National: Online-only voting? Don’t do it, experts say in report on election security | GeekWire

Chastened by Russian interference and hacking attempts in the 2016 election, academic experts on voting technology say electronic voting machines that don’t leave a paper trail should be phased out as soon as possible. “Every effort should be made to use human-readable paper ballots in the 2018 federal election,” the experts write in a report issued today by the National Academies of Science, Engineering and Medicine. “All local, state and federal elections should be conducted using human-readable paper ballots by the 2020 presidential election.” That’s already the case for Washington, Oregon and Colorado, where mail-only voting has become the norm. (The report notes that “vote-by-mail” is something of a misnomer, since most ballots are still returned by hand. “Ballot delivery by mail” comes closer to the mark.)

National: From encryption to deepfakes, lawmakers geek out during Facebook and Twitter hearing | The Washington Post

Jack Dorsey and Sheryl Sandberg relentlessly practiced before taking hot seats on Capitol Hill, engaging in role play and panels of questioning with colleagues and consultants. But the tech executives weren’t the only ones who came prepared for class on Wednesday. Senators on the Intelligence Committee clearly did their homework on a wide range of technical topics, and they peppered the executives with questions on issues ranging from doctored videos known as “deepfakes” to encryption. The grilling marked a stark departure from hearings earlier this year with Facebook Chief Executive Mark Zuckerberg, when senators on the Judiciary and Commerce committees were panned for their technical illiteracy. 

National: Why the Midterm Elections Are Hackable | BankInfoSecurity

With the midterm elections just around the corner, Barbara Simons, author of the election security book “Broken Ballots,” explains why some voting computers remain inherently flawed. The genesis of problems with today’s voting machines was the controversy involved in counting certain paper ballots in the 2000 presidential election in Florida, Simons explains. “What we really have are voting computers, and anybody who has been reading the news for the past few years understands that computers are vulnerable to attack by hacking; they’re also vulnerable to software bugs and other unintentional errors that can occur,” Simons says in an interview with Information Security Media Group. “And yet as a result of this early, wrong perception that paper was not a good technology to use for voting, many of these initial voting computers that came out were paperless, which meant that it was impossible to do a recount.”

National: DHS ramping up election security coordination | Politico

DHS will boost coordination and information sharing efforts on election security threats later this month in the run-up to the midterms, a senior agency official said Tuesday. The “heightened operational posture” will take effect Sept. 21, as absentee ballots begin streaming in, Bob Kolasky, director of DHS’s new National Risk Management Center, told reporters after a panel discussion at the Intelligence and National Security Summit in National Harbor, Md. The agency’s Election Task Force “continues to be the hub of DHS election activity,” according to Kolasky. But there will be “enhanced coordination” and “heightened information sharing” among the department’s various agencies and partners, including the Defense Department, 45 days before voters go to the polls, Kolasky explained. He noted that while the increase is in part time-driven, there are no plans “to change the nature of how we work with states in the run-up to the elections.”

National: Phishing for political secrets: Hackers take aim at midterm campaigns | CBS

The best hacks are always the simplest. When Russian hackers successfully attacked Hillary Clinton’s presidential campaign chairman John Podesta in 2016, they didn’t need to use crippling ransomware or a complex zero-day exploit. Instead, the Russians used one of the oldest tricks in the hacker playbook: Email phishing. “Phishing is all about the bad guy — the attacker — sending a malicious email to a victim and fooling that person either to click on a link within the email or open up an attachment,” said hacker and computer security consultant Kevin Mitnick in an interview with CBS News. “When the victim [clicks the link or opens the attachment] their computer ends up being compromised and malware is installed so the bad guy has full control.” The goal of phishing attacks like those aimed at the Clinton campaign in 2016, says Mitnick, is to swipe sensitive information or to implant malware that will give the attacker access to the entire network. Once inside, hackers can move laterally across the computer system and swipe information from multiple email accounts, copy intellectual property, and cause irreparable damage.  

National: Upcoming redistricting is a backstory of 2018 midterms | Associated Press

The task of drawing new boundaries for thousands of federal and state legislative districts is still about three years away, yet the political battle over redistricting already is playing out in this year’s midterm elections. North Carolina’s congressional elections were thrown into a week of uncertainty when a federal judicial panel raised the possibility that it would order new districts before the fall elections to correct what it had ruled was unconstitutional partisan gerrymandering. It opted against doing that on Tuesday, conceding there was not enough time. In Colorado, Michigan, Missouri and Utah, campaigns are underway for November ballot initiatives that would change the redistricting process so it’s less partisan and creates more competitive districts. National Democratic and Republican groups are pouring millions of dollars into state races seeking to ensure they have officeholders in position to influence the next round of redistricting.

National: ‘Our House Is on Fire.’ Elections Officials Worry About Midterms Security | Time

Greasing the machinery of democracy can be tedious business. Aside from the occasional recount or a hanging chad, the bureaucrats who run state elections don’t usually see much drama in their work. But this year’s all-important midterms are no ordinary election cycle. So it was that election administrators from all 50 states received rarified, red-carpet treatment outside Washington earlier this year, as federal intelligence gurus granted them secret clearances for the day, shuttled them to a secure facility, and gave them eye-opening, classified briefings on the looming threat. The message, participants said, was chilling. Officials from the FBI, the Department of Homeland Security, the National Security Agency and other agencies warned that the Russians had already shown they could hit hard in the 2016 presidential campaign, and they have been preparing to hit even harder — and no doubt in different ways — this time around. “This was a first for me,” Steve Sandvoss, who heads the Illinois elections office and attended the briefing, said in a recent interview. “I came out of there with the understanding that the threat is not going to go away.” The midterms will determine control of Congress, where a flip to the Democrats in the House or the Senate would no doubt intensify the pressure Trump is already facing from Special Counsel Robert Mueller’s Russia investigation.

National: No Let Up in Cyberattacks, Influence Campaigns Targeting US | VoA News

Top U.S. intelligence and defense officials caution the threat to the U.S. in cyberspace is not diminishing ahead of November’s midterm elections despite indications that Russia’s efforts to disrupt or influence the vote may not match what it did in 2016. The warnings of an ever more insidious and persistent danger come as lawmakers and security officials have increasingly focused on hardening defenses for the country’s voter rolls and voting systems. It also comes as top executives from social media giants Facebook, Twitter and Google prepare to testify on Capitol Hill about their effort to curtail the types of disinformation campaigns used by Moscow and which are increasingly being copied by other U.S. adversaries.

National: Are We Making Elections Less Secure Just to Save Time? | The Intercept

Something strange happens on election night. With polls closing, American supporters of both parties briefly, intensely align as one: We all want to know who’s going to win, and we don’t want to wait one more minute. The ravenous national appetite for an immediate victor, pumped up by frenzied cable news coverage and now Twitter, means delivering hyper-updated results and projections before any official tally is available. But the technologies that help ferry lightning-quick results out of polling places and onto CNN are also some of the riskiest, experts say. It’s been almost two years since Russian military hackers attempted to hijack computers used by both local election officials and VR Systems, an e-voting company that helps make Election Day possible in several key swing states. Since then, reports detailing the potent duo of inherent technical risk and abject negligence have made election security a national topic. In November, millions of Americans will vote again — but despite hundreds of millions of dollars in federal aid poured into beefing up the security of your local polling station, tension between experts, corporations, and the status quo over what secure even means is leaving key questions unanswered: Should every single vote be recorded on paper, so there’s a physical trail to follow? Should every election be audited after the fact, as both a deterrent and check against fraud? And, in an age where basically everything else is online, should election equipment be allowed anywhere near the internet?

National: Polling Places Remain a Target Ahead of November Elections | Stateline

In the five years since the U.S. Supreme Court struck down key parts of the Voting Rights Act, nearly a thousand polling places have been shuttered across the country, many of them in southern black communities. The trend continues: This year alone, 10 counties with large black populations in Georgia closed polling spots after a white elections consultant recommended they do so to save money. When the consultant suggested a similar move in Randolph County, pushback was enough to keep its nine polling places open. But the closures come amid a tightening of voter ID laws in many states that critics view as an effort to make it harder for blacks and other minorities to vote — and, in Georgia specifically, the high-profile gubernatorial bid by a black woman. The ballot in November features Stacey Abrams, a Democrat trying to become the first black woman elected governor in the United States, versus Brian Kemp, the Republican secretary of state who has led efforts in Georgia to purge voter rolls, slash early voting and close polling places.

National: Tech mobilizes to boost election security | The Hill

Private companies are stepping up to offer cybersecurity programs for midterm campaigns as Congress stalls on passing election security legislation. Microsoft is the most prominent name, unveiling a free cybersecurity program in August after the company revealed it had detected Russian hackers who appeared to target a pair of conservative think tanks. The company is joining a broad list of firms providing free or discounted security services, such as McAfee, Cloudflare and most recently Valimail, which is offering its anti-fraud email service to campaigns. Officials at companies said they felt obligated to step up to the plate and offer services that election officials or campaigns might otherwise not have access to — shortcomings that have been widely highlighted ahead of November’s midterm elections.

National: Once Bipartisan, an Election Security Bill Collapses in Rancor | The New York Times

The purpose of the bill seemed unassailable: to ensure that state officials could protect their elections against the kind of hacking or interference that has clouded the 2016 campaign. Although it started out backed by election integrity advocates and powerful senators from both parties, the Secure Elections Act has now all but collapsed. Lawmakers modified one of the bill’s key provisions after hearing relentless complaints from state officials, prompting many of its advocates to pull their support. Then last week delivered what one of the bill’s co-sponsors called “the gut punch” — the formal meeting to draft the bill before sending it to the floor was abruptly postponed, and the White House offered a statement critical of the legislation later that same day. No timetable has since been offered to reschedule it, and the election is two months away.

National: Election security bill backers say delay helps Russia | Associated Press

Just two months before the midterm elections, bipartisan legislation to try to prevent foreign hacking into U.S. election systems is stalled in Congress as the White House and some Republicans worry it could exert too much federal control over the states. Supporters of the bill say the delay could embolden Russia, which targeted election infrastructure in at least 21 states in 2016. A committee vote on the bipartisan bill was abruptly canceled two weeks ago after objections from some Republican senators and the states they represent. And Republicans and Democrats who are supporting the bill say they don’t know when — or if — it will be taken up again in the few remaining weeks Congress is in session before the midterms. The delay has some concerned that Congress could punt on the only piece of legislation that is designed to fix what went wrong in 2016 — and to prevent Russia or other countries from trying again. There is no evidence that the Russian targeting of state election systems was successful or changed any votes, but lawmakers, intelligence officials and elections experts say that they believe Russia will return in 2018 and beyond with more sophisticated tools.

National: States want more money, but aren’t waiting around to improve election cybersecurity | Washington Examiner

Election officials at the state and local levels are unhappily coming to terms with the idea that more funding probably isn’t coming for securing electoral systems from hacks this fall. But with help from the Department of Homeland Security, their confidence appears to be growing about how well they will perform on Election Day. Those officials are the front-line soldiers in the battle to combat Russian and any other cyber interference aimed at the midterm elections. In turn, they are becoming cybersecurity managers, according to Noah Praetz, director of elections in Cook County, Ill. He warned that $380 million in recent federal assistance to the 50 states “is not nearly enough to do a technology refresh” to update all of the antiquated elections systems across the country, but it has helped put state cyber experts “on the street” in five counties across Illinois. “It’s kind of like Andy in Mayberry being sent to deal with a foreign invasion,” he joked. DHS official Jeanette Manfra, speaking at a recent cyber conference, said the department is collaborating with states to shield voter registration from manipulation, ensuring the machines that tally votes are secure, and helping ensure that “unofficial tallies” released before the final election results aren’t altered to sow confusion and discord.

National: State Department unit created to fight foreign election interference still waiting on funding: report | The Hill

A State Department unit established to blunt election interference efforts by foreign countries has still not received funding that was allocated for the project two years ago, HuffPost reported. The news outlet reported that the Defense Department agreed to provide $40 million in funding to the Global Engagement Center earlier this year following complaints from lawmakers. However, the money still had not arrived as of last week, and a Senate aide told HuffPost that the amount had since been cut in half to $20 million. A State Department official told the news outlet that the Global Engagement Center would “be fine” even with the reduced amount of funding. The official said the center is waiting on another $20 million through the State Department’s budget.

National: Why the latest election security bill is stalled in Congress | The Washington Post

For a while there, the Senate’s flagship bill to help states improve election security appeared to be gaining steam. Lawmakers from both sides of the aisle signed onto it. And an unlikely coalition of former national security officials, technologists and public policy groups urged lawmakers to pass the legislation. But the Secure Elections Act stalled last week after the Senate Rules Committee canceled a key vote on the legislation at the last minute — and now its future is uncertain. Some Republicans who seemed poised to support the bill balked after the White House raised concerns about giving the federal government too much authority in election administration, while state officials objected to some of its requirements. Election security experts, meanwhile, worry the legislation is getting too watered down. The delay highlights the tension at the core of the debate over how to best secure the country’s elections as officials warn about Russia’s ongoing campaign to disrupt U.S. politics. And the lack of progress in Congress underscores how difficult it is for lawmakers to balance competing concerns from state election administrators to national security officials to voting integrity groups.

National: Will Russian Hackers Affect This Year’s US Election? | Associated Press

Nearly a year after Russian government hackers meddled in the 2016 U.S. election, researchers at cybersecurity firm Trend Micro zeroed in on a new sign of trouble: a group of suspect websites. The sites mimicked a portal used by U.S. senators and their staffs, with easy-to-miss discrepancies. Emails to Senate users urged them to reset their passwords — an apparent attempt to steal them. Once again, hackers on the outside of the American political system were probing for a way in. “Their attack methods continue to take advantage of human nature and when you get into an election cycle the targets are very public,” said Mark Nunnikhoven, vice president of cloud research at Trend Micro. Now the U.S. has entered a new election cycle. And the attempt to infiltrate the Senate network, linked to hackers aligned with Russia and brought to public attention in July, is a reminder of the risks, and the difficulty of assessing them.

National: Election Hacking: Security Upgrades Are Too Little, Too Late for 2018 Midterms, and Race is Already on for 2020, Experts Say | Newsweek

Election experts, cybersecurity experts and those who are overseeing the upcoming midterms have one thing to say about stopping Russian interference in American elections: Forget 2018. It’s too late. Focus on 2020. Before President Donald Trump had even been sworn into office, intelligence agencies revealed that cyberattacks spanning across 21 states had been conducted under the direct order of Russian President Vladimir Putin. The FBI, CIA and National Security Agency’s report concluded that “Russia’s goals were to undermine public faith in the U.S. democratic process, denigrate Secretary Clinton and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump.”  Despite this, lawmakers and federal officials took months, sometimes longer, to take action, with the result that most federal assistance arrived too late to protect the midterm elections. 

National: White House agrees to destroy documents collected by Kobach-led commission | Lawrence Journal-World

A public interest watchdog group said Thursday that the Trump administration has complied with an agreement to destroy sensitive voter registration information that was collected by a now-defunct advisory commission on which Kansas Secretary of State Kris Kobach served as vice chair. The action came in response to two lawsuits, both of which have now been dismissed, in which separate groups sought to block the Presidential Advisory Commission on Election Integrity from obtaining or keeping those records. “President Trump’s now-disbanded voter fraud Commission was flawed from the start,” Paul Seamus Ryan, vice president for policy and litigation at the Washington-based group Common Cause, said in a statement. “Common Cause and its 1.2 million members celebrate the end of this litigation and the destruction of the commission’s illegally collected voter data.” Common Cause was the lead plaintiff in one of the lawsuits. The other suit was led by the Electronic Privacy Information Center, or EPIC, which agreed to dismiss its suit last week.

National: Does the CFAA apply to voting machine hacks? | FCW

For decades, the Computer Fraud and Abuse Act served as the U.S. government’s most powerful tool to prosecute hackers. Over the years, virtually every high-profile cybercrime case in which federal prosecutors brought forth charges – from Aaron Swartz and Marcus Hutchins to Russian and Iranian-backed hacking groups – has used the CFAA as its cornerstone statute. As the U.S. heads into the 2018 mid-term elections, the government is facing intense political pressure to harden the security around election systems, while the Trump administration has also come under fire for not doing enough to draw bright lines around election infrastructure and signal to foreign nations that interference will come with great consequences.

National: Justice Department Warns It Might Not Be Able to Prosecute Voting Machine Hackers | Motherboard

After more than a decade of headlines about the vulnerability of US voting machines to hacking, it turns out the federal government says it may not be able to prosecute election hacking under the federal law that currently governs computer intrusions. Per a Justice Department report issued in July from the Attorney General’s Cyber Digital Task Force, electronic voting machines may not qualify as “protected computers” under the Computer Fraud and Abuse Act, the 1986 law that prohibits unauthorized access to protected computers and networks or access that exceeds authorization (such as an insider breach). The report says the law generally only prohibits against hacking computers “that are connected to the Internet (or that meet other narrow criteria for protection)” and notes that voting machines generally do not meet this criteria “as they are typically kept off the Internet.” Consequently, “should hacking of a voting machine occur, the government would not, in many conceivable circumstances, be able to use the CFAA to prosecute the hackers.”

National: Focusing on the long tail of cybersecurity | FCW

When the Department of Homeland Security announced the formation of a new National Risk Management Center in July to handle cybersecurity threats and engage with the private sector, some wondered how the center’s mission would overlap or conflict with another DHS organ, the National Cybersecurity and Communications Integration Center. Matthew Travis, deputy undersecretary of the National Protections and Programs Directorate, elaborated further on how DHS views the differing missions of the NCCIC and the NRMC while giving a speech at an Aug. 28 conference in Washington D.C. The NCCIC, Travis said, will still serve as a threat and information sharing hub designed to react to problems and facilitate cooperation with state, local, private and critical infrastructure sectors in the face of immediate threats, like the ransomware attack that hit Atlanta earlier this year or the 2017 WannaCry attacks. The center will continue its role sharing threat indicators, conducting trainings, providing malware analysis for specific incidents and sending out technical advisories about emerging threats.

National: Here’s What Keeps The Democratic Party’s Technology Boss Awake At Night | KTTZ

The 2016 campaign was a nightmare for Democrats. So Democratic National Committee Chief Technology Officer Raffi Krikorian was brought in to the DNC in 2017 to make sure embarrassing breaches — and the subsequent leak of internal communications — weren’t repeated. But with fewer than 70 days to go until the midterm elections, there’s still a lot of room for improvement, he acknowledged, both inside and outside the organization. “We all still have work to do. And we’re not getting the support that I think we need from … governmental agencies,” Krikorian said. “This is the thing that keeps me up at night.”

National: The Only Election Security Bill That Matters Picks Up Two New Senate Co-sponsors | Gizmodo

Democrats are pushing forward with a bill that, unlike competing legislation, would actually require the use of paper ballots and comprehensive audits in all federal elections. Today, Senators Bernie Sanders of Vermont and Kamala Harris of California added their names to a list of co-sponsors of the Protecting American Votes and Elections Act, joining nine others, including Oregon Sen. Ron Wyden, the bill’s author. The PAVE Act is the only legislation currently proposed that would require nationwide use of so-called “risk-limiting” audits to protect election results from tampering by hackers, from computer glitches and other voting system errors. Moreover, it is the only bill to mandate the use by all states of paper trail printers to verify machine-count outcomes.

National: Lawmakers dismiss ES&S’s claim that spies benefit from election hacking demos | The Washington Post

The nation’s leading voting equipment vendor made the bombastic claim that foreign spies may be infiltrating events where ethical hackers test vulnerabilities in voting machines — such as the Def Con hacking conference that took place this month in Las Vegas — to glean intelligence on how to hack an election. “[F]orums open to anonymous hackers must be viewed with caution, as they may be a green light for foreign intelligence operatives who attend for purposes of corporate and international espionage,” Election Systems and Software wrote in a letter made public Monday to a bipartisan group of lawmakers on the Senate Intelligence Committee. ES&S was responding to a bipartisan group of lawmakers on the Senate Intelligence Committee who inquired about the security of the company’s machines after researchers at Def Con discovered new vulnerabilities in voting equipment made by ES&S and other vendors. Yet the company’s response took issue with the idea of testing by independent hackers in the first place: “We believe that exposing technology in these kinds of environments makes hacking elections easier, not harder, and we suspect that our adversaries are paying very close attention.”

National: The agency created to protect elections is broken | Yahoo News

More than a decade before anyone worried about Russian bots, there were chads. The hanging chad was the most famous chad of all. But there was also the pregnant chad, the fat chad, the dimpled chad and the tri-chad. These were all minute variations on a scrap of paper a fraction of an inch in diameter, the vestige of a voting ballot not quite fully punched through. Hanging chads that could not be counted led George W. Bush to beat Al Gore in Florida in the 2000 election by 537 votes and become president. The hanging chad became the central image of that election, and of the Supreme Court case that decided it. Scenes of Florida election officials studying indentations on sheets of paper suggested a ridiculously outmoded system. Two years later, Congress passed the Help America Vote Act, or HAVA, which was designed to provide funds for states “to replace punch card voting systems” and to “establish minimum election administration standards” for the nation’s 10,000 voting jurisdictions.

National: Lankford says his Secure Elections Act isn’t dead, despite delays | newsOK

U.S. Sen. James Lankford says election security legislation he has touted for months is not dead, despite delays by a Senate committee and mixed messages from the White House. The Secure Elections Act, which was introduced by the Oklahoma City Republican late last year, appeared to be headed for passage this fall. It has attracted a bipartisan following as intelligence officials continue to warn of Russian attempts to hack America’s elections. But last week, the Senate Rules Committee abruptly pulled the bill from consideration and a White House spokesperson suggested it was unnecessary because the Department of Homeland Security already “has all the statutory authority it needs to assist state and local officials” as they seek to ensure their elections are secure.

National: Senators Want Independent Security Testing of Voting Machines | Decipher

While a proposed measure that would have given state officials more tools to help secure elections has bogged down in the Senate, four members of that body’s Intelligence Committee are pressuring a major manufacturer of electronic voting machines to allow independent tests of their products by election agencies and to work with researchers to assess the security of the machines. In a letter sent to the president and CEO of Election Systems & Software, a maker of voting machines used in many states, a bipartisan group of senators expressed concerns about the company’s reaction to the Voting Village hacking contest at the DEF CON security conference earlier this month. The Voting Village gave participants the opportunity to get their hands on various electronic voting machines, look for vulnerabilities, and see whether they could find ways around the defenses on the machines. Before DEF CON, ES&S officials sent a FAQ to customers, informing them of the contest and somewhat downplaying any negative results that might come from it.

National: List of U.S. Senators Targeted by Foreign Phishing Attacks Mounts | Government Technology

Sen. Patrick J. Toomey is the latest U.S. politician to announce his campaign was the target of an attempt to hack into its emails. Google notified Toomey’s office that “hackers from a nation state may have attempted to infiltrate specific email accounts associated with his campaign apparatus” through a phishing scam, Steve Kelly, a spokesman for the Pennsylvania Republican, said in a statement. “This underscores the cybersecurity threats our government, campaigns, and elections are currently facing,” Kelly said. “It is essential that Congress impose tough penalties on any entity that undermines our institutions.” The attacks were not successful. Toomey’s Senate office has not been the target of similar hacking attempts.

National: Report: Election Offices ‘Highly Susceptible’ to Spoofing | GovernmentCIO

Despite warnings about possible cyberattacks aimed at undermining midterm election security, new research reveals an overwhelming number of evaluated state, territory and District of Columbia election offices as highly vulnerable to email spoofing. Released today, the “Email Spoofing Threat to the 2018 U.S. Midterm Elections” report by Anomali Labs, the R&D arm of threat intelligence company Anomali, explores the strength of email security programs for election-related infrastructure. And of the 90 state, territory and District of Columbia election offices Anomali Labs assessed, 96 percent are “highly susceptible” to email spoofing attacks. The report found a low adoption rate of strong email authentication and email security standards among the majority of state-level election offices and their online voter registration sites. Adoption overall is inconsistent across the board. Being spoofable means threat actors could falsify the sender’s origins to appear as if the fraudulent email came from a legitimate government organization, according to the report. This type of threat is “100 percent real, and as far as urgency, given that phishing is the No. 1 attack vector, not just against election officials but also in industry in general, I think it’s very, very high,” said Roberto Sanchez, Anomali director of threat and sharing analysis and the lead researcher for the election security report.