Special Report: 2020 U.S. census plagued by hacking threats, cost overruns
By Nick Brown

(Reuters) – In 2016, the U.S. Census Bureau faced a pivotal choice in its plan to digitize the nation’s once-a-decade population count: build a system for collecting and processing data in-house, or buy one from an outside contractor.

The bureau chose Pegasystems Inc, reasoning that outsourcing would be cheaper and more effective.

Three years later, the project faces serious reliability and security problems, according to Reuters interviews with six technology professionals currently or formerly involved in the census digitization effort. And its projected cost has doubled to $167 million — about $40 million more than the bureau’s 2016 cost projection for building the site in-house.

The Pega-built website was hacked from IP addresses in Russia during 2018 testing of census systems, according to two security sources with direct knowledge of the incident. One of the sources said an intruder bypassed a “firewall” and accessed parts of the system that should have been restricted to census developers.

“He got into the network,” one of the sources said. “He got into where the public is not supposed to go.”

In a separate incident during the same test, an IP address affiliated with the census site experienced a domain name system attack, causing a sharp increase in traffic, according to one of the two sources and a third source with direct knowledge of the incident.

Neither incident resulted in system damage or stolen data, the sources said. But both raised alarms among census security staff about the ability of the bureau and its outside security contractor, T-Rex Solutions, to defend the system against more sophisticated cyberattacks, according to five sources who worked on census security, as well as internal messages from security officials that were reviewed by Reuters.

Among the messages, posted on an internal security registry seen by Reuters, was a note observing that T-Rex’s staff lacked adequate forensic capability as recently as June of this year. “In the event of a real-world event such as a significant malware infection,” the team would be “severely limited in its capability to definitively tell the story of what occurred,” the message said.

One of the sources with direct knowledge of the hack involving Russian IP addresses described the internal Census Bureau reaction as a “panic.” The incidents prompted multiple meetings to address security concerns, said the two sources and a third census security source.

Census Bureau spokesman Michael Cook declined to comment on the incidents described to Reuters by census security sources. He said no data was stolen during the 2018 system test and that the bureau’s systems worked as designed.

The work of Pega and T-Rex is part of the bureau’s $5 billion push to modernize the census and move it online for the first time. The project involves scores of technology contractors building dozens of systems for collecting, processing and storing data and training census workers for the once-a-decade count. T-Rex’s security work is projected to cost taxpayers up to $1.4 billion, according to the census budget, making it the largest recipient of the more than $3.1 billion that the bureau set aside for contracts.

The problems with Pega and T-Rex reflect the Census Bureau’s broader struggle to execute the digitization project. The effort has been marred by security mishaps, missed deadlines and cost overruns, according to Reuters interviews over the past several months with more than 30 people involved in the effort.

“The IT is really in jeopardy,” said Kane Baccigalupi, a private security consultant who previously worked on the census project for two years as a member of the federal digital services agency 18F, part of the General Services Administration. “They’ve gone with a really expensive solution that isn’t going to work.”

The potential costs of a hacking incident or a system failure go beyond busted budgets or stolen data. A technological breakdown could compromise the accuracy of the census, which has been a linchpin of American democracy since the founding of the republic more than two centuries ago.

The U.S. Constitution requires a decennial census to determine each state’s representation in Congress and to guide the allocation of as much as $1.5 trillion a year in federal funds. Census data is also crucial to a broad array of research conducted by government agencies, academics and businesses, which rely on accurate demographic statistics to craft marketing plans and choose locations for factories or stores.

In a worst-case scenario, according to security experts, poorly secured data could be accessed by hackers looking to manipulate demographic figures for political purposes. For example, they could add or subtract Congressional seats allocated to states by altering their official population statistics.

The Census Bureau says its information-technology overhaul is on-track. Systems supporting initial census operations – such as creating its address database and hiring workers – are “fully integrated with one another, performance-tested, and deployed on schedule and within budget,” bureau spokesman Cook said.

Cook said that the bureau had conducted a “bug bounty,” a bulletproofing practice in which benevolent hackers are invited to search for vulnerabilities. He called the effort successful but declined to provide details for security reasons.

Lisa Pintchman, a spokeswoman for Cambridge, Massachusetts-based Pega, said the company was selected through a “very rigorous process” and stands by its work. T-Rex, headquartered in Maryland, declined to comment.

The escalating costs and reliability concerns for Pega’s front-end website have prompted the bureau to consider reverting to an in-house system, which remains under construction as a backup, according to three technology professionals involved in the census project. Census spokesman Cook confirmed that the in-house system, called Primus, would be available for use if needed next year.

This exclusive account of the Census Bureau’s technology troubles comes after government oversight agencies have chronicled other security problems, delays and cost overruns.

The Government Accountability Office (GAO), the fiscal watchdog for Congress, has said the 2020 census is at high risk for a breach or system outage that could prevent people from filling out surveys. The GAO has also said the bureau’s information technology systems won’t be fully tested before the census kicks off for almost all Americans on April 1, 2020, and that 15 of the bureau’s systems – including Pega’s data collection mechanism – were at risk of missing development deadlines ahead of the census.

The Inspector General of the Department of Commerce, meanwhile, in October announced plans to audit the bureau’s technology operations, months after identifying mismanagement of its cloud data-storage system that left it vulnerable to hackers.

Cook declined to comment on the audit but said the bureau is poised to “conduct the most automated, modern, and dynamic decennial census in history.”

The effort to move the census online aims to streamline the counting process, improve accuracy, and rein in cost increases as the population rises and survey response rates decline. Adjusting for 2020 dollars, the 1970 census cost $1.1 billion, a figure that rose steadily to $12.3 billion by 2010, the most recent count. The 2020 tally is projected at $15.6 billion, including a $1.5 billion allowance for cost overruns.

The bureau’s technology woes mounted outside the limelight, as Washington focused on the Trump administration’s push to add a question asking census respondents if they were U.S. citizens, part of a larger effort to curb illegal immigration.

The president abandoned that effort in July after the U.S. Supreme Court rejected it, cheering civil rights groups who had worried it would dissuade immigrants from responding and cost their communities political representation and federal dollars. Still, an October 18 study by the nonpartisan Pew Research Center found that more than one-fifth of Hispanics say they may not participate in next year’s census, compared to 12% of whites.

Graphic: Why the Census Matters, https://graphics.reuters.com/USA-CENSUS/010092JZ39N/index.html

‘SINGLE POINT OF FAILURE’

The census technology overhaul got off to a late start, in part because Congress gave the bureau less funding than it requested for most of the decade. Pressed for time, bureau leadership at times prioritized speed over security, according to four people familiar with the bureau’s security operations.

New technology systems, they said, were tested in settings that were vulnerable to hackers despite carrying unresolved risks that had been identified by the bureau’s in-house security team. The testing was authorized by bureau leadership and supported by T-Rex, over the objections of the in-house security officials, who wanted the vulnerabilities fixed first, three of the people said. It stoked internal tensions that ultimately led one security boss to quit his post, the people said.

The Census Bureau’s Cook declined to comment on whether the testing was done over the objections of in-house security officials but said that the bureau follows a strict protocol to minimize risk.

The bureau began rolling out its technology plans in 2014, promising a technological tour-de-force with 52 separate systems. Twenty-seven of them will be used for collecting census data, which include building the website where respondents submit forms and the tools used by door-knockers tasked with nudging stragglers.

Most of the Census Bureau’s $5 billion in technology spending has gone to seven main contractors, who together have tapped another 41 companies as subcontractors, according to public presentations by the Census Bureau in 2018.

Within months of the rollout, government advisors from two outside agencies – the U.S. Digital Service and 18F – began warning officials off the sprawling approach, according to Baccigalupi and five other people familiar with the discussions. The outside advisers urged a simpler system, one that would be easier to defend against hacks and glitches.

The Digital Service was created in 2014 by President Barack Obama after the troubled launch of Healthcare.gov, the website meant to allow Americans to sign up for health insurance under Obamacare. Design flaws left the site overwhelmed by higher-than-expected traffic and prevented many users from registering for weeks. Digital Service officials saw the 2020 census as a potential repeat of that fiasco, two of the people said.

The General Services Administration’s 18F unit – named for the address of its Washington, D.C. office – functions like a private-sector consultant and is paid by agencies seeking technology help.

18F declined to comment for this story, and the Digital Service did not respond to requests for comment.

The debate between Census Bureau leadership and its advisors from the Digital Service and 18F focused on two broad approaches to software production: monolithic versus modular.

A monolithic framework – like the one envisioned by Census Bureau officials – bundles different functions into one system. In the case of the census, that could mean a single system that allows people to answer the survey on a website, translates incoming responses into data and stores it. Monolithic systems can be easier to build, but critics say they become hopelessly complex when something goes wrong. A problem with one function can shut down the whole process.

“It’s a single point of failure,” Baccigalupi said.

In a modular system, by contrast, engineers build different pieces of software for each function, then write code to allow them to interact. While it’s more challenging to move data through different components, the risk of a system collapse is much smaller. If one function breaks, others can still work while it’s repaired.

Census officials brought in 18F and Digital Service consultants on long-term secondments to help with aspects of the project but largely ignored their recommendations to take a more modular approach, said 18F’s Baccigalupi and Marianne Bellotti, a former agent at the Digital Service who consulted on the project in 2017.

“I told them pretty consistently in 2017: If you suffer a denial-of-service attack, I’m not sure your architecture can withstand it,” Bellotti said.

In a denial-of-service attack, a hacker tries to prevent legitimate users from accessing a program, often by overwhelming it with more connection requests than it can process. Any extended outages during the census would reduce response rates, compromising the accuracy of the data and making it more expensive to collect.

Cook, the Census spokesman, did not comment on why the bureau chose a more monolithic approach but said the consultants recommending against that path did not fully understand its systems.

“18F and USDS looked at portions of our systems and provided recommendations, but neither group had an overall understanding of how those systems integrated or their capabilities,” Cook said.

Graphic: Census costs soar to more than $15 billion, https://fingfx.thomsonreuters.com/gfx/editorcharts/USA-CENSUS-TECHNOLOGY/0H001QXF693K/index.html

RISING COSTS

Bellotti and Baccigalupi say they told the bureau repeatedly in 2016 and 2017 that Pega’s technology wasn’t well-suited to its central tasks – building the self-response website and the mobile applications to be used by census door-knockers. Pega’s code, they argued, would require so much customization that the final product would be slow and prone to glitches.

“If you want to build the fastest car in the world, you build that car from scratch,” Baccigalupi said. “You don’t try to customize a tour bus until it’s the fastest car in the world.”

The Census Bureau’s outside advisers from Carnegie Mellon University’s Software Engineering Institute shared the concern and told the bureau in a 2016 memo, which was reviewed by Reuters, that commercial products such as Pega’s “are not designed to meet an organization’s specifications.”

Neither the bureau nor Pega commented on the assertion that the need for customization made the system expensive and unreliable.

Before hiring Pega, the bureau already had a workable system for data collection, built by in-house staff, Baccigalupi said. Starting in 2014, small teams had fashioned prototypes for online responses and mobile apps that seemed to work. The online response prototype, known as Primus, had been built at little cost beyond the salaries of the half-dozen or so coders.

The in-house systems were tested, and Primus was used in a real-world setting during smaller surveys conducted by the bureau. All performed well, John Thompson, who served as Census Bureau director from 2013 to 2017, said in an interview.

In a 2016 public report explaining its choice to go with an outside contractor, the bureau called Pega’s product a “commercial off-the-shelf solution” that could work with minimal alterations. Pega would do what Primus and the in-house mobile apps could do, but cheaper, with an estimated price tag of $84.5 million, compared to the $127 million forecast for building in-house. Pega would also supply other key functions, such as transferring user responses to data storage.

The reality was messier. Pega’s off-the-shelf solution has required so much modification that it has become “unrecognizable,” said one former Census Bureau official involved in the contracting process. In January 2018, the bureau nearly doubled Pega’s cost estimate to $167.3 million. It has spent about $149 million so far.

Contract documents reviewed by Reuters showed about $121 million of Pega’s contract has gone toward “contracting services,” a category that two former bureau contracting officials said typically refers to the labor required to write and customize code. The figure is more than 13 times Pega’s initial estimate for contracting services.

The bureau did not comment on the escalating costs. Pintchman, the Pega spokeswoman, said the work is “on budget” and that “any changes in estimates would be a result of changes in project scope as well as the Census Bureau identifying additional opportunities for us to add value.”

Thompson, who ran the bureau at the time it decided on Pega, described the decision as a “tough call.” While Thompson and his team viewed Primus as capable of scaling up for the 2020 Census, he said the prospects for scaling up the in-house prototypes for census-worker mobile apps were less certain.

As Pega’s problems have become more clear, Census officials have considered reverting to Primus, the in-house system, for data collection, said three sources familiar with the bureau’s thinking. As recently as this summer, they were instructing employees “to build Primus out, in case it was needed,” said one of those people.

SECURITY INCIDENTS

The only full-scale test of the system took place in Providence, Rhode Island, last year. The bureau conducted a kind of dress rehearsal – essentially a mini-census, with respondent data collected and stored online.

That’s when the system was accessed from IP addresses in Russia, the two census security sources said. Other hackers launched a domain name system attack on the website, which one source described as similar to a denial-of-service attack.

The domain name system attack was not as worrisome as what it revealed about the abilities of T-Rex to respond to such a threat, according to five people involved in census security.

T-Rex staffers “didn’t know how to access the cybersecurity defense tools that were in place, and they didn’t know what to look for,” said a person familiar with the operation. This source added that the bureau had purchased a license to use forensic-analysis software, called EnCase, to investigate hacks more than a year earlier, but T-Rex had yet to fully integrate EnCase into the security system when the security incidents occurred.

T-Rex’s security work had encountered trouble early on. The GAO reported that, by June of 2018, Census’ Office of Information Security (OIS) had flagged more than 3,000 security compliance deficiencies, 2,700 of which were related to components being developed by T-Rex.

OIS voiced concern over the flags and recommended addressing the bulk of them before testing, according to two security officials familiar with the matter. But bureau leadership authorized live-testing of the systems anyway to keep the project on schedule, the people said. The bureau’s Office of Information Security chief, Jeff Jackson, quit his post in October out of frustration over his office’s lack of influence on the project, two sources familiar with the matter said. Jackson did not respond to requests for comment.

A June report by the Department of Commerce’s Office of Inspector General called attention to other snafus. It revealed that, for a prolonged stretch in 2018, the bureau lost the codes needed to gain unrestricted access to its Amazon-based cloud data-storage system. Without the codes, the IG reported, the bureau could not have stopped a hacker from accessing or destroying data stored in the cloud.

The IG, in an October 17 letter to Census Director Steven Dillingham, said it would “immediately” begin auditing the bureau’s technology to “determine the effectiveness of security measures.”

Baccigalupi, the former 18F consultant, called the project’s problems to date “infuriating” given the high cost to taxpayers, and said the bureau’s internal staff could have built the systems better and cheaper.

“Those teams are eager to do it,” Baccigalupi said, “and demoralized to see bad and expensive software going out instead.”

(Reporting by Nick Brown; Editing by Richard Valdmanis and Brian Thevenot)

50,000 companies exposed to hacks of ‘business critical’ SAP systems: researchers

FILE PHOTO: People pose in front of a display showing the word 'cyber' in binary code, in this picture illustration taken in Zenica December 27, 2014. REUTERS/Dado Ruvic

By Jack Stubbs

LONDON (Reuters) – Up to 50,000 companies running SAP software are at greater risk of being hacked after security researchers found new ways to exploit vulnerabilities of systems that haven’t been properly protected and published the tools to do so online.

German software giant SAP said it issued guidance on how to correctly configure the security settings in 2009 and 2013. But data compiled by security firm Onapsis shows that 90 percent of affected SAP systems have not been properly protected.

“Basically, a company can be brought to a halt in a matter of seconds,” said Onapsis Chief Executive Mariano Nunez, whose company specializes in securing business applications such as those made by SAP and rival Oracle.

“With these exploits, a hacker could steal anything that sits on a company’s SAP systems and also modify any information there so he can perform financial fraud, withdraw money, or just plainly sabotage and disrupt the systems.”

SAP said: “SAP always strongly recommends to install security fixes as they are released.”

SAP software is used by more than 90 percent of the world’s top 2,000 companies to manage everything from employee payrolls to product distribution and industrial processes.

Security experts say attacks on those systems could be hugely damaging, both for the victim organizations and their wider supply chain. SAP customers collectively distribute 78 percent of the world’s food and 82 percent of global medical devices, the company says on its website.

Sogeti security consultant Mathieu Geli, one of the researchers who developed the exploits released online last month, said the issue concerned the way SAP applications talk to one another inside a company.

If a company’s security settings are not configured correctly, he said, a hacker can trick an application into thinking they are another SAP product and gain full access without the need for any login credentials.

SAP said customer security was a priority and the vulnerabilities showed the need for clients to implement recommended fixes when they are released. “Security is a collaborative process, so our customers and partners need to safeguard their systems as well,” it said in a statement.

CRITICAL SYSTEMS

Researchers at Onapsis said on Thursday they were naming the exploits “10KBLAZE” because of the threat they posed to “business-critical applications” which, if hacked, could result in “material misstatements” in U.S. financial filings.

Nunez said he would share his company’s ability to detect the vulnerabilities with other security vendors to help secure all SAP users against possible future attacks.

Sogeti’s Geli said he created the exploits to prove the danger of the vulnerabilities and released them online in order to help experts test the security of SAP systems.

He said there was a risk they could be used by malicious actors but not people without technical ability, and it was more important for companies to update their security settings.

“We are just pointing out something that is already fixed for SAP but clients maybe are a bit late on,” he said. “We are trying to push that and say: ‘Guys, this is critical, you need to fix it.’”

(Reporting by Jack Stubbs; editing by Georgina Prodhan)

Megaphones and more: Mueller details Russian U.S. election meddling

By Doina Chiacu

WASHINGTON (Reuters) – From breaking into computers to paying for a megaphone, Russian efforts to undermine the U.S. political system have been spelled out in detail by Special Counsel Robert Mueller, who has described an elaborate campaign of hacking and propaganda during the 2016 presidential race.

While Mueller has yet to submit to U.S. Attorney General William Barr a final report on his investigation into Russia’s role in the election, the former FBI director already has provided a sweeping account in a pair of indictments that charged 25 Russian individuals and three Russian companies.

Key questions still to be answered are whether Mueller will conclude that Trump’s campaign conspired with Moscow and whether Trump unlawfully sought to obstruct the probe. Trump has denied collusion and obstruction. Russia has denied election interference.

FILE PHOTO: Robert Mueller (R), serving as Federal Bureau of Investigation director, is seen on a TV monitor at the U.S. Senate Judiciary Committee at an oversight hearing about the FBI on Capitol Hill in Washington, June 19, 2013. REUTERS/Larry Downing/File Photo

Here is an explanation of Mueller’s findings about Russian activities and U.S. intelligence assessments of the ongoing threat.

WHAT IS KNOWN ABOUT RUSSIAN “TROLL FARMS”?

On Feb. 16, 2018, Mueller charged 13 Russian individuals and three Russian entities with conspiracy to defraud the United States, wire and bank fraud and identity theft. The indictment said the Internet Research Agency, a Russian-backed propaganda arm known for trolling on social media, flooded American social media sites Facebook, Twitter, YouTube and Instagram to promote Trump and spread disparaging information about his Democratic rival Hillary Clinton. The indictment said the Russian efforts dated to 2014, before Trump’s candidacy, and were intended to sow discord in the United States.

The St. Petersburg-based so-called troll farm employed hundreds of people for its online operations and had a multimillion-dollar budget, according to the indictment. It had a management group and departments including graphics, data analysis and search-engine optimization. Employees worked day and night shifts corresponding to U.S. time zones.

Its funding was provided by Evgeny Prigozhin, a businessman who U.S. officials have said has extensive ties to Russia’s military and political establishment, and companies he controlled including Concord Management and Consulting and Concord Catering. Prigozhin has been described by Russian media as being close to President Vladimir Putin. He has been dubbed “Putin’s cook” because his catering business has organized banquets for Russia’s president.

The Russians targeted Americans with information warfare, adopting false online personas and creating hundreds of social media accounts to push divisive messages and spread distrust of candidates and America’s political system in general, the indictment said. They aimed to denigrate Clinton and support the candidacies of Trump, who won the Republican presidential nomination, and Bernie Sanders, her rival for the Democratic nomination.

HOW WERE AMERICANS UNWITTINGLY RECRUITED?

In Florida, a pivotal state in U.S. presidential elections, the Russians steered unwitting Americans to pro-Trump rallies they conceived and organized. The indictment said the Russians paid “a real U.S. person to wear a costume portraying Clinton in a prison uniform at a rally” and another “to build a cage large enough to hold an actress depicting Clinton in a prison uniform.”

The accused Russians used the false Facebook persona “Matt Skier” to contact a real American to recruit for a “March for Trump” rally, offering “money to print posters and get a megaphone,” the indictment said. They created an Instagram account, “Woke Blacks,” to encourage African-Americans not to vote for “Killary,” saying, “We’d surely be better off without voting AT ALL.” Fake social media accounts were used to post messages saying American Muslims should refuse to vote for Clinton “because she wants to continue the war on Muslims in the Middle East.” At the same time, they took out Facebook ads promoting a June 2016 “Support Hillary. Save American Muslims” rally in Washington. They recruited an American to hold up a sign with a quote falsely attributed to Clinton that embraced Islamic sharia law, the indictment said.

Some of the accused Russians traveled around the United States to gather intelligence, the indictment said, visiting at least 10 states: California, Colorado, Georgia, Illinois, Louisiana, Michigan, Nevada, New Mexico, New York and Texas.

WHAT ROLE DID RUSSIAN MILITARY OFFICERS PLAY?

On July 13, 2018, Mueller charged 12 Russian military intelligence officers with hacking Democratic Party computer networks in 2016 to steal large amounts of data and then time their release to damage Clinton. The Russian hackers broke into the computer networks of the Clinton campaign and Democratic Party organizations, covertly monitoring employee computers and planting malicious code, as well as stealing emails and other documents, according to the indictment.

Using fictitious online personas such as DCLeaks and Guccifer 2.0, the hackers released tens of thousands of stolen emails and documents. The Guccifer 2.0 persona communicated with Americans, including an unidentified person who was in regular contact with senior members of the Trump campaign, the indictment said. Guccifer 2.0 cooperated extensively with “Organization 1” – the WikiLeaks website – to discuss the timing of the release of stolen documents to “heighten their impact” on the election.

On or about July 27, 2016, the Russians tried to break into email accounts used by Clinton’s personal office and her campaign, the indictment said. The same day, candidate Trump told reporters: “Russia, if you are listening, I hope you’re able to find the 30,000 emails that are missing,” referring to emails from a private server Clinton had used when she was secretary of state.

To hide their identity, the Russians laundered money and financed their operation through cryptocurrencies including bitcoin, Mueller’s team said.

IS THE THREAT OVER?

The U.S. intelligence community’s 2019 Worldwide Threat Assessment report cited Russia’s continuing efforts to interfere in the American political system. It stated, “Russia’s social media efforts will continue to focus on aggravating social and racial tensions, undermining trust in authorities, and criticizing perceived anti-Russia politicians. Moscow may employ additional influence toolkits – such as spreading disinformation, conducting hack-and-leak operations or manipulating data – in a more targeted fashion to influence U.S. policy, actions and elections.”

The report said Russia and “unidentified actors” as recently as 2018 conducted cyber activity targeting U.S. election infrastructure, though there is no evidence showing “any compromise of our nation’s election infrastructure that would have prevented voting, changed vote counts or disrupted the ability to tally votes.”

(Reporting by Doina Chiacu; Editing by Will Dunham)

U.S. initiative warns firms of hacking by China, other countries

FILE PHOTO: A Chinese flag flutters at Tiananmen Square in central Beijing, China June 8, 2018. REUTERS/Jason Lee

By Jonathan Landay

WASHINGTON (Reuters) – The Trump administration on Monday launched a drive to push U.S. firms to better protect their trade secrets from foreign hackers, following a slew of cases accusing individuals and companies of economic espionage for China.

U.S. companies hit by recent attacks included Hewlett Packard Enterprise Co and International Business Machines Corp.

The National Counter-Intelligence and Security Center, which coordinates counter-intelligence efforts within the U.S. government, launched the outreach campaign to address persistent concerns that many companies are not doing enough to guard against cyber theft.

The Center is worried about cyber attacks on U.S. government agencies and the private sector from China, Russia, North Korea and Iran.

“Top corporate executives and directors should know the intent of our adversaries and what they are trying to do economically to gain the upper hand,” William Evanina, a veteran FBI agent who oversees the center, said in an interview. “We are not saying don’t invest in China or with China, but know the risk.”

The drive targets trade associations across the United States and their members. Videos, brochures and online informational materials describe the threat posed by cyber espionage and other methods used by foreign intelligence services.

One brochure details methods hackers use to break into computer networks and how they create fake social media accounts to deceive people into revealing work or personal details. It outlines ways to protect information, such as researching apps before downloading them and updating anti-virus software.

The first parts of this administration outreach effort, called “Know the Risk, Raise Your Shield,” focused mainly on federal workers. The new phase follows a series of cases announced by the U.S. government against individuals and firms for allegedly stealing government secrets and proprietary information from U.S. companies for China’s benefit.

Nine cases announced since July 2018 included the unsealing last month of an indictment of two alleged hackers linked to China’s main spy agency on charges that they stole confidential government and corporate data. The pair allegedly belonged to a hacking ring known as APT 10.

Evanina said the new campaign also focuses on what he called Moscow’s aggressive, persistent attacks on computer networks of critical U.S. infrastructure, which includes power grids and communications, financial and transportation systems.

China and Russia have repeatedly denied conducting such attacks.

The most serious threats now facing companies, Evanina said, are efforts to plant malicious software in components purchased from suppliers or to substitute counterfeit parts for genuine products.

Companies need to take greater care to counter those efforts and in vetting new hires because of the growing danger of employing people acting for foreign powers, he said.

(Reporting by Jonathan Landay; Editing by David Gregorio)

Chinese hacking against U.S. on the rise: U.S. intelligence official

A staff member sets up Chinese and U.S. flags for a meeting in Beijing, China April 27, 2018. REUTERS/Jason Lee

By Jim Finkle and Christopher Bing

NEW YORK (Reuters) – A senior U.S. intelligence official warned on Tuesday that Chinese cyber activity in the United States had risen in recent months, and the targeting of critical infrastructure in such operations suggested an attempt to lay the groundwork for future disruptive attacks.

“You worry they are prepositioning against critical infrastructure and trying to be able to do the types of disruptive operations that would be the most concern,” National Security Agency official Rob Joyce said in response to a question about Chinese hacking at a Wall Street Journal conference.

Joyce, a former White House cyber advisor for President Donald Trump, did not elaborate or provide an explanation of what he meant by critical infrastructure, a term the U.S. government uses to describe industries from energy and chemicals to financial services and manufacturing.

In the past, the U.S. government has openly blamed hackers from Iran, Russia or North Korea for disruptive cyberattacks against U.S. companies, but not China. Historically, Chinese hacking operations have been more covert and focused on espionage and intellectual property theft, according to charges filed by the Justice Department in recent years.

A spokesperson for Joyce said he was specifically referring to digital attacks against the U.S. energy, financial, transportation, and healthcare sectors in his speech on Tuesday.

The comments follow the arrest by Canadian authorities on Dec. 1 of Meng Wanzhou, chief financial officer of Chinese telecommunications giant Huawei Technologies, at the request of the United States, which is seeking her extradition on charges related to sanctions violations.

(Reporting by Jim Finkle and Christopher Bing; Editing by Bernadette Baum)

HSBC discloses customer accounts hacked at its U.S. bank

FILE PHOTO: The HSBC logo is seen on a top roof of the main branch in Beirut, Lebanon July 25, 2016. REUTERS/ Aziz Taher/File Photo

LONDON (Reuters) – Hackers breached some HSBC customers’ accounts in the United States in October and accessed their information, the bank said in a regulatory filing on Tuesday.

It was not immediately clear how many accounts were breached or whether any money was stolen.

“HSBC regrets this incident, and we take our responsibility for protecting our customers very seriously,” an HSBC spokeswoman said. “We have notified customers whose accounts may have experienced unauthorized access and offered them one year of credit monitoring and identity theft protection service.”

(Reporting by Lawrence White; Editing by David Goodman)

What is Russia’s GRU military intelligence agency?

A general view shows the headquarters of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, formerly known as the Main Intelligence Directorate (GRU), in Moscow, Russia October 4, 2018. REUTERS/Stringer

By Guy Faulconbridge

LONDON (Reuters) – The West has accused Russia’s military intelligence agency (GRU) of running what it described as a global hacking campaign, targeting institutions from sports anti-doping bodies to a nuclear power company and the chemical weapons watchdog.

What is GRU and what does it do?

What is the GRU?

Russia’s military intelligence service is commonly known by the Russian acronym GRU, which stands for the Main Intelligence Directorate. Its name was formally changed in 2010 to the Main Directorate (or just GU) of the general staff, but its old acronym – GRU – is still more widely used.

Its published aims are the supply of military intelligence to the Russian president and government. Additional aims include ensuring Russia’s military, economic and technological security.

The GRU answers directly to the chief of the general staff, Valery Gerasimov, and the Russian defense minister, Sergei Shoigu, each of whom is thought to have access to Russia’s portable nuclear briefcase.

Russia’s two other main intelligence and security services were both created from the Soviet-era KGB: the Foreign Intelligence Service, or SVR, and the Federal Security Service, or FSB.

What are the GRU’s capabilities?

According to a Western assessment of the GRU seen by Reuters, the GRU has a long-running program to run ‘illegal’ spies – those who work without diplomatic cover and who live under an assumed identity for years until they receive orders from Moscow.

“It has a long-running program of ‘illegals’ reserved for the most sensitive or deniable tasks across the spectrum of GRU operations,” the assessment said.

The GRU is seen as a major Russian cyber player.

“It plays an increasingly important role in Russia’s development of Information Warfare (both defensive and offensive),” according to the Western assessment.

“It is an aggressive and well-funded organization which has the direct support of – and access to – [Russian President Vladimir] Putin, allowing freedom in its activities and leniency with regards to diplomatic and legislative scrutiny,” according to the assessment.

The GRU also has a considerable special forces unit. They are the elite of the Russian military.

“I don’t like rankings but the GRU is in the top levels of this business,” Onno Eichelsheim, director of the Netherlands Defence Intelligence and Security Service, told Reuters. “They are a very real threat.”

What are Western claims about GRU?

– The United States sanctioned GRU officers including its chief, Igor Korobov, for cyber attempts to interfere in the 2016 presidential election. Russia denied meddling in the election.

– Britain said two GRU officers attempted to murder former GRU double agent Sergei Skripal with Novichok. Russia denied any involvement.

– Britain said GRU was behind the BadRabbit attack of 2017, the hack of the Democratic National Committee in 2016, and attacks on the computer systems of both the Foreign Office and the Defence Science and Technology Laboratory in 2018. Russia said the accusations were fiction.

– The Netherlands said it caught four GRU cyberspies trying to hack into the Organization for the Prohibition of Chemical Weapons. It said the same group, known as unit 26165, had targeted the investigation into the downing of Malaysia Airlines flight MH-17.

– The United States charged seven GRU officers with plots to hack the World Anti-Doping Agency which had exposed a Russian doping program.

– GRU played a significant role in the 2014 annexation of Crimea, the conflict in Ukraine and the 2008 conflict with Georgia.

Note: The GRU does not have its own public web site and does not comment publicly on its actions. Its structure, staff numbers and financing are state secrets.

What is GRU’s history?

Russian spies trace their history back to at least the reign of Ivan the Terrible in the 16th Century, who established a feared espionage service.

The GRU was founded as the Registration Directorate in 1918 after the Bolshevik Revolution. Soviet state founder Vladimir Lenin insisted on its independence from other secret services, which saw it as a rival.

While the once mighty KGB was broken up during the 1991 collapse of the Soviet Union, the GRU remained intact.

GRU officers played a significant role in some of the key junctures of the Cold War and post-Soviet history – from the Cuban Missile crisis to the Afghan war and the annexation of Crimea.

The public was given a rare chance to see parts of the GRU’s Moscow headquarters when Putin visited it in 2006. He was shown taking part in shooting practice.

(Editing by Richard Balmforth)

Dutch government says it disrupted Russian attempt to hack chemical weapons watchdog

Dutch Minister of Defence Ank Bijleveld speaks during a news conference in The Hague, Netherlands, October 4, 2018. REUTERS/Piroschka van de Wouw

By Anthony Deutsch and Stephanie van den Berg

THE HAGUE (Reuters) – Dutch authorities disrupted an attempt in April by Russian intelligence agents to hack the Organization for the Prohibition of Chemical Weapons, Defence Minister Ank Bijleveld said on Thursday.

At a news conference in The Hague, Bijleveld called on Russia to cease its cyber activities aimed at “undermining” Western democracies.

She noted that the U.S. Department of Justice is expected to issue indictments of suspected Russian spies later on Thursday, in part due to information gleaned from the Dutch operation.

According to a presentation by the head of the Netherlands’ military intelligence agency, four Russians arrived in the Netherlands on April 10 and were caught on the 13th with spying equipment at a hotel next to the OPCW headquarters.

The men were not successful in breaching OPCW systems, the minister said.

At a presentation, Dutch Major General Onno Eichelsheim showed the antennae, laptops and other equipment the men intended to use to breach the OPCW’s wifi network. He said the spies were caught red-handed and attempted to destroy some of their own equipment to conceal what they had been doing.

At the time, the OPCW was working to verify the identity of the substance used in the March attack in Salisbury, Britain, on former Russian spy Sergei Skripal and his daughter Yulia. It was also seeking to verify the identity of a substance used in an attack in Douma, Syria.

The four Russians in the Netherlands were detained in April and expelled to Russia and not immediately prosecuted because the operation was considered military, not police, Eichelsheim said.

The men, who were also believed to have spied on the investigation into the 2014 downing of Malaysia Airlines flight MH17, had planned to travel on from the Netherlands to a laboratory in Spiez, Switzerland used by the OPCW to analyze chemical weapons samples, he said.

They were instead “put on a flight to Moscow,” said Bijleveld.

Eichelsheim warned against being naive and considering the Netherlands as relatively safe from Russian cyber attacks.

Russian military intelligence “is active here in the Netherlands … where a lot of international organizations are (based),” Eichelsheim said.

(Reporting by Toby Sterling; Editing by Janet Lawrence)

U.S. judge will not force Georgia to use paper ballots despite concerns

FILE PHOTO: Georgia Secretary of State Brian Kemp speaks with visitors to the state capitol about the "SEC primary" involving a group of southern states voting next month in Atlanta, Georgia February 24, 2016. REUTERS/Letitia Stein/File Photo

By Gina Cherelus

(Reuters) – A federal judge will not force Georgia to use paper ballots for the November election, citing the potential for last-minute confusion, but expressed concern that the state’s electronic machines could be vulnerable to hacking.

U.S. District Judge Amy Totenberg said in a ruling late on Monday that while it is important for citizens to know their ballots are properly counted, voters also must rely on a smooth process, especially in a fast-approaching election race.

“Ultimately, any chaos or problems that arise in connection with a sudden rollout of a paper ballot system with accompanying scanning equipment may swamp the polls with work and voters – and result in voter frustration and disaffection from the voting process,” Totenberg said in a 46-page decision.

The state’s November contests include a gubernatorial race that is among the most high-profile in the country. Democrat Stacey Abrams faces Secretary of State Brian Kemp, who is responsible for the state’s elections and is named as a defendant in the lawsuit.

If elected, Abrams would be the first black female governor in the United States.

Georgia is one of five states that use touchscreen machines with no paper record.

Voting rights groups and individual voters sued Georgia officials in 2017, alleging that the electronic machines are highly vulnerable to hacking and cannot be audited or verified. The judge’s decision to reject their request to require paper ballots in November does not affect the underlying lawsuit, which will continue.

An attorney for the plaintiffs, David Cross, said that while they were disappointed the judge had not imposed paper ballots for November, her decision was nevertheless a victory because she agreed the current election system is “woefully inadequate and insecure.”

Georgia has used direct-recording electronic (DRE) voting machines exclusively since 2002. The machines have drawn criticism from various advocacy groups and federal agencies, including U.S. Department of Homeland Security officials who called the systems a “national security concern” in March, according to Totenberg.

“Plaintiffs shine a spotlight on the serious security flaws and vulnerabilities in the state’s DRE system,” Totenberg said in the court order.

A representative from Kemp’s office did not immediately respond to a request for comment on Tuesday. Kemp on Monday said that Georgia’s electronic voting machines are secure and that switching to paper ballots would cause “chaos,” according to the Atlanta Journal-Constitution newspaper.

(Reporting by Gina Cherelus in New York; Editing by Joseph Ax and Susan Thomas)

Exclusive: Iran-based political influence operation – bigger, persistent, global

FILE PHOTO: Silhouettes of mobile users are seen next to a screen projection of Instagram logo in this picture illustration taken March 28, 2018. REUTERS/Dado Ruvic/Illustration

By Jack Stubbs and Christopher Bing

LONDON/WASHINGTON (Reuters) – An apparent Iranian influence operation targeting internet users worldwide is significantly bigger than previously identified, Reuters has found, encompassing a sprawling network of anonymous websites and social media accounts in 11 different languages.

Facebook and other companies said last week that multiple social media accounts and websites were part of an Iranian project to covertly influence public opinion in other countries. A Reuters analysis has identified 10 more sites and dozens of social media accounts across Facebook, Instagram, Twitter and YouTube.

U.S.-based cybersecurity firm FireEye Inc and Israeli firm ClearSky reviewed Reuters’ findings and said technical indicators showed the web of newly-identified sites and social media accounts – called the International Union of Virtual Media, or IUVM – was a piece of the same campaign, parts of which were taken down last week by Facebook Inc, Twitter Inc and Alphabet Inc.

IUVM pushes content from Iranian state media and other outlets aligned with the government in Tehran across the internet, often obscuring the original source of the information such as Iran’s PressTV, FARS news agency and al-Manar TV run by the Iran-backed Shi’ite Muslim group Hezbollah.

PressTV, FARS, al-Manar TV and representatives for the Iranian government did not respond to requests for comment. The Iranian mission to the United Nations last week dismissed accusations of an Iranian influence campaign as “ridiculous.”

The extended network of disinformation highlights how multiple state-affiliated groups are exploiting social media to manipulate users and further their geopolitical agendas, and how difficult it is for tech companies to guard against political interference on their platforms.

In July, a U.S. grand jury indicted 12 Russians whom prosecutors said were intelligence officers, on charges of hacking political groups in the 2016 U.S. presidential election. U.S. officials have said Russia, which has denied the allegations, could also attempt to disrupt congressional elections in November.

Ben Nimmo, a senior fellow at the Atlantic Council’s Digital Forensic Research Lab who has previously analyzed disinformation campaigns for Facebook, said the IUVM network displayed the extent and scale of the Iranian operation.

“It’s a large-scale amplifier for Iranian state messaging,” Nimmo said. “This shows how easy it is to run an influence operation online, even when the level of skill is low. The Iranian operation relied on quantity, not quality, but it stayed undetected for years.”

FURTHER INVESTIGATIONS

Facebook spokesman Jay Nancarrow said the company is still investigating accounts and pages linked to Iran and had taken more down on Tuesday.

“This is an ongoing investigation and we will continue to find out more,” he said. “We’re also glad to see that the information we and others shared last week has prompted additional attention on this kind of inauthentic behavior.”

Twitter referred to a statement it tweeted on Monday shortly after receiving a request for comment from Reuters. The statement said the company had removed a further 486 accounts for violating its terms of use since last week, bringing the total number of suspended accounts to 770.

“Fewer than 100 of the 770 suspended accounts claimed to be located in the U.S. and many of these were sharing divisive social commentary,” Twitter said.

Google declined to comment but took down the IUVM TV YouTube account after Reuters contacted the company with questions about it. A message on the page on Tuesday said the account had been “terminated for a violation of YouTube’s Terms of Service.”

IUVM did not respond to multiple emails or social media messages requesting comment.

The organization does not conceal its aims, however. Documents on the main IUVM website said its headquarters are in Tehran and its objectives include “confronting with remarkable arrogance, western governments, and Zionism front activities.”

APP STORE AND SATIRICAL CARTOONS

IUVM uses its network of websites – including a YouTube channel, breaking news service, mobile phone app store, and a hub for satirical cartoons mocking Israel and Iran’s regional rival Saudi Arabia – to distribute content taken from Iranian state media and other outlets which support Tehran’s position on geopolitical issues.

Reuters recorded the IUVM network operating in English, French, Arabic, Farsi, Urdu, Pashto, Russian, Hindi, Azerbaijani, Turkish and Spanish.

Much of the content is then reproduced by a range of alternative media sites, including some of those identified by FireEye last week as being run by Iran while purporting to be domestic American or British news outlets.

For example, an article run in January by Liberty Front Press – one of the pseudo-U.S. news sites exposed by FireEye – reported on the battlefield gains made by the army of Iranian ally Syrian President Bashar al-Assad. That article was sourced to IUVM but actually lifted from two FARS news agency stories.

FireEye analyst Lee Foster said iuvmpress.com, one of the biggest IUVM websites, was registered in January 2015 with the same email address used to register two sites already identified as being run by Iran. ClearSky said multiple IUVM sites were hosted on the same server as another website used in the Iranian operation.
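The attribution described above rests on infrastructure overlap: a domain registered with the same e-mail address as already-attributed sites, and several sites hosted on the same server. The following is an added example of that pivoting technique, written for this page and not code from the article, FireEye or ClearSky. The domain records, e-mail addresses and IP addresses are constructed placeholders, the use of a hosting IP as the proxy for "same server" is an assumption, and the rule that ignores IPs belonging to shared hosting is the author's own heuristic.

```python
"""Cluster domains that transitively share a registrant e-mail or a hosting IP.

Added example; not code from the article or from any vendor named in it.
All records below are constructed: the domains, e-mails and IPs are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    registrant_email: str   # assumption: taken from historical WHOIS / registrar data
    hosting_ip: str         # assumption: DNS A record observed at the time of analysis


# Constructed sample data: one seed site already attributed, plus sites that
# share (or do not share) indicators with it. Nothing here is a real site.
SAMPLE_RECORDS = [
    DomainRecord("seed-news.test",       "ops@mailbox.test",  "203.0.113.10"),
    DomainRecord("press-hub.test",       "ops@mailbox.test",  "203.0.113.22"),
    DomainRecord("cartoon-site.test",    "art@other.test",    "203.0.113.22"),
    DomainRecord("appstore-mirror.test", "art@other.test",    "198.51.100.5"),
    DomainRecord("unrelated-blog.test",  "blog@example.test", "192.0.2.77"),
]

# Heuristic (assumption): an IP that belongs to a large shared-hosting pool
# links thousands of unrelated customers, so it must not create an edge.
SHARED_HOSTING_IPS = {"192.0.2.77"}


class _UnionFind:
    """Minimal disjoint-set structure used to merge linked domains."""

    def __init__(self, items):
        self.parent = {i: i for i in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_infrastructure(records, shared_hosting_ips=frozenset()):
    """Group domains by shared indicators.

    Returns {frozenset(domains): [(indicator_type, indicator_value), ...]}
    where the list holds every indicator that contributed a link inside
    that cluster, so an analyst can see *why* two sites were joined.
    """
    uf = _UnionFind([r.domain for r in records])
    by_indicator = defaultdict(list)
    for r in records:
        by_indicator[("email", r.registrant_email)].append(r.domain)
        if r.hosting_ip not in shared_hosting_ips:
            by_indicator[("ip", r.hosting_ip)].append(r.domain)

    # Any indicator shared by two or more domains merges them.
    for domains in by_indicator.values():
        for d in domains[1:]:
            uf.union(domains[0], d)

    clusters = defaultdict(set)
    for r in records:
        clusters[uf.find(r.domain)].add(r.domain)

    result = {}
    for members in clusters.values():
        reasons = [ind for ind, doms in by_indicator.items()
                   if len(doms) >= 2 and set(doms) <= members]
        result[frozenset(members)] = sorted(reasons)
    return result


def linked_to(seed, records, shared_hosting_ips=frozenset()):
    """Domains in the same cluster as `seed`, excluding the seed itself."""
    for members in cluster_infrastructure(records, shared_hosting_ips):
        if seed in members:
            return sorted(members - {seed})
    return []


if __name__ == "__main__":
    for members, reasons in cluster_infrastructure(SAMPLE_RECORDS, SHARED_HOSTING_IPS).items():
        print(sorted(members), "<-", reasons)
```

With the constructed data, the seed site reaches `appstore-mirror.test` only through two hops (shared e-mail to `press-hub.test`, shared IP to `cartoon-site.test`, shared e-mail again), which is why the clustering is transitive; the shared-hosting exclusion is what keeps `unrelated-blog.test` out. In practice each edge should be time-bounded (the indicator must have been observed while both domains were active) and a single IP overlap alone treated as a lead rather than a conclusion.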

(Reporting by Jack Stubbs in LONDON, Christopher Bing in WASHINGTON; Additional reporting by Bozorgmehr Sharafedin in LONDON; Editing by Damon Darlin and Grant McCool)