National: Does the CFAA apply to voting machine hacks? | FCW

For decades, the Computer Fraud and Abuse Act served as the U.S. government’s most powerful tool to prosecute hackers. Over the years, virtually every high-profile cybercrime case in which federal prosecutors brought forth charges – from Aaron Swartz and Marcus Hutchins to Russian and Iranian -backed hacking groups – has used the CFAA as its cornerstone statute. As the U.S. heads into the 2018 mid-term elections, the government is facing intense political pressure to harden the security around election systems, while the Trump administration has also come under fire for not doing enough to draw bright lines around election infrastructure and signal to foreign nations that interference will come with great consequences.

National: Justice Department Warns It Might Not Be Able to Prosecute Voting Machine Hackers | Motherboard

After more than a decade of headlines about the vulnerability of US voting machines to hacking, it turns out the federal government says it may not be able to prosecute election hacking under the federal law that currently governs computer intrusions. Per a Justice Department report issued in July from the Attorney General’s Cyber Digital Task Force, electronic voting machines may not qualify as “protected computers” under the Computer Fraud and Abuse Act, the 1986 law that prohibits unauthorized access to protected computers and networks or access that exceeds authorization (such as an insider breach). The report says the law generally only prohibits against hacking computers “that are connected to the Internet (or that meet other narrow criteria for protection)” and notes that voting machines generally do not meet this criteria “as they are typically kept off the Internet.” Consequently, “should hacking of a voting machine occur, the government would not, in many conceivable circumstances, be able to use the CFAA to prosecute the hackers.”

National: Focusing on the long tail of cybersecurity | FCW

When the Department of Homeland Security announced the formation of a new National Risk Management Center in July to handle cybersecurity threats and engage with the private sector, some wondered how the center’s mission would overlap or conflict with another DHS organ, the National Cybersecurity and Communications Integration Center. Matthew Travis, deputy undersecretary of the National Protections and Programs Directorate, elaborated further on how DHS views the differing missions of the NCCIC and the NRMC while giving a speech at an Aug. 28 conference in Washington D.C. The NCCIC, Travis said, will still serve as a threat and information sharing hub designed to react to problems and facilitate cooperation with state, local, private and critical infrastructure sectors in the face of immediate threats, like the ransomware attack that hit Atlanta earlier this year or the 2017 WannaCry attacks. The center will continue its role sharing threat indicators, conducting trainings, providing malware analysis for specific incidents and sending out technical advisories about emerging threats.

National: Here’s What Keeps The Democratic Party’s Technology Boss Awake At Night | KTTZ

The 2016 campaign was a nightmare for Democrats. So Democratic National Committee Chief Technology Officer Raffi Krikorian was brought in to the DNC in 2017 to make sure embarrassing breaches — and the subsequent leak of internal communications — weren’t repeated. But with fewer than 70 days to go until the midterm elections, there’s still a lot of room for improvement, he acknowledged, both inside and outside the organization. “We all still have work to do. And we’re not getting the support that I think we need from … governmental agencies,” Krikorian said. “This is the thing that keeps me up at night.”

National: The Only Election Security Bill That Matters Picks Up Two New Senate Co-sponsors | Gizmodo

Democrats are pushing forward with a bill that, unlike competing legislation, would actually require the use of paper ballots and comprehensive audits in all federal elections. Today, Senators Bernie Sanders of Vermont and Kamala Harris of California added their names to a list of co-sponsors of the Protecting American Votes and Elections Act, joining nine others, including Oregon Sen. Ron Wyden, the bill’s author. The PAVE Act is the only legislation currently proposed that would require nationwide use of so-called “risk-limiting” audits to protect election results from tampering by hackers, from computer glitches and other voting system errors. Moreover, it is the only bill to mandate the use by all states of paper trail printers to verify machine-count outcomes.

National: Lawmakers dismiss ES&S’s claim that spies benefit from election hacking demos | The Washington Post

The nation’s leading voting equipment vendor made the bombastic claim that foreign spies may be infiltrating events where ethical hackers test vulnerabilities in voting machines — such as the Def Con hacking conference that took place this month in Las Vegas — to glean intelligence on how to hack an election. “[F]orums open to anonymous hackers must be viewed with caution, as they may be a green light for foreign intelligence operatives who attend for purposes of corporate and international espionage,”  Election Systems and Software wrote in a letter made public Monday to a bipartisan group of lawmakers on the Senate Intelligence Committee. ES&S was responding to bipartisan group of lawmakers on the Senate Intelligence Committee who inquired about the security of the company’s machines after researchers at Def Con discovered new vulnerabilities in voting equipment made by ES&S and other vendors. Yet the company’s response took issue with the idea of testing by independent hackers in the first place: “We believe that exposing technology in these kinds of environments makes hacking elections easier, not harder, and we suspect that our adversaries are paying very close attention.”

National: The agency created to protect elections is broken | Yahoo News

More than a decade before anyone worried about Russian bots, there were chads. The hanging chad was the most famous chad of all. But there was also the pregnant chad, the fat chad, the dimpled chad and the tri-chad. These were all minute variations on a scrap of paper a fraction of an inch in diameter, the vestige of a voting ballot not quite fully punched through. Hanging chads that could not be counted led George W. Bush to beat Al Gore in Florida in the 2000 election by 537 votes and become president. The hanging chad became the central image of that election, and of the Supreme Court case that decided it. Scenes of Florida election officials studying indentations on sheets of paper suggested a ridiculously outmoded system. Two years later, Congress passed the Help America Vote Act, or HAVA, which was designed to provide funds for states “to replace punch card voting systems” and to “establish minimum election administration standards” for the nation’s 10,000 voting jurisdictions.

National: Lankford says his Secure Elections Act isn’t dead, despite delays | newsOK

U.S. Sen. James Lankford says election security legislation he has touted for months is not dead, despite delays by a Senate committee and mixed messages from the White House. The Secure Elections Act, which was introduced by the Oklahoma City Republican late last year, appeared to be headed for passage this fall. It has attracted a bipartisan following as intelligence officials continue to warn of Russian attempts to hack America’s elections. But last week, the Senate Rules Committee abruptly pulled the bill from consideration and a White House spokesperson suggested it was unnecessary because the Department of Homeland Security already “has all the statutory authority it needs to assist state and local officials” as they seek to ensure their elections are secure.

National: Senators Want Independent Security Testing of Voting Machines | Decipher

While a proposed measure that would have given state officials more tools to help secure elections has bogged down in the Senate, four members of that body’s Intelligence Committee are pressuring a major manufacturer of electronic voting machines to allow independent tests of their products by election agencies and to work with researchers to assess the security of the machines. In a letter sent to the president and CEO of Election Systems & Software, a maker of voting machines used in many states, a bipartisan group of senators expressed concerns about the company’s reaction to the Voting Village hacking contest at the DEF CON security conference earlier this month. The Voting Village gave participants the opportunity to get their hands on various electronic voting machines, look for vulnerabilities, and see whether they could find ways around the defenses on the machines. Before DEF CON, ES&S officials sent a FAQ to customers, informing them of the contest and somewhat downplaying any negative results that might come from it.

National: List of U.S. Senators Targeted by Foreign Phishing Attacks Mounts | Government Technology

Sen. Patrick J. Toomey is the latest U.S. politician to announce his campaign was the target of an attempt to hack into its emails. Google notified Toomey’s office that “hackers from a nation state may have attempted to infiltrate specific email accounts associated with his campaign apparatus” through a phishing scam, Steve Kelly, a spokesman for the Pennsylvania Republican, said in a statement. “This underscores the cybersecurity threats our government, campaigns, and elections are currently facing,” Kelly said. “It is essential that Congress impose tough penalties on any entity that undermines our institutions.” The attacks were not successful. Toomey’s Senate office has not been the target of similar hacking attempts.

National: Report: Election Offices ‘Highly Susceptible’ to Spoofing | GovernmentCIO

Despite warnings about possible cyberattacks aimed at undermining midterm election security, new research reveals an overwhelming number of evaluated state, territory and District of Columbia election offices as highly vulnerable to email spoofing. Released today, the “Email Spoofing Threat to the 2018 U.S. Midterm Elections” report by Anomali Labs, the R&D arm of threat intelligence company Anomali, explores the strength of email security programs for election-related infrastructure. And of the 90 state, territory and District of Columbia election offices Anomali Labs assessed, 96 percent are “highly susceptible” to email spoofing attacks. The report found a low adoption rate of strong email authentication and email security standards among the majority of state-level election offices and their online voter registration sites. Adoption overall is inconsistent across the board. Being spoofable means threat actors could falsify the sender’s origins to appear as if the fraudulent email came from a legitimate government organization, according to the report. This type of threat is “100 percent real, and as far as urgency, given that phishing is the No. 1 attack vector, not just against election officials but also in industry in general, I think it’s very, very high,” said Roberto Sanchez, Anomali director of threat and sharing analysis and the lead researcher for the election security report.

National: McCain Made Campaign Finance Reform A Years-Long Mission | NPR

John McCain devoted much of his career in the Senate to controlling the influence of money in public life — in part to try to recover from his own role in a big congressional influence scandal. McCain, who died Saturday of brain cancer, made money and influence big themes of his first presidential race. “Y’know, there’s a little game they got in Washington,” he told a crowd in New Hampshire in 1999. “And that is: Look at the tax bill when it comes out, to figure out who’s getting the benefit — because of the very complex and convoluted way that they write the tax laws. And it’s a disgrace.” Although McCain, an Arizona Republican, lost the Republican nomination to George W. Bush, his warnings that money was corrupting politics reverberated in many state primaries, amplifying his message and propelling him toward an unexpected legislative triumph in the Senate that helped define his career. … McCain, who served more than 30 years in the Senate, began as an unlikely crusader.

National: Facebook and Microsoft briefed state officials on election security efforts today | TechCrunch

So much for summer Fridays. Yesterday, BuzzFeed reported that a dozen tech companies, including Facebook, Google, Microsoft and Snapchat, would meet at Twitter headquarters on Friday to discuss election security. For two of them, that wasn’t the only meeting in the books. In what appears to be a separate event on Friday, Facebook and Microsoft also met with the Department of Homeland Security, the FBI and two bodies of state election officials, the National Association of State Election Directors (NASED) and the National Association of Secretaries of State (NASS), about their election security efforts.

National: Democrats Overhaul Controversial Superdelegate System | The New York Times

Democratic Party officials, after a yearslong battle between warring ideological wings, have agreed to sharply reduce the influence of the top political insiders known as superdelegates in the presidential nomination process. Under the new plan, which was agreed to on Saturday afternoon in Chicago at the Democratic National Committee’s annual summer meetings, superdelegates retain their power to back any candidate regardless of how the public votes. They will now be largely barred, however, from participating in the first ballot of the presidential nominating process at the party’s convention — drastically diluting their power. Superdelegates will be able to cast substantive votes only in extraordinary cases like contested conventions, in which the nomination process is extended through multiple ballots until one candidate prevails. “After you lose an election, you have to look in the mirror,” said Howard Dean, former chairman of the Democratic National Committee. Mr. Dean had recorded a video message to committee members urging them to back the proposed changes.

National: Midterm Campaigns Fight to Prevent Cyber Attacks | New York Magazine

Melting in South Florida’s humidity, a young congressional campaign manager let his nerves show. Sitting across from a pair of visitors on a café patio, he widened his eyes when they asked if there were any tool he wished he had to help protect his campaign from cyber attacks. “I have no idea! I don’t even know what that would be, to be honest.” Weeks away from Election Day, the operative’s fear is increasingly common — practically unavoidable in 2018, in fact. Midterm campaigns are entering the fall more anxious than ever about looming threats of email phishing, text hacking, and countless other ominous possibilities that could derail their hopes with the touch of a Muscovite button. And it’s becoming increasingly clear to many that they may just not be ready for what’s coming — or what’s already occurred.

National: Trump Objections to Senate Election Security Bill Stalled Measure | Roll Call

President Donald Trump is objecting to the Senate’s effort to help improve election security, citing concerns about imposing federal burdens on state and local governments. The Rules and Administration Committee abruptly scrapped a Wednesday  markup of bipartisan election security legislation, and there were rumors that the White House might have been at least in part behind the delay. Some Republican members of the committee were against the bill, including former Chairman Richard C. Shelby, R-Ala. … The White House is asking the Senate, “Do not violate the principles of Federalism — Elections are the responsibility of the states and local governments,” according to the Walters statement. “We cannot support legislation with inappropriate mandates or that moves power or funding from the states to Washington for the planning and operation of elections.”

National: White House blocks bill that would protect elections | Yahoo News

A bill that would have significantly bolstered the nation’s defenses against electoral interference has been held up in the Senate at the behest of the White House, which opposed the proposed legislation, according to congressional sources. The Secure Elections Act, introduced by Sen. James Lankford, R-Okla., in December 2017, had co-sponsorship from two of the Senate’s most prominent liberals, Kamala Harris, D-Calif., and Amy Klobuchar, D-Minn., as well as from conservative stalwart Lindsey Graham, R-S.C., and consummate centrist Susan Collins, R-Me. Sen. Roy Blunt, R-Mo., was set to conduct a markup of the bill on Wednesday morning in the Senate Rules Committee, which he chairs. The bill had widespread support, including from some of the committee’s Republican members, and was expected to come to a full Senate vote in October. But then the chairman’s mark, as the critical step is known, was canceled, and no explanation was given.

National: What’s next for postponed Secure Elections Act | Politico

The Senate Rules Committee’s last-minute decision Wednesday to postpone a markup of the Secure Elections Act (S. 2593) was a significant setback for a bill that had been considered a bipartisan bright spot in a bitterly divided Congress. “For everyone else who delayed this action today, I hope that you will listen to the clarion cry of our intelligence community and continue to work with us and reschedule the markup and pass the bill into law,” Sen. Amy Klobuchar, the ranking member on the Rules Committee and the bill’s chief Democratic co-sponsor, said in a statement. Rules announced the delay hours before DHS Secretary Kirstjen Nielsen urged states to have a “verifiable and auditable ballot,” though she deferred on the question of whether paper was essential, saying, “I don’t know that we’re interested in mandating how.”

National: Election-Hacking Lessons from the 2018 Def Con Hackers Conference | The New Yorker

Earlier this month, Bianca Lewis, who is eleven years old, was wearing a T-shirt printed with the words “No time for Barbie, there’s hacking to be done” and sitting in front of a computer at the annual Def Con hacking conference, in Las Vegas, meddling with a replica of the Florida Secretary of State’s election Web site. She’d already surreptitiously entered the site’s database through what is known as an SQL injection. “First, you open the site,” she explained, “then you type a few lines of code into the search bar, and you can delete things and change votes. I deleted Trump. I deleted every single vote for him.” Lewis was visiting an event at the conference run by R00tz Asylum, a nonprofit that teaches hacking to kids, where organizers had replicated thirteen Secretary of State Web sites and invited kids to hack them. The day the conference began, as programmers were finishing coding the sites, the National Association of Secretaries of State issued a press release complaining that Def Con “utilizes a pseudo environment which in no way replicates state election systems, networks, or physical security.” That was true enough—these sites were only look-alikes—but they were constructed from data scraped from the actual state sites, and contained known vulnerabilities that had been exploited by hackers in the past. One of the organizers, Jake Braun, rolled his eyes when I asked him about the association’s letter. “It’s totally tone-deaf,” he said. “A nation-state is literally hacking our democracy—wouldn’t you want to take any help you could possibly get? If they don’t think that the Russians are not doing what we’re doing here all year, as opposed to just a weekend, then they are fucking idiots, right?”

National: Former Facebook security chief warns its too late to protect 2018 elections | CNET

Former Facebook security chief Alex Stamos has issued a sobering warning about the continuing threat of foreign interference in US elections, saying it’s “too late to protect the 2018 elections.” But he believes the 2020 election can still be saved. Stamos, who departed Facebook for Stanford University earlier this month, is well acquainted with the subject, having played a central role in Facebook’s response to interference by Russian trolls in the 2016 US presidential election that took place on the social media giant. In a blog post published Wednesday on Lawfare, Stamos seizes on two pieces of news he says proves that “America’s adversaries believe that it is still both safe and effective to attack U.S. democracy using American technologies and the freedoms we cherish.”

National: ES&S to boost security following criticism | The Hill

A major election systems vendor on Thursday announced steps to boost the security of its products, just one day after lawmakers raised concerns that the company is not doing enough to safeguard itself from hackers. Election Systems and Software (ES&S), which is the third largest election system vendor in the U.S., announced it will work more closely with the Department of Homeland Security (DHS) and Information Sharing and Analysis Centers (ISAC) in an effort to increase security of its systems ahead of the 2018 midterm elections. The company in a press release said it has formed “new partnerships with multiple DHS offices that include its key cyber office known as the National Protection and Programs Directorate (NPPD) as well as the National Cybersecurity Assessment and Technical Services (NCATS). 

National: Senate Panel Abruptly Cancels Markup of Election Security Bill | Roll Call

A Senate committee on Wednesday abruptly postponed the planned markup of a key election security bill that had bipartisan support and would have imposed new audit requirements on states. The markup of the Secure Elections Act, authored by Oklahoma Republican James Lankford and Minnesota Democrat Amy Klobuchar, is “postponed until further notice,” the Senate Rules and Administration Committee said on its website. The bill had the backing of several GOP lawmakers, including Richard M. Burr of North Carolina, Susan Collins of Maine and Lindsey Graham of South Carolina, as well as Democrats such as Mark Warner of Virginia, Kamala Harris of California and Martin Heinrich of New Mexico. But a senior Republican lawmaker, Sen. Richard C. Shelby, objected to the bill’s provisions expanding the federal role in elections. 

National: Senate Intelligence Committee members raise concerns about voting system vulnerabilities | The Hill

A bipartisan group of lawmakers on the Senate Intelligence Committee raised concerns Wednesday about the election voting systems provided by one of the largest vendors in the United States, questioning whether the company is doing enough to safeguard itself from hackers. Four committee members wrote in a letter they were disappointed that Election Systems & Software (ES&S) has not agreed to undergo independent testing to determine the security level of its systems. The letter comes after an annual hacking conference earlier this month appeared to reveal security vulnerabilities in ES&S voting systems. “We are concerned that ES&S and other election system providers may not be prepared for the growing threats to our elections,” Senate Intelligence Committee Vice Chairman Mark Warner (D-Va.) and Sens. Susan Collins (R-Maine), James Lankford (R-Okla.), and Kamala Harris (D-Calif.) wrote in a letter to the company.

National: DHS chief calls on officials in all 50 states to have ‘verifiable’ ballots by 2020 election | The Hill

Homeland Security Secretary Kirstjen Nielsen on Wednesday called on election officials in all 50 states to ensure that ballots used during the 2020 presidential election are able to be audited. Nielsen told a group of reporters touring the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, Va., that she wants “all state and local election officials to make certain that by the 2020 presidential election, every American votes on a verifiable and auditable ballot.” “Our systems must be resilient. We must be able to demonstrate that the votes count and that they are counted correctly,” she added.

National: The Votes Are In: Election Security Matters | Dark Reading

No matter what side of the political divide on which one falls, everyone agrees that the security and integrity of elections are critical. Throughout history, foreign adversaries have attempted to influence election outcomes to their benefit and, in 2016, the efforts escalated to cyberattacks. For this reason, the security of US elections and election infrastructure remains a top national concern, and in early 2017, the government designated the election system as one of our critical infrastructures. With the number of cyberattacks growing every day, improving cybersecurity will be a mandatory component in preserving our political process. The US Department of Homeland Security (DHS) confirmed that at least 21 states have had their networks scanned by Russian adversaries. Scanning is the cyber equivalent of checking for holes in a fence, an unlocked door, or an open window. There are also confirmed reports of a few specific intrusions into government-owned voter registration databases.

National: Democratic Party Says It Thwarted Attempted Hack of Voter Database | The New York Times

The Democratic National Committee said Wednesday that it was alerted to an attempted hack of its voter database this week and that it had notified law enforcement. The effort to target the Democratic Party’s voter file, known as Votebuilder, was not successful, and a party official said the identities of the culprits were unclear. When the Democratic National Committee was hacked in 2016 during the presidential campaign, the incident was traced to Russia. This week’s attempt was aggressive, two officials briefed on it said. The hackers set up a fake page that mimicked the party’s login page for its voter-registration website, a tactic that could gather names, passwords and other credentials of those using the voter database. The hackers also may have sent emails to people within the national committee to try to trick them into using the fake page, a tactic known as “spearphishing,” the officials said. The Federal Bureau of Investigation is looking into the incident, one of the officials said.

National: Officials fear voter registries vulnerable to hackers, could lead to problems on Election Day | Associated Press

A top Department of Homeland Security official said on Tuesday that while it would be difficult for hackers to meaningfully change vote totals in the upcoming elections, they could attack more vulnerable voter registration files, which an expert said could sow “chaos” on Election Day. “Our assessment is that it would be exceedingly complex to change vote totals, and that in trying to attempt to do so [it’s] likely that something would be noticed,” DHS’s National Risk Management Center Director Robert Kolasky said in a Senate hearing. “Voter registration files we’ve assessed as more of a vulnerability than the actual vote count process.”

National: States Detail Election-Security Plans | Wall Street Journal

State election officials plan to spend about two thirds of election security money allocated by Congress earlier this year on new voting equipment and cybersecurity efforts, though not all the improvements will be completed before the November elections. New data gathered by the federal agency that distributes the funds detail how states plan to spend $380 million appropriated by Congress in March to upgrade election security. States plan to spend roughly $134.2 million on cybersecurity upgrades over five years, and $102.6 million on voting equipment, according to the data released by the U.S. Election Assistance Commission. States plan to spend the rest of the federal funding on measures that include upgrading voter-registration databases, bolstering postelection auditing and communications capabilities.

National: Tech giants open up about election cyberthreats as specter of regulation looms | The Washington Post

Tech companies are taking a more transparent approach than usual in disclosing cyberthreats against their platforms — especially when it comes to election interference. One high-profile example came this week when Microsoft announced that Russian hackers tried to use the company’s domains to launch phishing attacks on U.S. political institutions. The company also revealed recently that hackers had used similar means to target 2018 congressional candidates. And just last month, Facebook said that it had uncovered a sophisticated political disinformation campaign involving nearly two dozen fraudulent pages and profiles. The disclosures are not just limited to U.S. election threats. Late Tuesday, Facebook announced that it had identified new social media influence campaigns — one backed by the Iranian government, another linked to Russian military intelligence — and removed hundreds of fraudulent accounts that it said were designed to manipulate users in other countries around the globe.

National: Election security steps hobbled by Congress-White House funding fight | Reuters

A battle between U.S. President Donald Trump and Democrats over federal funding to help secure November’s U.S. elections stymied legislation in Congress on Wednesday, at least for now, that is aimed at thwarting Russian meddling by strengthening states’ voting procedures. The Senate Rules Committee unexpectedly canceled a work session that was intended to advance the Secure Elections Act. That is a bipartisan bill requiring greater coordination between the U.S. Department of Homeland Security and a range of other federal and state election agencies as well as making it easier to audit voting results in the 50 states. The fight pits Democrats and some state officials against the Trump administration and Republicans who oppose additional money flowing from Washington to the states to shore up elections.