Axios Codebook

A master lock with ones and zeroes instead of the regular numbers.
June 05, 2018

Welcome to Codebook, the cybersecurity newsletter that is also not the CEO of Starbucks.

Tips? Just reply to the email.

1 big thing: Protecting elections is bringing competitors together

An illustration of DDoS protection, wherein an umprella blocks a flood of cursors.
Illustration: Sarah Grillo/Axios

Several private sector companies have independently begun offering free cybersecurity services to elections since the 2016 polls closed. Two firms, Cloudflare and Google-owned Jigsaw, offer free services that block efforts to overwhelm servers with traffic — but rather than butt heads for the prestige of being most altruistic, they are cooperating.

Why it matters: Competition in the tech industry is a natural law. That it's being sidelined in at least one corner of the business is a sign of just how seriously tech leaders are taking the threat to U.S. elections.

"We have a lot of interaction with Google," said Cloudflare head of policy Alissa Starzak. (Jigsaw is a technology incubator at Google devoted to tackling "global security challenges.") "We actually refer clients to each others' services when they'd be a better fit."

  • Starzak said Cloudflare might refer to Jigsaw because Jigsaw offers campaigns and other groups free protection against the traffic-overload attacks known as distributed denial of service (DDoS) and Cloudflare does not. Jigsaw might refer to Cloudflare because Cloudflare offers a fuller range of DDoS products to choose from (DDoS is Cloudflare's primary business).
  • "It's important to have multiple players working toward the same goal because it encourages innovation," said Jigsaw spokesman Dan Keyserling, via email.

Plenty of work to go around: Election security is run by states and localities, not by the federal government. The U.S. encompasses 8,000 districts and more than 100,000 poling locations. As such, there are a ton of systems that need protection.

  • We've already seen a DDoS attack knock an election website offline this year, before last month's Knox County mayoral primary. Admittedly, the bigger news coming out of those primaries was the Republican winner, 7 foot, 323 pound pro wrestler Kane (nee Glen Jacobs).
  • The move has been tried before. Cloudflare notes that elections websites that haven't been knocked offline have seen traffic spikes consistent with DDoS.
  • "If you are trying to disrupt confidence in voting, if a registration or a reporting web site goes down, people will get suspicious," said Doug Kramer, Cloudflare's general counsel.

2. Synack begins offering free election security tests

Synack announced Tuesday it would start accepting signups for a free election security testing service to help states bolster their ability to detect threats.

Why it matters: During the last election, 4 out of 5 states employed fewer than 15 full time cybersecurity staff for elections.

The details: Synack specializes in croudsourcing security tests using a pre-vetted set of hackers — a closed-enrollment variation of the bug bounty program approach.

  • Synack will cover the "bounty" parts of the bug bounty, cash rewards for enrolled hackers who find security flaws in local election systems. Depending on success, Synack may open a GoFundMe to keep the service free.
  • The testing will be available for public-facing voter registration systems.
  • Synack is one of the vendors behind the well-regarded Hack the Pentagon bug bounty program at the Defense Department.

The background: Anne-Marie Chun, who directs Synack's government services, suggested offering a free service to states in 2016 before the Democratic National Committee hack. Synack decided to pass that year due to concerns there wouldn't be enough interest.

There's enough interest: Synack has been coordinating their offering with a number of different states. So far all but one of the dozen states it contacted have expressed interest. "And that was only because that state didn't have modern enough systems for us to test," said Chun. "They literally drive the votes around in a car."

Private vs. public: Homeland Security offers some security help to states, who may or may not volunteer to take it. But free services like Synack cut dependence on an overworked DHS and allows states that distrust federal election support to seek security from the private sector.

3. Axios poll: Most worry electronic voting machines might be hacked

Data: Survey Monkey poll conducted May 23-26, 2018. Poll methodology; Chart: Andrew Witherspoon/Axios
Data: Survey Monkey poll conducted May 23-26, 2018. Poll methodology; Chart: Andrew Witherspoon/Axios

Two-thirds of Americans (67%) worry electronic voting machines might be "hacked or manipulated," according to a new Axios / SurveyMonkey poll. That's about a third more than the 48% who are concerned paper ballots might be manipulated.

Why it matters: Election security is often billed as a partisan issue, with some states taking considerably more action than other. But the poll shows bipartisan concern nationwide.

Be smart: Part of the risk in ignoring voting machine security is that, even when nothing happens, people will succumb to conspiracy theories. In 2016, a certain breed of Democrats chose to believe that the election results were illegitimate rather than believe their side lost. In the 2018 election, both sides are now primed to believe that's an option.

Be even smarter: Hacking an election machine is easy. Hacking an election is harder. And the bigger the election, the harder it is to hack. It's much easier to change votes on a single machine to sway the race for county coroner than entire states' worth of machines to sway a senate race.

4. Feds take down dark web markets, and they don't bounce back

The FBI felled two major dark web criminal markets last year during "Operation Bayonet." Typically, after these markets are shuttered, the clients and vendors move to new markets. That didn't happen this time, according to new research from Digital Shadows. In the whack-a-mole game, the mole stayed whacked.

The background: Operation Bayonet did something clever. It seized both the largest market in the world, AlphaBay, and an also-massive competitor named Hansa. But rather than close both at the same time, the FBI staggered its response.

  • First it replaced AlphaBay with a note saying the FBI had taken over the site.
  • Concerned customers and vendors moved to other sites, like Hansa.
  • Then the FBI closed Hansa, so it looked like there was nowhere to run, and any effort to reestablish the dark-web market would be wasted.

Self-sabotage: Another dark-web market, Olympus, tried to pick up the displaced clientele, but miscalculated when it promoted itself by hacking another site. "This was deemed to be against the criminal spirit," Digital Shadows analyst Michael Marriott told Axios, and the users stayed away.

Hackers move to forums: Hackers offering stolen information, malware and other services moved to hacker forums and Telegram channels to sell their wares.

Drugs harder to come by: While by no means gone from the internet, online illegal drug sales appear to have decentralized and decreased.

The bottom line: "What we’ve traditionally seen over the past 10 years was when one market went down, another market would bubble up. This time no market bubbled up," said Marriott.

5. What Microsoft's Github acquisition means in security-land

Much of the conversation around Microsoft's purchase of computer code repository GitHub revolves around the potential culture clash — a corporate giant buying the keys to a scrappy open source community. But there are some potential consequences in security worth taking a gander at, too.

Why it matters: GitHub is so big in the coding world that no nation with a software industry could ever block it. Some freedom fighters have weaponized that indispensability.

  • In 2015, the "Great Firewall of China" — the nationwide system China uses to censor the internet — was reconfigured to launch a cyber attack on GitHub. It's widely believed that the attack was a Chinese response to GitHub posting a Chinese translation of the New York Times and a mirror of the anti-Chinese-censorship site
  • GitHub also contains the code for components of several internet privacy applications that could not make it into countries like China without them.

Microsoft wouldn't comment on what happens to material hosted on GitHub if a government asked it to filter certain content from its country. Microsoft is more powerful than Github on the world stage, but an oppressive government also has a lot more levers it can pull to influence a corporation of Microsoft's size.

6. NSA security posters from the 1950s and 1960s

The public records site Government Attic received around 140 historical posters from a Freedom of Information Act request directed at the National Security Agency. Our favorites from this goofy slice of covert Americana are below.

Image: NSA via Government Attic
Image: NSA via Government Attic
Image: NSA via Government Attic

7. Experts don't buy the coal-cyber connection

A key reason the Trump administration has offered for bolstering coal in the U.S. energy portfolio is that keeping coal plants in service would safeguard the country from cyber attacks. Critical infrastructure security experts don't buy it.

What they're saying: "Claiming we should protect coal because of 'cyber' is like claiming we should wear body vests in case of snake bites...The cyber component to this debate though is a distraction," tweeted Robert M. Lee, founder of the critical infrastructure cybersecurity firm Dragos.

8. Odds and ends

Codebook will return Thursday.