This morning, a company called SecurityScorecard published a report on states' cyber postures.

It painted a grim picture, but several states told me it was wildly inaccurate. And while the company said it alerted states in advance, they say it didn't.

subscriber.politicopro.com/newsletter/202…
This situation highlights how security firms seize on cyber crises like election fears to raise their profile — sometimes in less-than-honest ways.

@POLITICOPro subscribers can get the full story in today's @MorningCybersec (link in prev tweet), but here are a few key tidbits...
SecurityScorecard's report gave 75% of states/territories a "C" or below, incl. 6 battleground states, 2 of which (IA+OH) got a "D."

The company scanned public-facing IT systems throughout state gov, not just elections, and scored factors from patching speed to network security.
States vehemently disputed the company's methodology and findings.

Iowa told me that the report described vulnerabilities that were fixed more than 15 years ago.

North Dakota said it looked mostly at IP addresses on guest Wi-Fi networks and other largely segmented systems.
"Honestly, I’ve seen my third grader do a deeper, more thoughtful analysis than these guys,” Jon Keeling, a spokesman for Ohio's secretary of state, told me. “It’s a joke.”

ND CISO Kevin Ford said SecurityScorecard "didn’t validate their findings."
State officials unanimously blasted SecurityScorecard for hyping supposed vulnerabilities weeks before the election.

Kevin Hall, a spokesman for Iowa's secretary of state, said they were “looking to generate publicity and revenue without doing their homework and fact-finding.”
Then there's the issue of notification.

The company's outside PR rep said it notified state IT offices.

Multiple IT offices said they'd never heard of this report before.

The company's GC said it shared w/ MS-ISAC.

MS-ISAC spox said it only got summary, not detailed findings.
SecurityScorecard says it just wanted states to use the free services it's offering through @DefendCampaigns and it hoped to raise awareness of IT underfunding so Congress will help states.

But state officials have good reason to suspect otherwise. propublica.org/article/report…
.@CISAgov isn't happy with the report, either.

A spokesperson told me that SecurityScorecard's strategy of promoting its report without fully consulting states is "unfortunate."

"While this might make for good headlines, it doesn’t make for good security."
There's an inherent tension in the cybersecurity vendor community. They make money from fixing problems and offering protections, so they have to highlight problems to demonstrate their worth.

But as this incident shows, how they handle that pitch makes a big difference.
Addendum:

I forgot to mention that I went back and forth with SecurityScorecard several times trying to get answers to basic Qs. They offered a general defense of their methodology but did not address the specific criticisms or the notification issue.

I gave them ample opportunities.
So after my writeup and tweets yesterday, SecurityScorecard asked for a conversation and I chatted with them.

They recognize that they made some mistakes but think it's more important to focus on the future, and on helping states improve.

subscriber.politicopro.com/newsletter/202…
“Our intent was not to feed into the narrative that states are not able to conduct a fair and safe election,” Sachin Bansal, their GC, told me, noting that the report went beyond elections. “We intended to start a dialogue. ... We certainly did not intend to create any chaos.”
While the report's rollout "ruffled some feathers," said Monika Hathaway, who works for the company's PR firm, "I think we got to our end goal, which is engaging states."
As of our conversation yesterday, 9 states had signed up for SecurityScorecard's services, including Iowa, which told me on Wednesday that it hadn't heard back from the company after requesting a copy of the report.

SecurityScorecard said it has also talked to orgs like NASED.
The company reps were reluctant to dwell on states' frustrations when I asked about the miscommunication and the false claims of notifications.

They said they went to the MS-ISAC with this report because previous efforts to reach individual states didn't work out.
As far as timing, SecurityScorecard said states could still fix some problems pre-election — including one you probably heard about recently.

“There are active Trickbot infections in Florida and Georgia," their GC said, "and these can be cleaned up in the next couple of weeks."
SecurityScorecard's main goal seemed to be convincing the public that they're not some fly-by-night firm hoping to make a buck off of security fears.

"This is not a hit job," said Mike Wilkes, their CISO. "This is the beginning of a serious effort to work on improving security."
Another addendum (we're having fun here!): SecurityScorecard told me yesterday that Iowa had joined their platform, but the company admitted to me today that that wasn't true. They shared their full findings with Iowa this afternoon after I went back and forth with both parties.
