U.S. officials warn Congress on 2018 election hacking threats

U.S. Secretary of Homeland Security Kirstjen Nielsen speaks to reporters after she, FBI Director Christopher Wray and Director of National Intelligence Daniel Coats briefed members of the U.S. House of Representatives on election security at the U.S. Capitol in Washington, U.S., May 22, 2018. REUTERS/Leah Millis

By David Shepardson

WASHINGTON (Reuters) – Senior Trump administration officials warned Congress on Tuesday of ongoing efforts by Russia to interfere in the 2018 midterm congressional elections as the federal government prepares to hand out $380 million in election security funding to states.

At a briefing attended by about 40 or 50 members of the 435-member U.S. House of Representatives, the heads of FBI, Homeland Security Department and the director of National Intelligence said states and cities overseeing elections need to be prepared for threats.

DHS Secretary Kirstjen Nielsen told reporters she agreed Russia was trying to influence the 2018 elections.

“We see them continuing to conduct foreign influence campaigns,” Nielsen said, but added there is no evidence of Russia targeting specific races.

Nielsen said DHS is watching other countries that have the capability to influence U.S. elections, including China and Iran. “We need to be prepared,” she said.

Chris Krebs, a senior DHS cyber security official, told Reuters that the administration was sending states guidance on how to spend the $380 million approved by Congress in March to help safeguard U.S. voting systems from cyber attacks. The funds are expected to be distributed later this week.

DHS is assisting 48 states with election security. It handed out a chart at the briefing to members that said states need to have auditable systems, spend time on planning, training and drills and they should “consider investing in full system architecture reviews.”

Representative Michael McCaul, who chairs the House Homeland Security Committee, said after the briefing that members are concerned that “not only Russia but possibly other foreign adversaries are now going to start looking at how they can meddle in the midterm elections and we need to be prepared. We were caught off guard last time.”

U.S. intelligence agencies have concluded that Russian leadership at a very high level was involved in the attempt to interfere in the U.S. election in order to boost President Donald Trump’s candidacy.

Russia has denied interfering in U.S. elections.

Several Democrats after the briefing expressed concern that the federal government was not doing enough to safeguard elections.

“It is clear that our government must do more and whatever possible to secure our elections from foreign interference. The integrity of our democracy is at stake,” said Representative Bennie Thompson, the top Democrat on the Homeland Security Committee.

UNPRECEDENTED, COORDINATED

A May 8 U.S. Senate report said that in 2016 “cyber actors affiliated with the Russian Government conducted an unprecedented, coordinated cyber campaign against state election infrastructure.” Russian actors “scanned databases for vulnerabilities, attempted intrusions, and in a small number of cases successfully penetrated a voter registration database.”

The report said in a small number of states, “these cyber actors were in a position to, at a minimum, alter or delete voter registration data.”

Krebs said on Tuesday that DHS wanted states to “increase awareness” and have a “layered defense.”

If a voter’s information was missing, for example, they could request a provisional ballot. “If we do detect something, we can overcome it,” he said.

During the 2016 campaign, hackers stole emails from the personal account of Democratic candidate Hillary Clinton’s campaign chairman and from the Democratic National Committee, and they were used to embarrass Clinton.

Representative C.A. “Dutch” Ruppersberger, said members of Congress need to be aware of cyber risks. “We need to focus on it, make it a priority,” he said.

DHS said in March it is prioritizing election cyber security above all other critical infrastructure it protects.

The agency has said that 21 states had experienced initial probing of their systems from Russian hackers in 2016 and that a small number of networks were compromised, but that there remains no evidence any votes were actually altered.

Representative Adam Schiff, the top Democrat on the Intelligence Committee, told reporters the federal government should quickly alert states if they learn of election system hacking.

He also wants a “real-time communications channel” between the intelligence community and technology companies in order to assure that internet firms are notified if evidence emerges that Russia is creating fake Facebook Inc <FB.O> pages or taking other actions to influence the elections.

(Reporting by David Shepardson; additional reporting by Susan Cornwell; editing by Bill Berkrot)

Tech firms let Russia probe software widely used by U.S. government

A general view shows a building, which houses the office of HP Russia, in Moscow, Russia August 30, 2017.

By Dustin Volz, Joel Schectman and Jack Stubbs

WASHINGTON/MOSCOW (Reuters) – Major global technology providers SAP, Symantec and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government, a Reuters investigation has found.

The practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies, U.S. lawmakers and security experts said. It involves more companies and a broader swath of the government than previously reported.

In order to sell in the Russian market, the tech companies let a Russian defense agency scour the inner workings, or source code, of some of their products. Russian authorities say the reviews are necessary to detect flaws that could be exploited by hackers.

But those same products protect some of the most sensitive areas of the U.S government, including the Pentagon, NASA, the State Department, the FBI and the intelligence community, against hacking by sophisticated cyber adversaries like Russia.

Reuters revealed in October that Hewlett Packard Enterprise software known as ArcSight, used to help secure the Pentagon’s computers, had been reviewed by a Russian military contractor with close ties to Russia’s security services.

Now, a Reuters review of hundreds of U.S. federal procurement documents and Russian regulatory records shows that the potential risks to the U.S. government from Russian source code reviews are more widespread.

Beyond the Pentagon, ArcSight is used in at least seven other agencies, including the Office of the Director of National Intelligence and the State Department’s intelligence unit, the review showed. Additionally, products made by SAP, Symantec and McAfee and reviewed by Russian authorities are used in at least eight agencies. Some agencies use more than one of the four products.

McAfee, SAP, Symantec and Micro Focus, the British firm that now owns ArcSight, all said that any source code reviews were conducted under the software maker’s supervision in secure facilities where the code could not be removed or altered. The process does not compromise product security, they said. Amid growing concerns over the process, Symantec and McAfee no longer allow such reviews and Micro Focus moved to sharply restrict them late last year.

The Pentagon said in a previously unreported letter  to Democratic Senator Jeanne Shaheen that source code reviews by Russia and China “may aid such countries in discovering vulnerabilities in those products.”

Reuters has not found any instances where a source code review played a role in a cyberattack, and some security experts say hackers are more likely to find other ways to infiltrate network systems.

But the Pentagon is not alone in expressing concern. Private sector cyber experts, former U.S. security officials and some U.S. tech companies told Reuters that allowing Russia to review the source code may expose unknown vulnerabilities that could be used to undermine U.S. network defenses.

“Even letting people look at source code for a minute is incredibly dangerous,” said Steve Quane, executive vice president for network defense at Trend Micro, which sells TippingPoint security software to the U.S. military.

Worried about those risks to the U.S. government, Trend Micro has refused to allow the Russians to conduct a source code review of TippingPoint, Quane said.

Quane said top security researchers can quickly spot exploitable vulnerabilities just by examining source code.

“We know there are people who can do that, because we have people like that who work for us,” he said.

OPENING THE DOOR

Many of the Russian reviews have occurred since 2014, when U.S.-Russia relations plunged to new lows following Moscow’s annexation of Crimea. Western nations have accused Russia of sharply escalating its use of cyber attacks during that time, an allegation Moscow denies.

Some U.S. lawmakers worry source code reviews could be yet another entry point for Moscow to wage cyberattacks.

“I fear that access to our security infrastructure – whether it be overt or covert – by adversaries may have already opened the door to harmful security vulnerabilities,” Shaheen told Reuters.

In its Dec. 7 letter to Shaheen, the Pentagon said it was “exploring the feasibility” of requiring vendors to disclose when they have allowed foreign governments to access source code. Shaheen had questioned the Pentagon about the practice following the Reuters report on ArcSight, which also prompted Micro Focus to say it would restrict government source code reviews in the future. HPE said none of its current products have undergone Russian source code review.

Lamar Smith, the Republican chairman of the House Science, Space and Technology Committee, said legislation to better secure the federal cybersecurity supply chain was clearly needed.

Most U.S. government agencies declined to comment when asked whether they were aware technology installed within their networks had been inspected by Russian military contractors. Others said security was of paramount concern but that they could not comment on the use of specific software.

A Pentagon spokeswoman said it continually monitors the commercial technology it uses for security weaknesses.

NO PENCILS ALLOWED Tech companies wanting to access Russia’s large market are often required to seek certification for their products from Russian agencies, including the FSB security service and Russia’s Federal Service for Technical and Export Control (FSTEC), a defense agency tasked with countering cyber espionage.

FSTEC declined to comment and the FSB did not respond to requests for comment. The Kremlin referred all questions to the FSB and FSTEC.

FSTEC often requires companies to permit a Russian government contractor to test the software’s source code.

SAP HANA, a database system, underwent a source code review in order to obtain certification in 2016, according to Russian regulatory records. The software stores and analyzes information for the State Department, Internal Revenue Service, NASA and the Army.

An SAP spokeswoman said any source code reviews were conducted in a secure, company-supervised facility where recording devices or even pencils are “are strictly forbidden.”

“All governments and governmental organizations are treated the same with no exceptions,” the spokeswoman said.

While some companies have since stopped allowing Russia to review source code in their products, the same products often remain embedded in the U.S. government, which can take decades to upgrade technology.

Security concerns caused Symantec to halt all government source code reviews in 2016, the company’s chief executive told Reuters in October. But Symantec Endpoint Protection antivirus software, which was reviewed by Russia in 2012, remains in use by the Pentagon, the FBI, and the Social Security Administration, among other agencies, according to federal contracting records reviewed by Reuters.

In a statement, a Symantec spokeswoman said the newest version of Endpoint Protection, released in late 2016, never underwent a source code review and that the earlier version has received numerous updates since being tested by Russia. The California-based company said it had no reason to believe earlier reviews had compromised product security. Symantec continued to sell the older version through 2017 and will provide updates through 2019.

McAfee also announced last year that it would no longer allow government-mandated source code reviews.

The cyber firm’s Security Information and Event Management (SIEM) software was reviewed in 2015 by a Moscow-based government contractor, Echelon, on behalf of FSTEC, according to Russian regulatory documents. McAfee confirmed this.

The Treasury Department and Defense Security Service, a Pentagon agency tasked with guarding the military’s classified information, continue to rely on the product to protect their networks, contracting records show.

McAfee declined to comment, citing customer confidentiality agreements, but it has previously said the Russian reviews are conducted at company-owned premises in the United States.

‘YOU CAN’T TRUST ANYONE’

On its website, Echelon describes itself as an official laboratory of the FSB, FSTEC, and Russia’s defense ministry. Alexey Markov, the president of Echelon, which also inspected the source code for ArcSight, said U.S. companies often initially expressed concerns about the certification process.

“Did they have any? Absolutely!!” Markov wrote in an email.

“The less the person making the decision understands about programming, the more paranoia they have. However, in the process of clarifying the details of performing the certification procedure, the dangers and risks are smoothed out.”

Markov said his team always informs tech companies before handing over any discovered vulnerabilities to Russian authorities, allowing the firms to fix the detected flaw. The source code reviews of products “significantly improves their safety,” he said.

Chris Inglis, the former deputy director of the National Security Agency, the United States’ premier electronic spy agency, disagrees.

“When you’re sitting at the table with card sharks, you can’t trust anyone,” he said. “I wouldn’t show anybody the code.”

(Reporting by Dustin Volz and Joel Schectman in Washington and Jack Stubbs in Moscow.; Editing by Jonathan Weber and Ross Colvin)

U.S. intelligence study warns of growing conflict risk

US Soldier walks in front of tank in Iraq

By Jonathan Landay

WASHINGTON (Reuters) – The risk of conflicts between and within nations will increase over the next five years to levels not seen since the Cold War as global growth slows, the post-World War Two order erodes and anti-globalization fuels nationalism, said a U.S. intelligence report released on Monday.

“These trends will converge at an unprecedented pace to make governing and cooperation harder and to change the nature of power – fundamentally altering the global landscape,” said “Global Trends: Paradox of Progress,” the sixth in a series of quadrennial studies by the U.S. National Intelligence Council.

The findings, published less than two weeks before U.S. President-elect Donald Trump takes office on Jan. 20, outlined factors shaping a “dark and difficult near future,” including a more assertive Russia and China, regional conflicts, terrorism, rising income inequality, climate change and sluggish economic growth.

Global Trends reports deliberately avoid analyzing U.S. policies or choices, but the latest study underscored the complex difficulties Trump must address in order to fulfill his vows to improve relations with Russia, level the economic playing field with China, return jobs to the United States and defeat terrorism.

The National Intelligence Council comprises the senior U.S. regional and subject-matter intelligence analysts. It oversees the drafting of National Intelligence Estimates, which often synthesize work by all 17 intelligence agencies and are the most comprehensive analytic products of U.S intelligence.

The study, which included interviews with academic experts as well as financial and political leaders worldwide, examined political, social, economic and technological trends that the authors project will shape the world from the present to 2035, and their potential impact.

‘INWARD-LOOKING WEST’

It said the threat of terrorism would grow in coming decades as small groups and individuals harnessed “new technologies, ideas and relationships.”

Uncertainty about the United States, coupled with an “inward-looking West” and the weakening of international human rights and conflict prevention standards, will encourage China and Russia to challenge American influence, the study added.

Those challenges “will stay below the threshold of hot war but bring profound risks of miscalculation,” the study warned. “Overconfidence that material strength can manage escalation will increase the risks of interstate conflict to levels not seen since the Cold War.”

While “hot war” may be avoided, differences in values and interests among states and drives for regional dominance “are leading to a spheres of influence world,” it said,

The latest Global Trends, the subject of a Washington conference, added that the situation also offered opportunities to governments, societies, groups and individuals to make choices that could bring “more hopeful, secure futures.”

“As the paradox of progress implies, the same trends generating near-term risks also can create opportunities for better outcomes over the long term,” the study said.

THE HOME FRONT

The report also said that while globalization and technological advances had “enriched the richest” and raised billions from poverty, they had also “hollowed out” Western middle classes and ignited backlashes against globalization. Those trends have been compounded by the largest migrant flows in seven decades, which are stoking “nativist, anti-elite impulses.”

“Slow growth plus technology-induced disruptions in job markets will threaten poverty reduction and drive tensions within countries in the years to come, fueling the very nationalism that contributes to tension between counties,” it said.

The trends shaping the future include contractions in the working-age populations of wealthy countries and expansions in the same group in poorer nations, especially in Africa and South Asia, increasing economic, employment, urbanization and welfare pressures, the study said.

The world will also continue to experience weak near-term growth as governments, institutions and businesses struggle to overcome fallout from the Great Recession, the study said.

“Major economies will confront shrinking workforces and diminishing productivity gains while recovering from the 2008-09 financial crisis with high debt, weak demand, and doubts about globalization,” said the study.

“China will attempt to shift to a consumer-driven economy from its longstanding export and investment focus. Lower growth will threaten poverty reduction in developing counties.”

Governance will become more difficult as issues, including global climate change, environmental degradation and health threats demand collective action, the study added, while such cooperation becomes harder.

(Reporting by Jonathan Landay; Editing by John Walcott and Peter Cooney)