National: Election tech vendors say they’re securing their systems. Does anyone believe them? | CyberScoop

The last few years have been an awakening for Election Systems & Software. Before 2016, very few people were publicly pressing the company to change the way it handled its cybersecurity practices. Now, the nation’s leading manufacturer of election technology has become a lightning rod for critics. Security experts say the small number of companies that dominate the nation’s election technology market, including ES&S, have failed to acknowledge and remedy vulnerabilities that lie in systems used to hold elections across the country. Once left to obscurity, the entire ecosystem has been called into question since the Russian government was found to have interfered with the 2016 presidential campaign. While there has never been any evidence to suggest that any voting machines were compromised, the Department of Homeland Security and FBI recently issued a memo that all 50 states were at least targeted by Russian intelligence. The peak of the criticism came after the Voting Village exhibition at the 2018 DEF CON security conference, where amateur hackers unearthed a bevy of flaws in the company’s tech. In a number of publications — including CyberScoop — ES&S disputed the notion that it didn’t take cybersecurity seriously, arguing its own due diligence was enough to satisfy any security worries. It didn’t help the Omaha, Nebraska-based company’s case when the Voting Village committee issued a report in September that found decades-old vulnerabilities in an ES&S ballot tabulator that has been used in elections in more than half of the states. In light of these issues, some of the election tech manufacturers are trying to change course, and ES&S is the most public about its efforts. With the country gearing up for the 2020 presidential election, the company has revamped its security testing procedures, putting together a plan to let penetration testers from both the public and private sector evaluate the safety of its systems. Furthermore, ES&S and its competitors are communicating in an unprecedented way about committing to a certain level of standards that can lift the entire industry to a better security baseline.

National: DHS is pushing cybersecurity support to presidential campaigns | The Washington Post

The Department of Homeland Security is offering to help test and improve the cybersecurity of Democratic presidential campaigns — and this time, these services are getting a lot of interest. “We haven’t had anyone decline to have a call with us or not be excited about the resources we’re offering or the support or services,” DHS senior adviser on election security Matt Masterson said of offers to the crowded field of 2020 candidates, during a panel discussion at the Atlantic Council’s International Conference on Cyber Engagement. That’s a far better reception than ahead of the 2018 midterms, when state election officials broadly rejected DHS’s offer to help with their cybersecurity early in the Trump administration. Despite the Russian hacking and influence operation that upended the presidential election, state officials were concerned DHS aid could lead to a federal takeover of election administration and were angered by the department’s slow pace sharing information about Russia’s 2016 hacking attempts. It was well into 2017 before some states changed their tune and began working with DHS on girding their election systems against hacking from Russia and elsewhere in the midterm elections. Now, the acceptance of free help from DHS is a sign the campaigns and states are getting on the same page as the federal government about the need for security to protect both voter information and the integrity of the vote.

National: Trump, GOP Won’t Act on Election Interference Warnings | RealClearPolitics

Foreign powers and domestic disruptors are already interfering in next year’s presidential and congressional elections and this week we learned what the likely response of the Trump re-election campaign will be: bring it on. Two prominent Trump associates — Rudy Giuliani and Jared Kushner — both dismissed the impact of Russia’s interference in the 2016 election, essentially telling those currently seeking to sow disinformation, “Come on in, fellas, no big deal.” What Special Counsel Robert Mueller characterized in his findings as a “sweeping and systematic” effort by the Russian government to interfere, and help elect Trump, was “a couple Facebook ads,” Kushner said Tuesday, adding that the investigation itself — into a foreign attack on this nation’s electoral process — had done more damage to democracy. To Rudy, “there’s nothing wrong” with accepting help from a hostile foreign power. Some characterized Kushner’s comments as unpatriotic, even treasonous. What they were, at best, was irresponsible. They were also false. According to the Mueller Report, by Election Day the Russian government was spending more than $1 million per month on its campaign and, by Facebook’s account, reaching one-third of the U.S. population. The very hour that Kushner spoke at the Time 100 Summit, NBC was reporting that Twitter had removed 5,000 accounts of bots attacking the Mueller investigation as the “Russiagate hoax.” They weren’t Russian bots but ones connected to a pro-Saudi social media operation that formerly went under the name Arabian Veritas, which had claimed to be “an initiative that aims to spread the truth about Saudi Arabia and the Middle East through social engagement.”

National: Cybersecurity proposal pits cyber pros against campaign finance hawks | The Washington Post

The Federal Election Commission could decide today whether nonpartisan groups can offer political campaigns free cybersecurity services, an issue that has made bedfellows of Republicans and Democrats but divided cyber pros and campaign finance hawks. The proposal’s authors, Hillary Clinton’s 2016 campaign manager Robby Mook and Mitt Romney’s 2012 campaign manager Matt Rhoades, come to the issue from bitter experience. The Romney campaign was targeted by Chinese hackers, and Clinton’s campaign was upended by a Russian hacking and disinformation operation aimed at helping  Donald Trump. The bipartisan duo want to help presidential and congressional campaigns steer clear of similar hacking operations by allowing nonprofits to provide cybersecurity free of charge. But first they need the FEC to say those services don’t amount to an illegal campaign contribution. “This is warfare,” Mook told FEC commissioners during a review of the proposal April 11. “People are trying to disrupt our democracy.” The plan is a hit with many cybersecurity pros who say campaigns aren’t equipped to defend themselves against sophisticated, government-backed hacking operations from Russia and China, and think this might level the playing field. 

National: Managing unknown risks in the next election | GCN

As the nation heads into the 2020 election cycle, experts disagree over whether the nation should expect the same type of cyber threats and influence campaigns experienced in 2016 or if we should expect the unexpected. Matthew Masterson, a senior advisor at the Department of Homeland Security focusing on election security, said that he spends “a lot of time thinking through that undermining confidence [angle] and ways that we can build that resilience.” Speaking at an April 23 cybersecurity conference, he told the audience that “the reality is you don’t actually even have to touch a system to push a narrative that undermines confidence in the elections process.” Liisa Past, former chief research officer at the Cyber Security Branch of the Estonian Information System Authority, said at the same event that election influence campaigns operate on multiple fronts. “It really illustrates the adversarial activity, which is that they’re throwing spaghetti at the walls,” said Past. “Cyber is one wall, misinformation, disinformation and social media is another wall. We’re having to assume that using proxies and … useful idiots is another wall, and I’m afraid that behind it there might also be an element of blackmail and personal manipulation.” The challenge, she said, is “how do you come up with a risk management model that clearly has the same degree of flexibility as the adversary’s tactics have?”

National: In Push for 2020 Election Security, Top Official Was Warned: Don’t Tell Trump | The New York Times

In the months before Kirstjen Nielsen was forced to resign, she tried to focus the White House on one of her highest priorities as homeland security secretary: preparing for new and different Russian forms of interference in the 2020 election. President Trump’s chief of staff told her not to bring it up in front of the president. Ms. Nielsen left the Department of Homeland Security early this month after a tumultuous 16-month tenure and tensions with the White House. Officials said she had become increasingly concerned about Russia’s continued activity in the United States during and after the 2018 midterm elections — ranging from its search for new techniques to divide Americans using social media, to experiments by hackers, to rerouting internet traffic and infiltrating power grids. But in a meeting this year, Mick Mulvaney, the White House chief of staff, made it clear that Mr. Trump still equated any public discussion of malign Russian election activity with questions about the legitimacy of his victory. According to one senior administration official, Mr. Mulvaney said it “wasn’t a great subject and should be kept below his level.” Even though the Department of Homeland Security has primary responsibility for civilian cyberdefense, Ms. Nielsen eventually gave up on her effort to organize a White House meeting of cabinet secretaries to coordinate a strategy to protect next year’s elections. As a result, the issue did not gain the urgency or widespread attention that a president can command. And it meant that many Americans remain unaware of the latest versions of Russian interference.

Editorials: The Trump Campaign Conspired With the Russians. Mueller Proved It. | Jed Handelsman Shugerman/The New York Times

In his first letter after receiving the Mueller report, Attorney General William Barr accurately quoted it as saying that “the investigation did not establish” that the Trump campaign “conspired or coordinated with the Russian government in its election interference activities.” But the opposite is also true: The Mueller report does establish that, in fact, members of the Trump campaign conspired or coordinated with the Russian government in its election interference activities. How is this possible? It’s the difference between the report’s criminal prosecution standard of proof “beyond a reasonable doubt” and a lower standard — the preponderance standard of “more likely than not” — relevant for counterintelligence and general parlance about facts, and closer to the proper standard for impeachment. There is confusion about the Mueller report’s fact-finding because he used the wrong coordination standard, obstruction probably obscured the evidence of crimes, and the summary was unclear about evidentiary standards. The report’s very high standard for legal conclusions for criminal charges was explicitly proof “beyond a reasonable doubt.” So the report did not establish crimes beyond a reasonable doubt. But it did show a preponderance of conspiracy and coordination. The Mueller report is best understood as two reports, and not just in its organization of one volume on Russia and one on obstruction. Each volume is one report on facts, and another on applying criminal law to those facts. When the report explains its prosecution decisions and interprets the legal questions of conspiracy and coordination, it repeatedly clarifies that its standard is “whether admissible evidence would probably be sufficient to obtain and sustain a conviction.”

California: Inside Contra Costa County’s election cybersecurity scare | San Jose Mercury News

The email that showed up in an employee’s inbox at the Contra Costa County elections office last month appeared harmless enough: It looked like it had been sent by a member of her church group and contained the innocuously named attachment “Request3.doc.” But when the employee clicked on the attachment on a work computer, malware laced into the document attempted to contact a Russian IP address, sparking a weeklong scare over the possibility of a foreign attempt to access county election internet systems. Emails from the elections office obtained by the Bay Area News Group through a public records request shed new light on the incident, which occurred the same week that Special Counsel Robert Mueller delivered his report on Russian interference in the 2016 election. The suspicious email was investigated by the FBI and the Department of Homeland Security, and state and federal authorities ultimately concluded that no county data had been compromised. State and local officials said they believe the elections office was not specifically targeted for the attack and it may have been a typical cyber scam motivated by money.

Florida: The other Mueller finding: How one state addresses Russian hacking risk | CSMonitor

Amid all the debate over whether the Mueller report incriminates or exonerates President Donald Trump, one salient point is being largely overlooked: Russia interfered in the 2016 election to undermine American democracy as a whole. And the damaging effects go beyond any one party or candidate. The intent of Russian meddling was to sow discord in the U.S. political system, said special counsel Robert Mueller in his report to the U.S. Justice Department. The intelligence community and others say that the Kremlin will likely launch more sophisticated attacks in 2020 – both cyberattacks and disinformation campaigns on social media. “I guarantee you that Russia is working on hacking this election right now,” says Seth Moulton, a decorated Marine and Democratic congressman from Massachusetts who entered the presidential race this week on promises to bolster national security and restore America’s moral authority in the world. “And the fact that we are just letting them undermine our democracy, undermine the very fundamental principle that every vote counts in a democracy, is complete dereliction of duty by the commander in chief of the United States,” says Representative Moulton, responding to a question amid campaigning in Bedford, New Hampshire, on Wednesday. Nearly half the nation’s states were targeted by Russian hacking in 2016, and the Mueller report revealed that at least one county government in Florida was breached by it. It also revealed that Russians compromised the computer network of Illinois’ Board of Elections and gained access to information about millions of voters there. Florida is of particular concern as a key swing state and one which has faced numerous crises in its election system going back to the “hanging chad” controversy in the 2000 race between George W. Bush and Al Gore. And it makes an important case study for other reasons. Its efforts since 2016 to step up election security and improve its cyber defenses illustrate both the scope of the challenge and possible paths to address it.

Florida: FBI to brief Ron DeSantis, Rick Scott on Russian hacking attempts | Tampa Bay Times

Silent so far on new information that Russian hackers may have phished their way into a local elections office, the FBI has agreed to meet next month with Florida officials to brief them on the topic. Gov. Ron DeSantis and U.S. Sen. Rick Scott each said Thursday that the FBI has reached out about scheduling a meeting within the next few weeks to discuss elections hacking. Both the current and former governor have been critical of federal authorities for remaining silent in the weeks since Robert Mueller’s Russian elections interference report said the FBI believes Russian hackers were able to “gain access” to “at least one” Florida county government computer network. “They won’t tell us which county it was. Are you kidding me? Why would you not say something immediately?” DeSantis said Thursday in Miami, where he made an appearance to name two new members of the Third District Court of Appeal. “We’re looking for answers. I think finally next week we’re going to get somebody, or maybe the week after we’re going to have somebody come brief us on what happened.” DeSantis’ office did not provide additional details about the meeting, and the FBI did not immediately respond to a request for comment.

Georgia: Voting system contract attracts bids from large election companies | Atlanta Journal-Constitution

At least four election companies submitted confidential bids before Tuesday’s deadline to sell voting machines to Georgia, which plans to become the first state to roll out touchscreen-and-printer voting technology for every voter starting next year. The competition for the state’s $150 million contract will now be evaluated by government officials, and a decision on the state’s next election company is scheduled for mid-July. The selection process will fuel debates over election integrity and ongoing lawsuits following a contentious decision by the Georgia General Assembly to switch from electronic voting machines to a similar system that adds printed-out paper ballots. Critics say both systems are inherently insecure, and they want Georgia to use paper ballots filled out by hand. The Secretary of State’s Office wouldn’t release any information about the companies bidding on the contract, citing a state law that exempts proposals and cost estimates from public disclosure until the government gives notice of intent to award a contract to the successful bidder. The law says disclosure would undermine the goal of obtaining the best value during negotiations. But four large election companies confirmed to The Atlanta Journal-Constitution that they submitted bids before Tuesday’s deadline.

Minnesota: Minnesota hasn’t accepted election security funding. Why not? | KMSP

A Republican state senator is putting election security upgrades at risk by blocking federal funding from getting to Minnesota, Secretary of State Steve Simon said Thursday. Minnesota is the only state that has not accepted its share of the federal money under the Help America Vote Act, which amounts to $6.6 million. State Sen. Mary Kiffmeyer is blocking it, and said during a wide-ranging news conference Thursday that she was concerned about how the funding would be used. Now, Minnesota’s four-year project to recode its statewide voter database is in jeopardy because the state has three years and 11 months before it would have to return the money to the feds. “We literally don’t have all the time we need to do the cornerstone project here,” Simon said. “That’s dangerous. It’s putting our election system at risk. And it’s got to stop right now.” Kiffmeyer – a former secretary of state – defended her actions Thursday while claiming she was misquoted last week saying that hacking was “no big deal.” “I found that in the information we had to date, there was a lot lacking. We had more questions,” Kiffmeyer told reporters about why she was blocking the funding. But Simon said Kiffmeyer has never come to him to get more information. “We have offered her the opportunity to ask a question, make a comment, make a suggestion. Nothing. Absolutely nothing,” Simon said in an interview.

North Carolina: Board of Elections asking if North Carolina voting software company was hacked in 2016 | WSOC

The North Carolina State Board of Elections is asking a voting software company if it was hacked by Russian cyber attackers in 2016. The NCSBE wants to know if VR Systems is “Vendor 1” in the Mueller report. The report indicates that russian intelligence successfully “installed malware on the company network.” The letter from NCSBE asks VR Systems for “immediate, written assurance regarding the security” of its network. Nearly two dozen counties in the state used VR Systems in 2016, including Mecklenburg. “What we use it for on is the back end so that we can record provisional ballots, transfers, that sort of stuff that allows us to do it uniformly through 195 different precincts,” Mecklenburg County Board of Election Director Michael Dickerson said. VR Systems is based in Tallahassee and used to have an office in Matthews. Emails to the company were not returned.

Australia: Cyber spooks hint at hard work defending election from hackers | Sydney Morning Herald

The international Five Eyes network of cyber spies believes Australia is at risk from foreign interference in its federal election, including direct hacks and targeted “fake news”, a security conference has been told. Disinformation is proving to be a broader challenge for the agencies because of how it intersects with free speech, one expert said. Australia’s top secret cyber security agency revealed on Wednesday it is on high alert to guard Australia against such threats during the campaign. Scott MacLeod, assistant director-general for “Protect, Assure and Enable” at the Australian Signals Directorate, made a rare public appearance at the CyberUK security conference in Scotland on Wednesday. Alongside colleagues from security agencies in the other Five Eyes nations, MacLeod said electoral security was a critical priority.

Israel: Voting to stay secure: Israel a long way from electronic ballots | Ynet

Tears could be seen on the face of Orly Adas, the director of the Central Elections Committee, two weeks ago, when she began speaking at a meeting to discuss the final election results. The tears were an expression of the enormous tension and frustration felt by members of the committee during the period between Election Day and the release of the results. “We were under ferocious attack,” says Adas, referring to efforts by the New Right party to undermine the validity of election results that put them just 1,500 votes short of the threshold to enter the Knesset. That said, one must not cast aside claims made on social media by voters unaligned to a particular political party, who cite examples of distortions in the vote count. In the end, the question is whether there a way to improve the voting system and the count, both of which have barely been modified since the establishment of the State of Israel in 1948, despite the enormous technological improvements made in the past decades?

Spain: Spain on the front line of election security ahead of EU-wide poll | The Daily Swig

Spain is boosting its cybersecurity preparedness and ramping up its efforts to fight the spread of disinformation ahead of national elections this weekend. The April 28 general election in Spain may act as a testing ground for measures to protect the integrity of the European Parliament elections in late May, the Associated Press reports. Europe-wide election security efforts include a “rapid alert system” linking specialized coordination units across all EU member states, as well as a plan to get internet firms to team up and share intelligence on disinformation campaigns. The Spanish government has tasked a division of its National Cybersecurity Institute, or INCIBE, to coordinate defenses against cyber-attacks and combat fake news. A national security report released in March described a rising tide of disinformation amid a myriad of “hybrid threats”, some stemming from international political intrigue. Allegations of foreign interference in Spain have centered on events around Catalonia’s highly contentious independence referendum back in October 2017. Allegations of cyber-spying have also been a factor in a number of domestic cases. “Espionage is now a huge issue in Spain because of three different scandals: these are the Villarejo case, the Pablo Iglesias case, and the Catalan independence protest,” Joe Haslam, a professor at the IE Business School in Madrid and executive director and chairman of hot.es, a mobile hotel booking app, told The Daily Swig. “The spooks are active, but little attention is being paid to threats from outside Spain.”