Former Facebook security chief says creating election chaos is still easy

As someone who’s had a years-long front row seat to Russia’s efforts to influence US politics, former Facebook Chief Security Officer Alex Stamos has a pretty solid read on what we can expect from the 2018 midterms. Stamos left the company last month to work on cybersecurity education at Stanford.

“If there’s no foreign interference during the midterms, it’s not because we did a great job,” Stamos said in an interview with TechCrunch at Disrupt SF on Thursday. “It’s because our adversaries decided to [show] a little forbearance, which is unfortunate.”

As Stamos sees it, the US electorate could have been in far better shape heading into its next major nationwide voting day, but the critical steps that would have gotten it there haven’t been taken.

“As a society, we have not responded to the 2016 election in the way that would’ve been necessary to have a more trustworthy midterms,” he said. “There have been positive changes, but overall security of campaigns [is] not that much better, and the actual election infrastructure isn’t much better.”

Stamos believes it’s important to remember that foreign adversaries can’t dictate the outcome of an election with any kind of guarantee. What they can do, and what he calls his “big fear,” is create enough disruption that the entire system is called into question.

“In most cases, throwing an election one way or another is going to be very difficult for a foreign adversary but throwing any election into chaos is totally doable right now,” he said. “That’s where we haven’t moved forwards.”

Stamos gave as examples attacks on voter registration sites that cause voter data to be lost, and denial-of-service attacks against election systems on election day itself.

“With a disinformation campaign at the same time, you can make it so that you have half the country that thinks the election was thrown,” he said.

To a foreign adversary seeking to undermine US democracy, creating that kind of doubt isn’t technically difficult. Even with no votes changed and no voting systems breached, a little doubt goes a very long way toward accomplishing the same goals as a far more sophisticated hacking campaign.

Stamos cites new political ad funding disclosures as one substantive change that will help make US democracy healthier, but he says more needs to be done.

“Russian interference or not, we do not want a future where campaigns and candidates are cutting up the electorate into smaller and smaller pieces — so I think ad transparency is the first step there,” he said.

In some cases, those efforts will require a major shift in the way both the US government and private social media companies have conducted themselves. For one, as he wrote in Lawfare, the US needs “an independent, defense-only cybersecurity agency with no intelligence, military or law enforcement responsibility” rather than a patchwork of agencies each partially responsible for cybersecurity defense.

The news may not be great for 2018, but a strong dose of realism now will amplify the clarion call to do better before 2020.

Valimail offers US election boards, campaigns and voting vendors its email anti-spoofing service for free

Valimail, an enterprise email security firm, announced that it will offer its email protections for free to relevant government workers and campaigns through the 2018 midterms. That offer covers state election boards, voting system vendors and major party U.S. election campaigns including congressional, statewide and gubernatorial candidates. The company will also offer the same email fraud prevention service, known as Valimail Enforce, to the Democratic National Committee and Republican National Committee at no cost through the 2020 US presidential election.

“Bad actors are trying to disrupt our elections and sow chaos in our democracy,” Valimail CEO and co-founder Alexander García-Tobar said in a statement. “They are targeting email because it is one of the weakest points in digital communications.”

As Valimail observes, spear phishing, in which an attacker sends a deceptive email crafted for a specific target, is a particular problem. The attacker can harvest the target’s login credentials by getting them to click a link to a fraudulent login page, or simply by impersonating someone the target trusts and asking for usernames, passwords and other sensitive information. (The suspected Russian government-affiliated attackers who compromised a Gmail account belonging to Hillary Clinton’s 2016 campaign chair John Podesta used spear phishing to achieve their goals.)

Spear phishing attacks often employ email spoofing, in which the attacker forges the message’s “from” address so that it appears to come from a trusted domain rather than from the attacker. Citing its own research, Valimail says that 90 percent of cyber-attacks originate in spear phishing and that two thirds of those use a fake “from” address to target potential victims.

Valimail Enforce aims to prevent this kind of attack with an email authentication system that lets only authorized senders use a domain name in the “from” address. The company’s email authentication service is built on the SPF, DKIM and DMARC standards and is Federal Risk and Authorization Management Program (FedRAMP) authorized, making it easier for government entities to adopt its security tools.
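As an added illustration (this is example code written for this page, not Valimail’s software or anything from the original article), the script below shows the check a receiving mail server performs when a domain publishes such a policy. SPF is evaluated for the connecting IP against the envelope sender’s record, a verified DKIM signature’s domain is taken as given, and DMARC then decides whether either result is aligned with the domain the recipient actually sees in the From: header. The domains, IP addresses and DNS records are all constructed for the example; it contrasts an enforcing DMARC policy (p=reject) with a monitor-only one (p=none), because the “only authorized senders” guarantee described above only exists once a domain moves to an enforcing policy.

```python
"""DMARC disposition for an inbound message, evaluated offline.

Added example, not Valimail's code. Every domain, IP and DNS record here is
constructed for illustration; a real receiver would fetch the TXT records.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed TXT answers standing in for live DNS lookups (hypothetical domains).
DNS_TXT = {
    "campaign.example":        "v=spf1 ip4:192.0.2.0/24 -all",
    "bounce.campaign.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_dmarc.campaign.example": "v=DMARC1; p=reject; adkim=s; aspf=r",              # enforcing
    "_dmarc.vendor.example":   "v=DMARC1; p=none; rua=mailto:dmarc@vendor.example",  # monitor only
}

SPF_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; adkim=s' into tags; alignment defaults to relaxed."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: %r" % record)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels.
    Real implementations consult the Public Suffix List so that e.g.
    'co.uk' is not mistaken for an organisational domain."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def spf_check(source_ip: str, mail_from_domain: str) -> str:
    """Evaluate the envelope sender's SPF record for the connecting IP.
    Only ip4:/ip6: mechanisms and the 'all' terminator are modelled;
    a/mx/include mechanisms would need further DNS lookups."""
    record = DNS_TXT.get(mail_from_domain.lower(), "")
    if not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(source_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue
        if matched:
            return SPF_RESULT[qualifier]
    return "neutral"


@dataclass
class Message:
    from_domain: str            # domain in the visible RFC5322.From header
    mail_from_domain: str       # envelope sender domain (RFC5321.MailFrom)
    source_ip: str              # IP of the connecting SMTP client
    dkim_domain: Optional[str]  # d= of a DKIM signature that verified, else None


def dmarc_evaluate(msg: Message) -> Tuple[bool, str]:
    """Return (dmarc_pass, disposition); disposition is the published policy
    ('none', 'quarantine' or 'reject') when the message fails, else 'none'."""
    record = DNS_TXT.get("_dmarc." + msg.from_domain.lower())
    if record is None:
        return False, "none"    # no policy published: nothing to enforce
    policy = parse_dmarc(record)
    spf_ok = (spf_check(msg.source_ip, msg.mail_from_domain) == "pass"
              and aligned(msg.from_domain, msg.mail_from_domain, policy["aspf"]))
    dkim_ok = (msg.dkim_domain is not None
               and aligned(msg.from_domain, msg.dkim_domain, policy["adkim"]))
    passed = spf_ok or dkim_ok
    return passed, ("none" if passed else policy["p"])


if __name__ == "__main__":
    cases = {
        "legit":           Message("campaign.example", "campaign.example", "192.0.2.10", None),
        "bounce_host":     Message("campaign.example", "bounce.campaign.example", "192.0.2.20", None),
        "spoof":           Message("campaign.example", "attacker.example", "203.0.113.5", "attacker.example"),
        "spoof_monitored": Message("vendor.example", "attacker.example", "203.0.113.5", None),
    }
    for name, msg in cases.items():
        print("%-16s pass=%-5s disposition=%s" % (name, *dmarc_evaluate(msg)))
```

Two caveats a practitioner should keep in mind: with p=none the record only generates aggregate reports and the spoofed message is still delivered, so a domain is not actually protected until its policy moves to quarantine or reject; and none of these checks stop a look-alike domain the attacker registers himself, which authenticates perfectly well as itself.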

Though no states and campaigns have signed onto the new offering yet, Valimail has been talking with the National Association of State Election Directors and the Department of Homeland Security, the federal agency tasked with coordinating security for election systems — now designated as critical infrastructure — among the states. Valimail follows companies like Cloudflare and Synack in offering its services at no cost to help secure election systems.

Because US elections are run at the state and local level, it’s very difficult to ensure that security measures are uniformly implemented and enforced across the board. It’s too late for the patchwork of post-2016 election security efforts to provide any kind of comprehensive assurance for the 2018 midterms, but private tech companies are stepping in to fill some of the gaps. At the very least, getting some security relationships in place and educating state and local officials on potential precautions should be a useful stepping stone to more secure elections by 2020.

Facebook and Microsoft briefed state officials on election security efforts today

So much for summer Fridays. Yesterday, BuzzFeed reported that a dozen tech companies, including Facebook, Google, Microsoft and Snapchat, would meet at Twitter headquarters on Friday to discuss election security. For two of them, that wasn’t the only meeting in the books.

In what appears to be a separate event on Friday, Facebook and Microsoft also met with the Department of Homeland Security, the FBI and two bodies of state election officials, the National Association of State Election Directors (NASED) and the National Association of Secretaries of State (NASS), about their election security efforts.

The discussion was the second of its kind connecting DHS, Facebook and state election officials on “actions being taken to combat malicious interference operations.” The meetings bring together two very different perspectives on threats to election security. States are largely concerned with securing voter databases and election systems, while private tech companies are waging a very public war against coordinated disinformation campaigns run on their platforms by foreign adversaries of the U.S. Social media platforms and election systems themselves are two important yet usually disconnected fronts in the ongoing war against Russian election interference.

“Effectively combatting coordinated information operations requires many parts of society working together, which is why Facebook believes so strongly in the need for collaboration between law enforcement, government agencies, security experts and other companies to confront these growing threats,” Facebook VP of Public Policy Kevin Martin said of the meeting.

“We are grateful for the opportunity to brief state election officials on a recent call convened by DHS and again today as part of our continued effort to develop collaborative relationships between government and private industry.”

Curiously, while Microsoft and Facebook attended the DHS-hosted meeting, it doesn’t look like Twitter did. To date, Twitter and Facebook have faced the most fallout for foreign interference on their platforms meant to influence American politics, though Google was also called to Congress to testify on the issue last fall. When reached, Twitter declined to comment on its absence, though the company was reportedly playing host to the other major tech election security meeting today.

The meeting with state officials sounds like it was largely informational in nature, with Facebook and Microsoft providing insight into their respective efforts to contain foreign threats to election integrity. On Tuesday, Microsoft revealed that its Digital Crimes Unit had secured a court order to take down six domains created by Russia’s GRU military intelligence agency and designed to phish user credentials. Half of the phishing domains were fake versions of U.S. Senate websites.

“No one organization, department or individual can solve this issue alone, that’s why information sharing is so important,” said Microsoft VP of Customer Security and Trust Tom Burt. “To really be successful in defending democracy, technology companies, government, civil society, the academic community and researchers need to come together and partner in new and meaningful ways.”