National: New federal guidelines could ban internet in voting machines | Eric Geller/Politico
A long-awaited update to federal voting technology standards could ban voting machines from connecting to the internet or using any wireless technology such as Wi-Fi or Bluetooth. A new draft of version 2.0 of the Voluntary Voting System Guidelines says that voting machines and ballot scanners “must not be capable of establishing wireless connections,” “establishing a connection to an external network” or “connecting to any device that is capable of establishing a connection to an external network.” If they survive a review process, the new rules would represent a landmark development in voting technology oversight, eliminating one of cybersecurity experts’ top concerns about voting machines by plugging holes that skilled hackers could exploit to tamper with the democratic process. The wireless and internet bans are included in the latest draft of the “system integrity” section of the VVSG update. A working group focused on the VVSG’s cybersecurity elements reviewed the document during an Oct. 29 teleconference.
National: Almost 100 former officials, members of Congress urge Senate action on election security | Maggie Miller/The Hill
A group of nearly 100 former members of Congress, Cabinet officials, ambassadors and other officials is urging Congress to take action to secure U.S. elections, citing “severe threats to our national security” if certain steps are not taken. The officials, all of whom are members of nonprofit political action group Issue One’s “ReFormer’s Caucus,” sent a letter to the Senate on Thursday urging members to support various bills designed to bolster election security. “Foreign interference in American elections is a national security emergency,” the group wrote. “We are alarmed at the lack of meaningful Congressional action to secure our elections. The United States cannot afford to sit by as our adversaries exploit our vulnerabilities. Congress — especially the Senate — must enact a robust and bipartisan set of policies now.” Specifically, the officials advocated for the passage of five bipartisan bills, including the Honest Ads Act, a bill meant to increase the transparency surrounding online political ads, and the Defending Elections from Threats by Establishing Redlines (DETER) Act, which would impose sanctions on countries that interfere in U.S. elections. The officials also urged the Senate to pass legislation aimed at increasing the cybersecurity of voting infrastructure and cracking down on foreign donations to U.S. elections.
National: Voting machines still easy prey for determined hackers | Derek B. Johnson/FCW
Security researchers showed lawmakers and reporters how easy it is to compromise voting machines in what has become an annual event at the U.S. Capitol. The Washington, D.C., version of the Voting Village event at the DefCon security conference in Las Vegas gives policymakers a hands-on glimpse of the technology that powers U.S. democracy. This year's report is consistent with prior exercises: virtually every machine experts can get their hands on can be easily exploited in a number of different ways. What has changed in recent years, said Voting Village Co-founder Harri Hursti, is that the community of security researchers with first-hand experience working with these machines has grown from less than a dozen to thousands. Even though the annual event has been held for several years, fresh researchers have discovered new vulnerabilities and attack vectors. "In this area, it's always mind-blowing how these machines keep giving," Hursti told FCW.
National: Four ways to address electronic voting security concerns | Earl D. Matthews/StateScoop
Despite the $380 million in federal grants made to states to update the security of their election systems, we are still woefully unprepared to deal with potential attacks on our essential digital voting infrastructure. With the 2020 election cycle fast approaching, there is tremendous urgency to address the underlying issues that jeopardize the sanctity of our elections.
As former director of cyber operations and chief information security officer for the U.S. Air Force, as well as with my more recent experience working in the cybersecurity sector, I have a fairly unique perspective on how our state governments should be addressing election security. In my view, the main cause of our cybersecurity-unpreparedness is that we are not looking at the problem holistically, nor are we fully appreciating the complexity involved. Solutions being posed only address part of the problem and inevitably fall short, thus putting our democracy at serious risk.
States are ultimately responsible for election systems and their security, but cybersecurity solutions vendors can also contribute to this effort. Below are four steps that state governments should take, working with the technology community, to effectively address vulnerabilities in the voting system and better protect our democratic process through cybersecurity practices, people and technology.
1. Mandate transparency from e-voting hardware and software providers about security of their software and require them to identify security vulnerabilities.
What I’m talking about is mandating cybersecurity hygiene, much in the same way that companies require cybersecurity hygiene of the organizations with which they do business or form partnerships. There is a broad range of commercial providers of election system technology, each playing a different role in the overall e-voting system ecosystem — some of which have begun offering free, open-source versions of their software to governments — making it critical for providers to be transparent about potential vulnerabilities in their systems. Similar to how Microsoft releases patches and upgrades when new threats are discovered to offer users greater protections, this needs to happen in our election system as well. As part of this transparency, ongoing monitoring and measurement of the effectiveness of each component also needs to be conducted, which leads to my next point.
2. Instate continuous, automated measurement and monitoring of the effectiveness of security controls.
States need to understand how systems are protecting against new and existing vulnerabilities, and this needs to be automatically monitored on an ongoing basis with cooperation from each software provider. Too often, assumptions are made that security technology and protocols are working as they’re supposed to — but given the complexity of IT environments, the number of software elements that need to work together and the volume of network and access changes made every day, misconfigurations that compromise performance are common. To ensure optimal performance of the overall security environment requires quantifiable measurement and evidence that controls are working as they should.
3. Limit access for government employees to certain portions of the election system based on role and need.
In the business world, insider threats pose greater risks to organizations than external forces, and the same can be true for governments.
