DNC measures cybersecurity progress since 2016 breach

EVER AGAIN(?) — With the midterms now just four months away, DNC staffers are getting better at flagging phishing emails, to the point where 80 percent of DNC staffers don’t click the links right away.

“People have such PTSD about what happened in 2016 that there’s a real desire to improve [security] here,” DNC Chief Technology Officer Raffi Krikorian told CyberScoop. Krikorian, who joined the DNC in June 2017 after serving in senior tech roles at Twitter and Uber, distributed a short cybersecurity checklist that includes recommendations like regularly updating smartphone apps, encrypting laptop hard drives and using two-factor authentication. “If we can do the simple things right,” Krikorian said, “then it will have a disproportionally positive effect.” As one threat intelligence analyst pointed out, however, shoring up these basic vulnerabilities “may help against commodity threats but not targeted and persistent adversaries.”

Krikorian’s biggest challenge has been changing the security and technology culture at the DNC, he said on the latest episode of the progressive podcast The Great Battlefield. “Making the party secure and getting over the wounds of the hack of ’16 is a cultural issue,” he said. There is also a lot of “technical debt,” he said, meaning vulnerabilities and inadequacies that have carried over from previous cycles and compounded the problem. “There’s a lack of documentation, there’s a lack of process,” he added. But at the end of the day, “you can have the best technical defenses, but the weakest link could be your people. … So culture change is probably one of the biggest things that we need to execute on.”

Another problem for the DNC, according to Krikorian, is that other Democratic organizations rely too heavily on the national party’s tech team for help. “All other groups have effectively abdicated their responsibilities to think about technology to the [DNC] technology team,” he said on The Great Battlefield. “A lot of what we’ve been trying to do recently is trying to figure out how to push technical thinking back out to every [other] group.” Krikorian also said his team was “definitely underfunded” and that getting donors to pitch in for sorely needed but unsexy tech projects was “one of our biggest challenges.” Even so, he praised DNC Chairman Tom Perez for taking technology seriously: “We have, if not the largest, tied for the largest budget at the party right now. It’s a bigger budget than [has] ever [been] given before to [the] technology team. It’s just, we’ve also found ourselves mired in technical debt.”

HAPPY THURSDAY and welcome to Morning Cybersecurity! Hope you all had a fulfilling day of celebrating Murica. Send your thoughts, feedback and especially tips to tstarks@politico.com, and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

WE CAN WORK IT OUT — Cybercrime issues like information sharing and law enforcement cooperation may come up during President Donald Trump’s July 16 meeting with Russian President Vladimir Putin, according to a Russian diplomat. “Probably that will be discussed as a bilateral relations issue rather than hacking in general,” Ilya Rogachev, head of the Russian Foreign Ministry’s Department for New Challenges and Threats, told the Russian news agency TASS.

Cooperation between the U.S. and Russia on fighting cybercrime, never particularly robust, has essentially been nonexistent since the U.S. withdrew from a working group following Putin’s invasion of Crimea. Moscow regularly protects Russian cyber criminals indicted in American courts. After the two presidents’ last meeting, Trump said they had discussed creating “an impenetrable Cyber Security unit,” but he quickly backtracked on the idea after experts savaged and ridiculed the notion. As for the other top cyber issue, election meddling, the Russian foreign ministry still maintains that it’s all a fiction. U.S. officials “believe that we somehow interfered in the election through the unlawful use of information and communications technologies,” Rogachev noted, “although they cannot or do not want to explain what they mean.”

DHS SOLICITS CYBER FEEDBACK — DHS is kicking off its every-other-year assessment of cybersecurity vulnerabilities across the country, in a formal request publishing in the Federal Register today. The Nationwide Cyber Security Review dates back to a fiscal 2010 DHS spending bill, and is designed to help state, local, tribal and territorial governments manage their cybersecurity risks. Relying on anonymous, voluntary survey responses, “DHS delivers a bi-annual summary report to Congress that provides a broad picture of the current cybersecurity gaps & capabilities of SLTT governments across the nation,” according to the Federal Register notice. Beyond noting the survey time frame starting in October and ending tentatively in December, the Federal Register notice also seeks feedback within 60 days on the kind of information DHS ought to be collecting.

CHARMING KITTEN ON THE PROWL — An Iranian hacking group tried posing as the Israeli cybersecurity firm that detailed some of its operations, according to the company, ClearSky Security. The group, alternately and hilariously known by such names as Charming Kitten or Newsbeef, wanted to conduct spear phishing campaigns against people trying to read ClearSky reports about its hacking operations. “Charming Kitten built a phishing website impersonating our company,” ClearSky said this week. “They copied pages from our public website and changed one of them to include a ‘sign in’ option with multiple services.” ClearSky appeared to catch Charming Kitten in the act, as the website was never finished and ultimately taken down.

HELLO, IS SOMEONE THERE? — Think your phone is secretly recording you? You may be on to something. A group of Northeastern University computer scientists conducted research to find out whether popular apps were using the phone’s mic to record audio and send it to third parties looking to use that information for targeted ads. Contrary to the views of conspiracy theorists, researchers found no instances of phones surreptitiously recording conversations. But, they did find that some apps could record a phone screen and transmit that information to third parties.

“Of the 17,260 apps the researchers looked at, over 9,000 had permission to access the camera and microphone and thus the potential to overhear the phone’s owner talking about their need for cat litter or about how much they love a certain brand of gelato,” according to Gizmodo. But they didn’t detect any eavesdropping. “The strange practice they started to see was that screenshots and video recordings of what people were doing in apps were being sent to third party domains.” Some companies already boast about this ability. Appsee, a visual analytics platform, claims it can record a user’s every “tap, swipe and action.” Apps that can use Appsee’s screen recording services without being detected — which is a violation of the Google Play Store policy — are raising new concerns about mobile privacy and security. The researchers will present their findings at the Privacy Enhancing Technology Symposium Conference in Barcelona in August.

HUAWEI SEES ALLIES IN FCC DOCKET — From our friends at Morning Tech: The second wave of comments in response to the FCC’s proposal to bar telecom subsidy money from being used to buy equipment or service from companies deemed a threat to national security (read: China’s Huawei and ZTE, Russia’s Kaspersky Labs) arrived earlier this week. And Huawei is telling commissioners to count all the opposition. “Most commenters agree that the FCC’s authority over the Universal Service Fund does not encompass national-security concerns,” the Chinese telecom giant, the only potentially barred company to file in the docket, wrote in 118 pages of comments posted Tuesday. “The comments show that a wide range of alternatives is available to the Commission.” It cited a dozen other commenters opposing the proposal, many of which represent small telecom companies that rely on Huawei’s offerings, and warned the plan could “particularly harm Americans in remote and low-income Areas.”

The Telecom Industry Association, which backs the FCC proposal, countered that U.S. expert agencies have already concluded Huawei is a threat. The trade group, which represents equipment manufacturers, told the commission it sympathizes with those U.S. telecom companies that may be affected but also judged the impact relatively small: “Huawei and ZTE’s combined share of the U.S. wireless infrastructure market appears to … be approximately one half of one percent or less.”

FIRST TIME FOR EVERYTHING — Now there’s proof of police requesting — and apparently successfully using — the iPhone-cracking tool known as GrayKey to unlock devices, Forbes reported. Court documents show that the Special Narcotics Prosecutor for New York employed GrayKey to unlock a pair of iPhones belonging to a suspect accused of selling crack to an undercover officer. The case adds yet another wrinkle to the ongoing encryption debate between the tech community and law enforcement.

RECENTLY ON PRO CYBERSECURITY — The Senate Intelligence Committee found that Russia’s efforts to interfere in the 2016 election went beyond even what U.S. spy agencies revealed. … Election Assistance Commission commissioners, other agency leaders and voting machine makers will testify at the Senate Rules Committee’s election security hearing next week. … A former House Democratic IT staffer who Trump slammed pleaded guilty to fraud, but the Justice Department found no foreign intelligence connection as Republican conspiracy theorists alleged. … Trump tweeted that the NSA’s improper collection of phone record data was a “disgrace,” but tied it to special counsel Robert Mueller’s Russia investigation in a way that went unexplained.

This article originally appeared on Politico.com