can do is help you find one another.</p>
<p>Without our help and our knowledge, our elected leaders and governing institutions won’t have the bandwidth to cope with our complex world. This will be a steep climb. But, like nearly every good outcome in politics, the climb starts with an outstretched hand, not one that’s poised at a keyboard, ready to tweet.</p>
<p>The post <a rel="nofollow" href="https://legacy.zocalopublicsquare.org/2013/09/26/transparency-is-not-accountability/ideas/nexus/">Transparency Is Not Accountability</a> appeared first on <a rel="nofollow" href="https://legacy.zocalopublicsquare.org">Zócalo Public Square</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://legacy.zocalopublicsquare.org/2013/09/26/transparency-is-not-accountability/ideas/nexus/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>An Open (Of Course) Letter to My Friend, the NSA</title>
		<link>https://legacy.zocalopublicsquare.org/2013/06/12/an-open-of-course-letter-to-my-friend-the-nsa/ideas/nexus/</link>
		<comments>https://legacy.zocalopublicsquare.org/2013/06/12/an-open-of-course-letter-to-my-friend-the-nsa/ideas/nexus/#comments</comments>
		<pubDate>Wed, 12 Jun 2013 07:01:28 +0000</pubDate>
		<dc:creator>by Cyrus Nemati</dc:creator>
				<category><![CDATA[Essay]]></category>
		<category><![CDATA[Nexus]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[internet]]></category>
		<category><![CDATA[millenials]]></category>
		<category><![CDATA[national security]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">https://legacy.zocalopublicsquare.org/?p=48565</guid>
		<description><![CDATA[<p>Dear NSA,</p>
<p>We need to have a chat, so I trust you’re reading this.</p>
<p>Of course you are; good. Now, let’s see … how should I put this? Look, you’ve done a great job cultivating that whole “spook” image for the past 60 years. Really, you’ve just been terrifyingly adept at creating an environment of ironclad secrecy, even more so than the CIA, who’ve bungled too many overseas jobs to be the omnipotent, untouchable agency they’d like us to think they are.</p>
<p>Times are changing, though. For the past several generations, you’ve been the rulers of all information, with no one to challenge you. Americans just had to trust that the good quiet folk at the NSA were looking out for them, because no one else could handle data on such a large scale. It was a simpler time, back when the Internet was young and the Web was just </p>
<p>The post <a rel="nofollow" href="https://legacy.zocalopublicsquare.org/2013/06/12/an-open-of-course-letter-to-my-friend-the-nsa/ideas/nexus/">An Open (Of Course) Letter to My Friend, the NSA</a> appeared first on <a rel="nofollow" href="https://legacy.zocalopublicsquare.org">Zócalo Public Square</a>.</p>
]]></description>
				<content:encoded><![CDATA[<p>Dear NSA,</p>
<p>We need to have a chat, so I trust you’re reading this.</p>
<p>Of course you are; good. Now, let’s see … how should I put this? Look, you’ve done a great job cultivating that whole “spook” image for the past 60 years. Really, you’ve just been terrifyingly adept at creating an environment of ironclad secrecy, even more so than the CIA, who’ve bungled too many overseas jobs to be the omnipotent, untouchable agency they’d like us to think they are.</p>
<p>Times are changing, though. For the past several generations, you’ve been the rulers of all information, with no one to challenge you. Americans just had to trust that the good quiet folk at the NSA were looking out for them, because no one else could handle data on such a large scale. It was a simpler time, back when the Internet was young and the Web was just a seed of an idea, and our idea of “big data” was the Yellow Pages.</p>
<p>There are new kids in town, though; kids who grew up on data. They were raised to dish out and take in as much data as possible, and they do it for fun. To you, Facebook, Twitter, Tumblr, and all the rest of it are the latest places from which to siphon information. To these new kids, it’s home. It’s where they grew up, which is why they’re much better at it, and why you hire so many of them.</p>
<p>Now, what happens when you raise a generation on a steady diet of data, and then try to keep naughty secrets? They’re going to ask questions. They grew up in a world where information was free, and they took advantage of that fact. They learned more about the world around them than could ever be learned in school, and they went online for the answers to the questions their parents and teachers wouldn’t answer. They grew up not just appreciating that information was free, but expecting information to be free.</p>
<p>It gets worse. Not only are you hiring millennials, for whom secrecy is anathema—you’re hiring millennial hackers. And hacking, as you well know, means finding ways of turning technology to serve a purpose other than its intended one. When information isn’t free, these people have the ability and the will to free it.</p>
<p>I know this because I’m one of them. I may not have top-secret clearance and make six figures working for one of your contractors, but Edward Snowden’s demographic profile still hits close to home. When I was a boy, I used to hack into my computer games to add fart sounds to them. I built my own computers. I made my sister’s <a href="http://www.youtube.com/watch?v=8EshrR-xk2E">Teddy Ruxpin</a> say horrible, horrible things. When I get a new phone, its hackability is its number-one buying point.</p>
<p>When I get my hands on a new piece of technology, my first thought isn’t about what it can do—it’s about what it can’t do, and how can I force it to overcome its limitations to do what I want. I then wonder, “Why wasn’t I ‘allowed’ to do this in the first place?” See, we millennial hackers simply cannot take anything at face value. We’re a bit contrarian and stubborn by nature. It’s why we’re good at what we do. The more constraints you place on us (be they workplace, physical, technological, or copyright) the more we feel a need to disregard, challenge, or overcome those constraints.</p>
<p>To be a hacker is to be cynical about whatever “solid” information or limits you’re faced with, to remove layers of consumer sheen or government spin until raw components are laid bare to reconstruct at will. You reward people like me with fat salaries when we do this with technology, so there&#8217;s little sense in expecting us not to do the same in the rest of our lives—with your policies, rules, information, even with our own personal lives. We tinker, probe, deconstruct, and reassemble for other purposes. One thing we don’t do is blindly put hand to heart and sing “God Bless, America”—unless we’re in a North Korean gulag and it’s a contrarian move.</p>
<p>Do you see the problem? You need my kind of people for our understanding of data, but we don’t necessarily want or need you. You are anathema to our values and expectations. Sure, you’ve got some very smart graybeards who can do some amazing things, but they’re not going to be the bulk of your army for long, if they even still are. You have no choice but to keep hiring these hackers who didn’t grow up having data hidden from them. It’s ironic that you’ve become so reliant on people who really have no business in a tight-lipped, hierarchical quasi-militarized institution. We are the ones you should be snooping on, if only you could snoop without us.</p>
<p>I feel your pain.</p>
<p>Edward Snowden smoked you, and it wasn’t even very hard for him. Now, I know what you’re going to say. “It won&#8217;t happen again! We’ll improve security!” Who is going to improve your security? Is it going to be the naval officers you used to hire, respectful of hierarchy and used to a military lifestyle? Or maybe, say, more young, technical lay-people—contractors with the information freedom ideals of the millennial hacker? Yeah, I thought so.</p>
<p>Let&#8217;s face it: This isn’t going to be the last time your secrets are aired to the public. It’s probably not even going to be the last time this year that your secrets are aired to the public by another Edward Snowden, because you’ve got countless Edward Snowdens on your payroll whose first—not last—instinct is to blow open your information infrastructure. I mean, you tried to recruit me years ago, for goodness’ sake. Those confidential recruitment materials that said “For Your Eyes Only” all over them? Yeah, I showed those to everyone I knew, mostly because you were so heavy-handed with all the confidential stuff.</p>
<p>The important thing now is not to panic. No tears. You’re a big, strong, spooky organization, right? You don’t have to clean out your desk. You’ve still got a big role to play in the cyber-warfare of the next several decades. You’re just learning a hard lesson here, and I realize you’re partly being demonized for implementing what the White House and Congress want. However, you have no choice but to keep hiring these young, entitled, informed, data-driven hackers, who pretty soon might not have any secrets to leak because the Snowdens in your midst will have forced you to turn into a fully transparent (but still efficient!) organization.</p>
<p>Now that I think of it, you really should have played up the six-figure salary and Hawaii angle in those recruiting materials you gave me. I would’ve kept your secrets. Really.</p>
<p>Cheers,<br />
Cyrus</p>
<p>The post <a rel="nofollow" href="https://legacy.zocalopublicsquare.org/2013/06/12/an-open-of-course-letter-to-my-friend-the-nsa/ideas/nexus/">An Open (Of Course) Letter to My Friend, the NSA</a> appeared first on <a rel="nofollow" href="https://legacy.zocalopublicsquare.org">Zócalo Public Square</a>.</p>
]]></content:encoded>
			<wfw:commentRss>https://legacy.zocalopublicsquare.org/2013/06/12/an-open-of-course-letter-to-my-friend-the-nsa/ideas/nexus/feed/</wfw:commentRss>
		<slash:comments>11</slash:comments>
		</item>
	</channel>
</rss>
