National

With midterm races in the home stretch and the 2020 presidential election on the horizon, a pair of top national security officials have a message for state election administrators: Trust us when we warn you about cyberthreats. William Evanina, director of the National Counterintelligence and Security Center, and Christopher Krebs, the Department of Homeland Security’s cybersecurity chief, urged state officials to keep their lines open to the feds as Election Day approaches and the possibility of an attack on their systems looms large. “At some point in your future, next month or 2020, there will be a piece of intelligence that comes so fast and furious in the community, the phone call will be made to Chris that will tell him, ‘Hey, this happened and we need to act,’ ” Evanina said Wednesday at an election security summit on Capitol Hill with state leaders and members of Congress. “Chris will pick up the phone and call a state and say, ‘You need to do something.’ And you have to trust Chris.”

National: Overseas Voters Having Trouble Getting Ballots As States Try To Thwart Hacking | HuffPost

Thousands of U.S. voters living overseas have encountered difficulties requesting absentee ballots because of state restrictions on internet traffic as part of efforts to secure their election systems, according to a report in The Philadelphia Inquirer. Federal law requires states to provide eligible U.S. voters based in foreign countries with a chance to get an absentee ballot. But some of these voters are having problems accessing official election websites to get information and, in some cases, download ballots, the Inquirer reported. The snags are occurring because of the steps taken by states to restrict traffic from foreign countries or entities to prevent potential interference with the election process, including the vote count. The Inquirer identified five states where voters were unable to load websites this week: Georgia, New Mexico, Pennsylvania, Tennessee and Vermont. Wanda Murren, a spokeswoman for Pennsylvania Department of State, said her office first learned of the download problems experienced by overseas voters were on Sept. 25. Three days later, she said, the federal agency that helps overseas voters ― including military families ― cast ballots informed the office the problem was more widespread than previously believed.

National: Mike Pence accuses China of meddling in US elections despite lack of evidence | The Guardian

Mike Pence has claimed that Russian interference in US elections “pales in comparison” with Chinese meddling, which he said was aimed at ousting Donald Trump. The vice-president’s allegation echoes a similar claim made by the president at the UN last week, but it has been contradicted by cybersecurity experts and the administration has yet to provide any supporting evidence, other than to point to instances of overt lobbying. The administration’s own secretary of homeland security, Kirstjen Nielsen, said: “We currently have no indication that a foreign adversary intends to disrupt our election infrastructure. “We know they [the Chinese] have the capability and we know they have the will. So we’re constantly on alert to watch. But what we see with China right now are the influence campaigns, the more traditional, longstanding, holistic influence campaigns,” Nielsen said on Tuesday at a Washington Post cybersecurity conference.

National: Senate Punts on Beefed-Up Election Security Until After Midterms | Bloomberg

Legislation to increase protection of voting systems from foreign hackers is gaining support in the Senate. Just don’t expect the chamber to take it up before the November elections. Senate Rules and Administration Committee Chairman Roy Blunt (R-Mo.) said he supports the bill (S. 2593). It just isn’t needed to make sure the midterm elections are safe, Blunt told state and local election officials at a Capitol Hill conference sponsored by the U.S. Election Assistance Commission.“We’re not going to get anything in law between now and Election Day,” Blunt said. “Everything we want is basically happening, but I still would like to see it in law,” Blunt said. He said heightened awareness of security threats since 2016 would help protect voting this November, though it would still be worthwhile to enact changes to protect future elections.

National: Planning to Vote in the November Election? Why Most Americans Probably Won’t | The New York Times

Lula Hill voted in just about every election once she became old enough in 1952. Her coal mining family of registered Democrats believed that elections were like church services: You didn’t skip them. But over time, her sense of civic obligation faded. Mines started laying people off. Opioids started poisoning her neighbors. As her town lost its vigor, Ms. Hill watched as smiling politicians kept making promises and, in her view, growing richer. By the late 1990s, when political leaders — Democrat or Republican — talked about the greater good, she no longer believed them. “I just got to the point, I said, ‘I’m not going do it anymore,’” said Ms. Hill, sitting on a couch in the lobby of the hotel she owns and runs, the Hotel Madison, 30 miles south of Charleston. “I just can’t vote for any of them in good conscience.” She has not voted since 1996 and said she has no intention of starting in November. Ms. Hill is hardly alone in West Virginia, a state with one of the lowest rates of voter turnout in the country and where the Democratic senator, Joe Manchin III, faces a tough race.

National: Secure Elections Act sponsors eye lame duck session | FCW

Meanwhile, Sen. Amy Klobuchar (D-Minn.), the primary Democratic sponsor, said she and other senators are working on refining the legislation, but noted that lawmakers have a short window of opportunity to pass the Secure Elections Act before the midterms reset the legislative calendar. “We have a new version [of the bill] coming out, and we just ask you to work with us; I would love to have it get passed in the lame duck,” Klobuchar said. “For people that want to delay it or stall it beyond that, well that’s up to you because then we’ll have a new Congress.” The Secure Elections Act looked poised for a floor vote in August or September before a Rules Committee markup was abruptly canceled. Blunt’s staff told FCW at the time that Republican senators were balking at some of the provisions after receiving complaints from state and local election officials, while Reuters reported that the White House came out against the bill at the last minute for similar reasons. Lankford and Klobuchar have continued to fight for the bill’s passage, but several prominent Democratic senators, including original co-sponsor Kamala Harris (D-Calif.), signed on to rival legislation spearheaded by Sen. Ron Wyden (D-Ore.).

National: Senators say midterms will inspire revived version of stalled election security bill | Washington Times

Senators supportive of the Secure Elections Act, a bipartisan bill to protect political contests from cyberattacks, said lessons learned from next month’s midterms could make their way into a revised version in the works. Sen. Roy Blunt, Missouri Republican, and Sen. Amy Klobuchar, Minnesota Democrat, addressed efforts to rekindle the stalled Secure Elections Act during an event held Wednesday by the U.S. Election Assistance Commission in Washington, D.C. The bill will not be passed prior to the Nov. 6 midterms, according to both Mr. Blunt and Ms. Klobuchar’s co-sponsor, Sen. James Lankford, Oklahoma Republican, meaning states are missing out on millions of dollars that would have otherwise been allocated toward upgrading and securing voting and election systems, neglecting a major vulnerability raised by Russian hackers meddling in the 2016 race.

National: Security Clearances Won’t Get in the Way of Responding to Election Cyber Threats, Officials Say | Nextgov

A lack of security clearances among some state and local election officials shouldn’t hinder the Homeland Security Department from responding speedily to Election Day cybersecurity threats, the department’s top cyber official said Wednesday. Even if state and local election officials don’t have the necessary authorizations to view a particular piece of threat information, Homeland Security Undersecretary Chris Krebs said he’s confident those officials will start trying to mitigate the threat if he asks them to. “I’m confident that if I had a piece of information right now …I could say: ‘Look, I’ve got something you need to see. You need to take action. It’s going to take me a day or two to get you the information, but, in the meantime, you need to take action,” Krebs during an election readiness summit hosted by the Election Assistance Commission.\ “We have trust established so there would be at least the beginning of an article of faith that they would do something,” he said.

National: ‘No indication’ China intends to interfere with election infrastructure, Homeland Security Secretary Nielsen says | The Washington Post

The Department of Homeland Security hasn’t seen signs that China seeks to interfere in the midterm elections by targeting election infrastructure, Homeland Security Secretary Kirstjen Nielsen said Tuesday — a statement that appears to be at odds with remarks President Trump made about Beijing last week. “We currently have no indication that a foreign adversary intends to disrupt our election infrastructure,” Nielsen told me at a cybersecurity summit hosted by The Washington Post. Nielsen did not endorse Trump’s alarming claim at the United Nations that China “has been attempting to interfere in our upcoming 2018 election.” Without offering evidence, Trump said China does not “want me or us to win because I am the first president to ever challenge China on trade” — an especially striking comment considering the president has repeatedly equivocated on his support for the intelligence community’s assessment that Russia interfered in the 2016 election to help him win.

National: Activists Concerned About Counties Destroying Ballot Images | WhoWhatWhy

Election integrity activists are worried that various counties in the crucial state of Florida could defy federal law by destroying crucial documents required for election audits and recounts after the midterms. Specifically, Americans United for Democracy, Integrity, and Transparency in Elections (AUDIT-USA) believes that county supervisors of elections in Florida are either not retaining ballot images or are destroying ballot images that are required by law to be kept for 22 months after a state or federal election. “Most of the counties down there are destroying the ballot images,” said John Brakey, director of the nonpartisan group.

National: U.S. infrastructure vulnerable to cyberattacks designed to suppress voter turnout | CBS

Your voting booth might — or might not — be safe from hackers. But imagine a cyberattack that keeps you from going to your polling station in the first place. Security experts warn that critical infrastructure systems in the United States are vulnerable to crippling cyberattacks designed to suppress voter turnout by disrupting systems that cities and towns rely on. “If ransomware hits, what’s the backup plan to allow people to vote? Do we extend it a day? Do we hold off the tally of the votes? Do we take absentee ballots? What do we do?” said Fortalice Solutions CEO and former White House chief information officer Theresa Payton.

National: DHS says teamwork is improving election security | FCW

October 3, 2018

A month out from the 2018 midterms, all eyes are on the Department of Homeland Security as it approaches its first real test since being given a broader election security mandate in the wake of the 2016 presidential elections. Speaking at a cybersecurity event hosted by the Washington Post, DHS Secretary Kirstjen Nielsen highlighted improvements in information sharing across the federal government and with state and local officials as well as closer relationships with stakeholders that will lead to faster coordination in the wake of an emerging threat. “First of all, the information sharing is much stronger than it even has been before,” said Nielsen when asked what had changed in the department’s approach since 2016. “So [we’re] working very closely with the intel community, and the moment that we see something significant we are — in conjunction with the IC — sharing with our state and local partners. The sharing is quicker, faster, more tailored.”

National: The Government Isn’t Doing Enough to Protect Voting Systems from Hackers | VICE

October 2, 2018

For many, the most important question as the midterms approach isn’t whether the Democrats or Republicans will win control of Congress, but whether the elections themselves will be secure. In 2016, Russian hackers likely targeted election systems in many states and penetrated Illinois’s registration database; this year there is concern that hackers will go after both government and private systems. In March, Congress made $380 million available to states seeking to improve their election systems’ cybersecurity. But state officials and election security experts say this doesn’t even come close to addressing the nation’s electoral cybersecurity needs. So what exactly do states need to do in order to secure their election systems? Although experts largely agree on basic guidelines, there is no one playbook for how to beef up electoral cybersecurity. America’s elections infrastructure is highly decentralized, with every state managing its own system. This is a benefit in some ways, said Jim Condos, Vermont’s secretary of state and a prominent voice in election cybersecurity discussions. It means bad actors can’t just break into one centralized system. But it also means states employ a patchwork of approaches to elections cybersecurity. The contours of threats and their fixes are constantly shifting as well.

National: Voting Rights Activists Threatened with Lawsuit by ES&S Over Sharing Instruction Manual | Alternet

October 2, 2018

One the country’s most dogged vote-count transparency activists, John Brakey of Tucson, Arizona, and the small non-profit he leads, AUDIT-USA, have been told by one of America’s biggest voting machine makers to take down the instruction manuals for their firm’s paper-ballot scanners from their website by Monday—or face a lawsuit, according to a September 27, 2018, letter from Timothy J. Hallett, Associate General Counsel for Election Systems & Software, or ES&S. Brakey, a barrel-chested grandfather who sees verifying vote counts as nothing less than a moral crusade to save American democracy from the dark forces that have colonized and privatized the ballot box, posted various ES&S manuals on AUDIT-USA’s website for a simple reason. The latest generation of high-speed scanners used to tally paper ballots has a built-in feature that he wants all precincts and counting centers to use: making an electronic image of every paper ballot cast. The digitized ballot images can be used to verify close counts, which has occurred in a handful of recent races across the U.S.

National: A Record 800,000 People Registered to Vote on National Voter Registration Day | Time

October 2, 2018

A record number of people registered to vote in the midterm elections on National Voter Registration Day last week, surpassing the previous record set during the 2016 presidential campaign. More than 800,000 people registered to vote this year as part of National Voter Registration Day, which fell on Sept. 25. The corresponding campaign had aimed to register 300,000 people. “Some us were saying, ‘Hey, maybe we’ll hit 400 or 500,000,” says Brian Miller, who coordinates National Voter Registration Day in his role as executive director of Nonprofit VOTE. “No one that I know of thought we would surpass 800,000 voter registrations. That surprised all of us. But I think it’s a sign of the interest in the midterms and the interest in having this unified day of action.”

National: Congress falls flat on election security as midterms near | The Hill

Congress has failed to pass any legislation to secure U.S. voting systems in the two years since Russia interfered in the 2016 election, a troubling setback with the midterms less than six weeks away. Lawmakers have repeatedly demanded agencies step up their efforts to prevent election meddling but in the end struggled to act themselves, raising questions about whether the U.S. has done enough to protect future elections. A key GOP senator predicted to The Hill last week that a bipartisan election security bill, seen as Congress’s best chance of passing legislation on the issue, wouldn’t pass before the midterms. And on Friday, House lawmakers left town for the campaign trail, ending any chance of clearing the legislation ahead of November. Lawmakers have openly expressed frustration they were not able to act before the 2018 elections.

National: Election Security Remains Just as Vulnerable as in 2016 | Electronic Frontier Foundation

The ability to vote for local, state, and federal representatives is the cornerstone of democracy in America. With mid-term congressional elections looming in early November, many voices have raised concerns that the voting infrastructure used by states across the Union might be suspect, unreliable, or potentially vulnerable to attacks. As Congress considers measures critical to consumer rights and the functioning of technology (net neutrality, data privacy, biometric identification, and surveillance), ensuring the integrity of elections has emerged as a matter of crucial importance. On the one hand, the right to vote may not be guaranteed for many people across the country. Historically, access to the ballot has been hard fought, from the Revolution and the Civil War to the movement for civil rights that compelled the Voting Rights Act (VRA). But recent restrictions on voting rights that have proliferated since the Supreme Court struck down the VRA’s pre-clearance provisions in 2013. Coupled with procedural impediments to voting, unresolved problems continue to plague the security of the technology that many voting precincts use in elections. With mid-term elections in just two months, Secretaries of State should be pressed to do their jobs and increase security before voters cast their ballots.

National: Def Con researchers came to Washington to poke holes in voting machine security | The Washington Post

Not long ago, lawmakers might have been wary about showcasing the work of hackers who specialize in penetrating voting equipment. But on Thursday, organizers from the Def Con Voting Village — a collection of security researchers who hack election systems in hopes of making them more secure — received a warm welcome on Capitol Hill. The organizers were in town to unveil a new report identifying vulnerabilities in several widely used voting machines they tested during the Def Con hacking conference in Las Vegas over the summer, including a flaw in a vote tabulator that could allow a malicious actor to hack it remotely. They presented their findings in a meeting hosted by Rep. Jackie Speier (D-Calif.) and attended by staffers from the offices of Sen. Amy Klobuchar (D-Minn.), who is sponsoring an election security bill, and several other Democrats. The event highlights how the cybersecurity experts behind the Voting Village, which is only in its second year, are reaching beyond the niche and often apolitical community of Def Con in hopes of influencing the debate over how to secure the country’s election systems. The issue has received a wave of new attention since the 2016 election, when Russian hackers probed election administration systems in 21 states.

National: Voting Machines Are Still Absurdly At Risk | WIRED

While Russian interference operations in the 2016 US presidential elections focused on misinformation and targeted hacking, officials have scrambled ever since to shore up the nation’s vulnerable election infrastructure. New research, though, shows they haven’t done nearly enough, particularly when it comes to voting machines. The report details vulnerabilities in seven models of voting machines and vote counters, found during the DefCon security conference’s Voting Village event. All of the models are in active use around the US, and the vulnerabilities—from weak password protections to elaborate avenues for remote access—number in the dozens. The findings also connect to larger efforts to safeguard US elections, including initiatives to expand oversight of voting machine vendors and efforts to fund state and local election security upgrades.

National: After election hacking presentation, Katko pushes bill to boost security | Auburn Citizen

Dr. J. Alex Halderman inserted a memory card infected with malicious software into an electronic voting machine. It wasn’t an actual case of election hacking, but Halderman’s demonstration served a purpose: To show two members of Congress, including U.S. Rep. John Katko, what can happen if hackers gain access to voting machines. Halderman, director of the University of Michigan’s Center for Computer Security and Society, invited Katko, R-Camillus, and U.S. Rep. Mike Quigley, an Illinois Democrat, to cast votes using the Diebold AccuVote TS voting machine. Halderman programmed a mock election: A presidential race between George Washington and Benedict Arnold. There were two votes cast for Washington and one for Arnold. But the receipt printed from the voting machine revealed the effect of the malicious software. The paper showed Arnold received two votes and Washington netted one.

National: Defcon Voting Village report: bug in one system could “flip Electoral College” | Ars Technica

Today, six prominent information-security experts who took part in DEF CON’s Voting Village in Las Vegas last month issued a report on vulnerabilities they had discovered in voting equipment and related computer systems. One vulnerability they discovered—in a high-speed vote-tabulating system used to count votes for entire counties in 23 states—could allow an attacker to remotely hijack the system over a network and alter the vote count, changing results for large blocks of voters. “Hacking just one of these machines could enable an attacker to flip the Electoral College and determine the outcome of a presidential election,” the authors of the report warned.

National: DEF CON hackers’ dossier on US voting machine security is just as grim as feared | The Register

Hackers probing America’s electronic voting systems have painted an astonishing picture of the state of US election security, less than six weeks before the November midterms. The full 50-page report [PDF], released Thursday during a presentation in Washington DC, was put together by the organizers of the DEF CON hacking conference’s Voting Village. It recaps the findings of that village, during which attendees uncovered ways resourceful miscreants could compromise electoral computer systems and change vote tallies. In short, the dossier outlines shortcomings in the electronic voting systems many US districts will use later this year for the midterm elections. The report focuses on vulnerabilities exploitable by scumbags with physical access to the hardware. “The problems outlined in this report are not simply election administration flaws that need to be fixed for efficiency’s sake, but rather serious risks to our critical infrastructure and thus national security,” the report stated. “As our nation’s security is the responsibility of the federal government, Congress needs to codify basic security standards like those developed by local election officials.”

National: Hackers warn about election security ahead of midterms | CNN

The vulnerabilities in America’s voting systems are “staggering,” a group representing hackers warned lawmakers on Capitol Hill on Thursday — just over a month before the midterm elections. The findings are based on a project at the Voting Village at the Def Con hacking conference held in Las Vegas last month, where hackers were invited to attempt to break into voting machines and other equipment used in elections across the country. The hacking group claims they were able to break into some voting machines in two minutes and that they had the ability to wirelessly reprogram an electronic card used by millions of Americans to activate a voting terminal to cast their ballot. “This vulnerability could be exploited to take over the voting machine on which they vote and cast as many votes as the voter wanted,” the group claims in the report.

National: Questions on Pompeo’s certainty about secure midterms | Politico

Secretary of State Mike Pompeo on Wednesday said there was “no question” the U.S. midterm elections would be safe from foreign interference, a level of certitude that is … shall we say, not widely shared? “That’s a dangerous level of confidence for someone in that position to have,” Alex Halderman, a University of Michigan computer science professor at the forefront of the election security debate, told MC. Halderman said that perhaps intelligence sources might not see any indications of foreign planning to further disrupt elections, but “frankly, you don’t know what you don’t know.” Democratic Rep. Mike Quigley said this about Pompeo: “I wish I could be so confident.” Robert Johnston, credited with discovering the DNC hack while working at CrowdStrike and now CEO of Adlumin, told MC there are already signs Russia has interfered in the 2018 races. Some of the suspect incidents have surfaced in California’s congressional races and the U.S. Senate.

National: Widely Used Election Systems Are Vulnerable to Attack, Report Finds | Wall Street Journal

Election machines used in more than half of U.S. states carry a flaw disclosed more than a decade ago that makes them vulnerable to a cyberattack, according to a report to be delivered Thursday on Capitol Hill. The issue was found in the widely used Model 650 high-speed ballot-counting machine made by Election Systems & Software LLC, the nation’s leading manufacturer of election equipment. It is one of about seven security problems in several models of voting equipment described in the report, which is based on research conducted last month at the Def Con hacker conference. The flaw in the ES&S machine stood out because it was detailed in a security report commissioned by Ohio’s secretary of state in 2007, said Harri Hursti, an election-security researcher who co-wrote both the Ohio and Def Con reports. “There has been more than plenty of time to fix it,” he said.

National: The dark web is where hackers buy the tools to subvert elections | CBS

Voter data and the digital weapons hackers use to subvert elections are bought and sold daily on a corner of the internet known as the dark web. It is a network of websites that is tough to access but functions much like the internet we use every day. You can buy everything from guns and drugs to botnets and ransomware. And cyber-criminals can purchase voter records and hacking tools.The dark web is not accessible using typical web browsers like Chrome or Safari. Instead, you are required to log on using a virtual private network, or VPN, and the Tor web browser. Tor is an acronym for “the onion router.” Every computer has an identifying IP address, and the Tor browser can help shield your machine’s location by sending info through several layers of servers.

National: FEC data shows candidates hit snooze button on hacker threat, saying defending cyberattacks is hard | McClatchy

With some 40 days remaining to the crucial midterm elections, signs of digital meddling in campaigns are mounting. But most candidates have spent little or nothing on cybersecurity, and say it’s too hard and expensive to focus on hacking threats with all the other demands of running for office. Only six candidates for U.S. House and Senate spent more than $1,000 on cybersecurity through the most recent Federal Election Commission filing period. Yet those who monitor intrusions and digital mayhem say hackers are active. And various reports cite at least three candidates still in races or ousted in primaries were suffering attempted breaches of their campaigns. “We get things literally every day to my team … to investigate everything from phishing attacks to ‘We think our data was breached’ to ‘We think there was a denial of service attack’ to ‘Someone’s listening on our cell phones.’ So we get, like, the whole range of things every single day,” said Raffi Krikorian, chief technology officer for the Democratic National Committee, the party’s governing body.

National: Native Americans Fight Back at the Ballot Box | Stateline