By signing up, you acknowledge and agree to our Privacy Policy and Terms of Service. You may unsubscribe at any time by following the directions at the bottom of the email or by contacting us here. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

A look at the two parties’ cyber platforms

With help from Martin Matishak

Editor’s Note: Weekly Cybersecurity is a weekly version of POLITICO Pro’s daily Cybersecurity policy newsletter, Morning Cybersecurity. POLITICO Pro is a policy intelligence platform that combines the news you need with tools you can use to take action on the day’s biggest stories.Act on the news with POLITICO Pro.

Quick Fix

— Election security and consumers’ digital rights are two of the starkest divides between the latest Democratic and Republican party platforms.

— A public-private supply chain task force will release a suite of recommendations next week to help organizations better manage their digital risks.

— A Trump administration official repeated the assertion that Iran was trying to hurt President Donald Trump with emails that demanded that people vote for him, but did not provide evidence.

HAPPY MONDAY and welcome to Morning Cybersecurity! You had one job, NASA probe. As always, send your thoughts, feedback and especially tips to [email protected], and be sure to follow@POLITICOPro and@MorningCybersec. Full team info below.

Campaigns

MAJOR CONTRASTS IN PARTIES’ CYBER STANCES — Trump and Vice President Joe Biden have said very little about cybersecurity during the campaign, but the Democratic and Republican Party platforms offer a few hints about the parties’ priorities. With a week to go before Election Day, the National Security Archive released a report on Monday comparing the discussions of cybersecurity in the 2020 Democratic platform and the current Republican platform. (Republicans affirmed their 2016 platform at their 2020 convention by opting not to replace its text.)

Democrats want to enact strong consumer privacy and security standards, an increasingly important issue as more people entrust more of their data to tech companies. In their platform, Democrats promise to update the Obama administration’s Consumer Privacy Bill of Rights proposal with “strong national standards to protect consumers, employees, patients, and students from data breaches.” As Cristin Monahan of the National Security Archive notes, that proposal “was roundly criticized from privacy advocates and technology companies alike,” with the former calling a toothless product of an industry-captured Commerce Department and the latter warning that it would hurt innovation.

Republicans focused their privacy and security attention on discussing the harms of encryption. Their platform touts “the government’s legitimate need to access encrypted information” and the way encryption can protect bad actors. Senate Republicans recently introduced a bill to outlaw end-to-end encryption, which immediately drew scorn from technologists who have been fighting such efforts for decades. Evidence suggests that encryption is less of a hurdle to law enforcement than critics of the technology claim, and the current expert consensus is that it is impossible to design sufficiently secure warrant-compatible encryption.

Democrats also homed in on election security, marking a contrast with the Republicans. In their document, Democrats promised to “increase investments to help state and local governments upgrade election technology” and “increase oversight of private election vendors.” These priorities appear in House Democrats’ SAFE Act (H.R. 2722), but Monahan noted some experts’ suggestion that “the legislation does not provide enough specificity to truly engender election security.” Meanwhile, the Republicans’ platform does not address election security, despite being written at the height of Russia’s 2016 intervention.

MORE HELP KEEPING HACKERS OUT — Detailed recommendations for protecting supply chains from hackers are coming soon from a CISA-led task force. At a U.S. Chamber of Commerce event Friday, the group’s industry co-leads, Robert Mayer of USTelecom and John Miller of the Information Technology Industry Council, described four task force working group reports that will be published on Nov. 6.

Group one addressed how to report risks without lawsuits. Some organizations may want to report potentially risky suppliers but are afraid of being sued. The working group identified three potential areas of liability resulting from that kind of notification — anticompetitive behavior, false information, and breach of obligations of confidentiality — and created a framework that companies can follow to safely share such warnings, as well as an analysis of ways for policymakers to reduce legal uncertainty.

Group two focused on helping organizations assess their suppliers’ riskiness. The team organized its existing list of almost 200 types of threats into categories that make them easier to understand. It also updated its list of threat scenarios with “concrete, practical examples that can be used to inform procurement actions,” Miller said.

Group three worked on trusted-entities lists. It further developed its guidance for creating “qualified bidder lists” and “qualified manufacturer lists” — essentially lists of companies that are considered trustworthy enough to become suppliers. The working group studied how the Pentagon, GSA and other agencies were implementing these lists, which helped its members understand when and how they could be useful. From there, the working group began “developing evaluation criteria” that organizations can use to make their own lists, Mayer said.

Group four looked at vendor security audits. It combined the other groups’ insights into a template that companies can use to examine vendors’ supply chain security practices. Mayer said that the group “produced a flexible and agile template to answer key questions … and analyze comparative risk among all types and sizes of organizations.”

As POLITICO first reported, CISA and its industry partners have agreed to reauthorize the supply chain task force for six more months beginning in January, enabling the working groups to complete their current activities while policymakers assess how to move forward.

Election Security

STANDING BY THEIR STORY — Robert O’Brien, Trump’s national security adviser, reassured Americans on Sunday that their votes are safe from hackers, but he also repeated an unverified claim about the goal of the Iranian agents who allegedly sent intimidating emails to Democratic voters. The messages threatened the recipients with harm if they didn’t vote for Trump, but on CBS’ “Face the Nation,” O’Brien described the emails as “an Iranian effort to hurt the president.” Director of National Intelligence John Ratcliffe first made that claim while revealing the alleged Iranian campaign, earning immediate scorn from Democratic lawmakers who pointed out that the message warned people to support Trump, not oppose him.

Trump has repeatedly dismissed claims of Russian election interference as a hoax and infuriated the national security community with flattering comments about Russian President Vladimir Putin, but O’Brien maintained that the Trump administration would not tolerate Putin or any other world leader disrupting the ongoing contest. There will be “severe consequences to anyone who attempts to interfere with our elections on Election Day,” O’Brien said on CBS, declining to elaborate on what that meant.

LOCAL GOVERNMENTS IN THE CROSSHAIRS — In case you missed on Friday: Hackers have hit several local governments in Louisiana with malware in recent weeks, reigniting fears about election system breaches in the leadup to Election Day. The malware found on Louisiana computer systems has been linked to the North Korean regime in the past, but it has also appeared on a public code repository, making attribution harder. The Louisiana National Guard stepped in to help end the outbreak, and there is no sign of any impact to election systems, but the incident is part of a recent trend that has worried U.S. officials. As cyber criminals increasingly turn their attention to local governments, officials are trying to determine whether the hackers are working with foreign adversaries seeking to undermine U.S. stability.

GET MOVING ON THIS — “Longstanding cybersecurity weaknesses” are one of the biggest management challenges facing the Transportation Department, auditors said in a report publicized on Friday. “Addressing internal control weaknesses will be key to protect information and systems from attacks and other compromises that may pose risks to safety or taxpayer dollars, including DOT’s large infusion of CARES Act funding,” the department’s inspector general said. The report recommended that DOT officials implement security reviews for their cloud services, improve annual security trainings and develop better contingency plans. According to the IG, DOT has yet to implement 51 cybersecurity recommendations from its most recent Federal Information Security Management Act audit.

POKING THE BEAR — In another signal to Moscow ahead of Election Day, the Treasury Department on Friday announced sanctions on a Russian government lab for helping to create Triton, the first malware strain designed to attack the safety components of industrial control systems. “The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies,” Treasury Secretary Steven Mnuchin said in a statement about the action against the Central Scientific Research Institute of Chemistry and Mechanics in Moscow. “This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.”

Triton was used in an attack that targeted safety instrumentation systems at a petrochemical plant in Saudi Arabia in 2017. The employment of Triton malware “against our partners is particularly troubling given the Russian government’s involvement in malicious and dangerous cyber-enabled activities,” Treasury said.

The sanctions came the day after the Treasury announced sanctions against five Iranian organizations, including the elite Islamic Revolutionary Guard Corps, for allegedly attempting to influence the 2020 U.S. election. The punitive measure is the follow-up to last week’s disclosure by senior national security officials that Iran was behind a series of menacing emails to U.S. voters.

TWEET OF THE WEEKEND — Just when you thought ransomware couldn’t get more despicable.

Quick Bytes

— The Washington Post: Biden’s campaign is overstating the evidence of Russian involvement in the story of his son’s laptop.

— The New York Times looks at the hacker group that has been targeting state and local governments.

— CyberScoop: Foreign cyber threats aren’t just coming from the Big Four.

— Atlanta Journal-Constitution: Georgia disabled the password feature on its e-poll books.

— The Evening Sun: A ransomware attack has crippled computers in a New York county, and officials aren’t paying the ransom.

That’s all for today.

Stay in touch with the whole team: Eric Geller ([email protected],@ericgeller); Bob King ([email protected],@bkingdc); Martin Matishak ([email protected],@martinmatishak); and Heidi Vogt ([email protected],@heidivogt).

Follow us on Twitter

Heidi Vogt @HeidiVogt
Maggie Miller @magmill95
John Sakellariadis @johnnysaks130
Joseph Gedeon @JGedeon1

Eric Geller is a cybersecurity reporter at POLITICO, where he covers the federal government’s cyber defense activities.

His beat ranges from Cybersecurity and Infrastructure Security Agency’s network protection programs and the Commerce Department’s research and standards development work to the FBI’s hack investigations and the State Department’s digital diplomacy strategies. He also writes about the White House’s oversight of these activities and the ways in which the federal government partners with state and local governments and the private sector, from election security to supply chain risk management.

Eric began his journalism career in October 2014 at the Daily Dot, where he covered technology policy and served as an editor during the morning shift. His reporting there increasingly focused on cybersecurity, from the Office of Personnel Management hack to the high-profile encryption battle between Apple and the Justice Department after the San Bernardino, Calif., terrorist attack. At the height of the encryption debate, he interviewed then-FBI Director James Comey about the bureau’s position on the issue.

Eric’s first day at POLITICO was June 14, 2016, when news broke of a suspected Russian government hack of the Democratic National Committee. Since then, he has spearheaded POLITICO’s election security coverage and reported on a range of major incidents, including the SolarWinds cyber espionage campaign and the Colonial Pipeline ransomware attack.

Eric grew up just outside of Washington, D.C., and graduated from Kenyon College in Gambier, Ohio, in 2014 with a degree in political science. When he isn’t writing about cybersecurity, he’s either reading the latest Star Wars novel or tweeting bad puns.

A look at the two parties’ cyber platforms

Quick Fix

Campaigns

Election Security

Quick Bytes

Follow us on Twitter

Follow Us

Monday, 5/13/24

Monday, 5/6/24

Monday, 4/29/24

Monday, 4/22/24

Monday, 4/15/24

‘A Governor Who Doesn’t Seem to Have Much Interest in Governing Arkansas’

‘Political Malpractice’: The Debate Commission Chief Thinks Trump Blew It

America’s presidential debate boss thinks Biden upended tradition … and duped Trump

Trump attacks Biden and CNN over debates during Minnesota GOP event

Biden’s team had a few demands for a Trump debate. A major one: No crowd.