National: Senators duel over audit requirements in election security bill | FCW

As the Secure Elections Act barrels towards a crucial markup in the Senate, two of its original cosponsors expressed divergent views on whether the bill must mandate hand counted post-election audits. The latest version of the bill released by Senate Rules Committee chair Roy Blunt (R-Mo.) would, like its predecessors, mandate that every state conduct a post-election audit to verify the results. However, Blunt’s version would allow states to conduct those audits by hand as well as through electronic means. Previous versions of the bill specified that audits be inspected “by hand and not by device.” During a hearing on cybersecurity, Sen. Amy Klobuchar (D-Minn.), one of the original co-sponsors of the bill, pressed her colleagues to fight to reinsert the language. “I would love to see that risk-limiting audit requirement across the country,” said Klobuchar. “What we have right now in the bill is a requirement that simply audits be required and they have to report back to us. We have backup paper ballots in 14 states now, nine as you know have partial [paper backups], five don’t have any at all….I don’t know how you could prove what happened in an election if there was a hacking.”

National: States using chunk of federal $380M to safeguard voting | Associated Press

Racing to shore up their election systems before November, states are using millions of dollars from the federal government to tighten cybersecurity, safeguard their voter registration rolls and improve communication between county and state election officers. The U.S. Election Assistance Commission released a report Tuesday showing how states plan to spend $380 million allocated by Congress last spring to strengthen voting systems amid ongoing threats from Russia and others. All but a fraction of the money has already been sent to the states, the District of Columbia and U.S. territories. The largest chunk — roughly 36 percent — is being spent to improve cybersecurity in 41 states and territories. More than a quarter of the money will be used to replace voting equipment in 33 states and territories, although the bulk of this is unlikely to happen until after the Nov. 6 midterm elections.

National: Majority of election security grants going toward cybersecurity, equipment upgrades | CyberScoop

About a third of federal funding meant to improve election technology will be spent on cybersecurity-related improvements, while another third will be used to upgrade old equipment, according to plans released Tuesday by states and the U.S. Election Assistance Commission. In March, Congress appropriated $380 million for states to use for upgrades to election infrastructure, under the Help America Vote Act. It’s the first time the federal distributes HAVA funding since 2010. “The 380 [million] is something new in terms of additional funding, but it’s in that same realm of ensuring that our voting process remain secure and that vote of confidence remains high,” Tom Hicks, chairman of the EAC, told CyberScoop.

National: New bill would require paper ballots to secure election results | CNET

The Russians can’t hack paper. On Tuesday, nine Senators introduced a bill that would require state and local governments to use paper ballots in an effort to secure elections from hackers. The bill would also require rigorous audits for all federal elections to ensure that results match the votes. “Leaving the fate of America’s democracy up to hackable election machines is like leaving your front door open, unlocked and putting up a sign that says ‘out of town,'” Sen. Ron Wyden, a Democrat from Oregon, said in a . “Any failure to secure our elections amounts to disenfranchising American voters.”

National: Democrats gear up for legal fights over voter suppression | The Hill

Democrats are getting ready for a major fight this fall over access to the polls, which the party believes could be a critical issue toward determining congressional majorities in the midterm elections. Sen. Chris Van Hollen (D-Md.), the chairman of the Senate Democrats’ campaign arm, pointed out recent efforts to limit turnout by likely Democratic voters in Texas, Ohio and Indiana — three Senate battlegrounds. “A number of states have already acted. Texas put in place a set of additional restrictions,” Van Hollen said in an interview on C-SPAN’s “Newsmakers.” Hilary Shelton, the director of the Washington bureau of the NAACP, a nonpartisan group, said voting rights are under greater threat in 2018 compared to recent elections because of Attorney General Jeff Sessions.

National: Kids at hacking conference show how easily US elections could be sabotaged | The Guardian

At the world’s largest hacking conference, there was good news and bad news for fans of free and fair elections. The good news is that hacking the US midterms – actually changing the recorded votes to steal the election for a particular candidate – may be harder than it seems, and most of the political actors who could pose a threat to the validity of an election are hesitant to escalate their attacks that far. The bad news is that it doesn’t really matter. While the actual risk of a hacker seizing thousands of voting machines and altering their records may be remote, the risk of a hacker casting the validity of an election into question through one of any number of other entry points is huge, and the actual difficulty of such an attack is child’s play. Literally.

Editorials: Time is running out to secure our elections | James Lankford and Amy Klobuchar/The Hill

In 2016, Russia attacked the United States. Not with bombs or guns, but with a sophisticated well-funded cyberattack and information warfare directed by President Vladimir Putin designed to undermine the values we hold most dear. Russian entities launched cyberattacks against at least 21 states and attacked U.S. voting system software companies. Every top U.S. intelligence official has warned us, including Director of National Intelligence Dan Coats, who recently described our digital election infrastructure as “literally under attack,” and sounded the alarm that “the warning lights are blinking red again.” Far from being chastened by these reports, our foreign adversaries have only become emboldened. Microsoft has already detected phishing attacks targeting at least three midterm campaigns this year.

National: Election integrity advocates protest security bill changes | Politico

The version of the Senate’s major election security bill that the Rules Committee marks up this week will not require states to conduct post-election audits using paper records, a major blow to election integrity advocates who are now sharply criticizing the bill. The chairman’s mark of the Secure Elections Act, S. 2593 (115), “would allow for and validate audits of electronic ballot images, which are just plain worthless as a safeguard against cyberattacks,” Susan Greenhalgh, policy director at the National Election Defense Coalition, told MC. Voting system vendors, which encourage local election officials to buy electronic systems, tout the supposed auditability of their digital ballots, despite cybersecurity experts nearly unanimously warning against electronic audits. “This sort of audit would be very appealing to election officials,” Greenhalgh said of the weakened provision, “as it would eliminate the need for extensive ballot manifests and tracking of paper ballots.”

National: Russian hackers targeting more US political groups, Microsoft says | The Guardian

Microsoft says it has uncovered new Russian hacking attempts targeting US political groups before the midterm elections. The company said a group linked to the Russian government created fake internet domains that appeared to spoof two US conservative organisations: the Hudson Institute and the International Republican Institute. Three other fake domains were designed to look as if they belonged to the Senate. Microsoft did not offer any further description of the fake sites. The revelation came just weeks after a similar Microsoft discovery led the senator Claire McCaskill, a Missouri Democrat who is running for re-election, to reveal that Russian hackers tried unsuccessfully to infiltrate her Senate computer network.

National: States add intrusion sensors to election systems to thwart hacking | CNN

A growing number of states are installing a cyber-intrusion sensor system supplied by the Department of Homeland Security in response to fears that election systems my be hacked by foreign adversaries during the 2018 midterm elections and beyond. To date, 36 states have installed the intrusion detection sensors, known as “Albert,” according to a DHS official. The monitoring system was developed by the Center for Internet Security, a nonprofit organization that is working with DHS on election security and coordination. Rather than block cyber threats outright, Albert alerts officials to potentially malign activity to be investigated by experts. In those states, 74 sensors in 38 counties have been installed so far, according to the official, up from 14 before the 2016 presidential election. The new numbers were first reported by Reuters.

National: How DHS is gearing up to protect the midterms from hackers | CNBC

With all the concern over cybersecurity heading into the midterm elections, it’s actually quite difficult for outsiders to directly manipulate votes. Unlike corporate networks and email systems, voting machines aren’t connected to the internet, making them hard to access. So as government officials prepare for the hotly contested congressional elections in November, their focus is more on protecting the integrity of the systems that support the pre- and post-voting periods than on the ballots themselves. “This is about more than just voting machines,” Jeanette Manfra, the top cybersecurity official at the Department of Homeland Security, told CNBC in an interview on Wednesday. “If an [attacker] was intent on sowing discord, how could they do that? It involves us looking at the broad elections administration process.”

National: In Congress, election security proposals aim at 2020 cycle | FCW

While most of the discussion around election security tends to focus on protecting the 2018 fall elections, much of the federal guidance and legislative proposals currently under consideration would likely have limited impact this year. Two bills in Congress – The Secure Elections Act and the PAVE Act – would implement a number of best-practice policies around cybersecurity and vote tabulation that are endorsed by most experts. Yet some of the most impactful provisions from those bills, such as grant funding to replace obsolete or out-of-support voting machines or require states to use paper ballots, would take years to implement before states realized results.

National: Are Blockchains the Answer for Secure Elections? Probably Not | Scientific American

With the U.S. heading into a pivotal midterm election, little progress has been made on ensuring the integrity of voting systems—a concern that retook the spotlight when the 2016 presidential election ushered Donald Trump into the White House amid allegations of foreign interference. A raft of start-ups has been hawking what they see as a revolutionary solution: repurposing blockchains, best known as the digital transaction ledgers for cryptocurrencies like Bitcoin, to record votes. Backers say these internet-based systems would increase voter access to elections while improving tamper-resistance and public auditability. But experts in both cybersecurity and voting see blockchains as needlessly complicated, and no more secure than other online ballots. Existing voting systems do leave plenty of room for suspicion: Voter impersonation is theoretically possible (although investigations have repeatedly found negligible rates for this in the U.S.); mail-in votes can be altered or stolen; election officials might count inaccurately; and nearly every electronic voting machine has proved hackable. Not surprisingly, a Gallup poll published prior to the 2016 election found a third of Americans doubted votes would be tallied properly.

National: More U.S. states deploy technology to track election hacking attempts | Reuters

A majority of U.S. states has adopted technology that allows the federal government to see inside state computer systems managing voter data or voting devices in order to root out hackers. Two years after Russian hackers breached voter registration databases in Illinois and Arizona, most states have begun using the government-approved equipment, according to three sources with knowledge of the deployment. Voter registration databases are used to verify the identity of voters when they visit polling stations. The rapid adoption of the so-called Albert sensors, a $5,000 piece of hardware developed by the Center for Internet Security www.cisecurity.org, illustrates the broad concern shared by state government officials ahead of the 2018 midterm elections, government cybersecurity experts told Reuters.

National: Hacking an American Election Is Child’s Play, Just Ask These Kids | Roll Call

In March, Hawaii Democrat Rep. Tulsi Gabbard introduced the Securing America’s Elections Act to require the use of paper ballots as backup in case of alleged election hacking. Now voting advocates are suing Georgia to do the same thing. Some voting systems are so easy to hack a child can do it. Eleven year old Emmett Brewer hacked into a simulation of Florida’s state voting website in less than 10 minutes at the DefCon hacking conference last week in Las Vegas, according to Time. Of the approximately 50 children age 8 to 17 who took part in the Election Voting Hacking Village at DefCon, 30 were able to hack into imitation election websites within three hours, Time reported. The kids were able to rewrite vote tallies so that they totaled as much as 12 billion, and change the names of parties and candidates, according to the Guardian.

National: Native Americans Work to Break Down Barriers to Voting | VoA News

In November 2012, former North Dakota attorney general Heidi Heitkamp, a Democrat, won a hotly-contested race for a seat in the U.S. Senate, a win attributed to the state’s Native American voters. Shortly after that, lawmakers in the majority Republican state passed a tough voter-ID law, making it a lot harder for tribe members to vote. The nonprofit Native American Rights Fund (NARF) sees the new law as racially motivated and has taken North Dakota to court. This year, NARF conducted field hearings across Indian Country to hear testimony on voter suppression in other states. “And what we heard was really disturbing,” said NARF attorney Jacqueline D. De León, a member of the Isleta Pueblo in New Mexico.

National: U.S. states demand better access to secrets about election cyber threats | Reuters

U.S. state election officials are demanding better access to sometimes classified federal government information about hacking threats to voting systems. With less than three months until the November midterm elections, 44 states, the District of Columbia, and numerous counties on Wednesday participated in a simulation that tested the ability of state and federal officials to work together to stop data breaches, disinformation and other voting-related security issues. They did not simulate a cyber attack, but rather played out various scenarios to learn how to react if there were one. The Department of Homeland Security, Office of the Director of National Intelligence, U.S. Cyber Command, Justice Department and the FBI participated.

National: Hackers are out to jeopardize your vote | MIT Technology Review

Russian hackers targeted US electoral systems during the 2016 presidential election. Much has been done since then to bolster those systems, but J. Alex Halderman, director of the University of Michigan’s Center for Computer Security and Society, says they are still worryingly vulnerable (see “Four big targets in the cyber battle over the US ballot box”). MIT Technology Review’s Martin Giles discussed election security with Halderman, who has testified about it before Congress and evaluated voting systems in the US, Estonia, India, and elsewhere.

Lots of things, from gerrymandering to voter ID disputes, could undermine the integrity of the US electoral process. How big an issue is hacking in comparison?

Things like gerrymandering are a question of political squabbling within the rules of the game for American democracy. When it comes to election hacking, we’re talking about attacks on the United States by hostile foreign governments. That’s not playing by the rules of American politics; that’s an attempt to subvert the foundations of our democracy.

National: DHS works to strengthen election security on heels of bipartisan legislation | BiometricUpdate

What one congressional observer called, “a day late and a dollar short,” the bipartisan Prevent Election Hacking Act of 2018 (HR 6188) was recently introduced and referred to the House Committee on House Administration. If passed, it would “direct the Secretary of [the Department of] Homeland Security [DHS] to establish a program to improve election system cybersecurity by facilitating and encouraging assessments by independent technical experts to identify and report election cybersecurity vulnerabilities, and for other purposes.” An industry cybersecurity official said on background to Biometric Update that, “HR 6188’s potentially ground breaking — sorry, overstated deliberately — concept of outsourcing cybersecurity execution to the private sector is something worth looking into.”

National: Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms | Dark Reading

Two 11-year-old budding hackers last week at DEF CON in Las Vegas used SQL injection attack code to break into a replica of the Florida Secretary of State’s website within 15 minutes, altering vote count reports on the site. Meanwhile, further down the hall in the adult Voting Machine Hacking Village at Caesars Palace, one unidentified hacker spent four hours trying to break into a replica database that housed the real, publicly available state of Ohio voter registration roll. He got as far as the secured server — penetrating two layers of firewalls with a Khali Linux pen testing tool — but in the end was unable to grab the data from the database, which included names and birthdates of registered voters. “He got to the secure file server but didn’t know how to write the query to pull the data out,” says Alon Nachmany, solution engineer with Cyberbit, which ran the voter registration database simulation. That he got as close to the data as he did was no small feat, however. “He got very far, but he didn’t have the skill needed to pull the file itself,” Nachmany says.

National: Researchers show how to alter emailed ballots in use in 30 states | McClatchy

Top computer researchers gave a startling presentation recently about how to intercept and switch votes on emailed ballots, but officials in the 30 or so states said the ease with which votes could be changed wouldn’t alter their plans to continue offering electronic voting in some fashion. Two states — Washington and Alaska — have ended their statewide online voting systems. The developments, amid mounting fears that Russians or others will try to hack the 2018 midterm elections, could heighten pressure on officials on other U.S. states to reconsider their commitment to online voting despite repeated admonitions from cybersecurity experts. But a McClatchy survey of election officials in a number of states that permit military and overseas voters to send in ballots by email or fax — including Alabama, Kansas, Missouri, North Carolina, South Carolina and Texas — produced no immediate signs that any will budge on the issue. Some chief election officers are handcuffed from making changes, even in the name of security, by state laws permitting email and fax voting. … Researchers at the DefCon convention were sharply critical of any sort of electronic voting, including voting by smartphone, which will occur for the first time in November. West Virginia announced last week that it will allow military personnel posted overseas and registered to vote in West Virginia to vote via smartphone in the Nov. 6 election, using an app created by Voatz, a Boston-based startup.

National: Research shows gap in House, Senate candidates’ website security | CyberScoop

Nearly 30 percent of House of Representatives candidates have significant security issues in their websites compared to less than 5 percent of Senate candidates, according to new research. The disparity underscores the challenge that smaller, resource-strapped campaigns have in making themselves less vulnerable to hacking. About 3 in 10 House candidate websites scanned by election-security expert Joshua Franklin and his research team were not using important security protocols for routing data or had a major certificate issue. The scans, most of which took place in June, covered the websites of more than 500 House candidates and nearly 100 Senate candidates. “The House has significantly more candidates running and that provides more opportunities for security errors,” Franklin told CyberScoop. He presented his findings at the DEF CON conference in Las Vegas. The major political parties’ Senate candidates also tend to be more experienced on the campaign trail and have bigger staffs for those statewide races.

National: US voting systems: Full of holes, loaded with pop music, and ‘hacked’ by an 11-year-old | The Register

DEF CON Hackers of all ages have been investigating America’s voting machine tech, and the results weren’t great. For instance, one 11-year-old apparently managed to hack and alter a simulated Secretary of State election results webpage in 10 minutes. The Vote Hacking Village, one of the most packed-out locations at this year’s DEF CON hacking conference in Las Vegas, saw many of the most commonly used US voting machines hijacked using a variety of wireless and wired attacks – and replica election websites so poorly constructed they were thought too boring for adults to probe, and left to youngsters to infiltrate. The first day saw 39 kids, ranging in age from six to 17, try to crack into facsimiles of government election results websites, developed by former White House technology advisor Brian Markus. The sites had deliberate security holes for the youngsters to exploit – SQL injection flaws, and similar classic coding cockups. All but four of the children managed to leverage the planted vulnerabilities within the allotted three-hour contest. Thus, it really is child’s play to commandeer a website that doesn’t follow basic secure programming practices nor keep up to date with patches – something that ought to focus the minds of people maintaining election information websites. 

National: Hacking competitions help the military; they could secure elections too | Washington Examiner

Public-facing websites and services used by the Marine Corps were targeted by hackers over the weekend – but that was part of the plan. To help identify vulnerabilities In the Marine Corps Enterprise Network, the Department of Defense and HackerOne, a service that runs crowd-sourced security testing, launched Hack the Marine Corps, a “bug bounty program” that pays hackers to identify and report vulnerabilities. As the United States faces increasing cybersecurity threats, programs such as Hack the Marine Corps are a great way to identify and fix potential problems before they really do become damaging security breaches. Hack the Marine Corps has already been successful. The program kicked off with a live event in Las Vegas with nearly 100 ethical hackers who, during the nine-hour event, identified 75 unique security vulnerabilities. True to the idea of “bug bounty,” the Marine Corps shelled out more than $80,000 to those who had identified problems.

National: For Former Felons, Voting Rights Could Be a Click Away | Roll Call

Millions of new voters could register across the country, starting Tuesday, with the launch of an online tool meant to help former felons restore their right to vote. The Campaign Legal Center’s website, restoreyourvote.org, attempts to guide users through a sometimes confusing jumble of state laws to determine whether past convictions or unpaid fines would keep them from the ballot box. It is the latest salvo in a growing movement to politically empower formerly incarcerated people, a group that is disproportionately African-American. It is unclear how much of an effect such efforts will have on elections because they are more likely to infuse urban areas that already lean left with more Democratic voters. But organizers have framed the issue as a question of civil rights. 

National: Fears of Voting Machine Hacking Erupts as an Issue in US Election | Coda Story

The potential for Russian hacking of election systems in the 2018 midterm elections has emerged as an urgent and destabilizing issue in the run-up to the U.S. elections. State and local election officials are accused of mismanagement and a lack of focus on the dangers of election systems hacking. Five U.S. states rely on outdated electronic voting systems with no paper trail, according to The Guardian, which also reported that eight more states will be using antiquated systems vulnerable to Russian cyberattack over at least part of their territory in the upcoming November elections.

National: State officials bristle as researchers — and kids — at Def Con simulate election hacks | The Washington Post

For the second year in a row, hackers at the Def Con computer security conference in Las Vegas set out to show just how vulnerable U.S. elections are to digital attacks. At one gathering geared for kids under 17, elementary school-aged hackers cracked into replicas of state election websites with apparent ease. At the Def Con Voting Village, a section of the conference that showcased hands-on hacks, security researchers picked apart voting machines and exposed new flaws that could potentially upend a race. And hackers got close to being able to manipulate a heavily-guarded mock voter registration database. But during the weekend-long hack-a-thon, these faux election hackers had a hard time winning over some of the people they wanted to reach most.

National: Why US elections remain ‘dangerously vulnerable’ to cyber-attacks | The Guardian

Sixteen months ago, Marilyn Marks was just another political junkie watching a high-profile congressional election on her laptop when she saw something she found abnormal and alarming. The date was 18 April 2017, and the election was in Georgia’s sixth congressional district, where the Democrats were hoping to pull off an upset victory against a crowded Republican field in the wake of Tom Price’s (short-lived) elevation to the Trump cabinet as health and human services secretary. By mid-evening, Jon Ossoff, the leading Democrat, had 50.3% of the vote, enough to win outright without the need for a run-off against his closest Republican challenger. Then Marks noticed that the number of precincts reporting in Fulton County, encompassing the heart of Atlanta, was going down instead of up. Soon after, the computers crashed. Election officials later blamed a “rare error” with a memory card that didn’t properly upload its vote tallies. When the count resumed more than an hour later, Ossoff was suddenly down to 48.6% and ended up at 48.1%. (He lost in the run-off to Republican Karen Handel.)

National: DEF CON’s Voting Village tests hacker-government collaboration | CyberScoop

The national conversation on election security came into sharp focus Friday at a renowned hacker conference as U.S. officials and security researchers sought common ground in raising awareness of potential vulnerabilities in election equipment. The goal was to have a more transparent conversation about those vulnerabilities without spreading undue public fear about them. The Voting Village at DEF CON in Las Vegas, a room where white-hat hackers could tinker with voting machines and mock voter registration databases, was a high-profile test of that collaboration. “I’m here to learn,” Alex Padilla, California’s secretary of state, said before touring the village in the bowels of Caesars Palace hotel and casino. …  At the village, Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, stood next to a large ballot-scanner made by Election Systems & Software, one of the country’s biggest voting-equipment vendors. A couple of young researchers were picking the machine apart looking for vulnerabilities and what voting data the old machine might reveal.