Google security official on election threats, spearphishing

More from the DNC on its post-2016 cybersecurity boost — ABA updates breach guidance for lawyers

MC recently caught up with Mark Risher, director of product management at Google with an emphasis on security and privacy. A few highlights:

— Election security threats are broader than one country or one group of people, Risher said. “One of the headlines that shows up often is this focus on Russia and the Democrats in 2016. That oversimplifies,” he said, referring to Google’s recently reported alerts to Hill staffers and lawmakers that state-sponsored hackers targeted their Gmail accounts. While Risher’s team doesn’t put much effort into attribution, he said that “tactics, techniques and procedures tend to go viral once a group sees something working.”

— The Senate sergeant-at-arms should defend senators’ and staffers’ personal email accounts, he said, commending a proposal from Sen. Ron Wyden. Since people don’t segment their digital lives, and work and non-work communications blend together, someone’s personal email account is a worthy thing to protect, he said. And there’s precedent in the sergeant-at-arms’ ability to provide additional physical security, Risher said.

— Spearphishing-oriented attackers are getting deeper into “high-value customizing and tailoring the message, then being persistent about it,” he said. While undisclosed zero-day attacks get plenty of attention, the bigger problem is the sheer continual effort of constant spearphishing emails that only need to break through once, he said. What to do about it? Multi-factor authentication gets a bad rap from earlier attempts at adoption as being too time-consuming, but Google is finding that its latest offerings are catching on due to the minimal work required, Risher said.

HAPPY THURSDAY and welcome to Morning Cybersecurity! Trash pandas should be funny, not scary. Send me your thoughts, feedback and especially tips at, and be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

YOUR 2018 MIDTERMS HQ: The countdown is on. Policy professionals know the 2018 midterms represent more than keeping track of winners and losers. The outcome of high-stakes contests could dramatically alter the course of policymaking across the country. Go beyond election night with POLITICO Pro’s 2018 Midterms HQ. Read more.

POLITICO IS PARTNERING WITH THE MILKEN INSTITUTE to bring a special edition of the POLITICO Pulse newsletter to the Milken Institute Future of Health Summit. Written by Dan Diamond, the newsletter will take readers inside one of the most influential gatherings of global health industry leaders and innovators as they tackle today’s most pressing health challenges. The newsletter will run Oct. 23-24. Sign up today to begin receiving exclusive coverage on Day One of the summit.
ANYTHING WE SHOULD KNOW? — In an effort to reduce the threat of supply chain attacks, the Democratic National Committee is adding robust security clauses to its contracts with third-party vendors that require those vendors to report cyber incidents and allow the DNC to conduct penetration tests. The committee’s contractors “know that this is now part of the deal,” DNC CTO Raffi Krikorian said. “So they want to have a good relationship with us, which requires transparency on any security defenses and any potential security breaches.” Under Krikorian’s leadership, the DNC has also opened new lines of communication with its vendors; they now participate in group chats with DNC security staff on the encrypted messaging apps Signal and Wickr.

In the new story for Pros containing information that didn’t make it into Eric’s other DNC story, Krikorian also discussed:

— Modeling smart cybersecurity practices for other Democratic organizations: “We have a particular way of standardizing our email packages. And we’re absolutely willing to open-source almost anything we do [in] the security space in the hope that other people adopt it.”

— Plans to harmonize technology across multiple committees, which would save money and reduce the need to retrain party workers who move between the committees. With some organizations using Microsoft for email and some using Google, Krikorian said, “we now spend twice the amount of effort securing two different platforms.”

— His frustration that talks broke down with Republicans about putting hacked material off-limits on the campaign trail. That “dismayed” him, he said, “because I think our real goal here is to change the incentive of any potential hackers.” Pros can read more here.

FACEBOOK WHODUNNIT — “Facebook Inc. believes that the hackers who gained access to the private information of 30 million of its users were spammers looking to make money through deceptive advertising, according to people familiar with the company’s internal investigation,” The Wall Street Journal reported Wednesday. “The preliminary findings suggest that the hackers weren’t affiliated with a nation-state, the people said.” Read on.
FERC AGENDA TODAY — From our friends at Morning Energy: The sole rulemaking on today’s Federal Energy Regulatory Commission agenda revisits the agency’s effort to tighten cybersecurity standards around equipment and software used on the electric grid. Standards-writers at the North American Electric Reliability Corp. responded with a package of changes in September 2017, but a few months later regulators issued a proposed rule that called for more areas to be covered. The initial set of changes excluded a suite of system types, including Electronic Access Control and Monitoring Systems. FERC said that certain EACMS should be covered by the new standard and that risks to other excluded systems, Physical Access Controls and Protected Cyber Assets, should be studied. A final rule seems likely today.

WHITE SHOE, MEET BLACK HAT — Lawyers must notify their clients of data breaches that could have compromised their confidential information, the American Bar Association reiterated in newly released guidance for attorneys. The ABA’s “formal opinion” lists six of the group’s rules that relate to data security issues, including a lawyer’s obligation to “protect trust accounts, documents and property the lawyer is holding for clients or third parties,” per a press release. It covers issues relating to former clients and lawyers’ obligations in those situations, and it recommends that lawyers prepare incident response plans for cyber incidents. “The decision whether to adopt a plan, the content of any plan, and actions taken to train and prepare for implementation of the plan, should be made before a lawyer is swept up in an actual breach,” the opinion warns.

Law firms are juicy prizes for hackers because of the wealth of secret information they hold. More than one-fifth of law firms experienced a cyber incident in 2017, according to an ABA survey published in February. One of the most famous breaches surfaced in April 2016, when a coalition of journalists published documents stolen from the Panamanian firm Mossack Fonseca that shined a spotlight on the corruption of many of the firm’s clients. In July 2017, the ABA spotlighted a court case that revolved around a Chicago law firm’s use of vulnerable timekeeping software and a subsequent breach of its clients’ data.

TROVE OF TERRIBLE TWITTER TROLLS — These trolls failed, according to an Atlantic Council analysis of the trove of data Twitter released Wednesday. In the U.S., they didn’t move public debate or appear to change any behavior, the think tank said in an analysis of the more than 10 million tweets from suspected Russian and Iranian trolls. Most of the bogus social media posts were about divisive topics and Donald Trump. But even though those don’t appear to have moved the needle on specific issues, the Atlantic Council said the trolls’ activity still showed that the U.S. remains deeply vulnerable to online disinformation because online filter bubbles promote hyper-partisan content. The Tech team has more.

WHO TO TRUST? — The Center for Democracy and Technology and several VPN providers are launching an initiative to better define what a trustworthy VPN should look like. The initiative, “Signals of Trustworthy VPNs,” lists a series of questions that a VPN provider should be able to answer, such as specifics about its data collection practices, security protocols and history of participation with law enforcement.

CYBER RED CROSS, ANYONE? — It might be time for a cyber version of the International Red Cross, a pair of academics proposed at Lawfare on Wednesday. “A cyber-ICRC would focus on providing assistance to victims of major cyberattacks or incidents wherever needed around the world as well as helping affected citizens and enterprises recover from cyberattacks and their impacts,” wrote Herb Lin, a senior research scholar and fellow at Stanford University, and Elaine Korzak, a professor at the Middlebury Institute. But the pair left open certain questions, such as whether only companies would serve on the new body.

FDA CYBER GUIDANCE HITS — FDA’s recent barrage of cyber actions continued Wednesday with the introduction of a much-awaited draft guidance on medical device cybersecurity.

The guidance, which updates a previous crack at the subject in 2014, gives more detail about how manufacturers should be treating cybersecurity as they develop, review and deploy devices. The agency divides the device world in two: devices that connect to computers or networks, which are probably more risky from a cybersecurity perspective; and devices that don’t.

The former group has to step its game up with elevated defenses and communicate those defenses to regulators and customers, in part through a “Cybersecurity Bill of Materials” that includes information like what type of operating system a device runs. The agency also advises developers to make sure only authorized users can access the most sensitive information and functions of a device.

Reactions to the guidance were mostly positive. Zach Rothstein, the digital health lead of device trade group AdvaMed, told Morning eHealth that after a first pass through the guidance, he is pretty pleased. “We’re all really happy with how FDA has taken a leadership role around medical device cybersecurity,” he said, before praising the agency’s collaboration with manufacturers, researchers, “ethical hackers” and others.

Rothstein was particularly pleased about the bill of materials section, which he said was welcome after the WannaCry ransomware epidemic. During that attack, he noted, hospital executives would want to know — for example — whether their devices ran Windows XP (as the malware specifically attacked devices running that operating system). At that time, the task was laborious; with the bill of materials implemented, executives should find the task of figuring out which of their devices ran such an operating system fairly manageable. (The tricky part, he allowed, was keeping the bill of materials information within a tight circle — one wouldn’t want the bad guys getting that data.)

Mari Savickis, the vice president of federal affairs for CHIME, a trade group repping CIOs, was also pleased, praising the FDA’s statement that the inclusion of a cyber plan would make the agency predisposed to approving or clearing a device. “We are very grateful that the FDA is focusing on cybersecurity more and that they have labeled these threats risks to patient safety,” she said.