Despite clear and compelling evidence of a Russian plot to disrupt the 2016 presidential election, partisanship has all but killed any chance that Congress will pass legislation to shore up election security before voters cast their ballots next year. Republicans and Democrats in Congress largely agree with Special Counsel Robert Mueller’s finding that Russia tried to meddle in U.S. democracy — and that foreign interference remains a serious threat. “Russia’s ongoing efforts to interfere with our democracy are dangerous and disturbing,” said Senate Majority Leader Mitch McConnell, R-Kentucky, after Mueller finalized his investigation last month. But McConnell has made it clear that he’s unlikely to allow the Senate to vote on any election-related legislation for the foreseeable future. Republican Sen. Roy Blunt of Missouri, who chairs the Senate Rules Committee that has jurisdiction over election security legislation, blames House Democrats for McConnell’s hardline stance. Blunt said Democrats overreached in January when they passed H.R. 1, a sweeping measure focused on voting rights, campaign finance, and government ethics.
National: Registered to vote? Your state may be posting personal information about you online. | The Washington Post
Americans routinely hemorrhage personally identifiable information (PII) across social media and other websites. On almost a weekly basis, PII bleeds out in dramatic breaches like the recent one at Toyota that exposed 3.1 million customers or another at Georgia Tech in which an “unknown outside entity” illegally accessed data for more than 1 million students, faculty members and alumni. Some 26 million Americans were victims of identity theft in 2016, according to the Bureau of Justice Statistics. One way thieves, scammers and psychopaths perform reconnaissance on their victims is to find them via Google or social media. A fair start — but information on the Internet is often inaccurate. If I were a malicious actor looking for a victim’s PII, I’d begin where the data is government-certified. Tax records and housing data are PII treasure troves but not all records are digitized. Political contributions can be valuable — if a person gave money to a candidate over a certain amount. Yet, an exposed area still exists. States hold important personal records of American voters through their secretary of state (SOS) websites. In most states, some or all of this information is accessible to anyone with an Internet connection. I have an Internet connection. And until recently, I ran the open source intelligence division at a cybersecurity firm. So, I tried to access all 50 states’ (and the District’s) online voter registration systems. In the process, I was able to obtain personal information about the citizens of 40 different states, from Alaska to Arkansas, West Virginia to Wisconsin, New Mexico to North Carolina. In some states, that PII included personal addresses, historic voter data and race.
The founder of Craigslist and the Global Cyber Alliance are teaming up to provide free cyber defense toolkits to election officials, nonprofit election rights groups and the media modeled after the ones GCA recently pioneered for small businesses. Craig Newmark Philanthropies is offering GCA more than $1 million for the project, and GCA is netting $1.5 million from other sources, the groups are announcing today. “Elections bodies and the media are facing increasingly sophisticated cyberattacks that can impair the exercise of democracy and affect election results, and they are not prepared to deal with the threat,” Phil Reitinger, president and CEO of the GCA, told MC. The idea is to assemble a set of immediately available resources, rather than just advice. “I’ve been lucky enough to do well and put my money where my mouth is and help protect the people who protect our country,” Newmark told MC.
The abrupt ouster of Homeland Security Secretary Kirstjen Nielsen could be a blow to the department’s efforts to bolster America’s defenses against growing cybersecurity threats, former officials from the department, advocates and lobbyists say. “The worst-case scenario is that our adversaries use this moment of leadership transition, and use it as a Trojan Horse to launch some sort of attack,” Caitlin Durkovich, former DHS assistant secretary for infrastructure protection for the Obama administration, said in an interview. “Who’s to say that the new acting secretary’s priorities aren’t different and that there will be the same emphasis on cyber when there’s such an emphasis on immigration?” said Durkovich, who now works with risk advisory firm Toffler Associates. Nielsen may be most remembered as the face of President Donald Trump’s most hard-line immigration policies. But over her 16-month tenure, cyber specialists and federal officials have applauded her relentless championing of cybersecurity priorities. She frequently warned that increasing threats of hijacking critical infrastructure—from the electric grid to voting machines—were a greater threat to America’s security than terrorism.
National: ‘We can’t confirm him,’ Pat Roberts warns of potential Kobach nomination for DHS | The Kansas City Star
One of the GOP senators from Kris Kobach’s home state said Tuesday that the Senate would not be able to confirm the Kansas Republican if President Donald Trump taps him for a cabinet post. Kobach, the former Kansas secretary of state, has been mentioned as a potential candidate for an array of immigration-related positions since President Donald Trump pulled his nominee for the director of Immigration Customs Enforcement and announced the departure of Secretary of Homeland Security Kirstjen Nielsen. But Sen. Pat Roberts, R-Kansas, said he doesn’t believe the Republican-controlled Senate could confirm his fellow Kansan, who has gained national notoriety for championing stronger restrictions on immigration. “Don’t go there. We can’t confirm him,” Roberts whispered to The Kansas City Star when asked about Kobach Tuesday on his way into a Senate vote. “I never said that to you,” Roberts added, despite the fact that another reporter was present and The Star had not agreed to an off record conversation.
With looming fears of foreign interference in last year’s midterm elections, Congress rushed to send almost $6.2 million to help Alabama secure its voting system. But the state did not spend a dime of it, according to a report this month from the U.S. Election Assistance Commission, which disbursed the funds. The money came from the so-called omnibus spending bill approved in March 2018. But Alabama Secretary of State John Merrill said the money did not come in time to spend before the November midterm election. In order to spend federal grant money, he told FOX10 News, the state has to go through a competitive bidding process and get companies on an approved vendor list, among other requirements. “That’s an arduous process, at best,” he said. “We’re not gonna get in a hurry because someone thinks we should be in a hurry to spend it.”
California: Hackers attacked California DMV voter registration system marred by bugs, glitches | Los Angeles Times
California has launched few government projects with higher stakes than its ambitious 2018 program for registering millions of new voters at the Department of Motor Vehicles, an effort with the potential to shape elections for years to come. Yet six days before the scheduled launch of the DMV’s new “motor voter” system last April, state computer security officials noticed something ominous: The department’s computer network was trying to connect to internet servers in Croatia. “This is pretty typical of a compromised device phoning home,” a California Department of Technology official wrote in an April 10, 2018, email obtained by The Times. “My Latin is a bit rusty, but I think Croatia translates to Hacker Heaven.” Although the email described the incident as the DMV system attempting “communication with foreign nations,” a department spokesperson later insisted voter information wasn’t at risk. The apparent hacking incident was the most glaring of several unexpected problems — never disclosed to the public — in rolling out a project that cost taxpayers close to $15 million. The Times conducted a four-month review of nearly 1,300 pages of documents and interviewed state employees and other individuals who worked on the project — most of whom declined to be identified for fear of reprisal. Neither the emails nor the interviews made clear who was ultimately responsible for the botched rollout, though an independent audit is expected to be released in the coming days.
Critics of Georgia’s outdated voting system told a judge on Tuesday that a new system outlined by lawmakers has many of the same fundamental flaws and is unconstitutional. A law signed last week by Gov. Brian Kemp provides specifications for a new voting system. Bids are due later this month, and state officials say they plan to implement the new system in time for next year’s presidential election. Lawyers for the Coalition for Good Governance and for a group of voters, who had filed a lawsuit challenging Georgia’s election system, told U.S. District Judge Amy Totenberg they plan to ask her initially to stop the state from using the current machines for special and municipal elections scheduled this year. Ultimately, they said, they want her to prohibit the state from using the current paperless machines, as well as the ballot-marking machines provided for in the new law. Lawyers for the state argued complaints about the current voting system have been made irrelevant by the new law and that complaints about ballot-marking machines can’t be considered yet because the state hasn’t even selected a new system.
On Tuesday, the Davidson County Board of Commissioners unanimously voted in favor of a resolution that asks the General Assembly to delay decertification of voting machines until the 2022 election. Davidson County uses direct record electronic voting machines that use electronic tabulation with a touch screen. A law passed in 2013 will decertify any system that doesn’t use paper ballots after Dec. 1. Jon Myers, chairman of the Davidson County Board of Elections, said the state prefers paper ballots because there are some who do not have confidence in the electronic voting system and that they would rather have individuals mark a ballot by hand. The county, along with 21 others, may have its voting machines decertified later this year. In the resolution, the Davidson County Board of Elections states that if its current equipment were decertified, the board would not have enough time for accurate testing, training and deployment in time for the elections in March 2020. “The legislation regarding the voting equipment requires that we test equipment before we can purchase,” Myers said. “So we would be required to test in the November municipal election before we can order. Even at best, there’s no way we could order before mid-November. … I think it’s a very difficult, if not impossible timeline to meet.”
Europe: Member states test their #CybersecurityPreparedness for fair and free 2019 EU elections | EU Reporter
The European Parliament, the EU member states, the European Commission and the EU Agency for cybersecurity (ENISA) have organized an exercise to test the EU’s response to and crisis plans for potential cybersecurity incidents affecting the EU elections. The objective of the exercise, which took place today in the European Parliament, was to test how effective EU member states’ and the EU’s response practices and crisis plans are and to identify ways to prevent, detect and mitigate cybersecurity incidents that may affect the upcoming EU elections. This exercise is part of the measures being implemented by the European Union to ensure free and fair elections in May 2019. Digital Single Market Vice President Andrus Ansip said: “We must protect our free and fair elections. This is the cornerstone of our democracy. To secure our democratic processes from manipulation or malicious cyber activities by private interests or third countries, the European Commission proposed in September 2018 a set of actions. Together with the EU Member States, and other EU institutions we are implementing these actions. We also decided to test our cybersecurity vigilance and readiness towards secure, fair and free EU elections 2019 by organising the first in its kind EU exercise on elections. I believe that this is an important step forward for more resilient EU elections in a connected society.”
Editorials: Canada’s federal election could be under attack. Are we prepared? | Wesley Wark/The Globe and Mail
Canadians have witnessed a steady drumbeat of stern warnings about likely foreign interference in the coming federal election. The Minister for Democratic Institutions, Karina Gould, sounded the latest alarm in a news conference Monday, in which she delivered the latest report on election threats authored by the government’s cybersecurity agency, the Communications Security Establishment (CSE), which laid out the potential for a sophisticated, co-ordinated and determined effort by foreign state actors to maliciously interfere in the upcoming election. “Nothing is more important to this government than protecting our democracy and ensuring that our next election is fair, free and secure,” Ms. Gould said. Her concern around the Canadian federal election is based on the rising tempo of foreign interference in elections globally, and of technological change that has made cyber meddling easier and cheaper. CSE argues that for foreign adversaries, the potential benefits of cyber electoral interference – which can range from sowing confusion and loss of faith in politics, to trying to steer an election – far outweigh the costs. The threat was basically non-existent in the 2015 federal election, and the true scale of the threat to the 2019 election and our ability to meet it remain to be seen. But there have been some positive developments around our readiness. There’s more public attention than ever on the issue, and intelligence capabilities to detect and assess threats have been increased substantially. A system to alert the public has been created, based on an intelligence fusion centre and a senior panel of government officials who can independently ring the alarm bells.
The National Bureau of Investigation (NBI) is looking into the circumstances around an apparent cyber attack against Finland’s election information systems. It happened over the weekend, when the official results service was hit by a denial of service attack. The service sends results to the media, among others. The incident is being investigated as ‘grave telecommunications harassment’ under Finnish law. “The preliminary investigation is at an early stage, so the exact type of criminal charge might become more accurate as the investigation progresses,” says Marko Leponen from the NBI’s Cyber Centre. “The authorities have prepared for this type of suspected cyber crime in the elections. In general, attacks on public services are quite common, and especially current or publicly available services are often attractive targets,” Leponen explains. Meanwhile, more than 1.5 million eligible Finns voted in advance of the general election, as the early voting period came to a close on Monday night.
Spanish Prime Minister Pedro Sánchez on Tuesday called on all political forces in the country to back a new national cybersecurity fight against “attempts to hack democracy and undermine citizens’ trust in the political system.” Spain’s April 28 general election is seen as a testing ground for new measures that the European Union is adopting to shield elections to the European Parliament a month later. The Europe-wide efforts include a “rapid alert system” linking specialized coordination units in all EU member states and require internet companies to share regular updates on their efforts to eradicate disinformation campaigns. Spain joined the Europe-wide initiative in early March, establishing a high-level unit to coordinate the fight against cyberattacks and fake news. The experts report directly to Sánchez, who on Tuesday equated disinformation to attacks on “the quality of democracy.” “We need to protect Europe in order for Europe to be able to protect its citizens,” the Socialist leader said during a visit to the national cybersecurity institute, or INCIBE, in the northern province of León. Sánchez also called for new cybersecurity guidelines that are currently being designed to be backed by all national parties, regardless of who wins the upcoming election.