A newsletter briefing on cybersecurity news and policy.

with research by Aaron Schaffer

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! I’m light on chatter today, so chat amongst yourselves. I’ll give you a topic: The firewall is neither fire nor a wall. Discuss. 

Below: Russian hacking is continuing and widespread despite the Ukraine war, Microsoft says, and a major privacy bill is imperiled without support from a key senator. 

Sen. Angus King (I-Maine) wants U.S. Cyber Command to keep an eye on the security of U.S. elections. 

King, who was a co-chair of the U.S. Cyberspace Solarium Commission, is pushing a new plan for Cybercom to produce two unclassified reports connected with each biennial election, he told me.

The first will highlight foreign threats to the election beforehand and detail what Cybercom and the rest of the government is doing about them. The second will provide an overall assessment of election security after the election is concluded. 

King inserted a provision requiring those reports in the Senate’s version of an annual must-pass defense policy bill where there were no objections from Republicans or Democrats, he told me. That gives the measure a strong chance of becoming law when the House and Senate hash out their competing versions of the bill, known as the National Defense Authorization Act (NDAA), later this year. 

The bill language has not been made public and the Cybercom provision has not been previously reported. 

King’s measure marks the latest effort to ramp up transparency about election threats and security. 

It comes in the wake of increased alarm about foreign interference in elections and diminishing public faith in the integrity of the voting process — both of which were sparked by Russian interference in the 2016 contest and driven down further by false election fraud and hacking claims propagated by former president Donald Trump and his allies after the 2020 contest.  

“We want to be kept informed of what the threats are, how they're developing, what direction they're taking. We also want to be able to reassure people about the security of our elections,” King told me in an interview. 

An added advantage: The reports could trade on the popularity and perceived trustworthiness of the military to gain broader public acceptance about what’s true and untrue when it comes to election security. 

That could be especially useful in knocking back many of the phony election security concerns boosted by Trump and his allies.

“We're in an unprecedented place in terms of public confidence in elections, and that's due largely to the fact that the former president and many of his followers have just repeated and repeated and repeated assertions about election security in 2020 that just aren't true,” King told me. “Part of what we have to do is rebuild confidence. And one way to do that is to have trusted agencies like Cybercom … provide an independent assessment of these issues.”

Context: Public trust in the military has declined in recent years, but remains far higher than trust in elected officials, journalists and other groups that traditionally talk about election security, according to a recent Pew Research Center poll. 

The report will only be produced in an unclassified version and the goal will be to make it as transparent and accessible to the public as possible, King told me. 

If the report ends up too bland or vague to be useful, King said, he expects Congress to push back until Cybercom shares more. 

The Office of the Director of National Intelligence also produces a post-election security report as required by a Trump-era executive order — but it’s produced as a classified document that’s later converted into a declassified version and is not particularly accessible to a general audience. 

Cybercom has historically been closelipped about its work, but it has become more transparent in recent years — especially about efforts to punch back against interference in U.S. elections. 

In one major example, the command blocked internet access at a Kremlin-backed troll farm, the Internet Research Agency, in advance of the 2018 midterm elections. 

The Internet Research Agency had played a major role in spreading Kremlin disinformation in advance of the 2016 election. Kremlin hackers also probed election systems in multiple states and penetrated voter rolls in at least two states before that election, but there’s no evidence they changed any votes.  

The House version of the NDAA could also include a raft of cyber provisions, Rep. Jim Langevin (D-R.I.) told Aaron. Many of those are recommendations from the Cyberspace Solarium Commission, a congressionally led effort to boost cybersecurity that King co-chaired with Rep. Mike Gallagher (R-Wis.) and which Langevin served on. 

Russian hackers have targeted more than 120 organizations in 42 countries outside Ukraine since the war began, Microsoft said in a report. Nearly two-thirds of the attacks were aimed at countries in the NATO alliance, and attacks on U.S. targets represented 12 percent of the global total.

Context: The data shows that traditional hacking continues even in times of war, and despite no major reports of destructive Russian cyberattacks on U.S. organizations recently.

Details: The targets have spanned government agencies, which amounted to nearly half of the attacks, as well as think tanks, humanitarian groups and even critical infrastructure organizations, according to the company. 

“Since the start of the war, the Russian targeting we’ve identified has been successful 29 percent of the time,” Microsoft said. 

Microsoft is also shifting its focus to foreign disinformation. The company says it’s using more data and staff to analyze how Russia is spreading phony stories, Joseph Menn reports. 

A new Russian Propaganda Index found that the “proportion of propaganda seen by users in Ukraine tripled in the first weeks of the war and rose by 86 percent in the United States,” Joseph writes. The index is designed to measure the online traffic going to “Russian state-controlled and -sponsored news outlets and amplifiers” as a proportion of all online news traffic,” the company said. 

Senate Commerce Committee Chair Maria Cantwell (D-Wash.) says she isn’t close to supporting the legislation, which would let users opt out of targeted ads and sue firms that improperly sell their data, Cristiano Lima reports. Cantwell’s committee controls the fate of the bill in the Senate, and her opposition deals a significant blow to its likelihood of becoming law.

Coming up: House lawmakers have scheduled a subcommittee markup, the first step for advancing the legislation, for today. 

The U.K. legislation would require platforms to quickly report illegal activity, such as child pornography, and enforce new rules around content that isn't illegal but is still deemed harmful, my colleague Cristiano Lima reported in March. But Meta says the bill could force companies to scan all private messages, and ultimately “risks people’s private messages being constantly surveilled and censored,” Bloomberg News’s Thomas Seal reports. 

A major concern is that the bill might force platforms like Facebook and WhatsApp, which encrypt messages so that only the sender and recipient can read them, to undermine encryption to scan messages, according to Meta.

U.K. policymakers have threatened to force messaging apps to scan messages — but only as a last resort. “Tech firms have failed to tackle child abuse and end-to-end encryption could blind them to it on their sites while hampering efforts to catch the perpetrators,” a spokesperson for the U.K. Department for Digital, Culture, Media and Sport told Bloomberg News. 

Dozens of organizations and people have submitted feedback on the legislation. Google’s U.K. subsidiary argued that the bill “could force services to rely excessively on automated tools to identify illegal content, and significant amounts of legitimate content will be removed as a result.”

Stateside: The U.S. Congress has mulled a bill in recent years that would force tech firms to do more to prevent sharing child pornography on their platforms and that critics fear would imperil end-to-end encryption. That bill, dubbed the EARN IT Act, passed the Senate Judiciary Committee but hasn't been taken up by the full House or Senate. 

Pegasus used by at least 5 EU countries, NSO Group tells lawmakers (Politico Europe)

Research questions potentially dangerous implications of Ukraine's IT Army (CyberScoop)

Hacked documents reveal Ecuador's failed effort to take in NSA whistleblower Edward Snowden (Daily Dot)

Intel reveals Putin plan to weasel his way into American hearts (The Daily Beast)

CISA advisory panel wants agency to act on election disinformation, multifactor authentication (CyberScoop)

Today’s second @washingtonpost TikTok features VidCON https://t.co/wWggLFKGsF pic.twitter.com/3LlE5yTZ3o

Thanks for reading. See you tomorrow.