The #DataInsecurity Digest | Issue 32

Issue 32 | November 7, 2016

#DataInsecurity Digest: Will Russian hacking undermine results?

By John Breyault (@jammingecono, johnb@nclnet.org)
NCL Vice President of Public Policy, Telecommunications and Fraud

Editor’s Note: Welcome to this special pre-election edition of the #DataInsecurity Digest! With the election likely to have a major impact on the data security policy landscape, we’re bringing you the Digest two days early. We’ll be back in your inboxes again next Monday, November 14, with our post-election special, featuring reactions to and analysis of the election results from a data security point of view.

What’s the goal of Russian hackers meddling in the U.S. elections? Most experts agree that it would be extremely difficult to successfully pull off a large-scale cyber attack on our distributed voting system. According to federal cybersecurity officials, however, the hackers’ real aim is to undermine Americans’ faith in the political system and America’s standing in the world. The concern among many at DHS, FBI and elsewhere is that last month’s massive distributed denial of service (DDoS) attack on Dyn could have been just a test run for an even bigger attack on Election Day. In other news, if polls are to be believed, privacy and data security advocate Russ Feingold could be back in the Senate in the next Congress. Finally, the FCC’s big vote to require Internet service providers to abide by privacy rules will also have an impact on data security. The FCC’s new role as a data security cop will also be tested thanks to Sen. Mark Warner, who wants the agency, along with the FTC and DHS, to examine how Internet of Things (IoT) device security can be improved in the wake of the crippling DDoS attack on Dyn that relied on compromised webcams and other IoT devices.

And now, on to the clips!

—————–

Feds: Russians used Dyn DDoS attack as a “drill” for Election Day. The massive DDoS attack on Dyn that knocked major websites like Amazon and Twitter offline for hours “had all the signs of what would be considered a drill” by Russian hackers, according to former Homeland Security official Ann Barron-DiCamillo. Federal cybersecurity officials expect that such an attack could be perpetrated again on Election Day to sow confusion and distrust of the election’s integrity. Writing for @NBCNews, @KenDilanianNBC reports that “officials fear an 11th hour release of fake documents implicating one of the candidates in an explosive scandal without time for the news media to fact check it.” (Source: NBC News)

FBI agrees: Russia’s goal is to undermine integrity of the political system, not support Trump. As numerous investigations continue into Russia’s attacks on the Democratic National Committee, Clinton campaign chairman John Podesta, and now the Trump campaign’s potential ties to a Russian bank, officials are beginning to conclude that the aim of these cyber attacks is not to elect Donald Trump. Rather, write @EricLichtblau and @stevenleemyers, the consensus developing at the FBI is that the goal was to “disrupt the integrity of the political system and undermine America’s standing in the world more broadly.” (Source: New York Times)

How could hackers suppress the vote? Although the dispersed nature of the U.S. election system makes it next to impossible for hackers to alter the results, some experts are raising the alarm over a potential cyber attack designed to suppress voter turnout. @Incapsula_com cautions that a distributed denial of service attack has been designed to suppress voter turnout by targeting get-out-the-vote carpooling websites, poll locator sites, and online voting platforms. (Source: Imperva Incapsula)

Digital privacy advocate poised to retake Senate seat. Former U.S. Sen. Russ Feingold (D-WI), a longtime digital privacy advocate and the only U.S. Senator to oppose the USA PATRIOT Act, is enjoying a significant lead according to recent polls. @Reuters reports that “Privacy advocates and former Feingold staffers said they expected Feingold, if returned to office, to be sympathetic to the privacy concerns of technology companies and civil liberties groups on issues such as encryption and domestic spying, at a time when many lawmakers are being pressured to confront security threats from Islamic State and other militant groups.” (Source: Reuters)

And in non-election news: New FCC rules require ISPs to adopt “reasonable” data security. The impact of new privacy rules on Internet service providers was the focus of much of the analysis of the FCC’s vote on October 27. However, the new rules also require ISPs to abide by rigorous data security and breach notification rules (full disclosure: NCL filed comments in support of the new rules). Fortunately, @HoganLovells provided a quick snapshot of the data security requirements, which require that, “ISPs must take reasonable measures to protect consumer data. ISPs also must notify consumers of data breaches within 30 days unless they determine that no harm is reasonably likely to occur.” Unlike the privacy rules, which take effect next year, the data security and breach notification rules take effect 90 days and six months, respectively, after publication in the Federal Register. (Source: Hogan Lovells)

Sen. Warner: FCC, FTC, DHS should investigate DDoS attacks. Sen. Mark Warner (D-VA), co-founder of the Senate Cybersecurity Caucus, wants three federal agencies to examine how IoT devices are being used to power massive DDoS attacks. Last month, the so-called Mirai botnet, reportedly powered by an army of compromised IoT devices, took down many popular Internet sites, including Twitter and Spotify. “The weak security of many of the new connected consumer devices provides an attractive target for attackers, leveraging the bandwidth and processing power of millions of devices, many of them with few privacy or security measures, to swamp internet sites and servers with an overwhelming volume of traffic,” wrote Warner. (Source: KrebsOnSecurity.com)

Upcoming events

January 12, 2017 – PrivacyCon – Washington, DC
The FTC will host its second PrivacyCon conference “to continue and expand collaboration among leading whitehat researchers, academics, industry representatives, consumer advocates, and the government to address the privacy and security implications of emerging technologies.”

May 24, 2017 – Planning for the Future: A Conference About Identity Theft – Washington, DC
The FTC will host an all-day conference to take a comprehensive look at how identity theft has evolved over the last decade and what can be done to address this challenge in the future. The conference will be used to gather input from academics, business and industry representatives, government experts and consumer advocates. Participants will look at the current state of identity theft, examine potential future challenges, and discuss how to address these issues.

National Consumers League
Published November 7, 2016