In a stunning turn of events, Israel fails to negotiate stronger encryption controls of a twice-hacked biometric database while simultaneously calling for more biometrics under government control. America has its own baffling encryption problems as the US acknowledges that there’s a safer DNS protocol—but won’t let government agencies use it. Meanwhile, hackers double-harm as constant attacks may also force political campaigns to take permanent cybersecurity costs into account. Will this shorten the legs of smaller candidates? Governments face troubles from within and without as they struggle to define how, if, and when they will use end-to-end encryption—and to what end.
The new campaign money pit: cybersecurity
It’s all fun and games until somebody loses an election.
An added expense
There’s the web presence. The staffers. The travel expenses. The ad spots. All part and parcel of a “to be expected” campaign strategy for US-anything. Stiff, but not unusual.
These days, candidates may have another significant expense to account for—cybersecurity.
Matt Rhoades, former advisor to Mitt Romney’s presidential campaign, shared what happened in the Romney campaign several years back: “We found out in the early fall of 2011, during the primary, that our campaign had been ...hacked by the Chinese.”
All of a sudden, the mood—and the funds—shifted. “Any dollar spent to upgrade our system, which we had to do, was a dollar we didn't spend contacting a voter in New Hampshire or Iowa or South Carolina. And that's the challenge that all these campaigns face.”
Problems of their own
Wickr CEO Joel Wallenstrom told Fox News that he used to skim campaigns for vulnerabilities, then offer to patch them—free of charge. He was refused.
“We were always kind of perplexed by that,” he shared.
It was only later that he found out campaigns were inundated with similar requests, many of them fraudulent. It became a game of “who can you trust,” an already wearisome one in politics.
With so many opportunists looking to cash in at election time, becoming cybersecurity savvy may no longer be an option of the tech-elite.
Should the government subsidize candidate cybersecurity?
This highlights an issue that will only grow in prevalence in the coming years. End-to-end encryption remains a critical defense tactic to thwart hackers. While not a detrimental blow to the Romney campaign, campaign hacking presents an unwieldy problem for small-time candidates who already struggle to rake up votes, cybersecurity costs excluded.
“If you don't provide these resources at cost or in some cases, some of these companies provided their services and their software for free, people just aren't going to do anything about it,” Rhoades went on.
And that’s the issue. Will escalating (and necessary) cybersecurity costs be an inhibitor to the everyman’s candidate, or will cyber safety be just another necessary expense on the campaign trail?
Biometric data pours out of Israeli database. Comptroller says ‘We need more biometric data’
It happened 14 years ago. And then it happened again.
Israel’s Transportation Ministry experienced a data breach revealing sensitive user data, and then in 2017 and 2018, two other incidents occurred which illegally went unreported by the Israeli National Biometric Database Authority.
An issue involving the national voting system also turned public as 6.5 million citizens had their private information leaked under the care of contracted company Elector.
Unfortunately, those incidents only set the stage for further disgrace. Last week, the Transportation Ministry again experienced a pilfering of user data—data that (still) wasn’t properly secured by adequate encryption.
Of the 4.5 million compromised Israeli citizens, 1 million of them were children. The data includes biometric data and facial images.
According to an article in the Jerusalem Post, “Comptroller Matanyahu Englman said that neither database had sufficient protections for privacy or from outside hackers and that those in charge did not even have comprehensive information with which to assess the protections.”
It gets weirder
There was a baffling lack of consistency in the response of the comptroller.
“Interestingly, [the] report did not look at the security of the state’s biometric database," reads the Jerusalem Post article. With the large amount of citizen data held (and routinely compromised), the oversight is inexplicable.
However, something else was highlighted in his report.
Comptroller Englman “criticized over 30 government agencies for failing to streamline their employees toward use of smart cards for access to their offices as opposed to old-fashioned and decentralized methods of access.”
In other words, while we’re at it, shouldn’t we really be putting more biometric data into more government databases? Maybe not.
“Consolidate [more] databases”
Despite the seemingly contradictory talk-track, “The ministry praised efforts by the comptroller to reduce threats to privacy and redundancies in the databases kept by the Transportation Ministry, the private sector and other authorities.”
The Transportation Ministry’s biometric database has been the subject of petitions to the High Court of Justice due to its lack of security measures.
Amidst it all, the ministry noted that “it is working with the Population, Immigration and Borders Authority to consolidate [more] databases into one location.”
With Israeli NSO groups being among the foremost technology experts in the world, Israel certainly doesn’t lack for talent. It remains a mystery that for the past decade and a half, not enough of that has been applied to citizen data protection.
Why U.S. government agencies may lag behind in encrypted DNS
In its April 21 memorandum, the DHS’s Cybersecurity & Infrastructure Security Agency (CISA) reminded CIOs of government agencies that the internal network EINSTEIN is still to be used when processing DNS queries. That excludes use of new, encrypted DNS methods.
The reason, so far, is unknown.
EINSTEIN has gone through a few iterations. The latest, Version 3 (Einstein 3 Accelerated or Einstein 3A), has some unique capabilities. It allows the Department of Homeland Security to block access to malicious locations by overriding public DNS records—and gives the DHS full visibility over all DNS queries made on the network.
The risk, for a quick refresher, is that DNS queries are sent in plaintext (they never have been encrypted), so they are vulnerable to snooping, which in turn leaves users vulnerable to being phished (DNS hijacking). Everyone from a traffic spy to your ISP and network provider can see your queries. For the time being, within government networks, this won’t change.
However, as stated in NakedSecurity, “EINSTEIN 3A does tunnel all traffic to and from devices that are physically or virtually connected to agency networks.” While federal agencies can use DoT or DoH as an upstream fallback, it can be argued that those protocols are still part of a cup game in which either an ISP (DNS) or a third party like Google (DoT, DoH) can see the DNS queries you send.
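To make the visibility question concrete, the added example below (not from the original article) encodes a DNS query in RFC 1035 wire format, recovers the queried name the way any passive monitor on the path can, and then wraps the same message in the RFC 8484 DoH GET form to show that the resolver terminating TLS still reads the identical question. The function names and the hostname `payroll.agency.example` are constructed for illustration.

```python
import base64
import struct

def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a standard DNS query (RFC 1035). qtype 1 = A record."""
    # Header: ID, flags (RD=1), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    if any(not 1 <= len(label) <= 63 for label in labels):
        raise ValueError("each label must be 1..63 bytes")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def observed_question(payload: bytes):
    """What an on-path observer reads from a UDP/53 payload: (name, qtype)."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        raise ValueError("not a DNS message with a question")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated name")
        length = payload[pos]
        pos += 1
        if length == 0:          # root label ends the name
            break
        # This sketch rejects compression pointers; queries do not need them.
        if length > 63 or pos + length > len(payload):
            raise ValueError("bad label")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return ".".join(labels), qtype

def doh_get_path(message: bytes) -> str:
    """RFC 8484 GET form: the same message, base64url without padding.
    On the wire this path travels inside TLS, hidden from the local network."""
    encoded = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return "/dns-query?dns=" + encoded

def resolver_view(path: str):
    """What the DoH resolver recovers once TLS has been terminated."""
    b64 = path.split("dns=", 1)[1]
    b64 += "=" * (-len(b64) % 4)  # restore stripped padding
    return observed_question(base64.urlsafe_b64decode(b64))

if __name__ == "__main__":
    q = build_query("payroll.agency.example")  # constructed sample name
    print("plaintext observer sees:", observed_question(q))
    print("DoH resolver sees:      ", resolver_view(doh_get_path(q)))
```

Encrypting the transport changes who can read the question, not whether someone can: the name is hidden from the local network and ISP but fully visible to whichever resolver ends the TLS session.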
Perhaps “EINSTEIN Version 4” will come out with fully encrypted capabilities. Until then, let’s hope the DHS is the only one monitoring federal DNS requests.