Sudanese Hackers: Lessons in International Lawlessness

 

Up until last spring, if you wanted to cause real problems to almost any organization with a substantial web presence, all you had to do was get on the instant-messaging service Telegram and get in touch with a shady outfit called Anonymous Sudan.  There you could pay as little as $150 a day—or a discount of $700 for a whole week—to arrange a distributed denial-of service (DDOS) attack on the website of your choice. 

 

The people running this service were two Sudanese brothers, Ahmed Salah Yousif Omer and Alaa Salah Yusuuf Omer, who operated a highly sophisticated network of cloud-based servers that nimbly evaded most security measures.  In 2023, the pair claimed responsibility for attacks on the websites of PayPal, Twitter/X, and OpenAI, as well as attempts on the U. S. Federal Bureau of Investigation site.  They paid special attention to targets in the Los Angeles area, hitting at least 70 LA-based institutions, including the Cedars-Sinai Medical Center. 

 

Because that particular attack indirectly threatened the lives of patients by disabling the medical center's emergency facilities and forcing them to send patients elsewhere, Ahmed Salah is charged with life-threatening actions that could lead to a life sentence.

 

The world found out about this earlier this month when the U. S. Department of Justice (DOJ) issued a press release saying that the brothers had been arrested back in March, and that critical parts of their software and hardware have been seized and disabled.  The DOJ didn't say where they were imprisoned, but apparently extradition must take place before they can be tried in the U. S.  The Anonymous Sudan attacks had a definite political flavor, as they coordinated an attack on an Israeli alert system on Oct. 7, 2023, the day of the Hamas attack that killed over 1100 people and resulted in the capture of about 250 hostages.  And Cedars-Sinai Hospital has its roots in the old Cedars of Lebanon hospital founded by Jewish businessman Kaspare Cohn in 1902.

 

DDOS attacks are nothing new, and in the continuously escalating rivalry between computer security efforts on the part of private industry and governments on the one hand, and hackers on the other hand, it's not surprising that an outfit like Anonymous Sudan would offer their services for sale.  Because of the international nature of the Internet, any effort by a single government agency such as the FBI is hampered by the need to deal with and through governments of other nations, specifically Sudan in this case.  From a purely administrative point of view, it would be much easier if we just had a single world government, because its FBI equivalent could freely travel and exercise power anywhere in the world without the inconvenience of having to establish extradition treaties and so on.

 

But there are excellent reasons not to have a single world government, stemming mainly from the fact of original sin.  Even well-intentioned organizations like the FBI make mistakes from time to time, and so it's not a good idea to empower them, or anybody else for that matter, with worldwide police authority.  Instead, they must develop diplomatic connections and a complex web of informal agreements of which I have no detailed knowledge.  Suffice it to say that a huge amount of behind-the-scenes negotiations and even power plays must have occurred for these two characters to get arrested, wherever they were, and their server farms taken down.

 

In order to evade arrest and conduct a highly profitable and politically influential business for so long despite the best efforts of industries and governments to stop them, these guys must have had a great deal of raw talent.  Why didn't they take those abilities and put them to use in a way that would benefit the world at large rather than harm it? 

 

The final answer is locked in the privacy of their souls, so we can only speculate.  What alternatives for employment did a clever boy interested in computers have growing up in Sudan?  The Wikipedia article on the country's economy says that agriculture and petroleum are the leading sources of wealth, with a smattering of light industry and a growing medical sector.  In the U. S., such a smart pair as the Omer brothers could have found some venture capitalists interested in a wacky idea of theirs, and they could have started a company doing something legitimate.

 

But in Sudan, that does not appear to be an option.  It may have seemed to them that the only way to get rich quick with their computer skills was to walk on the dark side, and so they developed their for-profit DDOS service, and on the way did what they could to benefit the anti-Israeli cause espoused by so many predominantly Muslim countries.  In a certain frame of mind, one could view any attack on any private or public organization based in the Great Satan (the U. S.) was a blow struck for good in the ongoing battle between the Islamic forces of righteousness and the evil empire headed by the United States and its sinister support for the Little Satan, Israel.  It all depends on your point of view.

 

We may never learn the true motivations for the activities of Anonymous Sudan, but clearly the same conditions that gave rise to those hackers exist in other parts of the world.  Law enforcement of the type that led to their capture has at least two good reasons to exist. 

 

First, it puts a stop to the harmful activities of the criminals who are arrested.  The expertise of the Omer brothers is no longer at the disposal of other crooks who would like to pay a few bucks to cost hospitals and government organizations millions of dollars in hacking damage.  (Viewed in terms of return on investment, though, it was a real bargain.  Many criminal enterprises are.) 

 

Second, it serves notice to other criminals that if you keep doing what you're doing, you may well get caught.  I don't think the FBI will ever become effective enough to scare all hackers into hiding, unless we somehow manage to get that world government that is the pipe dream of administrators, but by then we'll be dealing with a whole other set of problems.  But we can thank the FBI and everyone who helped them for eliminating at least this particular source of hacking woes, and serving notice that hiding in a country with a chaotic government is no protection against being arrested. 

 

Sources:  The DOJ press release announcing the arrest of the Omer brothers is at https://www.justice.gov/usao-cdca/pr/two-sudanese-nationals-indicted-alleged-role-anonymous-sudan-cyberattacks-hospitals.  I also referred to a report at https://krebsonsecurity.com/2024/10/sudanese-brothers-arrested-in-anonsudan-takedown/and the Wikipedia websites on the economy of Sudan and Cedars-Sinai Medical Center. 

 

CrowdStrike Violates "No Headlines" Rule

 

An old friend of mine summarized engineering ethics for me once in two words:  "No headlines."  Meaning, I suppose, that if an engineering firm does its job right, there is no reason for it to show up in news headlines, which tend to focus on bad news. 

 

Well, the cybersecurity firm CrowdStrike, based just up the road from me in Austin, Texas, managed to break that rule spectacularly last Friday, July 19, when they issued what was supposed to be a routine "sensor configuration update." 

 

CrowdStrike makes cloud-based software that helps prevent cyberattacks and other security breaches, and one part of doing that involves sensing attacks.  Because the nature of cyberattacks changes daily, security software firms such as CrowdStrike have to update their software constantly, and so that includes updating the sensor parts too.  It's not clear to me whether it gets installed by IT departments or individuals, but I would suspect the former.  Its product that was involved in the update last Friday, called Falcon, is used exclusively on Microsoft Windows machines, of which there are about 1.4 billion in the world.

 

Something was radically wrong with the update sent out near 11 PM Austin time, because on about 8 million PCs, a logic error in the update caused them to freeze up and exhibit the famed "blue screen of death" (BSOD).  One way I tell my students that they can assess the relative importance of a given technology, is to imagine that an evil genie waves a magic wand at midnight, and suddenly all examples of that technology throughout the world vanish.  How big would the disruption be? 

 

Well, something like that happened Friday, and the disruptions made a ton of headlines.  Most major U. S. airlines suddenly found themselves without a scheduling or ticketing system.  Schools and hospitals across the U. S. were deprived of their computer systems.  Some 911 emergency-call systems in some cities crashed. 

 

CrowdStrike CEO and co-founder George Kurtz issued an apology Saturday, saying on a blog post "I want to sincerely apologize directly to all of you for today's outage."  Once their engineers discovered what was going on, CrowdStrike rushed to provide a fix, which involved rebooting the paralyzed PCs into safe mode, deleting a certain file, and rebooting.  But multiply that fairly simple task, which could be done easily by an IT tech and with difficulty by anyone else, times 8.5 million PCs, and it was clear that this mess wasn't going to be cleaned up overnight.

 

As computer foulups go, this one was fairly minor, unless you were trying to get somewhere by plane over the weekend.  I don't know for sure, but it's possible it could have been avoided if CrowdStrike had a policy of trying out each of their updates on a garden-variety PC to make sure it works.  Maybe they did, and there's some subtle difference between their test bed and the 8.5 million PCs that froze up.  That's for them to figure out, assuming that they weather the storm of lawsuits that may arise on the horizon once the accountants of affected organizations figure out how much revenue was lost in the flight delays, scheduling problems, and other issues caused by the glitch.

 

The crowning irony of the whole thing was, of course, that the problem was caused by software that was designed to prevent problems.  This isn't the first time that safety equipment turned out to be dangerous.  In the auto industry, a years-long slow-motion tragedy was caused by the carelessness of Takata, a manufacturer of airbag inflators, which sold inflators with a defect that caused them to detonate and send flying metal shrapnel into the car's passengers instead of just inflating the airbag.  After years of recalls, Takata declared bankruptcy in 2017 and is out of business.

 

One hopes that this single screwup will not spell doom for a cybersecurity company that up to now seems to have been doing a good job of preventing computer breaches and otherwise keeping out of trouble.  It's a public corporation with about 8,000 employees, so it's unlikely that giant firms such as American Airlines could recoup their losses without just bankrupting the whole outfit.  If Microsoft itself was directly responsible, that would be another question, but Microsoft's only involvement was the fact that the product was used only on Windows machines. 

 

This whole episode can serve as a cautionary experience to help us prepare for something bigger that might come down the technology pike in the future.  Malicious actors are constantly trying to exploit vulnerabilities for various nefarious purposes, ranging from vandalistic amusement all the way up to strategic military incursions mounted against multiple countries.  It would be worth while to imagine the worst that could happen computer-wise, and then at least ask the question, "What would we do about it?" 

 

My sister works at a large hospital where they have toyed with the idea of deliberately turning off all their computers once every so often, and trying to keep their operations going with paper and phones.  They've never mustered the nerve to do it, partly because there are some things that would be flat impossible to do, and the reduction in service capabilities would be a disservice to the public they have committed to serve. 

 

But for organizations that could manage it, it would be a worthwhile exercise to see if doing without computers for a set time is possible at all, and what would have to change to make it possible if it isn't presently. 

 

In researching this article, I discovered that of those 1.4 billion PCs running Windows out there, about 1 billion of them are still running Windows 10, which is set to go out of business some time in 2025.  I happen to own one of those legacy Windows 10 machines that can't be upgraded to Windows 11 because of some newfangled Windows 11 hardware requirement.  So we can expect another disruption around October of 2025 when Windows 10 support ends.  Let's just hope it isn't as sudden and startling as the CrowdStrike blue screens of death.

 

Sources:  I consulted the articles "Huge Microsoft Outage Caused by CrowdStrike Takes Down Computers Around the World" at https://www.wired.com/story/microsoft-windows-outage-crowdstrike-global-it-probems/, "CrowdStrike discloses new technical details behind outage" at https://www.scmagazine.com/news/crowdstrike-discloses-new-technical-details-behind-outage, https://www.zdnet.com/article/is-windows-10-too-popular-for-its-own-good/

for the statistic about Windows computers, and the Wikipedia article on CrowdStrike.

The Surveillance State of the Olympics

 

On this date, Feb. 6 of 1936, the Winter Olympics opened in Garmisch-Partenkirchen, Bavaria—the last time both the Winter and Summer Olympics were held in the same country in the same year.  The Olympics that year attracted some controversy in the U. S. because of the nature of the German political regime under Chancellor Adolf Hitler, who had by then been in power only three years.  But the argument that sports should be independent of politics won out, and so the U. S. went on to participate in both sets of Olympic games.

 

Last Wednesday, the 2022 Winter Olympics kicked off in the Peoples' Republic of China.  The U. S. is once again participating, although the Biden administration has enforced a diplomatic boycott of the event in protest of  "the PRC’s ongoing genocide and crimes against humanity in Xinjiang and other human rights abuses.”  Britain, Australia, and Canada joined the U. S. in the diplomatic boycott, which does not prevent athletes of those countries from participating in the games.  Chinese government representatives fired back that the U. S. was taking actions that “politicize sports, create divisions and provoke confrontation," according to the Center for Strategic and International Studies.

 

If you are an athlete or anyone else attending the games, the Chinese government is requiring you to download an app to your smartphone called "My 2022," two weeks before your arrival, and make daily reports of the state of your health.  Ostensibly, the app is supposed to help the government achieve a 100% COVID-free event.  But when computer scientists examined the app, they found serious security flaws in it that can allow not only the Beijing government but random hackers to gain entry to your phone.

 

It's no surprise to Chinese citizens that the My 2022 app is full of holes.  The Chinese government explicitly reserves the right to access any information stored on an electronic device.  My 2022 just makes it easier for them to do so.  According to the University of Toronto's cybersecurity group Citizen Lab, the app can transmit confidential information such as passport and travel data with encryption that can be "trivially sidestepped."  So even before leaving the U. S., Olympic athletes and anyone else attending will be subject to the Chinese national security apparatus.

 

Some people may not be bothered by this.  After all, there is some weight to the argument that sporting events shouldn't be politicized.  But it seems to me that the only way to completely divorce politics from sports is to have all competitors hail from the same political entity.  Victor Cha, writing on the Center for Strategic and International Studies website about the U. S. diplomatic boycott, quotes famed anti-totalitarian author George Orwell as saying, "sport is war minus the shooting."  Any time you have competition, you're going to have partisan cheering, even at the most humble level of small-town sporting events like the Ponca City Wildcats playing against the Enid Plainsmen in the wilds of northern Oklahoma. 

 

So at the basic level of identification, all sporting events are politicized.  What Beijing objects to is not mere identification with the participants, however, but any action that singles China out as being a less worthy player on the international political stage. 

 

Are they?  Consider the fact that for the last decade or more, China has been busily constructing a surveillance state that goes beyond the wildest dreams of Orwell's Nineteen Eighty-Four.  One of the most chilling aspects of that book, which came out in 1949, was the omnipresence of "telescreens" which simultaneously broadcast state propaganda from "Big Brother" and spied on people.  Back then, readers reassured themselves that this was rank science fiction, because no regime could possibly afford to hire half the population to spy on the other half, and so most of the time, nobody was watching on the other end.

 

That was before the Internet and the advent of artificial-intelligence (AI) systems that can recognize faces, voices, and certain words, such as the 2,422 terms in the "illegalwords.txt" file bundled with the My 2022 app.  In it are phrases such as "Tiananmen Riot" and "Dalai Lama." Woe unto anyone who uses those words at the Olympics this winter.

 

China's goal is to use any information it can get to establish social-credit scores that determine the degree of freedom allotted to each citizen.  People who behave well, according to standards set by the government, can travel, hold jobs, visit certain places, and behave almost like free citizens.  Those lacking a high social-credit score find that their privileges are suddenly withdrawn, and may feel some sympathy with the Uighur people of Xinjiang Province, many of whom have disappeared into "reeducation camps" for no other reason than their identity.

 

If anyone happens to download this blog onto their My-2022-equipped phone, I will not be held responsible for the consequences.  But it doesn't matter, because the truth about the Beijing regime isn't affected by what I say about it, or by what anybody else says or doesn't say about it.  The Chinese surveillance state has to be one of the grandest violations of human rights, extended over time and space, that the world has ever seen.  Because it has been put in place gradually and folded into the other routine malfeasances and wrongdoings of the regime, it hasn't attracted that many headlines, and billions of people in China manage to go about their business without being seriously inconvenienced by it.

 

But it's like living in a house with four-foot ceilings.  Nobody would want to live there if the ceilings were dropped all in a day, but if they were moved down three inches a year, you might be able to get used to it.  But it still wouldn't be a good thing.

 

I can't help but wonder what the endgame will be in China.  Germany overreached its hand, and in 1936 the thousand-year reich actually had less than a decade of future left.  China clearly covets world domination, and in some measures it is well on the way to achieving it. 

 

But a world in which true freedom is vanquished by an AI-enhanced surveillance regime and every action is monitored and evaluated, is not a world I would care to live in, given a choice.  So far, we still have a choice.  Let's learn from our experience with things like My 2022 that the choice is worth preserving.  

 

Sources:  I used material from the following websites:  VOA News at https://www.voanews.com/a/required-app-raises-fears-china-will-track-sensitive-data-during-olympics-/6412900.html, Japan Forward at https://japan-forward.com/attending-the-beijing-winter-olympics-use-a-burner-phone/, CSIS at https://www.csis.org/analysis/biden-boycott-2022-beijing-winter-olympics, and the Wikipedia articles on the 1936 Winter and Summer Olympics. 

The SolarWinds Data Breach: Should We Care?

 

The year 2020 will go down in history for a number of reasons, but the cherry on the disaster cake hit the news in mid-December.  Cybersecurity investigators discovered that some software provided by the Austin, Texas network-monitoring software firm SolarWinds was "trojaned" some time in early 2020.  Hackers, later identified as Russian, managed to insert malware into an update of Solar Winds's popular network-monitoring software, and this allowed the hackers to access customers' emails and other supposedly secure data from around March of 2020 until one of SolarWind's customers noticed that someone had stolen some of their cybersecurity tools, and notified the company.  In similar attacks, Microsoft software was similarly compromised.

 

This was a complicated and well-organized exploit, as the hackers focused their attention on high-value targets such as government agencies.  Wikipedia's article on the breach reads like a list of a spy's dream targets:  the Department of Defense, the National Nuclear Security Administration, the National Institutes of Health (in the midst of the COVID-19 pandemic, yet), the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, the Department of State, and the Department of the Treasury.  As in any spying operation, most of what they got won't be that useful to them, but some of it very well may be. 

 

Fortunately, the hackers did not use their access to lock files or cause other disruptions that might have drawn premature attention to what they were doing.  They were spying, not sabotaging.  But of course, what they learned may help them commit sabotage in the future.  We simply don't know.

 

How did this happen?  In the case of SolarWinds, the hackers gained access to the firm's "software-publishing infrastructure" way back in October of 2019.  Clearly, the company's own security measures were insufficient to prevent this initial breach, which if caught could have stopped the whole attack in its tracks.  But something as simple as carelessness with passwords can allow hackers into a system.  Hacking is like burglary, in that ordinary defenses stop the average burglar, but if a huge sophisticated gang decides to focus on your house, there's not a lot you can do to stop them.

 

And SolarWinds was the focus of the Russian hacking group known as "Cozy Bear" because of their critical place in the software supply chain.  Thousands of firms use their network-monitoring software, which meant that "trojanizing" a SolarWinds software update gave the hackers potential access to any of SolarWinds's customer's systems.  And that is exactly what happened.

 

Once the breach was discovered last month, SolarWinds went public and warned its customers of the problem.  But as one expert interviewed on the breach put it, fixing the leaks that the hackers established is like getting rid of bed bugs:  sometimes they are so spread out that finding each individual bug is an impossible task, and you have to burn the mattress.  The reason is that once the attackers got into a system, they could wander around and establish more access points.  And stopping the original breach does nothing about those access points, which can be hard to find.  So even though we know how the hackers got in, it's not going to be an easy matter making sure that they can't keep spying on their victims without throwing out a whole lot of software and starting over from scratch.

 

What difference does all this make to the average Joe or Jane?  If you don't work for one of the affected companies or agencies, should you even bother to put this on your already-lengthy worry list? 

 

In itself, the breach's consequences are unpredictable.  Governments keep some things secret for good reasons, mostly, and when those secrets are revealed, bad things can happen.  We are not currently in direct hand-to-hand conflicts with Russia, but there are low-level military operations going on all over the world, many of which the U. S. is involved in without the knowledge of the general public.  As in any military operation, intelligence about plans or proposed actions can be used against you if it leaks, so for one thing, our military forces have been put in a potentially bad situation.  But again, it's hard to tell yet.

 

During World War II, the Germans were largely unaware that the Allies had breached their most-secure code system with the Turing-inspired "bombes" of Bletchley Park, because any military advantage that the Allies' decoding operations gave them was carefully disguised to look like luck.  So we can expect Russia to disguise any advantages it's attained from the Cozy Bear attacks similarly, although we now know roughly what they've been up to. 

 

Institutions change slowly, and the old saying that generals in a new war start out by fighting with the previous war's weapons is still true.  There will always be a need for troops on the ground in some situations, but as more and more commerce and activity of national importance takes place in cyberspace, future battles will also be staged more and more in the digital realm. 

 

As we know from bitter experience in other areas of engineering ethics, it usually takes a spectacular tragedy to inspire major institutional change that could have prevented the tragedy in the first place.  We have been relatively fortunate that bad consequences from cyberattacks on U. S. targets have not approached the magnitude of a 9/11, for example.  Probably the worst ones have been ransomware attacks mounted by apparently private criminal groups that shake down organizations for money, usually in the form of bitcoin.  While serious for the organizations targeted, these sorts of attacks have not up to now appeared to be part of a coordinated terrorist-like systematic assault on the nation's infrastructure.

 

Such an attack could come at any time, however.  And the fact that Cozy Bear hackers were reading the Pentagon's mail for the last nine months does not inspire confidence in the ability of our nation's cyber-warfare personnel to prevent such attacks.  Until we take cyberwarfare fully as seriously, if not more seriously, than attacks with conventional weapons, we are effectively inviting hackers to see what they can do to disrupt life in the United States.  Let's hope they don't try any time soon.

 

Sources:  I referred to an article by Kara Carlson of the USA Today Network which appeared on the Austin  American-Statesman's website on Dec. 30 at https://www.statesman.com/story/business/2020/12/30/solarwinds-breach-could-shape-cybersecurity-future/3999961001/.  I also referred to a chronology of the attacks on the channele2e website at https://www.channele2e.com/technology/security/solarwinds-orion-breach-hacking-incident-timeline-and-updated-details/, and the Wikipedia article "2020 United States federal government data breach."

Russian Interference in Elections: Fancy Bear is Not Exactly What We Had in Mind

Excuse the long title, but whenever humorist Roy Blount Jr. would run across something totally contrary to his expectations, he would say mildly, "Well, that's not exactly what I had in mind."  By a convoluted series of circumstances, we in the U. S. have become vulnerable to election interference by a foreign power in a way that few people anticipated.  This is a lesson in how novel technologies and aggressions can outwit both legislators and organizations dedicated to preventing such aggressions.  And novel countermeasures—some of them possibly costly in both money and convenience—may be needed to deal with them.

Historically, it has been difficult for non-U. S. citizens or foreign countries to interfere with U. S. elections.  While the fear of such interference has always been present to a greater or lesser degree, my amateur historical memory does not bring to mind any significant cases in which a foreign power was clearly shown to have acted covertly in a way that provably influenced the outcome of a national election.  Laws prohibiting foreign campaign contributions acknowledge that the danger is real, but if such interference happened in the past, it was so well concealed that it never got into the historical record. 

Ever since there were governments, there have been privileged communications among those in power which, if disclosed in public, might prove to be embarrassing or even illegal.  But until recently, these communications took place either by word of mouth, by letter and memo, or by phone.  And considerable espionage work has to be done to intercept such communications.  You have to have a spy or a listening device in place to overhear critical private discussions.  You have to steal or secretly photograph written documents, and you have to tap phone lines.  All of these activities were by necessity local in nature, meaning that a foreign power bent on obtaining embarrassing information that could sway an election had to mount a full-scale espionage program, with boots on U. S. soil, and take serious risks of being caught while engaged on a fishing expedition that might or might not reveal any good dirt, so to speak. 

Then came the Internet and email.

While much email physically travels only a few miles or less, it passes through a network in which physical distance has for all intents and purposes been abolished.  So if I email my wife in the next room, somebody in Australia who simply wants to know what I'm emailing can try to hack into my emails and, if successful, can find out that I'm asking her to get crunchy raisin bran at the store today.  Nobody in their right mind would bother to do such a thing, but the Internet and email have made it hugely easier to carry out international spying on privileged communications of all kinds.  The kinds of spying that used to be done only in wartime by major powers can now be done by a few smart kids in some obscure but hospitable country.  And here is where Fancy Bear comes in.

A private security firm in Japan has discovered signs that the same group probably responsible for hacking the Democratic Party's emails during the 2016 elections is trying to mess with the Congressional elections coming up later this year.  An elaborate mock-up of the internal Senate email system has been traced to this so-called Fancy Bear group, which evidently has ties to Russia.  Such a mockup would be useful to entrap careless Senate staffers who might mistakenly reply to an email that looks legitimate, but is in fact a kind of Trojan horse that would allow the Russians (or their minions) access to all further emails sent through what looks like a legitimate site, but is in fact a trap. 

I am not a cybersecurity expert and won't speculate further on how the Fancy Bear people do their dirty work.  But the fact that they are still out there working to steal emails and release them at times calculated to throw U. S. elections one way or the other, brings to mind two things that we need to consider.

1.  Messing with electronic voting is not the main cyber-threat to our election system.  Much concern has been expressed that electronic voting systems are not as secure as they should be.  While this is probably true, it doesn't appear to be a significant problem that has actually resulted in thrown elections, except perhaps in small elections at the local level, and usually by accident rather than by design.

2.  We may have to trade some Internet freedom for security in guarding U. S. elections against foreign interference.  The moral innocents who designed the Internet back in the 1970s made the mistake of assuming that everybody who would use it was just like themselves, or rather, their polished-up image of themselves:  sincere, forthright, open, and filled with only good motives.  One wishes that the concept of original sin had been included in every computer-science curriculum since the discipline began in the 1960s, but that isn't the case.  The radically borderless and space-abolishing nature of the Internet brings foreign threats and interference to everyone's doorstep.  With the click of a button in Uzbekistan, Maude in Indianapolis can read the latest fabricated scandal on Facebook about the guy she was thinking of voting for, or hear on the news that his private emails to his mistress have been posted on Wikileaks. 

Not that I condone elected officials who have mistresses.  But these are examples of the kinds of things that can go on once everybody routinely uses a medium which, under present circumstances, is about as private as yelling your credit card number to somebody on the other side of Grand Central Station.

To make email as secure as the U. S. Postal Service, we obviously require more rigid and well-organized security protocols than we have had up to now.  My own university has recently gone to a two-step verification system that is inconvenient, but greatly heightens the security of certain privileged communications such as entering grades.  It may be time for everyone concerned in elections—political parties, governments, and private citizens—to agree to some kind of inconvenient but more secure email approaches, applied uniformly with government regulation if necessary, so that we can get back to where we were in terms of preventing outsiders from interfering with our most characteristic action as a democracy—electing those in power.

Sources:  The AP report by Raphael Satter "Cybersecurity firm:  Senate in Russian hacker crosshairs" was published on Jan. 12 and carried by numerous papers, including the Washington Post at https://www.washingtonpost.com/business/technology/cybersecurity-firm-us-senate-in-russian-hackers-crosshairs/2018/01/12/150ca956-f799-11e7-9af7-a50bc3300042_story.html.