Potential ramifications of the DNC hack

With help from Eric Geller, Martin Matishak and Kate Tummarello

AFTER THE DNC ATTACK — The blockbuster news that Russians reportedly hacked the Democratic National Committee to get opposition research on Donald Trump and other information inflamed GOP criticism of Hillary Clinton’s private email server. But it had a host of security ramifications, not just political ones. MC spoke to, or heard from, a range of experts on the meaning of it all:


— WHAT’S THE IDEA? The most direct motive for the attack is the one with a historical precedent. The Russian groups suspected of being behind the hack having long used cybertheft to gather intel on U.S. and Western policies, whether from current leaders or potential future ones, said John Hultquist, head of FireEye’s cyber espionage division. That information — potentially procured by Russian cybercriminals looking to curry favor with the government — might then be used during a key moment in negotiations to get an edge, said Scott Borg, the director of the independent U.S. Cyber Consequences Unit. Why focus on opposition research about Trump, specifically? Trump, as a political newcomer, is less familiar as an international figure, said Alan Wade, a former CIA chief information officer and advisory board member for Darktrace. And Justin Harvey, chief security officer of Fidelis Cybersecurity, said no one should rule out the possibility that any data stolen is being sold on the black market, too.

— POOR DEFENSES DON’T HELP: Harvey said that as a nonprofit, the DNC and similar organizations wouldn’t have much to spend on information security. And because presidential campaign organizations physically move around so much and feature so many people coming and going, they’re fundamentally difficult to secure, Hultquist said. “It is highly likely that both DNC and RNC have long-standing breach issues, it appears that the DNC simply discovered this incident,” said Alexander Heid, chief research officer at SecurityScorecard.

— CHANGING NATURE OF THE THREAT: “If initial reporting is true, we’re seeing how ‘sophistication’ applies more to how hackers maintain persistent access, not to how they gain access to systems and networks in the first place,” said Michael Sulmeyer, director of Harvard Belfer Center’s cybersecurity project and a former Defense Department senior cyber policy adviser. Ray Rothrock, CEO of RedSeal, said the hack shows that the real battlefield in cyberspace isn’t on the company’s perimeter defenses, but inside its network.

— WHAT’S THE GOVERNMENT ROLE? Asked if the FEC or another agency should take a stronger hand in safeguarding political campaign organizations, top Senate Homeland Security Democrat Tom Carper said that responsibility instead lies with the likes of the DNC and RNC. Asked the same, Rep. Will Hurd, who chairs the Oversight Subcommittee on Information Technology, said: “I don't know if we have the time to look at that, with the limited number of days that we have,” but “as this unfolds and we learn more about the specific hack, that's something [to look at]." For her part, Clinton said the incident reinforced that cybersecurity is an issue that she “will be absolutely focused on” should she win the presidency. “Because whether it’s Russia, or China, Iran or North Korea more and more countries are using hacking to steal our information, to use it to their advantage,” she said on Telemundo. The Trump campaign referred questions to the Secret Service.

The New York Times had some Clinton/Trump tidbits: “A senior government official said Hillary Clinton’s presidential campaign, based in Brooklyn, also appeared to have been targeted, but it was not clear whether it lost any data.” And: “Paul Manafort, Mr. Trump’s campaign chairman, previously advised pro-Russian politicians in Ukraine and other parts of Eastern Europe, including former President Viktor F. Yanukovych of Ukraine.”

HAPPY WEDNESDAY and welcome to Morning Cybersecurity! The person who did the “American Ninja Warrior” course in a T. Rex suit deserves all of the things. Send thoughts, feedback and especially your tips to [email protected] and follow @timstarks, @POLITICOPro and @MorningCybersec. Full team info below.

TODAY: HOUSE HOMELAND PANEL TACKLES INFO SHARING LAW — Implementation of last year’s cybersecurity information sharing law has some hitches but overall is “off to a good start,” Matthew Eggers, the Chamber of Commerce’s executive director of cybersecurity policy, will tell a House Homeland Security subcommittee today, according to his written testimony. Eggers will observe that some companies are still reluctant to participate because they don’t entirely trust the government, despite the promise of liability protections. Other witnesses from USTelecom, CA Technologies and Soltra will alternately tell the panel that there needs to be clarification about the definition of “personally identifiable information;” that operational improvements must be made to make data sharing smoother; and that there should be more guidance on the scope of the liability protections. But today also brings a deadline on additional policies and procedures from the Homeland Security and Justice departments, which the witnesses say could clear up remaining mysteries.

“As chairman of the House Homeland Security subcommittee on cybersecurity, I’m committed to ensuring the Cybersecurity Act of 2015 is being implemented efficiently and effectively as Congress intended,” Rep. John Ratcliffe said in a statement. “While we all know this law is no silver bullet that can singlehandedly address all our cybersecurity challenges, this hearing will help us build on the efforts already in place and set the stage for the next phase of cybersecurity legislation we’ll need as the cyber landscape continues to evolve.”

THE HIDDEN COSTS OF AN ATTACK — The true impact of a cyberattack is vastly underrated because of lesser-noticed, long-term damage done by things like increased insurance premiums or lost contract revenue, according to a new paper out today from Deloitte. Emily Mossburg, principal in Deloitte's Advisory Cyber Risk Services and leader of its Resilient practice, said that what surprised her about the study is how much of the damage is either hidden or unseen (the vast majority of it) and how far into the future that damage can stretch (five years or more). Using hypotheticals with fictitious companies, but based on real-life information, one U.S. health insurer that suffered a data breach spent $21 million over three years to improve customer protection, but lost out on $830 million in contract value over five years.

COST OF DOING BUSINESS? — The average cost of a data breach is now $4 million, a nearly 30 percent increase over the past three years, according to a new analysis by IBM Security and the Ponemon Institute out today. That comes out to approximately $158 for every record that is lost or stolen. Broken down by industry, health care is the most expensive sector to be breached in for the second year in a row, with a price tag of $355 per record, almost double the average. Education comes in second, at just over $246, and while the hospitality industry has been in the spotlight lately, the cost per record there only comes out to $139, putting it at No. 11 out of the top 16 sectors worldwide. The public sector came in last, with $80 for every compromised record.

STATE AND LOCAL HOOKUP — A New York lawmaker wants to encourage the Department of Homeland Security to more quickly share cyber threat information with local governments and the private sector. A bill introduced this week by Rep. Daniel Donovan would amend the Homeland Security Act of 2002 to add "cybersecurity risk information" to a broader set of information that DHS processes from and sends to state and local governments and so-called fusion centers. The bill would also instruct DHS's National Cybersecurity and Communications Integration Center to share its analyses of cyber threats with fusion centers, and it would add cybersecurity enhancement to the list of approved uses of DHS grant money. Donovan added similar language to legislation last week during a House Homeland Security Committee markup.

CORNYN PUSHES INFO COLLECTION AMENDMENT AFTER ORLANDO — In the wake of the shooting in Orlando over the weekend, Senate Majority Whip John Cornyn took to the Senate floor Tuesday to argue in favor of his email privacy bill amendment that would increase the information available to the FBI through national security letters. He urged lawmakers to “get serious about giving the FBI the tools they need and also to fight and crush ISIS and its dangerous ideology where it resides,” and said his amendment “would help FBI agents get access to critical information faster to prevent terrorist attacks.”

Cornyn told our friends at Morning Tech that he would be willing to drop that amendment — which has stalled the bill in the Judiciary Committee — only if the measure gets signed into law as part of another bill, such as the intelligence authorization bill. He said ECPA reform sponsors Sens. Patrick Leahy and Mike Lee have a position that is “not sustainable” in regards to his amendment. “We all support a warrant for content standard, but we’re not going to have that unless we enter into some conversation about how to deal with my amendment.”

RECENTLY ON PRO CYBERSECURITY — Reps. Peter DeFazio and Randy Forbes are preparing to ask the Obama administration to investigate Chinese investment in U.S. railcar manufacturing, citing the vulnerability of remote monitoring systems and China’s record in cyberspace. … Sens. Steve Daines and Mark Warner asked the leaders of the House and Senate Armed Services panels to include language elevating U.S. CYBERCOM into a full combatant command in the final fiscal 2017 defense authorization bill. … Warner, with Sen. Cory Gardner, also announced the launch of the Senate Cybersecurity Caucus. … Leaders of the House Oversight Committee demanded an overdue Census Bureau data security report from the Commerce Department. … The Justice Department indicted a Chinese citizen for allegedly stealing source code from his former employer.

REPORT WATCH

— Booz Allen Hamilton is out today with a briefing that compiles data on the growing threat to critical infrastructure, from the volume of attacks to the increased use of spearphishing to initiate them.

QUICK BYTES

— Distil Networks notes that the 2016 Online Trust Audit found 97 percent of the websites evaluated can’t combat advanced bots, and government websites are especially bad at it.

— DHS’s representative at the U.S.-China cybercrime talks likes how they’ve gone. Reuters .

— Apple is updating file encryption. The Hill .

— Cyber will be a big challenge for the next administration, Rep. Blake Farenthold says. Nextgov .

— Tens of millions more user passwords out the window, this time across a range of sites. Motherboard .

— Some 100,000 Air Force investigative records have been lost, due to database corruption. Ars Technica .

— Was that Jordanian news item about Saudi royalty funding portions of Clinton’s campaign a hack? Gawker .

— The State Department has thousands of “zombie accounts” that could render the agency vulnerable to hackers. Nextgov .

— Cyber is now officially one of the NATO war domains, joining air, land, sea and space. ABC .

— “Regulators to Tighten Cyberdefenses as Attacks in Asia Increase.” The Wall Street Journal .

That’s all for today. You could really go down a hole watching these T. Rex suit videos …

Stay in touch with the whole team: Cory Bennett ( [email protected] , @Cory_Bennett ); Bryan Bender ( [email protected] , @BryanDBender ); Eric Geller ( [email protected] , @ericgeller ); Martin Matishak ( [email protected] , @martinmatishak ) and Tim Starks ( [email protected] , @timstarks).

Follow us on Twitter Heidi Vogt @HeidiVogt



Eric Geller @ericgeller



Martin Matishak @martinmatishak



Tim Starks @timstarks