National: Smartphone Voting Could Expand Accessibility, But Election Experts Raise Security Concerns | Abigail Abrams/Time
ome voters with disabilities will be able to cast their ballots on smart phones using blockchain technology for the first time in a U.S. election on Tuesday. But while election officials and mobile voting advocates say the technology has the potential to increase access to the ballot box, election technology experts are raising serious security concerns about the idea. The mobile voting system, a collaboration between Boston-based tech company Voatz, nonprofit Tusk Philanthropies and the National Cybersecurity Center, has previously been used for some military and overseas voters during test pilots in West Virginia, Denver and Utah County, Utah. Now, Utah County is expanding its program to include voters with disabilities in its municipal general election as well. Two Oregon counties, Jackson and Umatilla, will also pilot the system for military and overseas voters on Tuesday. The idea, according to Bradley Tusk, the startup consultant and philanthropist who is funding the pilots, is to increase voter turnout. “We can’t take on every interest group in Washington around the country and beat them, but I think what we can do is let the genie out of the bottle,” he says.National: Cyber officials tout reforms with one year to Election Day | Maggie Miller/The Hill
Officials and cyber experts are expressing confidence in reforms made to prevent a repeat of election hacking and foreign interference one year ahead of their biggest test yet, Election Day 2020, even as they remain vigilant. This optimism comes even as lawmakers remain sharply divided along party lines on how to address election security concerns. Sen. Ron Johnson (R-Wis.), the chairman of the Senate Homeland Security and Governmental Affairs Committee, told reporters on Thursday that he believes “great strides” have been made since 2016 by the Department of Homeland Security (DHS) and election officials. “It’s a serious issue, and one we take seriously, but when I take a look at all the threats facing this nation, it really is on the lower end of my priority list in terms of what I’m overly concerned about because it’s being addressed I think pretty effectively,” Johnson said. Democratic House Homeland Security Committee Chairman Bennie Thompson (Miss.), though, warned this week that "in just over a year, voters in many states across the country will vote for president in 2020 on machines that are old, have no paper trail, and are vulnerable to manipulation.”National: A Plan to Crowdsource Voting Machines’ Security Problems | Andrea Noble/Defense One
A northern Virginia infrastructure-threat clearinghouse is trying to build a system to help voting-system manufacturers learn about problems with their machines. Fueled by monetary rewards and curiosity, hackers have helped companies discover and fix security vulnerabilities in a variety of technology and software applications. But one year out from the 2020 presidential election, can they do more to help secure voting systems? Technology researchers hope so. The Information Technology-Information Sharing and Analysis Center, or IT-ISAC, is evaluating the feasibility of creating a coordinated vulnerability disclosure, or CVD, program that could alert voting system companies about weaknesses. The first step in establishing a CVD program requires voting vendors to have a system in place for receiving information about discovered vulnerabilities and acting on that information—procedures several vendors have already begun to implement, said Scott Algeier, the executive director of IT-ISAC, a non-profit that serves as a clearinghouse for information on cyber threats to critical infrastructure.National: How the threat of hacking looms over the 2020 election | Ellen Daniel/Verdict
With the UK bracing for a general election and campaigning ahead of the US 2020 presidential election now in full swing, the threat of election hacking is once more a key topic of conversation. The now infamous Democratic National Committee cyber attacks, in which hackers with ties to Russia breached the DNC network via a phishing attack, exemplified how easily democratic infrastructure can be affected by outside interference. However, four years later, the cybersecurity community is still calling for greater efforts to combat the issue. Verdict spoke to Kevin Bocek, VP of security strategy & threat intelligence at cybersecurity firm Venafi to discover the motivations behind election hacking and whether the threat can ever be fully removed. Despite the publication of the Mueller report earlier this year, and the conclusion that Russia “interfered in the 2016 presidential election in sweeping and systematic fashion”, the implications for the Western democratic system are yet to be fully addressed.National: John Oliver on exploitable voting machines: ‘We must fix this’ | Adrian Horton/The Guardian
On Last Week Tonight, John Oliver focused on voting – a staple of American democracy and, among other things, “the only way to get Sean Spicer off of Dancing with the Stars”. Before Americans vote this Tuesday – yes, Oliver reminded, there are elections this Tuesday – it’s worth asking: “How much do you trust the system that counts your ballots?” It’s not unreasonable to have some questions about election security, Oliver continued. We now know that in 2016, Russian hackers targeted election systems in all 50 states. In that case, they targeted voter registration data; as for the machines, officials have promised that they’re secure, but a Senate report on the 2016 election infrastructure found that some were “vulnerable to exploitation by a committed adversary”. Oliver offered some context: there’s not one election system in use across the US. Some states use paper ballots, others have a print-out ballot, still others use all-electronic systems. Those electronic machines were introduced after the contested 2000 presidential election, in which the race between George W Bush and Al Gore came down to 1,000 votes in a Florida recount cast on push-pin ballots.National: New federal guidelines could ban internet in voting machines | Eric Geller/Politico
A long-awaited update to federal voting technology standards could ban voting machines from connecting to the internet or using any wireless technology such as Wi-Fi or Bluetooth. A new draft of version 2.0 of the Voluntary Voting System Guidelines says that voting machines and ballot scanners “must not be capable of establishing wireless connections,” “establishing a connection to an external network” or “connecting to any device that is capable of establishing a connection to an external network.” If they survive a review process, the new rules would represent a landmark development in voting technology oversight, eliminating one of cybersecurity experts’ top concerns about voting machines by plugging holes that skilled hackers could exploit to tamper with the democratic process. The wireless and internet bans are included in the latest draft of the “system integrity” section of the VVSG update. A working group focused on the VVSG’s cybersecurity elements reviewed the document during an Oct. 29 teleconference.National: Almost 100 former officials, members of Congress urge Senate action on election security | Maggie Miller/The Hill
A group of nearly 100 former members of Congress, Cabinet officials, ambassadors and other officials is urging Congress to take action to secure U.S. elections, citing “severe threats to our national security” if certain steps are not taken. The officials, all of whom are members of nonprofit political action group Issue One’s “ReFormer’s Caucus,” sent a letter to the Senate on Thursday urging members to support various bills designed to bolster election security. “Foreign interference in American elections is a national security emergency,” the group wrote. “We are alarmed at the lack of meaningful Congressional action to secure our elections. The United States cannot afford to sit by as our adversaries exploit our vulnerabilities. Congress — especially the Senate — must enact a robust and bipartisan set of policies now.” Specifically, the officials advocated for the passage of five bipartisan bills, including the Honest Ads Act, a bill meant to increase the transparency surrounding online political ads, and the Defending Elections from Threats by Establishing Redlines (DETER) Act, which would impose sanctions on countries that interfere in U.S. elections. The officials also urged the Senate to pass legislation aimed at increasing the cybersecurity of voting infrastructure and cracking down on foreign donations to U.S. elections.National: Voting machines still easy prey for determined hackers | Derek B. Johnson/FCW
Security researchers showed lawmakers and reporters how easy it is to compromise voting machines in what has become an annual event at the U.S. Capitol. The Washington, D.C., version of the Voting Village event at the DefCon security conference in Las Vegas gives policymakers a hands-on glimpse of the technology that powers U.S. democracy. This year's report is consistent with prior exercises: virtually every machine experts can get their hands on can be easily exploited in a number of different ways. What has changed in recent years, said Voting Village Co-founder Harri Hursti, is that the community of security researchers with first-hand experience working with these machines has grown from less than a dozen to thousands. Even though the annual event has been held for several years, fresh researchers have discovered of new vulnerabilities and attack vectors. "In this area, it's always mind-blowing how these machines keep giving," Hursti told FCW.National: Four ways to address electronic voting security concerns | Earl D. Matthews/StateScoop
Despite the $380 million in federal grants made to states to update the security of their election systems, we are still woefully unprepared to deal with potential attacks on our essential digital voting infrastructure. With the 2020 election cycle fast approaching, there is tremendous urgency to address the underlying issues that jeopardize the sanctity of our elections.
As former director of cyber operations and chief information security officer for the U.S. Air Force, as well as with my more recent experience working in the cybersecurity sector, I have a fairly unique perspective on how our state governments should be addressing election security. In my view, the main cause of our cybersecurity-unpreparedness is that we are not looking at the problem holistically, nor are we fully appreciating the complexity involved. Solutions being posed only address part of the problem and inevitably fall short, thus putting our democracy at serious risk.
States are ultimately responsible for election systems and their security, but cybersecurity solutions vendors can also contribute to this effort. Below are four steps that state governments should take, working with the technology community, to effectively address vulnerabilities in the voting system and better protect our democratic process through cybersecurity practices, people and technology.
1. Mandate transparency from e-voting hardware and software providers about security of their software and require them to identify security vulnerabilities.
What I’m talking about is mandating cybersecurity hygiene, much in the same way that companies require cybersecurity hygiene of the organizations with which they do business or form partnerships. There is a broad range of commercial providers of election system technology, each playing a different role in the overall e-voting system ecosystem — some of which have begun offering free, open-source versions of their software to governments — making it critical for providers to be transparent about potential vulnerabilities in their systems. Similar to how Microsoft releases patches and upgrades when new threats are discovered to offer users greater protections, this needs to happen in our election system as well. As part of this transparency, ongoing monitoring and measurement of the effectiveness of each component also needs to be conducted, which leads to my next point.
2. Instate continuous, automated measurement and monitoring of the effectiveness of security controls.
States need to understand how systems are protecting against new and existing vulnerabilities, and this needs to be automatically monitored on an ongoing basis with cooperation from each software provider. Too often, assumptions are made that security technology and protocols are working as they’re supposed to — but given the complexity of IT environments, the number of software elements that need to work together and the volume of network and access changes made every day, misconfigurations that compromise performance are common. To ensure optimal performance of the overall security environment requires quantifiable measurement and evidence that controls are working as they should.
3. Limit access for government employees to certain portions of the election system based on role and need.
In the business world, insider threats pose greater risks to organizations than external forces, and the same can be true for governments.