The Democratic presidential field for 2020 hasn’t talked much about cybersecurity, but one candidate wants to change that.
John Delaney, a former House member from Maryland, has proposed creating a new Cabinet-level cybersecurity department if he’s elected. And he wants other candidates to start talking more about an issue that roiled the 2016 presidential election when Russian hackers compromised Democratic databases in an effort to sink the candidacy of Hillary Clinton.
“I want the Democratic Party to talk more about the stuff that matters to most Americans, and I think things like digital privacy and cybersecurity matter to a lot of people,” Delaney told me. “People feel really vulnerable out there and their government doesn’t do anything to help them.”
The new cybersecurity department would be in charge of most of the civilian government’s cybersecurity efforts, including helping state and local governments secure their election systems and working with the private sector, Delaney told me. In other cases, it would be responsible for helping other agencies ensure their data and computer networks are secure.
“When you’re thinking about the main risks going forward, it’s hard to think this isn’t one of the top five risks and the fact that the president of the United States doesn’t have someone sitting around the Cabinet table whose sole purpose is to defend us against those threats is an indefensible position,” he said.
Delaney isn’t the only 2020 candidate who is making cybersecurity part of his pitch, but other Democrats in the race to challenge President Trump have focused more narrowly on securing elections after the Russian hacking operation and disinformation campaign spread on social media platforms like Facebook.
All of the 2016 Democrats have vowed not to use hacked materials in their campaigns — with some caveats. And Sens. Kamala Harris (Calif.) and Amy Klobuchar (Minn.) have both made their push for legislation to require paper ballots or backups a talking point at campaign events.
Delaney is polling in the low single digits in Iowa but hopes that proposing solutions to big problems can boost his standing with voters. His other major policy proposals include a national strategy for artificial intelligence and a Peace Corps-style initiative focused on combating climate change.
“I think what most Americans say is they want someone who’s focused on where the world is going and has real solutions, which is what I’m trying to do,” he said.
Delaney’s interest in cybersecurity was partly sparked by the 2015 Office of Personnel Management breach, which compromised the sensitive security clearance information of more than 20 million current and former federal government employees — a large portion of them from his Maryland congressional district.
His proposal for a cybersecurity department could help prevent the next OPM breach, he said — by making protecting government networks a higher priority and by placing someone in the Cabinet whose sole job is to ensure there is enough money and sufficient resources to guarantee that protection.
The idea of a cybersecurity department has been batted around for years and the leaders of the Senate Homeland Security Committee are mulling a similar idea this Congress. The idea also has plenty of critics, however, including Suzanne Spaulding, who formerly led the Homeland Security Department division that’s the government’s lead cybersecurity agency now.
Spaulding argued in a December paper with national security scholar Mieke Eoyang that creating a cybersecurity department would be an unnecessary and confusing bureaucratic shuffle that wouldn’t improve government’s cybersecurity posture and might even make it worse.
They pointed to some simpler changes they say have significantly improved government’s cybersecurity — such as a new law allowing DHS to mandate that other agencies adopt cybersecurity protections. The paper, which came out before Delaney’s proposal, was bluntly titled: “Bad Idea: Creating a U.S. Department of Cybersecurity.”
Delaney brushed off those concerns, however, saying people in government “don’t like change” and routinely “defend the status quo.”
“We can all agree this is a massive threat and it’s growing,” he said. “The government … and private sector would benefit immensely from a [Cabinet-level] agency focused on it.”
During a wide-ranging interview, Delaney expressed support for most Democratic positions on cybersecurity issues.
He’s deeply concerned about the possibility of Kremlin hackers interfering in 2020, he said, and favors tying federal grants to state and local election offices to requirements that they meet minimal cybersecurity standards and use paper ballots.
He also supports Trump administration efforts to limit the Chinese telecom Huawei’s role in building next-generation global 5G wireless networks out of concerns it could help Beijing spying efforts. And he considers Chinese state-sponsored theft of American companies’ intellectual property far more dangerous than the trade deficit that prompted the president’s push for heavy tariffs on Chinese goods.
Delaney also said he generally supports the Trump administration’s efforts to cow the nation’s digital adversaries by launching more offensive hacking operations — but worries about Trump’s hesitance to criticize Russia for its efforts to undermine the 2016 election.
“In general, they’ve discounted Russian interference in the election for all the obvious reasons and that has set a bad tone at the top for dealing with that threat,” he said.
PINGED, PATCHED, PWNED
PINGED: President Trump seemed to join the 2020 Democratic presidential candidates Monday in pledging not to use information that was hacked or provided by foreign adversaries to attack campaign rivals.
But the president also claimed that he never used hacked materials in 2016 — which is not true — seeming to undermine the pledge.
During the 2016 campaign, Trump repeatedly spoke on the trail about information hacked from the Democratic National Committee and the Clinton campaign and even urged Russia — which intelligence agencies say was behind the hacking operation — to search out more dirt on his Democratic opponent.
A reporter asked Trump about the Democratic pledge during a question-and-answer session with Hungarian Prime Minister Viktor Orbán and Trump replied: “Well, I never did use [it]. As you probably know, that’s what the Mueller report was all about. They said, ‘No collusion,’” the Associated Press’s Jill Colvin reported.
He then added: “And I would certainly agree to that. I don’t need it. All I need is the opponents that I’m looking at. I’m liking what I see.”
The Mueller report focused on whether Trump campaign officials knowingly cooperated with Russian hacking and disinformation operations and whether the president obstructed justice — not whether his campaign used hacked material.
Democratic candidates have all pledged not to use hacked material against opponents, but some have included caveats — such as if the information has been vetted and reported by the media.
PATCHED: Sen. Ron Wyden (D-Ore.) is pressing for more information from a voter registration software company whose systems may have been compromised by Russian hackers in 2016, freelance reporter Kim Zetter reported for Politico.
That company, VR Systems, has consistently maintained it was never hacked, but both a 2017 indictment and the redacted version of the Mueller report describe Russian hackers installing malware on the networks of a company that fits VR’s description, Zetter reported.
In a letter to the company, Wyden asks for evidence backing up VR’s claim that it wasn’t breached.
“The company told Politico that in 2017, after The Intercept published an NSA document that suggested it had been targeted by the Russian hackers, it engaged top security firm FireEye to conduct a forensic examination of its own systems and network,” Zetter reported.
“Based on analysis by FireEye, there was never an intrusion in our EVID servers or network,” Ben Martin, chief operating officer for VR Systems, told Politico. “We disagree with the Special Counsel report because top cyber security experts, along with the Department of Homeland Security, have tested our network multiple times since 2016 and they found no indication of a breach or installation of malware on our company network.”
The company “declined to provide a copy of that report or an executive summary of the findings to Politico,” Zetter reported.
PWNED: A hacking tool that was likely created by the Israeli spyware firm NSO Group compromised numerous WhatsApp users – without the users downloading any malware, the Associated Press’s Frank Bajak and Raphael Satter reported.
The Financial Times attributed the spyware to NSO Group and a WhatsApp official made a point of not refuting that attribution, Bajak and Satter reported.
“The malware was able to penetrate phones through missed calls alone via the app’s voice calling function, the spokesman said. An unknown number of people — an amount in the dozens at least would not be inaccurate — were infected with the malware, which the company discovered in early May,” Bajak and Satter reported.
WhatsApp put out a patch that fixes the issue soon after they discovered it.
Military attorneys prosecuting a Navy SEAL charged with killing an Islamic State prisoner in Iraq in 2017 “installed tracking software in emails sent to defense lawyers and a reporter in an attempt to discover who was leaking information to the news media,” the Associated Press’s Brian Melley reported, citing lawyers who said they received the corrupted messages.
“The defense attorneys said the intrusion may have violated constitutional protections against illegal searches, guarantees of lawyer-client privilege and freedom of the press, and may constitute prosecutorial misconduct,” Melley reported.
Defense attorneys for the SEAL, Andrew Gallagher, are asking a judge to force prosecutors to reveal who authorized the surveillance operation, Melley reported. Timothy Parlatore, one of the defense attorneys, told the AP: “I’ve seen some crazy stuff but for a case like this it’s complete insanity.”