National: America’s new voting machines bring new fears of election tampering | The Guardian

By design, tens of millions of votes are cast across America on machines that cannot be audited, where the votes cannot be verified, and there is no meaningful paper trail to catch problems – such as a major error or a hack. For almost 17 years, states and counties around the country have conducted elections on machines that have been repeatedly shown to be vulnerable to hacking, errors, breakdowns, and that leave behind no proof that the votes counted actually match the votes that were cast. Now, in a climate of fear and suspicion over attacks to America’s voting system sparked by Russia’s attacks on the 2016 elections, states and counties across the country are working to replace these outdated machines with new ones. The goal is to make the 2020 elections secure. “There’s a lot of work to do before 2020 but I think there’s definitely opportunities to make sure that the reported outcomes are correct in 2020,” said Marian Schneider, president of the election integrity watchdog Verified Voting. “I think that people are focusing on it in a way that has never happened before. It’s thanks to the Russians.” The purchases replace machines from the turn of the century that raise serious security concerns. But the same companies that made and sold those machines are behind the new generation of technology, and a history of distrust between election security advocates and voting machine vendors has led to a bitter debate over the viability of the new voting equipment – leaving some campaigners wondering if America’s election system in 2020 might still be just as vulnerable to attack.

National: Mueller report highlights scope of election security challenge | The Washington Post

Special counsel Robert S. Mueller III’s investigation of the “sweeping and systematic fashion” in which Russia interfered in the 2016 election highlights the breadth and complexity of the U.S. voting infrastructure that needs protecting. From voter registration to the vote itself to election night tabulation, there are countless computers and databases that offer avenues for foreign adversaries to try to create havoc and undermine trust in the democratic process. In addition to targeting the Democratic Party and Clinton campaign in 2016, Mueller noted in his report, Russian hackers also went after election technology firms and county officials who administer the vote — officials often without the resources to hire information technology staffs. [Through email leaks and propaganda, Russians sought to elect Trump, Mueller finds] “The Mueller report makes clear that there’s a much larger infrastructure that we have to protect,” said Lawrence Norden, an election security expert at New York University Law School’s Brennan Center for Justice. “There’s clearly a lot to do before 2020.”

National: Cyber aspects of Mueller report tread familiar ground on ’16 election hacks | InsideCyberSecurity

The redacted Mueller report on Russia and the 2016 elections contains politically contentious elements on collusion and obstruction of justice, but the aspects directly related to cybersecurity largely have been released and absorbed through earlier reports and indictments. The document released Thursday by the Justice Department is in a format that’s not searchable, but there are parts on cyber issues such as botnets, which is heavily redacted, and lengthy discussion of what Russian agents did to hack into computers associated with the presidential campaign of Democrat Hillary Clinton. The basic cybersecurity issues involved have been known for some time and were reflected in the Senate Intelligence Committee’s election-security recommendations issued in March 2018. Intelligence Chairman Richard Burr (R-NC) said Thursday that final reports from his committee’s Russia probe will begin coming out in a matter of “weeks.”

National: Mueller Report: Russia Funded US Election Snooping, Manipulation with Bitcoin | GCN

It is no news by now that the long-awaited Mueller Report has revealed extensive Russian efforts to interfere with the 2016 U.S. presidential election. While much attention has been focused on whether or not president Donald Trump was in any way complicit with these efforts, what is less reported is that the report showed that state-backed Russian operatives used bitcoin extensively in their attempts to impede Hilary Clinton and help Donald Trump’s campaign. According to the report, agents working on behalf of Russian military intelligence used bitcoin to do everything from purchasing VPNs to buying domains hosting political propaganda. This was part of a wide-reaching and apparently successful attempt to hack the 2016 election that saw Trump emerge victorious against all expectations. While this may not be news to anyone familiar with cryptocurrencies, the Russian agents apparently worked under the mistaken assumption that the mere fact of their transactions being carried out using cryptocurrency made them anonymous and untraceable. In fact, as has been demonstrated several times, bitcoin transactions are not that difficult to trace, given the presence of some key data.

National: 2020 Campaigns Are Still Vulnerable to Cyber Attacks | Time

Most Americans aren’t yet paying a lot of attention to the 2020 presidential campaign. The same can’t be said for Russian spies. Aides and advisers to the vast field of Democratic hopefuls are ringing alarm bells, telling their bosses they should assume that Moscow is laying the groundwork to disrupt, if not derail, their campaigns, just as Russian intelligence did to Hillary Clinton’s in 2016. But interviews with the campaigns show cyber security is a secondary concern, with most of the campaigns contacted by TIME say they have not “finalized” their tech plan or hired a security chief. The biggest problem is money. Every campaign focuses vast amounts of effort raising money to compete on ground troops, ads and campaign offices in key locations. Spending precious cash on cyber tools, whose successful deployment results in a non-event, is hard to defend. “There’s nothing sexy about it,” says Mike Sager, the chief technology officer at EMILY’s List, a group that works to elect women who support abortion rights. But, he says, “the folks who have been through it, who know what happens when you don’t do this, get it.” Nobody disputes the threat. Russia’s larger goals remain the same as they were in 2016: making American democracy look bad. “It is about the legitimacy of democracy and about the trust people have in their democracy,” said Eric Rosenbach, a former Pentagon chief of staff who now heads Harvard’s Defending Digital Democracy program. “Unfortunately, there are a lot of different ways in the information age that bad actors and nefarious nation-states can undermine that.”

National: Democrats Urge Judge Not to Dismiss Russian Hacking Suit | Bloomberg

While much of the U.S. was poring over the Mueller Report, the Democratic National Committee argued Thursday that its civil suit against President Donald Trump, the Russian Federation, WikiLeaks and members of the Trump campaign and White House should go forward. The DNC claims the defendants violated U.S. racketeering, computer fraud and other laws by conspiring to hack emails from DNC computers and leak them in advance of the 2016 election in a “brazen attack on American democracy.” The conspiracy sought to help Trump become president and continued into his presidency, according to the DNC. “After securing Trump’s grip on power, defendants worked tirelessly to keep it, lying to the American public, Congress, the Justice Department and the FBI to conceal any misconduct that jeopardized Trump’s presidency,” the DNC said in court papers filed late Thursday in Manhattan federal court.

National: Mueller report is a reminder that Russian hack hit House races, too | Roll Call

Special counsel Robert S. Mueller III’s report provided new details Thursday about how Russian agents hacked into Democratic Congressional Campaign Committee computers in 2016, renewing the question of whether the two parties would agree not to use stolen material in future political attacks. Leaders of the DCCC and the National Republican Congressional Committee came close to such an an agreement in late 2018, but talks broke down. The two committees, which have new leaders for the 2020 cycle, have not restarted discussions. The DCCC is interested in re-engaging in talks, according to a source familiar with the committee’s thinking. The NRCC declined to comment. The group’s new chairman, Minnesota Rep. Tom Emmer, was more focused Thursday on attacking the politics of investigating President Donald Trump. “It is time for the emotional, socialist Democrats to knock it off with their childish temper tantrums, accept reality and get back to work,” he said in a statement. DCCC Chairwoman Cheri Bustos could not be reached immediately for comment.

National: Mueller Report Raises New Questions About Russia’s Hacking Targets In 2016 | NPR

While the headlines about special counsel Robert Mueller’s report have focused on the question of whether President Trump obstructed justice, the report also gave fresh details about Russian efforts to hack into U.S. election systems. In particular, the report said, “We understand the FBI believes that this operation enabled [Russian military intelligence] to gain access to the network of at least one Florida county government” during the 2016 campaign. That came as news to Paul Lux, president of the Florida State Association of Supervisors of Elections — which has been working closely with federal authorities to protect their election systems against such attacks. “I haven’t heard even a whisper” about such a breach, Lux told NPR, noting that the report referred to a county “government” office network, not specifically to an “elections” office, although the two are frequently connected. It’s unusual that such a breach would occur and Florida officials would not know about it. For the past two years, election officials around the country have been working with both the Department of Homeland Security and the FBI to share information about potential security threats. They have set up several national communications networks specifically for that purpose.

National: House Homeland Committee wants more cyber funding for DHS | FCW

Twenty-eight members of the House Homeland Security Committee are urging appropriators to boost cyber funding at the Department of Homeland Security above what the White House has requested. In a letter sent to the House Appropriations Committee, the signatories — including Chairman Bennie Thompson (D-Miss.) and ranking member Mike Rogers (R-Ala.) — asked for a raise in the spending cap for DHS cyber spending, saying years of flat funding levels at the department will not be enough to “properly resource” the newly established Cybersecurity and Infrastructure Security Agency and its mission. “We urge the committee to break from the status quo and increase the Homeland Security Subcommittee’s 302(b) allocation commensurate with the threat,” the members wrote. “It is imperative that [the allocation] enable CISA to mature and grow the services it provides to secure federal and critical infrastructure networks.” The letter cited increasing threats to federal data, election infrastructure, critical infrastructure sectors and “long-standing threats from nation-states, terrorists, transnational criminal organizations and other malicious actors” to justify an elevation in funding. Members highlighted how past funding increases have helped DHS and CISA expand their services to state and local governments to secure election and voting systems and incorporate additional federal agencies into cybersecurity programs like Einstein and Continuous Diagnostics and Mitigation.

National: How Will Cybersecurity Influence the 2020 US Election Cycle? | HeadStuff

The air is undeniably tense surrounding the next United States presidential race. Not only does the Land of the Free currently have one of the most controversial commanders-in-chief in its history, but the issues at stake are being approached from more partisan, polarised angles than ever before. Whether it’s women’s rights, the tax plan, or guns and public health, you cannot deny the stiff atmosphere in politics today. There’s a topic that’s become a bigger issue than it was four years ago, however: data protection. Cybersecurity is already a hot topic in the media. Of course, data security was previously a concern to the people who knew a thing or two about it, but the public was largely focused on other issues. But now, cybersecurity has become a public cause of concern. With the emerging news in the last few years about Russia’s attempts to tamper with the 2016 election, the American people are skeptical like never before. This begs a few questions: What role is cybersecurity going to play in our upcoming presidential debates? How will it be discussed in the media? And how will the public come down on these important issues?

National: The cyber teams that helped stop Russian election interference | Fifth Domain

When Pentagon leaders tasked Air Force cyber teams with helping prevent Russian trolls from influencing the 2018 midterm elections, it marked the first time those forces were tasked with such a mission under new authorities. Department of Defense has openly discussed their success in keeping the midterm elections free from Russian interference, but officials have provided few details about which teams were tasked with doing so. During an April 11 event at Langley Air Force Base, Gen. James Holmes, commander of Air Combat Command, said Maj. Gen. Robert Skinner, the head of Air Forces Cyber, was ordered and given the authority to defeat Russian influence operations. “It’s the first time we’ve really had the authority to go operate and do that in the cyber environment,” Holmes said. Cyber authorities have typically been held at the highest levels of government making them difficult to be approved for rapid use, but over the last year the Trump administration has begun to loosen those restrictions in an attempt to make it easier for commanders to employ cyber tools faster and react more quickly to adversaries in a domain that is measured in milliseconds.

National: Feds say Russian 2016 election meddling spanned all US states | Naked Security

A multi-agency report has strengthened claims that Russia meddled with election systems in all 50 US states during the last presidential race. The report is called a joint intelligence bulletin (JIB), and it comes from the Department of Homeland Security and the FBI. It is an unclassified document intended for internal distribution to state and local authorities. Intelligence newsletter OODA Loop reports that the JIB reveals stronger evidence of Russian interference. Agencies believe that Russian agents targeted more than the 21 states initially suspected. According to the bulletin:

Russian cyber actors in the summer of 2016 conducted online research and reconnaissance to identify vulnerable databases, usernames, and passwords in webpages of a broader number of state and local websites than previously identified, bringing the number of states known to be researched by Russian actors to greater than 40.

Although there are some gaps in the data, the bulletin claims “moderate confidence” that Russia conducted “at least reconnaissance” against all US states because its research was so methodical, it added.

National: Inside the Russian effort to target Sanders supporters — and help elect Trump | The Washington Post

After Bernie Sanders lost his presidential primary race against Hillary Clinton in 2016, a Twitter account called Red Louisiana News reached out to his supporters to help sway the general election. “Conscious Bernie Sanders supporters already moving towards the best candidate Trump! #Feel the Bern #Vote Trump 2016,” the account tweeted. The tweet was not actually from Louisiana, according to an analysis by Clemson University researchers. Instead, it was one of thousands of accounts identified as based in Russia, part of a cloaked effort to persuade supporters of the senator from Vermont to elect Trump. “Bernie Sanders says his message resonates with Republicans,” said another Russian tweet. While much attention has focused on the question of whether the Trump campaign encouraged or conspired with Russia, the effort to target Sanders supporters has been a lesser-noted part of the story. Special counsel Robert S. Mueller III, in a case filed last year against 13 Russians accused of interfering in the U.S. presidential campaign, said workers at a St. Petersburg facility called the Internet Research Agency were instructed to write social media posts in opposition to Clinton but “to support Bernie Sanders and then-candidate Donald Trump.” That strategy could receive new attention with the release of Mueller’s report, expected within days.  

National: DHS, FBI say election systems in all 50 states were targeted in 2016 | Ars Technica

A joint intelligence bulletin (JIB) has been issued by the Department of Homeland Security and Federal Bureau of Investigation to state and local authorities regarding Russian hacking activities during the 2016 presidential election. While the bulletin contains no new technical information, it is the first official report to confirm that the Russian reconnaissance and hacking efforts in advance of the election went well beyond the 21 states confirmed in previous reports. As reported by the intelligence newsletter OODA Loop, the JIB stated that, while the FBI and DHS “previously observed suspicious or malicious cyber activity against government networks in 21 states that we assessed was a Russian campaign seeking vulnerabilities and access to election infrastructure,” new information obtained by the agencies “indicates that Russian government cyber actors engaged in research on—as well as direct visits to—election websites and networks in the majority of US states.” While not providing specific details, the bulletin continued, “The FBI and DHS assess that Russian government cyber actors probably conducted research and reconnaissance against all US states’ election networks leading up to the 2016 Presidential elections.” DHS-FBI JIBs are unclassified documents, but they’re usually marked “FOUO” (for official use only) and are shared through the DHS’ state and major metropolitan Fusion Centers with state and local authorities. The details within the report are mostly well-known. “The information contained in this bulletin is consistent with what we have said publicly and what we have briefed to election officials on multiple occasions,” a DHS spokesperson told Ars. “We assume the Russian government researched and in some cases targeted election infrastructure in all 50 states in an attempt to sow discord and influence the 2016 election.”

National: Election machine vendors back legislation requiring post-election audits, vulnerability disclosure | InsideCyberSecurity

Two major election machine vendors stated their support for requiring post-election audits to ensure the validity of election results in the case of a cyber attack or other tampering, in response to questions recently posed by senior Senate Democrats. Sens. Amy Klobuchar (D-MN), Gary Peters (D-MI), Jack Reed (D-RI), and Mark Warner (D-VA) sent letters last month to the three largest election machine vendors asking whether the companies would support legislation around post-election audits and what cyber controls are in place to secure the vote. In its response submitted on Tuesday, Hart InterCivic wrote that “robust post-election audits are the most compelling response” to threats posed by outdated technology. “Auditing is the most transparent and effective means to demonstrate that election outcomes accurately reflect the intention of voters,” Hart wrote. “Hart unequivocally supports state efforts to strengthen auditing procedures.” Tom Burt, the president and CEO of Election Systems and Software, also supported the idea of legislation around post-election audits, writing that the company “strongly supports legislation that would expand the use of routine post-election audits. ES&S believes that successful post-election audits, including risk-limiting audits such as those which have recently occurred in several jurisdictions, will increase confidence in our country’s election process.”

National: Cybersecurity Campaign Aid Delayed by Corporate Money Fears | Bloomberg

The Federal Election Commission delayed a vote on a plan to provide free cybersecurity assistance for campaigns, with the panel’s chairwoman voicing concerns it could the open the door to corporate money in campaigns. Ellen Weintraub said she supported the goal of cybersecurity but questioned whether the proposal could grant broad leeway for providing aid to campaigns outside the limits and restrictions of campaign finance law, including a longstanding ban on corporate contributions to candidates. “We do not want to inadvertently blow a hole in the corporate contribution ban,” the Democratic chairwoman said at a commission meeting today. The nonprofit watchdog Campaign Legal Center, which had voiced similar concern about the initial proposal, has signed off on a compromise that includes language emphasizing the aid is tied to the imminent threat of illegal foreign interference in elections. The commission may take up the issue again at its scheduled April 25 meeting.

National: After Arrest of Julian Assange, the Russian Mysteries Remain | The New York Times

In June 2016, five months before the American presidential election, Julian Assange made a bold prediction during a little-noticed interview with a British television show. “WikiLeaks has a very big year ahead,” he said, just seconds after announcing that the website he founded would soon be publishing a cache of emails related to Hillary Clinton. He was right. But an indictment unsealed on Thursday charging Mr. Assange with conspiring to hack into a Pentagon computer in 2010 makes no mention of the central role that WikiLeaks played in the Russian campaign to undermine Mrs. Clinton’s presidential chances and help elect President Trump. It remains unclear whether the arrest of Mr. Assange will be a key to unlocking any of the lingering mysteries surrounding the Russians, the Trump campaign and the plot to hack an election. The Justice Department spent years examining whether Mr. Assange was working directly with the Russian government, but legal experts point out that what is known about his activities in 2016 — including publishing stolen emails — is not criminal, and therefore it would be difficult to bring charges against him related to the Russian interference campaign. Numerous significant questions are left unanswered, including what, if anything, Mr. Assange knew about the identity of Guccifer 2.0, a mysterious hacker who American intelligence and law enforcement officials have identified as a front for Russian military intelligence operatives.

National: Comey Says Trump’s Silence Invites Another Russia Election Hack | Bloomberg

Former FBI Director James Comey said the U.S. remains unprepared for another attack on its elections and faulted the attorney general for suggesting that the government was “spying” on Donald Trump’s presidential campaign in 2016. Echoing the findings of U.S. intelligence agencies, Comey said Russia intervened in the 2016 election to damage American democracy, undermine Democratic nominee Hillary Clinton and bolster Trump. Russian officials have denied the accusations. But Comey said Trump’s “denial of a fundamental attack” on the U.S. means “we’re inviting it to happen again with our president’s silence.” The former FBI leader also said he was concerned by Attorney General William Barr’s comments on Wednesday that he’s starting his own inquiry into counterintelligence decisions that may have amounted to political espionage, including actions taken during the Russia probe in 2016. “I really don’t know what he’s talking about when he talks about spying on the campaign,” Comey said. “The FBI and Department of Justice conduct court-ordered surveillance. If the attorney general has come to the belief that that should be called spying, wow, that’s going to inspire a whole lot of conversations in the Department of Justice.”

National: Divided Congress can’t agree on fix for ‘dangerous’ Russian election meddling | McClatchy

Despite clear and compelling evidence of a Russian plot to disrupt the 2016 presidential election, partisanship has all but killed any chance that Congress will pass legislation to shore up election security before voters cast their ballots next year. Republicans and Democrats in Congress largely agree with Special Counsel Robert Mueller’s finding that Russia tried to meddle in U.S. democracy — and that foreign interference remains a serious threat. “Russia’s ongoing efforts to interfere with our democracy are dangerous and disturbing,” said Senate Majority Leader Mitch McConnell, R-Kentucky, after Mueller finalized his investigation last month. But McConnell has made it clear that he’s unlikely to allow the Senate to vote on any election-related legislation for the foreseeable future. Republican Sen. Roy Blunt of Missouri, who chairs the Senate Rules Committee that has jurisdiction over election security legislation, blames House Democrats for McConnell’s hardline stance. Blunt said Democrats overreached in January when they passed H.R. 1, a sweeping measure focused on voting rights, campaign finance, and government ethics.

National: Registered to vote? Your state may be posting personal information about you online. | The Washington Post

Americans routinely hemorrhage personally identifiable information (PII) across social media and other websites. On almost a weekly basis, PII bleeds out in dramatic breaches like the recent one at Toyota that exposed 3.1 million customers or another at Georgia Tech in which an “unknown outside entity” illegally accessed data for more than 1 million students, faculty members and alumni. Some 26 million Americans were victims of identity theft in 2016, according to the Bureau of Justice Statistics. One way thieves, scammers and psychopaths perform reconnaissance on their victims is to find them via Google or social media. A fair start — but information on the Internet is often inaccurate. If I were a malicious actor looking for a victim’s PII, I’d begin where the data is government-certified. Tax records and housing data are PII treasure troves but not all records are digitized. Political contributions can be valuable — if a person gave money to a candidate over a certain amount. Yet, an exposed area still exists. States hold important personal records of American voters through their secretary of state (SOS) websites. In most states, some or all of this information is accessible to anyone with an Internet connection. I have an Internet connection. And until recently, I ran the open source intelligence division at a cybersecurity firm. So, I tried to access all 50 states’ (and the District’s) online voter registration systems. In the process, I was able to obtain personal information about the citizens of 40 different states, from Alaska to Arkansas, West Virginia to Wisconsin, New Mexico to North Carolina. In some states, that PII included personal addresses, historic voter data and race.

National: Cybersecurity toolkits ahead for elections and media people | Politico

The founder of Craigslist and the Global Cyber Alliance are teaming up to provide free cyber defense toolkits to election officials, nonprofit election rights groups and the media modeled after the ones GCA recently pioneered for small businesses. Craig Newmark Philanthropies is offering GCA more than $1 million for the project, and GCA is netting $1.5 million from other sources, the groups are announcing today. “Elections bodies and the media are facing increasingly sophisticated cyberattacks that can impair the exercise of democracy and affect election results, and they are not prepared to deal with the threat,” Phil Reitinger, president and CEO of the GCA, told MC. The idea is to assemble a set of immediately available resources, rather than just advice. “I’ve been lucky enough to do well and put my money where my mouth is and help protect the people who protect our country,” Newmark told MC.

National: Nielsen Firing Leaves Cybersecurity Concerns Without a Champion | Bloomberg

The abrupt ouster of Homeland Security Secretary Kirstjen Nielsen could be a blow to the department’s efforts to bolster America’s defenses against growing cybersecurity threats, former officials from the department, advocates and lobbyists say. “The worst-case scenario is that our adversaries use this moment of leadership transition, and use it as a Trojan Horse to launch some sort of attack,” Caitlin Durkovich, former DHS assistant secretary for infrastructure protection for the Obama administration, said in an interview. “Who’s to say that the new acting secretary’s priorities aren’t different and that there will be the same emphasis on cyber when there’s such an emphasis on immigration?” said Durkovich, who now works with risk advisory firm Toffler Associates. Nielsen may be most remembered as the face of President Donald Trump’s most hard-line immigration policies. But over her 16-month tenure, cyber specialists and federal officials have applauded her relentless championing of cybersecurity priorities. She frequently warned that increasing threats of hijacking critical infrastructure—from the electric grid to voting machines—were a greater threat to America’s security than terrorism.

National: ‘We can’t confirm him,’ Pat Roberts warns of potential Kobach nomination for DHS | The Kansas City Star

One of the GOP senators from Kris Kobach’s home state said Tuesday that the Senate would not be able to confirm the Kansas Republican if President Donald Trump taps him for a cabinet post. Kobach, the former Kansas secretary of state, has been mentioned as a potential candidate for an array of immigration-related positions since President Donald Trump pulled his nominee for the director of Immigration Customs Enforcement and announced the departure of Secretary of Homeland Security Kirstjen Nielsen. But Sen. Pat Roberts, R-Kansas, said he doesn’t believe the Republican-controlled Senate could confirm his fellow Kansan, who has gained national notoriety for championing stronger restrictions on immigration. “Don’t go there. We can’t confirm him,” Roberts whispered to The Kansas City Star when asked about Kobach Tuesday on his way into a Senate vote. “I never said that to you,” Roberts added, despite the fact that another reporter was present and The Star had not agreed to an off record conversation.

National: Lack of security clearances hampers federal Election Assistance Commission | Politico

Only half the members of a federal commission advising states on election threats have security clearances, raising questions about whether it can effectively help local and state officials defend against adversaries such as Russian hackers. And no members of the four-person Election Assistance Commission had clearances during the past two election cycles, including the period when Kremlin-linked hackers are suspected of mounting a range of cyberattacks against state election offices, the Democratic Party and Hillary Clinton’s campaign in 2016. The delay in issuing security clearances for commission members is part of a massive backlog of application approvals throughout the entire federal government. But it’s a particularly acute problem for the EAC, one of the key agencies offering guidance to state and local officials about how to protect themselves from security risks. “The people entrusted with securing our elections need to know what threats they’re supposed to address,” Sen. Ron Wyden (D-Ore.), one of the lawmakers who has focused the most on election security, told POLITICO in a statement. “An Election Assistance [Commission member] without a security clearance is like making a baseball player hit without a bat.”

National: Nielsen departure could deal a blow to Trump administration’s cybersecurity efforts | The Washington Post

Kirstjen Nielsen’s resignation as secretary of homeland security could deal a blow to the Trump administration’s cybersecurity efforts — as she was one of the last civilians in its top ranks with extensive cybersecurity expertise. That’s a dangerous position, experts say, as the nation barrels toward a 2020 election that will likely be targeted by Russian hackers and the Homeland Security Department launches a major campaign to get government and industry to stop buying technology from China’s Huawei and other companies deemed national security threats. “Hopefully whoever runs DHS will prioritize its vital cybersecurity mission, but it makes a difference if the person at the top has a background in cyber and knows from experience how important it is rather than just being told,” former State Department cyber coordinator Chris Painter told me. “DHS is spread thin among multiple priorities as it is, and without a clear mandate from department leadership that cybersecurity is a prime mission, their efforts risk being sidelined.” Nielsen – who The Post reported was forced to step down because Trump was dissatisfied with her handling of the border — had, by far, the longest cybersecurity resume of any DHS secretary in history. She advised President George W. Bush on cybersecurity and homeland security issues, founded a consulting group called Sunesis Consulting focused on cybersecurity and critical infrastructure, and served as a senior fellow at George Washington University’s Center for Cyber and Homeland Security. Her acting successor, U.S. Customs and Border Protection Commissioner Kevin K. McAleenan, by contrast, has no substantial background in the field.

National: Scrutiny and suspicion as Mueller report undergoes redaction | The Washington Post

The escalating political battle over special counsel Robert S. Mueller III’s report centers on redactions — a lawyerly editing process that has angered distrustful Democrats eager to see the all evidence and conclusions from his 22-month investigation of President Trump’s conduct and Russia’s elaborate interference operation during the 2016 campaign. Attorney General William P. Barr is redacting at least four categories of information from the report, which spans nearly 400 pages, before issuing it to Congress and the public. Legal experts say he has wide discretion to determine what should not be revealed, meaning the fight over blacked-out boxes is likely to spawn months of fights between Congress and the Justice Department, and it may end up in the courts. The first public confrontation is imminent, with Barr scheduled to appear Tuesday and Wednesday before the House and Senate Appropriations committees for hearings ostensibly about the Justice Department’s budget. He is expected to face extensive questioning about the Mueller report and his ongoing redaction process, though, and his testimony will be scrutinized for any sign he is trying to protect the president. “There’s a lot of pressure all pointing in the direction of doing a robust release,” said John Bies, who held senior roles in the Justice Department during the Obama administration and now works at American Oversight, a liberal watchdog group. “We are very hopeful the attorney general will do the right thing here and make everything public that can lawfully be made public.”

National: States slow to spend funds to enhance election security, report finds | CNN

US states and territories given $380 million in combined federal funds for election upgrades last year only spent 8.1% of that money in the first six months it was available, the agency responsible for distributing the funds said on Thursday. That money was distributed as part of a 2018 bill, which was passed after Homeland Security secretary Kirstjen Nielsen warned it is a “national security concern” that US elections can’t be audited with paper ballots.
Security experts have in recent years called for major elections to have a physical paper trail so a trustworthy audit can be performed. However, brands and types of voting equipment vary by state. Many states use some machines that don’t leave a paper trail, and five states are entirely paperless for the general population. The report from the US Election Assistance Commission only tracked spending through September 2018, and many states have since spent or plan to spend some of their money on cybersecurity features or staff or upgraded equipment that badly needs replacing.

National: States spent just a fraction of $380 million in election security money before midterms | The Washington Post

Congress scrambled in early 2018 to deliver a surge in election security money before the midterms. But it turns out that states only spent about 8 percent of the $380 million Congress approved by the time the elections rolled around. That’s the bad news in a spending report released Thursday by the Election Assistance Commission, which is responsible for disbursing the money. The good news is that states are on track to spend the majority of the money before the 2020 elections — which intelligence officials say are far likelier than the midterms to be a hacking target for Russia and other U.S. adversaries. The report highlights the lengthy process of investigations and reviews that are necessary before states can make major upgrades to specialized election equipment. Given the tight time frame — Congress approved the money in March and the EAC began disbursing it to states in June — EAC Chairwoman Christy McCormick told me that 8 percent is a reasonable amount to have spent and about what the commission expected. It’s also a warning to Congress that the clock is ticking if it wants to deliver more election security money that will make a meaningful difference in 2020.

National: States’ spending on election security expected to pick up in 2019 | StateScoop

States and territories spent just 8 percent of the $380 million in federal election-security grants in the six months after they were distributed last year, according to the U.S. Election Assistance Commission. But in a report Thursday, the commission said it expects the bulk of that funding to be spent before the 2020 presidential election. The report follows states’ spending on new voting equipment, cybersecurity resources and personnel between last April and Sept. 30, when the federal government’s 2018 fiscal year ended. But the EAC said it expects spending to pick up this year as more grant money is transferred to states and as legislatures approve spending plans. “There hasn’t been a lot of money spent, but there is a lot of activity,” Mark Abbott, the commission’s grants director, told StateScoop. Of the $31.4 million states spent through last September, more than half — $18.3 million — went toward cybersecurity, including hiring new personnel dedicated to network security, implementing risk assessments and vulnerability scans and putting up stronger firewalls around statewide voter registration systems, which were infamously targeted by Russian hackers during the 2016 presidential election.

National: Blockchain Voting: Unwelcome Disruption or Senseless Distraction? | U.S. Vote Foundation

It really gets old being a guinea pig. Not because of the cagey confines, but for the insistence of those who try their ideas out on you. Overseas and military voters continue to be the guinea pigs for unvetted online voting ideas, the new one being “blockchain voting”. We have been here before. Overseas and military voters do need continued meaningful reforms across all states, and it is good when people truly care enough to examine and invest in solutions. What we do not need is a distraction that introduces new threats to overseas and military ballot integrity. The cliché “disruption model” doesn’t belong in our elections. Particularly in light of Russia’s cyber-interference in elections in Ukraine in 2014 and the US in 2016, we should consider with extra caution the idea of putting the entire voting process online. Russia itself is pushing to use this same technology for voting. Maybe it is worth a deeper look at it before we rush to its implementation? Perhaps investment in a threat detection system, which most state election offices cannot yet afford, would, at minimum, be a wise first course of action. Typically election systems must undergo formal testing and certification. Public access and examination is crucial. With a fully online system, that requirement is far more serious. Internet voting is not the same sort of simple transaction as is online banking; it is far more complex due to the fact that there must be a separation of the transaction from the identity of the person executing it. Just because there is a “blockchain” for the transaction doesn’t make the total voting system secure. The bottom line: it should not be possible to implement these systems in real elections without full and complete public examination. It is not sufficient to declare a technology as “tested” when it is used only in private elections and by outside companies hired to do “security audits”.