500 million: that’s the number of Yahoo users whose account information was stolen by hackers. The company recently revealed that it had discovered the 2014 hack — said to be the largest to date of a single company’s network. This comes as reports of state-sponsored hackings are on the rise in the U.S., and concerns are growing over intrusions by countries like Russia into one of our own country’s most sacred systems: our elections. We’ll get the latest on risks to our personal data and to the integrity of U.S. voting.
- Damian Paletta National security and intelligence reporter, The Wall Street Journal
- Laura Galante Director of global intelligence, FireEye: a cyber security company
- Michael Greenberger Founder and director, University of Maryland Center for Health and Homeland Security; professor, University of Maryland Carey School of Law
- Pamela Smith President, Verified Voting: a non-profit group whose mission is to safeguard elections in the digital age
MS. DIANE REHM: And welcome back. Before we begin our conversation on security breaches happening here in this country, concerns about their effects on our national elections, I want to tell those of you who have been longtime listeners to the program, on May 5, 2007, then House Speaker Newt Gingrich was on this program. Midway through the program, he hung up. We had had no disagreement, there were no problems, he simply hung up.
MS. DIANE REHM: Well, I was certainly upset, listeners were furious. The other night, Friday, Saturday night at the Library of Congress Festival for the Book, I was signing books in one aisle, Newt Gingrich and his wife Callista were in the next aisle. As we finished signing books, the former speaker came over to my table with his wife, put out his hand and said, Diane, I want to apologize to you for something I did years ago. I simply did not understand the full range of the program, and therefore I hung up. I want you to know I apologize.
MS. DIANE REHM: So I wanted to convey that to our listeners because I know you were as unsettled as I was about that instance. I may be if not the only, certainly one of the first people in the country, to whom House Speaker Newt Gingrich has ever apologized, and I wanted to let you know.
MS. DIANE REHM: Now let's turn to security and what has happened. Damian Paletta, start us off with the Yahoo! breach. What happened?
MR. DAMIAN PALETTA: It's an amazing story. So last week we learned that -- Yahoo! revealed that 500 million of their accounts, of the accounts that you and I and people around the world use, their email accounts, had been hacked into, and information had been stolen, including the names, potentially dates of birth and passwords. They believe that this happened in 2014. They claim that the -- whoever hacked this information is no longer inside their system, but they also allege that it was a state-sponsored attack, suggesting that, they say, a foreign government was involved in stealing this information.
MR. DAMIAN PALETTA: They won't reveal who they believe did it, and they've also been kind of slow to notify people about what the impact might be to them, whether they need to go change all their passwords for their bank accounts, maybe you have the same password for your bank account as you do for your Yahoo! account. So the impact on everyone is really uncertain, it just -- the number is staggering. It's the largest cyberattack by, you know, quantity of anything that we've ever seen around the world.
REHM: So Laura, in addition to its size, what makes this so notable?
MS. LAURA GALANTE: I think this is the nail in the coffer for making cybersecurity breaches personal. Over the last two years, particularly in 2015, we saw all these different healthcare breaches, where people's healthcare information was getting hacked. Now we're seeing a totally different scow, right. With email you're now able to see the real facets of people's lives, see the interconnection, potentially, to other accounts that they have, and then the ability for blackmail is obviously huge, too, which we've seen.
REHM: And how come it took Yahoo! so long to find this out and then us to find out about it?
GALANTE: It's a good question. Now for breaches that we've investigated, we typically see that if the firm discovers their breach themselves, it takes them at least 56 days, so almost two months, before they even find it. Where they're notified by someone else on the outside, which is about half of the companies that we see, it can take them, you know, up to a year to try to find the breach. So no surprise that it took a long time to understand the scope of it, but it is surprising that we're hearing about it so late after the discovery.
REHM: So Michael Greenberger, who takes responsibility for these kinds of breaches? I mean, there have been others, certainly. Who takes responsibility?
MR. MICHAEL GREENBERGER: Within the companies?
GREENBERGER: Well that's a very interesting question because for many years, and we're just moving into a different phase of this, big companies like Yahoo! delegated all their worry about cybersecurity to information technology specialists. So the CEO, the CFO, the general counsel, really were not involved in it, and there's a very strong movement now that had gained a lot of success and understanding that this is not simply an information technology problem, that it's -- in the industry it's called the C-suite, the CEO, the COO, that they must have a big hand in supervising the companies' efforts to make itself secure.
GREENBERGER: One of the moving factors for that is there's an increasing development in the law that the failure to properly protect data could be deemed negligence or actionable.
REHM: On the part of the company itself.
REHM: And didn't that -- didn't one case involve Neiman Marcus?
GREENBERGER: Yes, well there actually was a second case like the Neiman Marcus case. Neiman Marcus was in the Seventh Circuit Court of Appeals, and the company tried to dismiss the lawsuit by their customers, saying that they hadn't actually shown harm, all they'd shown was their data was stolen, and they hadn't shown anybody had used it adversely. And the court said no, showing your data is stolen is enough harm to bring the case.
GREENBERGER: And the Sixth Circuit, which is based around Ohio and Michigan, has issued a similar ruling. Those rulings are a bit controversial because they run against the stream of some Supreme Court precedent, but if I had to bet, but I think they are showing the way that the future in the law is going to go.
REHM: So you've got big Fortune 500 companies who might be able to somehow protect themselves. What about small businesses?
GREENBERGER: Well that -- I mean, you have hit the nail on the head. I do a lot of work with commission and our own clientele at my center, and the overwhelming problem is the big companies have the resources to at least try and practice. Small businesses don't have the vaguest idea what's going on, and for that matter nonprofits as well are very much in the dark. They don't have the resources to get on top of this problem.
GREENBERGER: And all I can say about that is a lot of attention is being paid to that. I am on a Maryland cybercouncil where we are working to develop resources that small businesses and nonprofits can take advantage of to protect themselves, but it's a key problem, and if you can break into a small business, that can lead you to a big business that -- even though it's trying to protect itself.
REHM: Michael Greenberger is founder and director of the University of Maryland Center for Health and Homeland Security. Laura Galante is director of global intelligence for FireEye: a cyber security company. Damian Paletta, national security and intelligence reporter for The Wall Street Journal.
REHM: So we're worried about state-sponsored cyberattacks, but still this one caught many people off-guard, how come?
GREENBERGER: Well, I think it's a little bit surprising, actually, that it did. You would think a company like Yahoo! that has the personal information of hundreds of millions of people would -- this would be -- you know, they would have the iron fortress to prevent people from getting in.
GREENBERGER: And that they would have the best in the business. And so I think it's surprising in that respect. I mean, obviously there's been this evolution in cyberattacks. We've been hearing a lot more about the state-sponsored attacks, recently, right. We had China with the Office of Personnel Management last year, we've had the allegations that Russia, the Russian government, was involved in stealing information from the Democratic National Committee and then leaking it out, and here we have this big allegation of a state-sponsored attack into Yahoo!
GREENBERGER: We are at the point, though, we're just getting to be a convenient excuse for companies to say it was another government. How am I supposed to defend myself from Vladimir Putin? How am I supposed to defend myself when the Chinese military...
REHM: And how do we know if that's truly the case.
GREENBERGER: Exactly, that's the trick, especially when a company says it's state-sponsored. That's different than saying the government did it. You know, the government -- was the government somehow involved? It's really hard for the public to know, and also this case is different, there's a lot at stake. Yahoo! is trying to sell itself, to be acquired by Verizon. So if this ends up being their fault, there's huge financial implications, and the C-suite executives could be in big trouble.
REHM: All right, and now let's turn to questions about voting. Pamela Smith joins us. She's president of Verified Voting, that's a nonprofit group whose mission is to safeguard elections in the digital age. And certainly our voting systems are really, really worrisome. What is your overall assessment of what's happening there?
MS. PAMELA SMITH: Thanks so much. You know, one of your comments about big companies being able to protect themselves, and what about small, really resonated with me because we have elections that are run at the local level all around the country. And counties, especially small counties, often don't have the kinds of resources that larger counties have to safeguard themselves against security attacks, against cybersecurity issues.
MS. PAMELA SMITH: What we're hearing around the country is that there are a lot of concerns, and people are taking election security seriously. They're taking a lot of steps, there's much action, there's more collaboration and even interagency collaboration than in the past. Election jurisdictions vote -- the majority of voters will vote on a paper ballot this year, and there are still some voters who will vote on voting machines. Typically voting machines are not connected to the Internet, they're not meant to be connected to the Internet. Some jurisdictions have actual prohibitions about that.
MS. PAMELA SMITH: But there -- you know, some voting systems come with connectivity, so that needs to be turned off for elections.
REHM: I gather that one of the biggest practical concerns on the ground right now is in regard to recountable voting systems. Explain what they are and why there is so much concern about them.
SMITH: That's right. We look at this as -- from the perspective of the voter, the voter wants to be able to know, to be able to check, on a physical ballot or a hard copy, that their vote was captured the way they intended it. If you're marking a paper ballot, you can check as you go. If you're marking on a voting machine, you can look for a paper printout that is attached to the machine.
SMITH: And then election officials can use those records of voter intent to check the outcome, to do a recount or an audit, and that adds a measure of security that is really unparalleled in election. The challenge is we do -- most of the country, as I said, has moved in that direction, but we do still have some jurisdictions that are voting on paperless voting systems, where you don't have that means of going back and doing a sound recount. So that's a concern.
SMITH: The likelihood is that that software on those voting systems will be working fine, and I think election officials are doing a lot to protect physical security. But having -- the gold standard is to be able to go back and re-create the outcome in case anything went wrong, and that's true whether it's malfunction, you know, ballot programming error or some other problem, and it's also true in the case of malfeasance, where someone tried to tamper...
REHM: Pamela Smith is president of Verified Voting. That's a non-profit group. Their mission is to safeguard elections in the digital age. And you're listening to the Diane Rehm Show. Now it does seem to me that callers would like to join in. Give us a call at 800-433-8850. Send us your email to firstname.lastname@example.org. You can follow us on Facebook or Twitter. You, Laura, had -- there was a hack of systems in Illinois and Arizona just this year in the primary. So, you know, Arizona, Illinois, you think of them as having sophisticated and good, strong voting systems. What happened?
GALANTE: What we're -- what we're looking at is a kind of race by state and local officials to think through what are the digital equivalents of the security measures that you would put in place at your average voting station, right. And Illinois and the Arizona incidents just illustrate how quickly this has come to be an issue and how much it's worth investigating.
GALANTE: But I think the other dynamic here that we -- that we have to also be aware of is that we're seeing different actors describe information that they have, voter records that they're advertising and other sort of disinformation aspects to this that could wreak just as much havoc as actually getting into a specific voting section, voting machine.
GALANTE: So how do we think about the perception management issue that's at hand, as well, if we're going to protect the credibility of the system?
PALETTA: Sure, I think -- I know the thing that U.S. officials are most worried about is not that we're going to have election night returns that show Hillary Clinton won 99 percent of the vote, like an obviously hacked election. What they're concerned about is that there's going to be something weird that happens in Miami-Dade County or something weird that happens in Denver that's going to cast this whole shadow over the whole election, right.
PALETTA: If the computer systems go down in Miami-Dade, who's to say that something funny didn't happen in Cleveland, too, and that's going to lead to some sort of, like, democratic chaos where everyone's sort of questioning whether or not, you know, there's this grander conspiracy afoot. Meanwhile, all they had to do was really hack into one small county system.
REHM: You know, what surprises me, Michael, the Department of Homeland Security has gotten involved, and they have offered to support states who want help to sort of fortify their systems, and only nine states have said yes, we'll take your help.
GREENBERGER: Yes, that's correct, and what is going on is that obviously the voting responsibility is in the hands of the states. The federal government doesn't run the voting. And what you find is state for state, there's one philosophical view that they don't want a federal takeover of voting, and that's actually been offered by secretaries of state in various states or heads of boards of election.
GREENBERGER: But secondly there is sort of a pride in the job they do, and it's insulting for them, having done this for many years, that somehow all of a sudden they need outside help.
REHM: Isn't it more insulting to be hacked than to need help?
GREENBERGER: Well unfortunately, except for the Arizona and Illinois experience, we haven't had that. But bear in mind you can be hacked and never know you're hacked, and that is the real problem here.
REHM: Michael Greenberger, founder and director of the University of Maryland Center for Health and Homeland Security. We'll take a short break here. When we come back, it's time to open the phones, 800-433-8850.
REHM: And welcome back. As we talk about online security, the hacking into the Yahoo account and voting security, which so many people are worried about. Here's an email from Ken. He says, I'm a Yahoo member. I've tried contacting Yahoo and AT&T several times to get help in changing my Yahoo password. The automated process to change the password does not work properly and there's no live person for customer service with Yahoo and AT&T just hangs up on me.
REHM: Okay, he says, so we've been breached. How do we get help to change our password? Who's responsible? Help. Laura.
GALANTE: This is where we're looking for, you know, some level of notification at the federal level to help companies navigate this, right? We have very few companies who have a full plan of how would you even deal with a breach? From an investor relations side, from a PR side, from a help desk side, which this caller's obviously referring to. Very few companies have thought through their contingency plan for how they operate in a breach like this.
PALETTA: Yeah, and it's funny, you know, in the kind of 10 or 20 years ago, you would get these notifications from companies. There's -- we have to recall all the salsa that was made in, you know, Alabama. And so, everyone would have to like just throw their salsa away. You can't throw your email account away, right? I mean, so a lot of these people have had their Yahoo accounts probably, 10 or 15 years or longer. And the easiest thing would be just to start over and get a new email account, maybe with more security. But when you have this context going back for decades, it's really, really hard to do that.
REHM: All right, let's open the phones to Susan in Brunswick, Maine. You're on the air.
SUSAN: Oh, hi. I think this is a very interesting discussion and when I heard the news about the Yahoo breach as an issue in their merger with Verizon a week or so ago, I thought to myself, you know, this is ironic. Because I had a Yahoo account -- an email account many years ago, actually. And it was breached so many times, hacked again and again, and the only way you could get help was -- Yahoo was to actually finally cheat through their business services department. Because they don't make a customer service available for this sort of thing.
SUSAN: And I got help and I would change my password and update it and, and almost instantly, it would be hacked again. Finally, I walked away from that account and all of my contacts, business and personal, because there was no way to prevent the hacking from, from happening. And so, you know, I, I happen to know that I'm not the only one in this situation. Many of us went to other, you know, other accounts at Gmail or wherever because this has been a chronic problem at Yahoo.
SUSAN: And I think it's disingenuous for them to claim that oh, suddenly this has happened and there are so many compromised accounts in their system. And it must be some kind of organized whatever. I don't think that's true at all.
REHM: All right. And Laura, if Yahoo is compromised and Susan is moving to Gmail, what's to prevent Gmail from being hacked?
GALANTE: Well, what this really, what this really highlights is how incumbent the burden is on companies who are the safeguards of people's reputations and personal information to think through what are the right security measures in place? Right? So that's kind of step one that's pretty obvious, here. The other side is we need to get better collectively, too, at what we decide to click on and open and think about. If it looks suspicious, don't click it. We've said that for years, but there is an element of this where, you know, we're on the defense.
GALANTE: People are thinking of really interesting schemes. One of the ones that we've seen is download an app on your phone and use your Gmail credentials to get into it. Well, was the app legitimate? If the app's -- if the application's not legitimate on your phone, you've just given away your Gmail credentials.
REHM: Wow. And here's John in Grand Rapids, Michigan with a really important point. John, go right ahead.
JOHN: Yes, a significant problem that's concerned me greatly over the last 15 years that needs to be addressed is anytime a person wants to find a job today, they have to put, they have to fill out an online job application, put on your social security number, your birth date, all your personal information. And a lot of these companies, in fact, most of them are just small companies that have absolutely no resources and have no idea that they're putting job applicants at risk.
JOHN: And so, as a consequence, in my case, I won't even, you know, I won't even try to get a job. I can't. It's just too dangerous.
GREENBERGER: Well, and that's the concern that was just articulated. I think it's an absolutely correct concern. And people have to understand that, you know, the internet is not a closed, private relationship between you and whoever you're communicating with. Everything that goes on the internet can be discovered. And I think it's incumbent on people who are having these applications available to be sensitive to the fact -- if you lose your social security number, that's a tremendous loss of identity. And can have terrific harm to you, and if it's keeping people from applying for jobs, that's a very serious problem.
REHM: Our caller said he had asked potential employers for paper applications and they would not give him one. I want to get back to this question of voting and our concerns about this. If there is general anxiety about this, Damian, I mean, this sort of plays itself into the whole election process. And makes us doubt whether our vote is secure. And then boy, that is the basis of our democracy.
PALETTA: Absolutely. And this is exactly why, quite frankly, a number of US officials, current and former, think that this is a kind of a perfect Russian operation. Russians, the Russian leaders, especially Vladimir Putin, are sick and tired of getting lectured by the US about how we know how to run a democracy and their whole thing is a sham. And what they've done in other countries, in Eastern Europe and also in parts of Europe is to kind of sow doubt in their elections.
PALETTA: So if they can do things here to either reveal kind of the inner conversations of the Democratic National Committee to show that there's some kind of hanky panky going on or some sort of deals being cut to oust Bernie Sanders. Or if they can show that there's -- the Secretaries of State are in contact with the Clinton campaign. If they can do things to sow doubt in the American people that this is -- to show this is not a legitimate process, then they've achieved their operation.
PALETTA: And then they can kind of have whoever ends up winning the Presidency on their back foot when they're starting to deal with Russia in January.
REHM: And there's another question here, referring to the law. Michael Greenberger, an email from Lou. If a foreign power did hack the 2016 vote, would that constitute an act of war?
GREENBERGER: Well, that's a tricky question, and I think a very strong argument can be made that it would. But the problem we're experiencing is how are -- something very bad can happen and it will never be discovered. Just to give you an example, we talked about Yahoo getting, or the Yahoo leak raising issues about getting at voting records. And I told you the states are sort of very confident they don't need help. Well, one of the reasons is they argue, well, we've got 9,000 voting centers and it's all decentralized.
GREENBERGER: And it's very hard for somebody to get into the system. But what we're seeing is the use of absentee ballots being used to sway elections. Now, you can an absentee ballot and it's a paper ballot. But in some states, you can on email request the absentee ballot, and the absentee ballot can be sent to any email address that you choose. And then, you fill it out and you send it back as paper ballot and we've got a paper ballot, 70 percent, great audit trail, but it's not the real voter's ballot.
GREENBERGER: And stealing information is who's registered to vote but doesn't vote. Well, I'll have -- I'll request an absentee ballot for that person and in many states, you can get an absentee ballot on that information.
REHM: Do we have any information that gives us absolute numbers as to how often that may have been done?
GREENBERGER: Well, we know that someone in Florida was indicted for stealing 1500 absentee ballots. Now, when you think, remember, in 2000, Florida was decided by 500 votes.
REHM: I do remember.
GREENBERGER: So you don't need a massive attack to alter an election. You go to a battleground state. You go to a county, maybe even just to a voting booth, and you -- by the way, these absentee ballots are often sent in and they have to be transcribed on another ballot. And so the whole secret ballot system goes down the system.
GREENBERGER: And my -- finally, I would just say my experience was that is the election officials say, it's never happened. You're worrying too much.
REHM: All right. Let's go to Hillsdale, Michigan. Julie, I gather you've had some experience with hacking.
JULIE: I have. Thank you for taking my call.
JULIE: I'm one of the 5.2 million OPM employees last year that were notified that our entire FBI files with fingerprints were taken. And we are being monitored by some sort of international company. But my thing is, I left 20 years ago and my information was not online. And in my job, I had two credit bureaus done a year, all the years I worked with them. And my stuff is out there, they know the Chinese took it. It is called espionage. And the first 43 years of my life, everything is known by the Chinese now. Including they have my fingerprints. So, it's like I've been told to never go online. (laugh)
JULIE: Yep. They said because I can't be -- because a lot of the computers are now going to security with fingerprints. And once they figure out how to use fingerprints, they're probably going to go and nab every fingerprint in the world. That's my feeling, but I don't think we should be online with everything if nothing can be secured.
REHM: Exactly. And the question with each and every step forward this world makes scientifically, you know, is there a step back? Damian.
PALETTA: Well, driverless cars, right?
PALETTA: I mean, we're hearing so much about that now, and who's to say that the technology's not going to get out in front of the security there? And one of the issues with OPM and with Yahoo, I think, that's really concerning. Obviously, if any of us get an email from someone in Nigeria named John saying have I got a deal for you, we probably know better than to interact. But if you get an email that looks like it's from your cousin Jennifer and she talks about the wedding you went to two weeks ago.
PALETTA: And, you know, she's in a pinch. She got in a car accident and please don't tell anybody, it gets a lot different when they know so much about you. And you know, how many of us are going to fall for that? Maybe a small percent, but that's all they need for this to work.
GALANTE: Or where they have your data and are already asking you to pay a certain sum to get it back. Look at ransomware. Right? We've seen these extortion plots played out left and right, so how do you think about ways where you're at least aware that your information's been taken before it's held against you?
REHM: Laura Galante is with Global Intelligence FireEye. And you're listening to The Diane Rehm Show. Pamela Smith, I want to come back to you. How big a problem do you believe our voting security or lack thereof is?
SMITH: You know, it's a question we get asked a lot. Are we more scared this year than in past years? I actually don't think so. There have been a lot of improvements. And there are some safeguards, even for concerns like the absentee ballot issue that was raised. There's an authentication process for ballots when they come in. The bigger concern is what is -- what kind of chaos can be caused by breaches and attacks? I think it's important to know that aside from DHS involvement, which, you know, is basically a gift to jurisdictions who need the extra support.
SMITH: Some states are using their own CIOs and CISOs for talent in house to do cyber security risk assessments. All the election officials I've spoken to at state and local levels have been taking additional mitigating steps. There's been good guidance out from the Election Assistance Commission on how to safeguard registration data, for example, as well. But there are things that voters can do, and I think this is something where we can pull together and we can push back.
SMITH: You know, we don't have to look at this as, you know, an existential threat if we all are doing what we can to safeguard, basically, our democracy. And one thing voters can do right now is to check the registration. You know, there are deadlines in states coming up in October and those are states deadlines for registration that you need to be registered by a certain date in order to vote. And if you go online and you check your registration, and you can do this at your local election official's website.
SMITH: Or the state website, or you can check canivote.org. You can go to rockthevote. There are lots of ways to check your existing registration. Make sure it's still correct. Make sure there's been no changes, nothing that you didn't authorize, and if you found something, and you let the election official know in time for the deadline, you can still get it corrected in time and be able to vote. That's a really important step.
SMITH: It does one other thing, too. It tells the election official if they suddenly start getting a lot of calls that they may have a problem. So that's an important thing too.
REHM: All right. I have read somewhere that we do not have enough intelligence now to fix this problem. Is that correct in your mind, Michael?
GREENBERGER: It absolutely is correct. First of all, if you just look at the needs of employers, the government, there aren't enough cyber security experts out there...
REHM: With enough knowledge.
GREENBERGER: ...with enough knowledge. And also, I think on the other end of that, there is a lot of cybersecurity degrees certificates that are offered that I think people in the industry think are questionable and not worth the money that people are spending. And also, the technology is not where it should be. And the final thing I would just say, I am much more worried about this election than was previously announced. In getting an absentee ballot, you have to give authentication information.
GREENBERGER: Well, that's what the Yahoo leak is all about, your authentication information is out in the ether. And, and by the way, for social security numbers, on the dark web, you can buy somebody's social security number for 10 or 15 cents a number. Now that's what the states are getting, and then issuing these absentee ballots.
REHM: Laura, do you want to comment?
GALANTE: Sure. I think that we also haven't dealt with an election where we have an adversary, potentially the Russian government here, interested in trying to create chaos in the heart of, you know, a US democratic institution, that your vote matters.
REHM: And Damian, how concerned are you?
PALETTA: I'm very concerned. This has been an election where there's been conspiracy theories flying all over the place. And if there's any abnormality on November 8th, people are going to wonder what the heck is going on.
REHM: Damian Paletta of the Wall Street Journal, Laura Galante of Global Intelligence FireEye. Michael Greenberger of the University of Maryland. Pamela Smith, she's President of Verified Voting. And we will be watching this throughout this voting season. I'm assuming that each and every one of you will be equally as watchful. Thanks for listening, all. I'm Diane Rehm.