Hackers Demanding Ransoms Paralyze City Computer Systems In The U.S.

Jun 13, 2019
Originally published on June 14, 2019 7:28 am
Copyright 2019 Fresh Air. To see more, visit Fresh Air.

DAVE DAVIES, HOST:

This is FRESH AIR. I'm Dave Davies in for Terry Gross, who's off this week. As we become increasingly dependent on sprawling computer networks, we're increasingly vulnerable to hackers who exploit weaknesses in them. A recent trend is cyberattacks on American cities. Last year, hackers in Dallas gained the ability to turn on tornado sirens at will. And for weeks, the city of Baltimore has struggled to revive computer systems paralyzed by hackers demanding money.

Our guest, New York Times cybersecurity correspondent Nicole Perlroth, says even more troubling is the fact that the Baltimore hackers used stolen cyberweapons originally developed by the U.S. National Security Agency. Perlroth has reported on the proliferation of cyberweapons used by countries against each other, by hackers against governments and corporations and by private security firms willing to give clients digital espionage capabilities for the right price. Perlroth has also reported on concerns about interference in the 2020 presidential campaign and evidence that voting technology may have been hacked in one swing state in the 2016 election. I spoke to her yesterday.

Nicole Perlroth, welcome to FRESH AIR. We've seen cases where cities have suffered cyberattacks. One of the best known as Baltimore. Let's take that as an example. What happened?

NICOLE PERLROTH: Well, about a month ago, cybercriminals infected Baltimore with a type of ransomware, which is just malware that locks up your systems. And the attackers will demand a ransom to unlock them. And in Baltimore's case, they demanded bitcoin payment in the form of, I think, something like $100,000. And for the last month, Baltimore has been trying to unravel this thing. They have not paid their attackers. And as a result, it looks like they're up against something like $18 million in lost revenue and damages.

So, effectively, what's happened is people have not been able to pay parking tickets. They haven't been able to pay their water bills. The real estate agents have not been able to close deals because there's a process by which they need to check existing liens on Baltimore City network, so all of these systems have been paralyzed using this ransomware.

Now, on the back end, essentially what happened is Baltimore looks like they hadn't patched for some of the malware that was able to take over their systems. And one particular aspect of the attack that caught our attention was that contractors on site - and we know there are at least four contractors on site - picked up, in one case, a hacking tool on Baltimore's network called EternalBlue that was stolen from the National Security Agency a couple of years ago.

Now, that tool has been used in ransomware attacks all over the country recently. So some of the other places it's popped up were an attack in San Antonio, Texas, and an attack in Allentown, Pa., which were very different from Baltimore's but enough that they caused significant damage, at least in Allentown's case as well.

DAVIES: When this happens, it seems the cities don't say very much about this. Is this PR damage control or is there a good operational reason for being so reticent to talk about it?

PERLROTH: I think there's been quite a bit of victim shaming for a long time that if you get hit by one of these attacks, it's your fault, that there's something you did to not adequately protect your systems. And I think a lot of the victims come at this from a defensive crouch, basically. But the reality is we're getting to a point where most cities are facing a million of these attacks every week - not successful in many cases, but this is now what local municipalities are up against.

And in Baltimore's case, this became particularly sensitive because one of the hacking tools that was found on its network was a tool that was stolen from the NSA for which there was a patch made available almost two years ago. So there was some culpability on Baltimore's part that they had not kept their software up to date or patched their systems for the vulnerability that was exploited on its network. And I think that's where you start to see some of this defensiveness come into play.

DAVIES: A patch being a software update from, you know, Microsoft or one of the software companies they were using - you said cities are suffering millions of attacks. Does that mean millions of individual probes, like phishing emails, that kind of thing?

PERLROTH: Exactly, millions of probes or incidents or types of malware trying to hit their systems. Now, many of these are not successful or they don't get past the firewall or they try to exploit a vulnerability in software that's been patched already, but this is what cities are up against.

And in many cases, cities just don't have the big budgets for security that, say, J.P. Morgan or Bank of America do, which get hit with even more attacks but not too many more than local cities these days. And the reason that cybercriminals have targeted American cities - and I should say this is happening all over the world - is that so many critical systems are now connected to the Internet.

And cities are in a place where they're managing these sprawling networks. In most cases, they don't even know what's on their network. And when they get hit by a ransomware attack, the immediate instinct is just pay them. Just pay the attackers so that we can go back to our business, when, in reality, cities are tied up in red tape. They can't pay these attacks or if they did, they would have to do so very quietly.

And in a city like Baltimore, which is struggling with gun violence and monitoring street drugs, it's a really hard sell to say, we're going to allocate some of the budget to pay off a group of cybercriminals so we can get our data back. In the case of Baltimore, it's got into a place where the attack has been so public, city officials were left in a position where they felt like they couldn't pay. And what's interesting is the ransom that was demanded was something like $100,000, but the losses from lost revenue and the cost of remediation cleaning up from that cyberattack is now nearing $20 million.

DAVIES: Are cities or, you know, municipal authorities paying ransoms? Do we know?

PERLROTH: Many quietly are. And the reason we know that is because a lot of these ransoms come in the form of bitcoin demands. And if you look at some of the bitcoin wallets that belong to the attackers, you are seeing quite a few transactions. So we know in some cases, police departments have come out and said, we had to pay this ransom.

Hospitals, companies have been paying these ransoms. And the fact is, sometimes, it's just a lot cheaper to pay the ransom than to deal with the fallout of a huge attack that wipes all your records and all your data clean and paralyzes your networks.

DAVIES: And I don't know if you can give a general answer to this question, but what are the stakes if a city refuses to pay the ransom and simply decides it's going to repair the damage, restore the files? I mean, do they have to rebuild records by doing paper entries or are things lost forever? What happens?

PERLROTH: In some cases, cities have been able to recover their files through backups or other channels. But the fact remains a lot of data gets lost. And in many cases, it's not just that the data gets lost. It's the lost revenue from these attacks where people have not been able to close deals; people have not been able to collect parking ticket payments. They haven't been able to collect water bills. And the city essentially, in some cases, loses its tally of who has paid what.

DAVIES: And do we know who hit Baltimore or Atlanta or Dallas? I mean, do we know if it's one person or group of people that are - you know, have these tools and are going from town to town?

PERLROTH: Well, what's interesting is, in Atlanta's case, there were indictments that named a very famous group of ransomware criminals that was called the SamSam group. And the SamSam group was known for demanding pretty high ransom demands and also being pretty meticulous about the data that they locked up on systems. They really, in many cases, left victims no choice but to pay or lose all their data.

And what we didn't know until these indictments came out last year was that the SamSam group was actually a team of hackers in Iran. Now, there was no clear nexus between this group of Iranian cybercriminals and the state. But this is something they were doing from Iran for profit.

Now, in Baltimore, we still don't know. There's someone online who's taken credit for the attack. And I've heard from some people who track the dark Web that they believe it's an individual in Turkey. But we just don't know yet. In some of these other cities we may never know.

And that's sort of the danger of the Internet is that criminals and nation-states route these attacks through servers all around the globe. And attributing them to one group or one nation-state can take a very long time. And in some cases, it's just impossible.

DAVIES: When you pay the ransom, can you be sure that you'll get the files back? What does experience tell us?

PERLROTH: The experience tells us no. There are some groups who reliably unscramble your data. We know that. We know that the SamSam group, the group I just referred to from Iran, that they did unlock data in their ransomware attacks when victims did pay. But there are many, many other groups that do not.

And that's part of the decision-making process that these victims have to deal with is, if they pay and - especially in cities - if they get through that red tape where they can approve that payment and they can budget for that payment - and in a city like Baltimore that's already struggling with problems far bigger than their security budgets, it's a real dilemma.

If they pay, will the criminals on the other end unlock their systems? In some cases, these ransomware groups have a reputation to keep up, and they will reliably decrypt your systems, but in many cases, they won't.

DAVIES: Nicole Perlroth is a cybersecurity correspondent for The New York Times. We'll continue our conversation after a short break. This is FRESH AIR.

(SOUNDBITE OF PATTI SMITH'S "SMELLS LIKE TEEN SPIRIT")

DAVIES: This is FRESH AIR, and we're speaking with Nicole Perlroth. She is a cybersecurity correspondent for The New York Times.

You have reported that the attack on Baltimore and others were done using a cyberweapon that was developed by the NSA, the National Security Agency. Tell us a little about this. What is the weapon, and how did it get in the wrong hands?

PERLROTH: Well, for decades now, the National Security Agency has been essentially looking for vulnerabilities in software - often in Windows software, just because it gets used so much around the world - but obviously in firewalls and in apps and in your iPhone software. And the reason they're looking for those vulnerabilities is that if they find one and they can write code to exploit that vulnerability, it essentially gives them a backdoor into that system. And often what they're using it for is just espionage - to collect information off those systems.

So for years, the NSA has been looking for these vulnerabilities. They've been writing the code to exploit them. And they've been holding onto them in what we describe as sort of a stockpile of of hacking tools. Now, the problem with this is that, as opposed to, say, 30 years ago when we were just trying to get in to, say, the systems that Russia used at the Russian Embassy, that's no longer the case that Russia is using some different technology and we're using different technology here in the United States and China is using different technology. For the most part, we're all using the same technology.

So if the NSA is finding a vulnerability in that technology, they're not just finding it in Russia's systems or China's systems, they're finding it in technology that gets used by a lot of Americans. So over the last 10 years, the White House has tried to set up a process for discussing which of these vulnerabilities the NSA should turn over and which should be kept because they're so valuable to the NSA's intelligence-gathering mission.

DAVIES: And when you say whether they should turn them over, you mean what?

PERLROTH: Turn them over to companies like Microsoft, whose software was vulnerable in the first place, so that Microsoft can then patch that vulnerability and roll it out to their customers all over the world so they're no longer vulnerable to attacks that can make use of that vulnerability.

DAVIES: So Microsoft could send out an update so that, heaven - you know, you've got this vulnerability you didn't know about, it can be fixed provided you upload the update.

PERLROTH: Exactly. And over the last decade or so, the White House set up a process for this - to decide, OK, which of these vulnerabilities are so valuable we're going to keep them for intelligence-gathering? And which of these vulnerabilities, if discovered by one of our adversaries or by cybercriminals, could be exploited and cause so much damage or potential damage to American interests that it's far more logical that we would turn it over to a Microsoft, an Apple or Facebook or Cisco to patch just because the potential damage to American interests could be so great. And what's interesting is that as we've all sort of connected everything we possibly can to the Internet, more and more United States agencies have sent representatives into this process.

So whereas in the beginning it might just be representatives for the intelligence agencies and the Department of Homeland Security, who were a part of these discussions, now we know that there needs to be representatives from the Treasury, representatives from the Department of Health because so many - so much of the software touches hospitals and banks and trading systems. And if there is a vulnerability in that software that could be exploited to harm those interests, well, then those agencies need to be a part of that debate.

DAVIES: So it seems in this case, the NSA decided it had discovered this vulnerability. And it was in a Microsoft operating system, right? And they decided to keep it a secret so that they could use it. What happened?

PERLROTH: Well, we know that there was actually quite a bit of work that went into not only finding this vulnerability, which was just in a Microsoft Windows protocol. There was actually quite a bit of work - a team that spent many man hours making the code to exploit this in a way that wouldn't crash computer screens on the other end. And that was not easy. That took quite a bit of work by the NSA's engineers and algorithms to develop and exploit that could reliably hack into these Microsoft systems.

So part of what we learned in our reporting was that once the NSA had honed this, they considered it to be one of the most-valuable tools in their arsenal. They said it netted some of the best counter intelligence that they had and was - played a role in some of the biggest counterterrorism investigations that the NSA was participating in. So they actually said at no point did they consider turning this over to Microsoft for patching because it just played such a big role in their mission.

So fast-forward to 2016, a new group comes online. They call themselves The Shadow Brokers. We still have no idea who they are. And the group essentially starts threatening the NSA online and says, we have some of your hacking tools. They allude to some of the tools that they've stolen. And they begin to auction them for sale online.

Now, no one comes forward to pay for these things, in part for obvious reasons. But one year later, in early 2017, the group just goes ahead and dumps these tools online.

DAVIES: The program was called EternalBlue.

PERLROTH: Yeah. So EternalBlue was, like I said, one of the most-important tools in the NSA's arsenal. And to be fair, the NSA was using this tool for espionage. They weren't using it necessarily to destroy computers or to send out cyberattacks that were going to destroy data or paralyze networks. But that same tool could be picked up and used by nation-states and cybercriminals and built onto their own ransomware or malware for whatever they sought to do.

So what happened was - the first thing we saw was an about May of 2017. North Korean hackers took the NSA's stolen tool, EternalBlue, and put it on to some ransomware that that researchers called WannaCry. And they sent it around the world. And within about 24 hours, they had paralyzed the British health system and hit some 200,000 other victims - just in the first 24 hours.

DAVIES: What was their purpose?

PERLROTH: Well, in that case, the malware that they were sending around was ransomware. Now, unfortunately, the North Koreans hadn't put enough thought into this ransomware, and it wasn't that effective. In fact, if you paid for - to unlock your systems - and some did - the bitcoin wallet wasn't functioning. And no matter what, you wouldn't have gotten your data back.

But clearly there was a profit incentive here. And it was pretty interesting to see a nation-state send out ransomware like that. And it's not - had not been unprecedented. We'd seen this from hackers in Iran before. But it was such a wide-scale attack, and it paralyzed so many systems that it was a huge embarrassment to the National Security Agency.

DAVIES: Nicole Perlroth is a cybersecurity correspondent at The New York Times. After a break, we'll hear more about the cyberweapons stolen from the NSA and how they're being used around the world. And she'll talk about evidence that Russian hacking may have impaired voting systems in one North Carolina county in the 2016 presidential election. Also, Justin Chang reviews the new film "The Last Black Man In San Francisco." I'm Dave Davies, and this is FRESH AIR.

(SOUNDBITE OF FAREED HAQUE AND KAIA STRING QUARTET'S "QUINTET FOR GUITAR AND STRINGS - ALLEGRO VIVACE")

DAVIES: This is FRESH AIR. I'm Dave Davies in for Terry Gross, who's off this week. Let's get back to my interview with New York Times cybersecurity correspondent Nicole Perlroth. She's written recently about ransomware attacks, which have paralyzed computer networks in several American cities.

When we left off, we were talking about how some hacking tools developed by the NSA have been stolen by outside groups and used in cyberattacks, including one on the city of Baltimore. One of those NSA tools, which was stolen and posted on the Internet by an anonymous group called The Shadow Brokers, is called EternalBlue.

EternalBlue was, essentially, a way to get into a lot of computer systems. And once you had that tool, there are different kinds of mischief you could do once you penetrated it, right? - could be ransomware.

PERLROTH: Right.

DAVIES: It could be destroying files, whatever.

PERLROTH: Yeah, and it's not just a way to get into these systems. It's a way of spreading within these systems, so you can think of it almost like a way to supercharge your ransomware so it makes it out to as many systems as possible. And what happened a month later, after North Koreans put EternalBlue onto their ransomware, is Russia picked up EternalBlue. And this time, they attached it to ransomware that they aimed at Ukraine. And it was a hugely successful attack.

In fact, we now know that this was, perhaps, the most destructive, costliest cyberattack in history. We're talking about tens of billions of dollars of damages. And what was interesting that time - and the attack against Ukraine was called NotPetya but by some researchers who reverse engineered the code. What was interesting in that case was it didn't just hit Ukraine. It hit any business that had a remote employee in Ukraine or had an office in Ukraine or worked with a contractor there.

So we saw Mondelez - giant snack maker, makes Oreo cookies. They got hit by the NotPetya attack and have now reported something like $600 million in damages, so this was not something that was just an attack by Russia on Ukraine. This was an attack that boomeranged back to American companies and companies all over the world, where the damage was caused, in large part, by an American-made hacking tool - EternalBlue.

DAVIES: Wow. Now, last month, you and a couple of other reporters - David Sanger and Scott Shane - reported that the Chinese had acquired some NSA hacking tools and repurposed them to attack U.S. allies and private companies. Is this EternalBlue or is this something different?

PERLROTH: It's something different, but the exploit that they used was also among the tools that The Shadow Brokers dumped online in 2017. And what was interesting in this case is that it turns out that a group we had been tracking in China - very sophisticated Chinese contractor group that, in the past, had hacked a lot of aerospace, satellite space technology, even nuclear propulsion technology - had somehow discovered the NSA's hacking tool, we think, in an attack on China's own systems.

And they took it, and they repurposed it for their own attacks on American interests and allies all over the globe. So in that case, what was interesting was it's not like they took the tool after it was dumped online by The Shadow Brokers. They actually discovered it in the course of an NSA operation, picked it up, reverse engineered it and bolted it onto their own malware for their own espionage operations.

DAVIES: So a weapon aimed at them, they effectively captured and turned it around and used it against their attacker.

PERLROTH: Exactly. And what's interesting about that case is it raises questions about, how safe can the NSA keep its most valuable cyberweapons? So clearly, in the case of Shadow Brokers, we still don't know how Shadow Brokers got the NSA's tools. In fact, we still don't know, two years later, who The Shadow Brokers are.

Initially, we thought maybe it was Russia that had hacked the NSA somehow. We've heard that the investigation has started to focus on a potential NSA mole, but we still don't have answers there. And that's something that, I think, we need to see more accountability from the NSA on.

For right now, the NSA has yet to even acknowledge that the tools that were dumped online belonged to the agency. But what was interesting about the Chinese case is it's not as if the Chinese took this tool after it had been dumped online. They just took it in the course of the NSA's routine operations, which begs the question is - once you use these tools, can you ever really control them?

DAVIES: The Shadow Brokers have posted on social media, right? What are their posts like? Do they give us any clues as to who they might be?

PERLROTH: So The Shadow Brokers - they write these posts and these demands in very poorly broken English. And it honestly sounds like someone who is not Russian trying to sound Russian (laughter), so we have no idea who they are. But, essentially, they're very menacing.

They've actually picked out individuals who used to work at the NSA and made fun of them alongside some of their dumps of the NSA hacking tools. And some of the posts that they made have made other NSA analysts or, I should say, former NSA analysts start to think that this is someone who had very deep operational knowledge of the agency and the way it worked and knew things about the agency that could not have been gleaned just out there on the Internet.

It's stuff that they would have had to have had some deep knowledge of the inner workings of the agency. And I think, in part, that's why this investigation has gone from assuming that this was a Russian operation to potentially an insider.

DAVIES: You know, as we see a circumstance here where this really important National Security Agency of the United States has developed these weapons, which have fallen into the wrong hands, I mean, it really does raise policy questions, right? I mean, they say war is an instrument of policy. Cyberwar is another instrument of policy.

Are people at the top asking fundamental questions like, should we be developing weapons like this? Or is there a way for international regulation of weapons like this, as we've seen with, you know, nuclear treaties?

PERLROTH: There are some voices in the wilderness calling for a sort of digital version of the Geneva Convention. And the leading voice out there is actually Brad Smith, the president of Microsoft. Now, Microsoft has a stake in this, which is that it's Microsoft software that's being infiltrated in so many cases by nation-states for foreign espionage simply because Microsoft has such a great market share that it's the leading target for a lot of these nation-state espionage operations.

And what Microsoft has said is that, essentially, what happened with EternalBlue and The Shadow Brokers leak is that the NSA left a missile out there for anyone to pick up, and they didn't adequately protect these missiles. And now American companies and American citizens are paying for that situation.

DAVIES: Nicole Perlroth is a cybersecurity correspondent for The New York Times. We will continue our conversation after this short break. This is FRESH AIR.

(SOUNDBITE OF MUSIC)

DAVIES: This is FRESH AIR, and we're speaking with Nicole Perlroth. She is a cybersecurity correspondent for The New York Times.

I want to talk a bit about election security. You know, there's a general feeling, I think, that there was Russian interference in the 2016 presidential campaign in the form of hacked emails and disinformation campaigns but that the voting process itself was not tampered with. You've been on this beat a while and have been looking into this. What did you find?

PERLROTH: Well, we found that there is a dearth of serious forensic investigation that investigated problems from the 2016 election. And there were issues, particularly in North Carolina, that suggest that there actually were quite a few problems tied to issues with electronic pollbook systems, the systems that check you in when you go to check in at the voting booth.

And in many cases, these pollbooks were telling people that they had already voted when they hadn't, that they were not registered to vote when they were. And some of those pollbooks were managed by a company called VR Systems that, we know from leaked NSA documents, was in fact hacked by Russia prior to the 2016 election.

DAVIES: And was there any pattern to which communities or precincts these problems occurred?

PERLROTH: There was. Durham County, in particular, had a lot of problems with its e-poll book systems. Now, if you were going to try to disenfranchise a large number of Democratic voters in North Carolina, you'd probably go right to Durham County. This is a blue county in a largely red state. And when people went to go vote in Durham County, they were finding a lot of irregularities with the e-poll book systems.

So over a year ago, we wrote about those problems. And what was really disturbing is that when we tried to find whether there had been an in-depth forensic investigation of the e-poll book issues in Durham County, I found a report that was conducted that was unlike any other cyberforensics report I had ever seen. Usually, when you look at these forensic reports, they tell you, you know, we did an analysis of this computer. We found this vulnerability. We found this malware or we didn't find this malware or we found this hacking technique or we didn't find this hacking technique.

This read very differently. It read like a police report, where whoever was conducting the investigation was a local detective, former police officer, who said, at 3:15 p.m., I interviewed Suzy (ph), who was working at the voting booth, and she said all was normal. I mean, I've never seen a cybersecurity investigation report look like that.

And when we asked North Carolina to sort of account for this or to take a deeper look, they were pretty defensive about the issues that had happened in Durham County. And only now, a couple of years later, have we found out that, in fact, VR Systems - the company that was hacked by China - did remotely access the e-poll book systems in Durham the night before the 2016 election to try and diagnose some problems it was seeing. And that remote access could have very well been exploited by nation-state hackers. We just don't know.

DAVIES: Right. And so, again, we're talking about the electronic pollbooks. That's essentially the registry of electors in a particular polling place. And the company that managed them, VR Systems - you say that we know that it actually was penetrated by Russian hackers. What exactly do we know about that?

PERLROTH: We know this from leaked NSA documents that VR Systems was compromised in some kind of spear phishing-attack - so when employees open a malicious email attachment or click on a malicious link that allows malware into their systems. And we know that VR Systems maintained remote access to the e-poll books in Durham and many other counties all over the country - in Florida and elsewhere.

And what we don't know is, was that access exploited by Russian hackers to disenfranchise voters? We still don't know. And only now do we know that DHS, the Department of Homeland Security, is conducting a forensic examination of those e-poll book issues in Durham County.

DAVIES: And what does VR Systems say?

PERLROTH: VR Systems hasn't said much. I think the last time we spoke to them, they denied that they had been phished. They have sort of resisted what was leaked in the NSA documents that suggested it was successfully phished. And they've said they're cooperating with investigators. But beyond that, we really don't know what actually happened there.

DAVIES: Authorities actually identified the person in the NSA who leaked this report that VR Systems had been hacked. You want to tell us that story? What became of her?

PERLROTH: Right. So we may have never known about this if not for a young NSA employee by the name of Reality Winner, and that is her actual name. She leaked NSA documents that confirmed VR Systems had been hacked in a Russian cyberattack to The Intercept - a digital publication run by Glenn Greenwald. And The Intercept actually published the leaked documents and did it in a way that the NSA was able to trace the leak pretty easily back to Reality Winner. Now, she's since been sentenced to more than five years in prison under the Espionage Act for leaking those documents.

DAVIES: You've also written that there's evidence of Russian hacking in the 2018 midterm elections. Are the FBI and American security officials putting more resources into dealing with foreign interference in 2020? Is Congress doing anything?

PERLROTH: I wish I could say yes. The reality is that there's been a lot of red tape and a lot of politics around securing the next election. Now, that's not to say nothing's been done. We know that U.S. Cyber Command, that U.S. military hackers, going into the 2018 election, conducted a cyberattack that shut down servers that belonged to Russia's Internet Research Agency to sort of preemptively shut down any kind of Russian interference. We also know Claire McCaskill and other Democratic senators were targeted by spear phishing attacks ahead of the 2018 midterm elections, although they say that the attacks weren't successful.

Now, the problem going into 2020 is the same phishing attacks that targeted John Podesta and others in the 2016 election are probably happening right now. And what has happened is a lot of candidates have reached out to cybersecurity firms and services and said, please help us defend against these phishing attacks. We know they're coming. We know their targets. We need help.

And what has been incredibly frustrating, I think, for these candidates and for the cybersecurity community and anyone whose eyes are open enough to see that 2020 is going to be huge battleground for cyberattacks and disinformation is that campaigns have not been able to accept help from many cybersecurity firms that defend against phishing attacks and other forms of cyberattacks because those services are considered an in-kind donation and illegal because of federal campaign finance laws.

And so we just had a case where there was a Silicon Valley company that asked the Federal Election Commission to make an exemption so that it could help campaigns defend against phishing attacks. And so far, the Federal Election Commission has said that they would not actually make an exemption, although we're still waiting on a final ruling.

DAVIES: That's so remarkable. The Federal Election Commission seems to never make a decision.

(LAUGHTER)

DAVIES: But they'd made a decision about this. Anything happening in Congress on this issue?

PERLROTH: No, and we have one man to thank for that, and his name is Mitch McConnell. Mitch McConnell has said he does not plan to bring any election security bills to the Senate floor, period. We know that the House is trying to come up with some work arounds for this, but many of the bills that would just establish basic security norms and things like paper backups of votes have been proposed by Senator Ron Wyden and others are really stalled in the Senate right now because Mitch McConnell has said he refuses to bring them to a Senate vote.

DAVIES: What's McConnell saying about why he's doing this?

PERLROTH: Well, in general, McConnell has said that there's no reason to bring these measures to the Senate floor, that states should play the biggest role in securing elections and that the federal government should not get involved. But behind the scenes, we're told that a lot of this just has to do with the optics, that the president doesn't want to even hear about election security because, apparently, according to people we've spoken with, he thinks any focus on election security or the Russian interference in the 2016 election takes away from the legitimacy of his victory in 2016.

DAVIES: Well, Nicole Perlroth, thanks so much for speaking with us.

PERLROTH: Thanks so much for having me, Dave.

DAVIES: Nicole Perlroth is a cybersecurity correspondent at The New York Times. Coming up, Justin Chang reviews the new film "The Last Black Man In San Francisco." This is FRESH AIR.

(SOUNDBITE OF RAY CHARLES' "DOODLIN'") Transcript provided by NPR, Copyright NPR.