General Curtis Scaparrotti, the top U.S. general in Europe, told members of the Senate Armed Services Committee Thursday he does not believe the U.S. is prepared to combat Russian cyberthreats.
CNN:
"I don't believe there is an effective unification across the interagency with the energy and the focus that we could attain."
(...)
"Typically, when you look at their (Russia's) disinformation, their social media, it is generally targeted at the undermining of Western values, confidence in that government, confidence in their governmental leaders, almost always subtly just hedging away at that," Scaparrotti said.
"Because of today's capabilities and information, where they can use multiple platforms and generate great volume, it can really undermine a nation," Scaparrotti told the lawmakers, "because all they have to do is just sow some confusion primarily, sow enough confusion so there is distrust in the government."
He added that, "it's not an uncommon thing to see," and that it's "subtle but it is constant."
Scaparrotti said Russia's cybertroops have also directed their weapons at US infrastructure.
"I've seen activity related to, you know, infrastructure, reconnaissance, et cetera in the United States, and I'll leave it at that," Scaparrotti said, without offering any more details.
(...)
However, he did say that he does have the resources needed for the US European Command.
Speaking at a conference in Washington, William Evanina, director of the National Counterintelligence and Security Center, said the federal government has not been good about sharing information with federal agencies and states.
“We have not done the best job of informing the rest of the government and private sector of what the threat is,’’ Evanina said. But now “we’re doing much better in’’ trying to share information, he added. Evanina’s center is under the Office of the Director of National Intelligence, which held classified briefings with state election officials in Washington last month.
The National Security Agency is also working with the Department of Homeland Security to “inform the states as to what would be prudent for them to do” ahead of this year’s midterm elections, Greg Smithberger, the agency’s director of capabilities, said in an interview Thursday.
(...)
Evanina also said 90 percent of data breaches that result in information being stolen come from “spear-phishing” attacks that fool people into opening their devices to intrusions.
“As Americans, we have an unbelievable ability not to click a link,’’ he said.
Meanwhile, a bipartisan group of Senators has written a letter to President Trump asking him to update Congress immediately on the status of the nation's overall domestic cyber deterrence strategy, including how far along it is and when it will be complete.
“The lack of decisive and clearly articulated consequences to cyberattacks against our country has served as an open invitation to foreign adversaries and malicious cyber actors to continue attacking the United States,” the senators wrote in the letter ...
(...)
“In congressional hearings over the course of several years, we have heard numerous government officials across party lines from the Department of Homeland Security, the Department of Defense, the State Department, and the National Security Agency each point to the White House when answering which government entity is in charge of formulating our nation’s cyber doctrine,” the lawmakers wrote Wednesday. “To date, despite a rapid increase in cyber activity by both nation-states and non-state actors, no cyber deterrence strategy has been announced.”
(...)
“A strong cyber doctrine by the United States government would serve as a deterrent, which is not only necessary, but critical to our nation’s survival in the digital age,” the senators wrote.
They cited cyber threats to U.S. critical infrastructure as well as “state-sponsored disinformation” targeting the electoral process – an apparent reference to Russian interference in the 2016 presidential election.
On Wednesday, House Homeland Security Committee Chairman Michael McCaul (R-TX) said he fully intends to address the issue of Russian election interference.
McCaul's pledge comes after Rep. Bennie Thompson (R-MS), the top Democrat on the panel, charged that the GOP chairman has failed to adequately act in light of Moscow's meddling in the 2016 presidential race.
(...)
“It seems that the Trump administration and this committee under your leadership are putting the same amount of effort toward this indisputable homeland security threat — none whatsoever,” he asserted.
(...)
McCaul, who has repeatedly condemned Russia for its interference efforts in the 2016 election, pushed back on the panel's ranking member, insisting he takes the threat of election meddling seriously.
“I look forward to working with you to conduct a full hearing on this issue, as it not only was a real impact in the last presidential election but I believe it will be a real event in the midterm 2018 elections,” he said.
Also on Wednesday, Senators Amy Klobuchar (D-MN) and Jeanne Shaheen (D-NH) sent a letter to three of the largest election equipment vendors, "inquiring about the security of their voting machines and whether their companies have been asked to share the source code or other sensitive or proprietary details associated with their voting machines with Russian entities."
From the Senators' press release:
In order to sell their software within Russia, these companies allowed Russian authorities to review their source code for flaws that could be exploited. While some companies maintain this practice is necessary to find defects in software code, experts have warned that it could jeopardize the security of U.S. government computers if these reviews are conducted by hostile actors or nations. U.S. tech companies, the Pentagon, former U.S. security officials, and a former U.S. Department of Commerce official with knowledge of the source code review process have expressed concerns with this practice.
Access to voting machine software is just one part of the problem. A new report from the Brennan Center for Justice says U.S. election systems in general are no better off now than they were in 2016.
CNN:
According to the Brennan Center's analysis, 41 states will be using voting systems that are at least a decade old, an improvement of only three states from 2016, and an estimated 43 states will be using machines that are no longer manufactured, the same number as in 2016.
The concern with the aged equipment is both that it is prone to malfunctions and breakdowns, and also that it can no longer support updated software, which could be a major cybersecurity vulnerability.
While most states use machines that have at least a paper trail, which experts consider a key backup security measure, Brennan finds that 13 states are still using some paperless voting machines and five states use them statewide -- an improvement of only one state since 2016. Virginia recently opted to replace all of its paperless voting systems.
Only three states, however, require post-election audits that verify mathematically that results are likely unaltered. Brennan analysis noted that 13 states are considering requiring such audits, considered the gold standard, but only Rhode Island has enacted such a policy.
The Brennan Center says the federal government needs to give states more money to modernize systems and implement audits.
US not effectively countering Russia cyberthreat, top general says (CNN)
Senators demand cyber deterrence strategy from Trump (The Hill)
GOP chairman pledges to tackle Russian meddling efforts 'head on' (The Hill)
Klobuchar, Shaheen Seek Answers from Election Equipment Vendors to Ensure Security of Voting Machines (press release)
Report: Voting security almost no better than 2016 (CNN)
U.S. Hasn't Shared Enough About Cyber Risks, Official Says (Bloomberg Politics)