A newsletter briefing on cybersecurity news and policy.
with research by Aaron Schaffer
Welcome to The Cybersecurity 202! I hope everyone had a great and relaxing Memorial Day weekend. Here's Robert Frost's “Not to Keep” on the hidden costs of war.
Below: The Post's tech columnist Geoffrey A. Fowler collected all the privacy policies for apps on his phone — they were nearly twice the length of “War and Peace.” Also, the United States finalized restrictions on exports of some hacking tools, aligning the U.S. government with more than 40 other nations.
Georgia’s voting machines recorded votes properly – but they have hacking vulnerabilities that went undiscovered for years.
The findings are from a recent review of the voting machines and represent a mixed bag for people concerned about foreign and domestic interference in U.S. elections.
First, the good news: There’s no evidence any of the vulnerabilities have been used to alter votes in any elections, as my colleagues Ellen Nakashima and Amy Gardner report. Most of the vulnerabilities are also quite difficult to exploit, requiring hands-on access to the voting machines. And they’re likely to be caught by standard security protocols in election offices.
But: The vulnerabilities in the Dominion Voting Systems-brand machines remained undetected for years. They might not have been discovered now if not for a long-running lawsuit over the security of Georgia’s machines during which University of Michigan computer scientist J. Alex Halderman was given a chance to examine the machines on behalf of the plaintiffs in the case.
Such independent reviews are still relatively rare — and election security advocates warn vulnerabilities in other voting systems could still be waiting out there undiscovered.
Halderman’s findings were verified by the Cybersecurity and Infrastructure Security Agency (CISA), which is in the process of notifying more than a dozen states that use the machines about the vulnerabilities and the mitigation measures they should take, according to Ellen and Amy, who got an advance look at the CISA advisory.
The CISA advisory details nine flaws in versions of Dominion’s ImageCast X machine. The advisory is expected to be publicly released next week after states have reviewed it. Halderman’s report remains sealed as part of the Georgia lawsuit, which argues the state should abandon its machines because of security concerns in favor of hand-marked paper ballots.
A review commissioned by Dominion and conducted by the Mitre Corporation, a federally funded research and development center, reached similar conclusions to CISA, Georgia Secretary of State Brad Raffensperger (R) told my colleagues. That report, which was concluded Friday, hasn’t been released yet.
The disclosures come after Tuesday’s primary elections in Georgia, which saw record turnout for a midterm primary and no evidence of tampering with voting machines.
The report highlights a major challenge in election security right now: vulnerabilities that are hard for outsiders to exploit still have to be managed at a time when trust in election systems is under attack.
The challenge has been exacerbated by election fraud conspiracy theories spread by former president Donald Trump and his allies, whose claims are unfounded but have nevertheless sparked a wave of distrust in election systems.
Dominion machines played an outsize role in many of Trump’s false claims. Georgia was also ground zero for Trump’s pressure campaign to overturn election results. Multiple audits upheld President Biden’s narrow victory in the state and yet Trump urged Raffensperger in a phone call to “find” enough votes to make him the winner.
There’s also a heightened threat of malicious insiders — mostly adherents of Trump’s lies — who work in election offices and might have an easier time exploiting some of the election machine vulnerabilities that would be far more difficult for an outsider.
Mesa County, Colo., clerk Tina Peters was indicted on a charge of trying to secretly copy hard drives from Dominion Voting Systems equipment. Despite her legal troubles, Peters is seeking the Republican nomination to be Colorado’s top election official — one of many adherents to Trump’s election lies seeking such offices across the country.
Election officials and companies have always taken a balancing-act approach to security. They accept some vulnerabilities that are harder for hackers and other bad actors to exploit in exchange for other priorities, such as making elections operate efficiently or be accessible to people with disabilities or who speak different languages.
They also expect that some purely technical vulnerabilities will be counteracted by procedural safeguards such as keeping machines locked down when they’re not in use.
Here’s Gabriel Sterling, a top Georgia election official: “Both the CISA and Mitre reports show what reasonable people already know — if bad actors are given full and unfettered access to any system, they can manipulate that system. That is why procedural, operational, and legal election integrity measures are crucial.”
But the balance has swung far in the direction of security since 2016 and the trend seems unlikely to slow down.
Our tech columnist Geoffrey A. Fowler collected all the privacy policies for the apps on his phone. Combined, they ran nearly twice the length of “War and Peace” — far too long for users to read, understand and meaningfully consent to them.
His conclusion: “We the users shouldn’t be expected to read and consent to privacy policies. Instead, let’s use the law and technology to give us real privacy choices.”
Geoffrey has several suggestions in his latest “We the Users” column:
The U.S. government officially imposed a rule this month designed to limit exports of hacking tools to China, Russia and other countries of concern.
The regulation is aimed at limiting exports that would fuel the hacking arms race while making sure cross-border cybersecurity collaboration isn’t stymied. My colleague Ellen Nakashima described the rule at length in October, when the Commerce Department first announced it.
The regulations cover newer hacking tools like NSO Group’s Pegasus spyware. NSO has said it doesn't sell its software to China or Russia, and requires its clients to only use its spyware for law enforcement or counterterrorism purposes.
They were also designed to cover software made in the United States that could be used to develop hacking tools elsewhere. Such exports would require a special Commerce Department license under the rules.
Russian oligarchs including sanctioned aluminum magnate Oleg Deripaska hired Israeli private investigator Aviram Azari for intelligence and surveillance services to get an upper hand in legal disputes, lawyers representing journalist Scott Stedman told a federal court. Reuters’s Raphael Satter first reported on the filing.
Azari, in turn, purchased “surveillance and cyber intelligence services from India, Israel, and elsewhere” to do the dirty work, Stedman wrote in a filing.
Stedman’s legal filings shed light on the usually opaque international hacking-for-hire marketplace employed by some prominent but unscrupulous businesspeople.
The claims come amid a high-profile legal battle between Stedman, the founder of investigative journalism site Forensic News, and the British security consultant, Walter Soriano. Soriano has sued Stedman in the United Kingdom, alleging that “Stedman’s reporting on him — which he claims is inaccurate — amounted to illegal data collection,” my colleague Reed Albergotti reported in March.
REvil prosecutions reach a 'dead end,' Russian media reports (CyberScoop)
How censoring China’s open-source coders might backfire (MIT Technology Review)
Why we can expect more hacking of politicians’ phones (Politico)
A $90 million DeFi exploit on Terra went unnoticed for seven months (The Block)
This is Kona. He just discovered the sound activated lights. Not sure what to do with his powers. 13/10 pic.twitter.com/VbCs7MsLdM
Thanks for reading. See you tomorrow.