In a stunning turn of events, Israel fails to negotiate stronger encryption controls of a twice-hacked biometric database while simultaneously calling for more biometrics under government control. America has its own baffling encryption problems as the US acknowledges that there’s a safer DNS protocol—but won’t let government agencies use it. Meanwhile, hackers double-harm as constant attacks may also force political campaigns to take permanent cybersecurity costs into account. Will this shorten the legs of smaller candidates? Governments face troubles from within and without as they struggle to define how, if, and when they will use end-to-end encryption—and to what end.
It’s all fun and games until somebody loses an election.
There’s the web presence. The staffers. The travel expenses. The ad spots. All part and parcel of a “to be expected” campaign strategy for US-anything. Stiff, but not unusual.
These days, candidates may have another significant expense to account for—cybersecurity.
Matt Rhoades, former advisor to Mitt Romney’s presidential campaign, shared what happened in the Romney campaign several years back; “We found out in the early fall of 2011, during the primary, that our campaign had been ...hacked by the Chinese.”
All of a sudden, the mood—and the funds—shifted. “Any dollar spent to upgrade our system, which we had to do, was a dollar we didn't spend contacting a voter in New Hampshire or Iowa or South Carolina. And that's the challenge that all these campaigns face.”
Wickr CEO Joel Wallenstrom told Fox News that he used to skim campaigns for vulnerabilities, then offer to patch them—free of charge. He was refused.
“We were always kind of perplexed by that,” he shared.
It was only later that he found out campaigns were inundated with similar requests, many of them fraudulent. It became a game of “who can you trust,” an already wearisome one in politics.
With so many opportunists looking to cash in at election time, becoming cybersecurity savvy may no longer be an option of the tech-elite.
This highlights an issue that will only grow in prevalence in the coming years. End-to-end encryption remains a critical defense tactic to thwart hackers. While not a detrimental blow to the Romney campaign, campaign hacking presents an unwieldy problem for small-time candidates who already struggle to rake up votes, cybersecurity costs excluded.
“If you don't provide these resources at cost or in some cases, some of these companies provided their services and their software for free, people just aren't going to do anything about it,” Rhoades went on.
And that’s the issue. Will escalating (and necessary) cybersecurity costs be an inhibitor to the everyman’s candidate, or will cyber safety be just another necessary expense on the campaign trail?
It happened 14 years ago. And then it happened again.
Israel’s Transportation Ministry experienced a data breach revealing sensitive user data, and then in 2017 and 2018, two other incidents occurred which illegally went unreported by the Israeli National Biometric Database Authority.
An issue involving the national voting system also turned public as 6.5 million citizens had their private information leaked under the care of contracted company Elector.
Unfortunately, those incidents only set the stage for further disgrace. Last week, the Transportation Ministry again experienced a pilfering of user data—data that (still) wasn’t properly secured by adequate encryption.
Of the 4.5 million compromised Israeli citizens, 1 million of them were children. The data includes biometric data and facial images.
According to an article in the Jerusalem Post, “Comptroller Matanyahu Englman said that neither database had sufficient protections for privacy or from outside hackers and that those in charge did not even have comprehensive information with which to assess the protections.”
There was a baffling lack of consistency in the response of the comptroller.
“Interestingly, [the] report did not look at the security of the state’s biometric database," reads the Jerusalem Post article. With the large amount of citizen data held (and routinely compromised), the oversight is inexplicable.
However, something else was highlighted in his report.
Comptroller Englman “criticized over 30 government agencies for failing to streamline their employees toward use of smart cards for access to their offices as opposed to old-fashioned and decentralized methods of access.”
In other words, while we’re at it, shouldn’t we really be putting more biometric data into more government databases? Maybe not.
Despite the seemingly contradictory talk-track, “The ministry praised efforts by the comptroller to reduce threats to privacy and redundancies in the databases kept by the Transportation Ministry, the private sector and other authorities.”
The Transportation Ministry’s biometric database has been the subject of petitions to the High Court of Justice due to its lack of security measures.
Amidst it all, the ministry noted that “it is working with the Population, Immigration and Borders Authority to consolidate [more] databases into one location.”
With Israeli NSO groups being among the foremost technology experts in the world, Israel certainly doesn’t lack for talent. It remains a mystery that for the past decade and a half, not enough of that has been applied to citizen data protection.
In their April 21 memorandum, the DHS’s Cybersecurity & Infrastructure Security Agency (CISA), reminded CIOs of government agencies that the internal network EINSTEIN is still to be used when processing DNS queries. That excludes use of new, encrypted DNS methods.
The reason, so far, is unknown.
EINSTEIN has gone through a few iterations. In this latest, Version 3 (Einstein 3 Accelerated or Einstein 3A) there are some unique capabilities. It allows the Department of Homeland Security to block access to malicious locations by overriding public DNS records—and gives the DHS full visibility over all DNS queries made on the network.
The risk, for a quick refresher, is that DNS queries are sent in plaintext (never have been encrypted), so it’s vulnerable to getting snooped on, which makes users vulnerable to getting phished (DNS hijacking). Everyone from a traffic spy to your ISP and network provider can see your queries. For the time being, within government networks, this won’t change.
However, as stated in NakedSecurity, “EINSTEIN 3A does tunnel all traffic to and from devices that are physically or virtually connected to agency networks.” While federal agencies can use DoT or DoH as an upstream fallback, it can be argued that those protocols are still party in a cup game in which either an ISP (DNS) or third party like Google (DoT, DoH) can see your DNS send.