Voting machines, data and information regulation, and an influence campaign.

Summary

By the CyberWire staff

At a glance.

Voting machines with improved security aren't expected in the US until 2026.
Proposed UK data and ICO changes.
A Chinese influence campaign.

More secure election machines aren’t due for the US midterms.

The Washington Post says voting machines designed to meet updated Voluntary Voting System Guidelines (VVSG) probably won’t be rolled out until 2026, according to a status report this week from election equipment vendors. Issued in February by the US Election Assistance Commission (EAC), VVSG 2.0 will guide, and in many cases require, states to boost encryption standards and auditing functionality. The rollout is complicated by budgetary restrictions and the fact that numerous regions recently upgraded their systems. “It’s reasonable to wonder whether the slow pace of change at the EAC and in the vendor community are up to the task of combating a loss of public confidence in elections,” commented OSET Institute executive Edward Perez.

VVSG 2.0 has also drawn criticism for failing to prohibit wireless connectivity in voting machines. Twenty-plus members of Congress wrote to the EAC, “Benign misconfigurations that could enable connectivity are commonplace and malicious software can be directed to enable connectivity silently and undetectabl[y], allowing hackers access to the voting system software.” The EAC indicated that banning wireless connectivity could prove too expensive.

UK’s proposed data and ICO reforms.

The UK’s planned “common sense” Information Commissioner’s Office (ICO) and data protection reforms seem poised to preserve privacy protections despite prioritizing economic growth, contra worries about dramatic divergence from GDPR rules, Computing reports. “Whether that plan survives contact with the real world, of course, remains to be seen,” Computing notes.

“There is no doubt that some aspects of the GDPR do not work well,” Centre for Information Policy Leadership President Bojana Bellamy remarked, “and some areas are unhelpfully obscure. For example…individuals' consent to data processing has been rendered meaningless through overuse; and international data flows have become mired in red tape.” The consultation period on the reforms will wind up in November.

Beijing’s influence campaign.

As we’ve seen, Beijing appears to be moving towards some elements of Moscow’s playbook on both the privateering and disinformation fronts. Reuters breaks down a pro-CCP group’s latest efforts to spread the line that the pandemic originated on US soil and to catalyze in-person anti-racism protests. The effort encompasses “thousands of handles on dozens of sites around the world,” including Google, Twitter, and Facebook, and has thus far obtained minimal traction.

Threat analysts worry, however, about the initiative’s evolving tactics and eventual maturation. “They've clearly got a wide mandate that's global. Someone is giving them pretty broad orders,” said FireEye VP John Hultquist. While the campaign has not yet been attributed to a particular threat group, its content mirrors Chinese state propaganda. ZDNet notes that the operation is “far more extensive than previously believed,” spanning seven languages, thirty social platforms, and forty other known sites.

Selected Reading

Russia Influences Hackers but Stops Short of Directing Them, Report Says (NYTimes) The arrangement allows the Russian government some plausible deniability for attacks, researchers found.

Dark Covenant: Connections Between the Russian State and Criminal Actors | Recorded Future (Recorded Future) The intersection of individuals in the cybercriminal world and officials in the Russian government is well established yet highly diffuse.

U.S. Cyber Czar: Too soon to tell if Russia ransomware has stopped (The Record by Recorded Future) A top U.S. cybersecurity official said on Thursday that it was too soon to tell whether Russian ransomware gangs have let up their assault on U.S. targets.

Cyberangriffe auf Politiker: Generalbundesanwalt ermittelt gegen Putins Hacker (Der Spiegel) Erstmals hat die Bundesregierung Russlands Militärgeheimdienst GRU öffentlich für die Hackerkampagne »Ghostwriter« angeprangert. Nach SPIEGEL-Informationen ermittelt nun auch die Bundesanwaltschaft.

Germany probes claims of pre-election MP hacking by Russia (Yahoo) German federal prosecutors said Thursday they are probing alleged hacking attacks against lawmakers ahead of this month's German election that Berlin has blamed on Russia.

Is the Taliban a Cyber Threat to the West? (SecurityWeek) While the Taliban provides no immediate cybersecurity threat, there is ample potential for it to develop into a major threat on a par with North Korea over the next three to five years

Acting Responsibly in Cyber Space - With Marcus Willett CB OBE - Pentest (Pentest) We spoke to Marcus Willett OB CBE, Ex GCHQ Director of Cyber, to discuss the big issues affecting cyber space, especially state-led operations

US Gov Seeks Public Feedback on Draft Federal Zero Trust Strategy (SecurityWeek) The U.S. government's CISA and OMB are seeking the public’s opinion on draft zero trust strategic and technical documentation.

US Army works through what ‘information advantage’ is and how to achieve it (Defense News) The Army is conducting a series of experiments to figure out the right mix to achieve information advantage for commanders.

Money, mimicry and mind control: Big Tech slams ethics brakes on AI (Reuters) In September last year, Google's cloud unit looked into using artificial intelligence to help a financial firm decide whom to lend money to.

True quantum supremacy and the race to a million qubit chip (Computing) Is quantum supremacy - the moment when conventional computers become obsolete - a fiction?

Brazil’s President Bans Social Networks From Removing Some Posts (New York Times) The new rules in Brazil appear to be the first national policy that restricts how tech companies can control their sites, analysts say.

SECDEF: al-Qaida may seek comeback in Afghanistan (Military Times) The Taliban had provided al-Qaida with sanctuary while it ruled Afghanistan from 1996 to 2001.

Readout of the Political Directors Small Group Meeting of the Global Coalition to Defeat Daesh/ISIS (United States Department of State) Senior diplomatic representatives from the Small Group of the Global Coalition to Defeat Daesh/ISIS met today in a virtual setting to discuss the global campaign against Daesh/ISIS. U.S. Acting Special Envoy for the Global Coalition John Godfrey provided an update on progress in Iraq and Syria, and outlined the Coalition’s focus on defeating Daesh/ISIS global […]

Beyond Forever War (Foreign Affairs) A smarter counterterrorism approach is now within reach.

Easterly Discusses Ransomware Action and Industry Collaboration with U.K. Counterpart (Hstoday) Top cybersecurity officials from the U.S. and U.K. affirmed their commitment to tackling ransomware in their first official face-to-face engagement on September 9 in London. Lindy Cameron, CEO of the U.K.’s National Cyber Security Centre (NCSC) – a part of GCHQ – met with Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA) […]

UK's proposed data and ICO reforms are surprisingly pro-regulation (Computing) There were concerns that reforms could damage privacy and undo the GDPR. Instead, it appears that the government wants to rebuild problem areas while maintaining personal protections

Democrats eye new $1 billion effort to crack down on Big Tech in sprawling economic package (Washington Post) The new funding proposal comes as Democrats work to assemble a $3.5 trillion spending bill

EXCLUSIVE Wide-ranging SolarWinds probe sparks fear in Corporate America (Reuters) A U.S. Securities and Exchange Commission investigation into the SolarWinds Russian hacking operation has dozens of corporate executives fearful information unearthed in the expanding probe will expose them to liability, according to six people familiar with the inquiry.

Should Ransomware Payments Be Made Illegal? (Wall Street Journal) Proponents say it would lead to fewer attacks. Opponents say that organizations need the option to pay. The two sides square off in a debate.