National

Senators supportive of the Secure Elections Act, a bipartisan bill to protect political contests from cyberattacks, said lessons learned from next month’s midterms could make their way into a revised version in the works. Sen. Roy Blunt, Missouri Republican, and Sen. Amy Klobuchar, Minnesota Democrat, addressed efforts to rekindle the stalled Secure Elections Act during an event held Wednesday by the U.S. Election Assistance Commission in Washington, D.C. The bill will not be passed prior to the Nov. 6 midterms, according to both Mr. Blunt and Ms. Klobuchar’s co-sponsor, Sen. James Lankford, Oklahoma Republican, meaning states are missing out on millions of dollars that would have otherwise been allocated toward upgrading and securing voting and election systems, neglecting a major vulnerability raised by Russian hackers meddling in the 2016 race.

National: Security Clearances Won’t Get in the Way of Responding to Election Cyber Threats, Officials Say | Nextgov

A lack of security clearances among some state and local election officials shouldn’t hinder the Homeland Security Department from responding speedily to Election Day cybersecurity threats, the department’s top cyber official said Wednesday. Even if state and local election officials don’t have the necessary authorizations to view a particular piece of threat information, Homeland Security Undersecretary Chris Krebs said he’s confident those officials will start trying to mitigate the threat if he asks them to. “I’m confident that if I had a piece of information right now …I could say: ‘Look, I’ve got something you need to see. You need to take action. It’s going to take me a day or two to get you the information, but, in the meantime, you need to take action,” Krebs during an election readiness summit hosted by the Election Assistance Commission.\ “We have trust established so there would be at least the beginning of an article of faith that they would do something,” he said.

National: ‘No indication’ China intends to interfere with election infrastructure, Homeland Security Secretary Nielsen says | The Washington Post

The Department of Homeland Security hasn’t seen signs that China seeks to interfere in the midterm elections by targeting election infrastructure, Homeland Security Secretary Kirstjen Nielsen said Tuesday — a statement that appears to be at odds with remarks President Trump made about Beijing last week. “We currently have no indication that a foreign adversary intends to disrupt our election infrastructure,” Nielsen told me at a cybersecurity summit hosted by The Washington Post. Nielsen did not endorse Trump’s alarming claim at the United Nations that China “has been attempting to interfere in our upcoming 2018 election.” Without offering evidence, Trump said China does not “want me or us to win because I am the first president to ever challenge China on trade” — an especially striking comment considering the president has repeatedly equivocated on his support for the intelligence community’s assessment that Russia interfered in the 2016 election to help him win.

National: Activists Concerned About Counties Destroying Ballot Images | WhoWhatWhy

Election integrity activists are worried that various counties in the crucial state of Florida could defy federal law by destroying crucial documents required for election audits and recounts after the midterms. Specifically, Americans United for Democracy, Integrity, and Transparency in Elections (AUDIT-USA) believes that county supervisors of elections in Florida are either not retaining ballot images or are destroying ballot images that are required by law to be kept for 22 months after a state or federal election. “Most of the counties down there are destroying the ballot images,” said John Brakey, director of the nonpartisan group.

National: U.S. infrastructure vulnerable to cyberattacks designed to suppress voter turnout | CBS

Your voting booth might — or might not — be safe from hackers. But imagine a cyberattack that keeps you from going to your polling station in the first place. Security experts warn that critical infrastructure systems in the United States are vulnerable to crippling cyberattacks designed to suppress voter turnout by disrupting systems that cities and towns rely on. “If ransomware hits, what’s the backup plan to allow people to vote? Do we extend it a day? Do we hold off the tally of the votes? Do we take absentee ballots? What do we do?” said Fortalice Solutions CEO and former White House chief information officer Theresa Payton.

National: DHS says teamwork is improving election security | FCW

October 3, 2018

A month out from the 2018 midterms, all eyes are on the Department of Homeland Security as it approaches its first real test since being given a broader election security mandate in the wake of the 2016 presidential elections. Speaking at a cybersecurity event hosted by the Washington Post, DHS Secretary Kirstjen Nielsen highlighted improvements in information sharing across the federal government and with state and local officials as well as closer relationships with stakeholders that will lead to faster coordination in the wake of an emerging threat. “First of all, the information sharing is much stronger than it even has been before,” said Nielsen when asked what had changed in the department’s approach since 2016. “So [we’re] working very closely with the intel community, and the moment that we see something significant we are — in conjunction with the IC — sharing with our state and local partners. The sharing is quicker, faster, more tailored.”

National: The Government Isn’t Doing Enough to Protect Voting Systems from Hackers | VICE

October 2, 2018

For many, the most important question as the midterms approach isn’t whether the Democrats or Republicans will win control of Congress, but whether the elections themselves will be secure. In 2016, Russian hackers likely targeted election systems in many states and penetrated Illinois’s registration database; this year there is concern that hackers will go after both government and private systems. In March, Congress made $380 million available to states seeking to improve their election systems’ cybersecurity. But state officials and election security experts say this doesn’t even come close to addressing the nation’s electoral cybersecurity needs. So what exactly do states need to do in order to secure their election systems? Although experts largely agree on basic guidelines, there is no one playbook for how to beef up electoral cybersecurity. America’s elections infrastructure is highly decentralized, with every state managing its own system. This is a benefit in some ways, said Jim Condos, Vermont’s secretary of state and a prominent voice in election cybersecurity discussions. It means bad actors can’t just break into one centralized system. But it also means states employ a patchwork of approaches to elections cybersecurity. The contours of threats and their fixes are constantly shifting as well.

National: Voting Rights Activists Threatened with Lawsuit by ES&S Over Sharing Instruction Manual | Alternet

October 2, 2018

One the country’s most dogged vote-count transparency activists, John Brakey of Tucson, Arizona, and the small non-profit he leads, AUDIT-USA, have been told by one of America’s biggest voting machine makers to take down the instruction manuals for their firm’s paper-ballot scanners from their website by Monday—or face a lawsuit, according to a September 27, 2018, letter from Timothy J. Hallett, Associate General Counsel for Election Systems & Software, or ES&S. Brakey, a barrel-chested grandfather who sees verifying vote counts as nothing less than a moral crusade to save American democracy from the dark forces that have colonized and privatized the ballot box, posted various ES&S manuals on AUDIT-USA’s website for a simple reason. The latest generation of high-speed scanners used to tally paper ballots has a built-in feature that he wants all precincts and counting centers to use: making an electronic image of every paper ballot cast. The digitized ballot images can be used to verify close counts, which has occurred in a handful of recent races across the U.S.

National: A Record 800,000 People Registered to Vote on National Voter Registration Day | Time

October 2, 2018

A record number of people registered to vote in the midterm elections on National Voter Registration Day last week, surpassing the previous record set during the 2016 presidential campaign. More than 800,000 people registered to vote this year as part of National Voter Registration Day, which fell on Sept. 25. The corresponding campaign had aimed to register 300,000 people. “Some us were saying, ‘Hey, maybe we’ll hit 400 or 500,000,” says Brian Miller, who coordinates National Voter Registration Day in his role as executive director of Nonprofit VOTE. “No one that I know of thought we would surpass 800,000 voter registrations. That surprised all of us. But I think it’s a sign of the interest in the midterms and the interest in having this unified day of action.”

National: Congress falls flat on election security as midterms near | The Hill

Congress has failed to pass any legislation to secure U.S. voting systems in the two years since Russia interfered in the 2016 election, a troubling setback with the midterms less than six weeks away. Lawmakers have repeatedly demanded agencies step up their efforts to prevent election meddling but in the end struggled to act themselves, raising questions about whether the U.S. has done enough to protect future elections. A key GOP senator predicted to The Hill last week that a bipartisan election security bill, seen as Congress’s best chance of passing legislation on the issue, wouldn’t pass before the midterms. And on Friday, House lawmakers left town for the campaign trail, ending any chance of clearing the legislation ahead of November. Lawmakers have openly expressed frustration they were not able to act before the 2018 elections.

National: Election Security Remains Just as Vulnerable as in 2016 | Electronic Frontier Foundation

The ability to vote for local, state, and federal representatives is the cornerstone of democracy in America. With mid-term congressional elections looming in early November, many voices have raised concerns that the voting infrastructure used by states across the Union might be suspect, unreliable, or potentially vulnerable to attacks. As Congress considers measures critical to consumer rights and the functioning of technology (net neutrality, data privacy, biometric identification, and surveillance), ensuring the integrity of elections has emerged as a matter of crucial importance. On the one hand, the right to vote may not be guaranteed for many people across the country. Historically, access to the ballot has been hard fought, from the Revolution and the Civil War to the movement for civil rights that compelled the Voting Rights Act (VRA). But recent restrictions on voting rights that have proliferated since the Supreme Court struck down the VRA’s pre-clearance provisions in 2013. Coupled with procedural impediments to voting, unresolved problems continue to plague the security of the technology that many voting precincts use in elections. With mid-term elections in just two months, Secretaries of State should be pressed to do their jobs and increase security before voters cast their ballots.

National: Def Con researchers came to Washington to poke holes in voting machine security | The Washington Post

Not long ago, lawmakers might have been wary about showcasing the work of hackers who specialize in penetrating voting equipment. But on Thursday, organizers from the Def Con Voting Village — a collection of security researchers who hack election systems in hopes of making them more secure — received a warm welcome on Capitol Hill. The organizers were in town to unveil a new report identifying vulnerabilities in several widely used voting machines they tested during the Def Con hacking conference in Las Vegas over the summer, including a flaw in a vote tabulator that could allow a malicious actor to hack it remotely. They presented their findings in a meeting hosted by Rep. Jackie Speier (D-Calif.) and attended by staffers from the offices of Sen. Amy Klobuchar (D-Minn.), who is sponsoring an election security bill, and several other Democrats. The event highlights how the cybersecurity experts behind the Voting Village, which is only in its second year, are reaching beyond the niche and often apolitical community of Def Con in hopes of influencing the debate over how to secure the country’s election systems. The issue has received a wave of new attention since the 2016 election, when Russian hackers probed election administration systems in 21 states.

National: Voting Machines Are Still Absurdly At Risk | WIRED

While Russian interference operations in the 2016 US presidential elections focused on misinformation and targeted hacking, officials have scrambled ever since to shore up the nation’s vulnerable election infrastructure. New research, though, shows they haven’t done nearly enough, particularly when it comes to voting machines. The report details vulnerabilities in seven models of voting machines and vote counters, found during the DefCon security conference’s Voting Village event. All of the models are in active use around the US, and the vulnerabilities—from weak password protections to elaborate avenues for remote access—number in the dozens. The findings also connect to larger efforts to safeguard US elections, including initiatives to expand oversight of voting machine vendors and efforts to fund state and local election security upgrades.

National: After election hacking presentation, Katko pushes bill to boost security | Auburn Citizen

Dr. J. Alex Halderman inserted a memory card infected with malicious software into an electronic voting machine. It wasn’t an actual case of election hacking, but Halderman’s demonstration served a purpose: To show two members of Congress, including U.S. Rep. John Katko, what can happen if hackers gain access to voting machines. Halderman, director of the University of Michigan’s Center for Computer Security and Society, invited Katko, R-Camillus, and U.S. Rep. Mike Quigley, an Illinois Democrat, to cast votes using the Diebold AccuVote TS voting machine. Halderman programmed a mock election: A presidential race between George Washington and Benedict Arnold. There were two votes cast for Washington and one for Arnold. But the receipt printed from the voting machine revealed the effect of the malicious software. The paper showed Arnold received two votes and Washington netted one.

National: Defcon Voting Village report: bug in one system could “flip Electoral College” | Ars Technica

Today, six prominent information-security experts who took part in DEF CON’s Voting Village in Las Vegas last month issued a report on vulnerabilities they had discovered in voting equipment and related computer systems. One vulnerability they discovered—in a high-speed vote-tabulating system used to count votes for entire counties in 23 states—could allow an attacker to remotely hijack the system over a network and alter the vote count, changing results for large blocks of voters. “Hacking just one of these machines could enable an attacker to flip the Electoral College and determine the outcome of a presidential election,” the authors of the report warned.

National: DEF CON hackers’ dossier on US voting machine security is just as grim as feared | The Register

Hackers probing America’s electronic voting systems have painted an astonishing picture of the state of US election security, less than six weeks before the November midterms. The full 50-page report [PDF], released Thursday during a presentation in Washington DC, was put together by the organizers of the DEF CON hacking conference’s Voting Village. It recaps the findings of that village, during which attendees uncovered ways resourceful miscreants could compromise electoral computer systems and change vote tallies. In short, the dossier outlines shortcomings in the electronic voting systems many US districts will use later this year for the midterm elections. The report focuses on vulnerabilities exploitable by scumbags with physical access to the hardware. “The problems outlined in this report are not simply election administration flaws that need to be fixed for efficiency’s sake, but rather serious risks to our critical infrastructure and thus national security,” the report stated. “As our nation’s security is the responsibility of the federal government, Congress needs to codify basic security standards like those developed by local election officials.”

National: Hackers warn about election security ahead of midterms | CNN

The vulnerabilities in America’s voting systems are “staggering,” a group representing hackers warned lawmakers on Capitol Hill on Thursday — just over a month before the midterm elections. The findings are based on a project at the Voting Village at the Def Con hacking conference held in Las Vegas last month, where hackers were invited to attempt to break into voting machines and other equipment used in elections across the country. The hacking group claims they were able to break into some voting machines in two minutes and that they had the ability to wirelessly reprogram an electronic card used by millions of Americans to activate a voting terminal to cast their ballot. “This vulnerability could be exploited to take over the voting machine on which they vote and cast as many votes as the voter wanted,” the group claims in the report.

National: Questions on Pompeo’s certainty about secure midterms | Politico

Secretary of State Mike Pompeo on Wednesday said there was “no question” the U.S. midterm elections would be safe from foreign interference, a level of certitude that is … shall we say, not widely shared? “That’s a dangerous level of confidence for someone in that position to have,” Alex Halderman, a University of Michigan computer science professor at the forefront of the election security debate, told MC. Halderman said that perhaps intelligence sources might not see any indications of foreign planning to further disrupt elections, but “frankly, you don’t know what you don’t know.” Democratic Rep. Mike Quigley said this about Pompeo: “I wish I could be so confident.” Robert Johnston, credited with discovering the DNC hack while working at CrowdStrike and now CEO of Adlumin, told MC there are already signs Russia has interfered in the 2018 races. Some of the suspect incidents have surfaced in California’s congressional races and the U.S. Senate.

National: Widely Used Election Systems Are Vulnerable to Attack, Report Finds | Wall Street Journal

Election machines used in more than half of U.S. states carry a flaw disclosed more than a decade ago that makes them vulnerable to a cyberattack, according to a report to be delivered Thursday on Capitol Hill. The issue was found in the widely used Model 650 high-speed ballot-counting machine made by Election Systems & Software LLC, the nation’s leading manufacturer of election equipment. It is one of about seven security problems in several models of voting equipment described in the report, which is based on research conducted last month at the Def Con hacker conference. The flaw in the ES&S machine stood out because it was detailed in a security report commissioned by Ohio’s secretary of state in 2007, said Harri Hursti, an election-security researcher who co-wrote both the Ohio and Def Con reports. “There has been more than plenty of time to fix it,” he said.

National: The dark web is where hackers buy the tools to subvert elections | CBS

Voter data and the digital weapons hackers use to subvert elections are bought and sold daily on a corner of the internet known as the dark web. It is a network of websites that is tough to access but functions much like the internet we use every day. You can buy everything from guns and drugs to botnets and ransomware. And cyber-criminals can purchase voter records and hacking tools.The dark web is not accessible using typical web browsers like Chrome or Safari. Instead, you are required to log on using a virtual private network, or VPN, and the Tor web browser. Tor is an acronym for “the onion router.” Every computer has an identifying IP address, and the Tor browser can help shield your machine’s location by sending info through several layers of servers.

National: FEC data shows candidates hit snooze button on hacker threat, saying defending cyberattacks is hard | McClatchy

With some 40 days remaining to the crucial midterm elections, signs of digital meddling in campaigns are mounting. But most candidates have spent little or nothing on cybersecurity, and say it’s too hard and expensive to focus on hacking threats with all the other demands of running for office. Only six candidates for U.S. House and Senate spent more than $1,000 on cybersecurity through the most recent Federal Election Commission filing period. Yet those who monitor intrusions and digital mayhem say hackers are active. And various reports cite at least three candidates still in races or ousted in primaries were suffering attempted breaches of their campaigns. “We get things literally every day to my team … to investigate everything from phishing attacks to ‘We think our data was breached’ to ‘We think there was a denial of service attack’ to ‘Someone’s listening on our cell phones.’ So we get, like, the whole range of things every single day,” said Raffi Krikorian, chief technology officer for the Democratic National Committee, the party’s governing body.

National: Native Americans Fight Back at the Ballot Box | Stateline

Tara Benally and her 16-year-old son Delaney After Buffalo set up a plastic table alongside the last dusty highway intersection before the Arizona state line. Here in Monument Valley, in the shadows of the towering red rock monoliths sacred among the Navajo, the two are doing something that’s rarely been done in this part of Utah: conducting a voter registration drive for local Native Americans. For the first time, Navajo and Utes living here have a chance at being fully represented at the local level when they vote in November. Even though Native Americans are the majority in this 14,750-person county, slightly edging out whites, county commissioner and school board district lines were gerrymandered to give white voters disproportionate power for more than three decades.

National: Without offering evidence, Trump accuses China of interfering in U.S. midterm elections | The Washington Post

President Trump on Wednesday directly accused China of interfering in the U.S. midterm elections this fall in retaliation for the ongoing trade war between Washington and Beijing, marking a new front in the deepening hostilities that have threatened to upend bilateral relations. The president made the allegation during his opening remarks at a U.N. Security Council meeting on nonproliferation, asserting that China “has been attempting to interfere in our upcoming 2018 election, coming up in November, against my administration. They do not want me or us to win because I am the first president to ever challenge China on trade, and we are winning on trade — we are winning on every level. We don’t want them to meddle or interfere in our upcoming election.”

National: The Crisis of Election Security | The New York Times

It was mid-July 2016 when Neil Jenkins learned that someone had hacked the Illinois Board of Elections. Jenkins was a director in the Office of Cybersecurity and Communications at the Department of Homeland Security, the domestic agency with a congressional mandate to protect “critical infrastructure.” Although election systems were not yet formally designated as such — that wouldn’t happen until January 2017 — it was increasingly clear that the presidential election was becoming a national-security issue. Just a month before, Americans had been confronted with the blockbuster revelation that Russian government actors had hacked the Democratic National Committee’s servers and stolen private email and opposition research against Donald Trump, the Republican presidential candidate. And now, it emerged, someone was trying to infiltrate the election system itself. The Illinois intruders had quietly breached the network in June and spent weeks conducting reconnaissance. After alighting on the state’s voter-registration database, they downloaded information on hundreds of thousands of voters. Then something went wrong, and the attackers crashed a server, alerting officials to their presence.

National: Election security bill won’t pass ahead of midterms, says key Republican | The Hill

Sen. James Lankford (R-Okla.) said Tuesday that a bipartisan election security bill won’t be passed by Congress ahead of November’s midterm elections. Lankford told The Hill that the text of the bill, known as the Secure Elections Act, is still being worked out. And with the House only being in session for a limited number of days before the elections, the chances of an election security bill being passed by then are next to none. “The House won’t be here after this week so it’s going to be impossible to get passed,” Lankford said of the bill.

National: Why lawmakers’ personal accounts are a prime target for foreign hackers | The Washington Post

Foreign government hackers are continuing their assault on the personal email accounts used by lawmakers and congressional staff — and cybersecurity experts are warning that Congress is ill-equipped to deal with the problem. The issue got fresh attention last week, when Sen. Ron Wyden (D-Ore.) revealed — and Google later confirmed — that an unspecified number of senators’ and Senate staff members’ private email accounts were targeted by foreign hackers, as my colleague Karoun Demirjian reported. In a letter to Senate leadership, Wyden said the Senate sergeant-at-arms, the chamber’s main cybersecurity authority, wouldn’t assist them because the cyberattacks didn’t involve official accounts or devices. The threats against personal accounts are well known. The major hacks of Democratic officials during the 2016 election involved nonofficial emails, and officials as high-ranking as White House Chief of Staff John F. Kelly have had their personal accounts hacked. But Congress hasn’t taken action to safeguard their own despite intelligence officials’ warnings that foreign adversaries are still trying to disrupt U.S. politics. The risks hackers will steal or leak information only increase the longer lawmakers wait to secure their personal accounts, said Daniel Schuman, co-founder of the Congressional Data Coalition, which seeks to improve the way Congress stores and shares information online.

National: Report outlines keys to election security | MIT News

The most secure form of voting technology remains the familiar, durable innovation known as paper, according to a report authored by a group of election experts, including two prominent scholars from MIT. The report, issued by the National Academies of Science, Engineering, and Medicine, is a response to the emerging threat of hackers targeting computerized voting systems, and it comes as concerns continue to be aired over the security of the U.S. midterm elections of 2018. The U.S. has a decentralized voting system, with roughly 9,000 political jurisdictions bearing some responsibility for administering elections. However, for all that variation, and while many questions are swirling around election security, the report identifies some main themes on the topic.

National: Congress poised to allow DHS to take the lead on federal cybersecurity | The Washington Post

After years of debate, Congress is poised to vote on legislation that would cement the Department of Homeland Security’s role as the government’s main civilian cybersecurity authority. The Cybersecurity and Infrastructure Security Agency Act, which has been in the works since the Obama administration, would give the department a stand-alone cybersecurity agency with the same stature as other DHS units, such as the Federal Emergency Management Agency. The Senate could vote on the bill, which passed in the House last year, as early as this week as it takes up a slew of cybersecurity-related legislation. Approving the legislation would mark a major shift in Congress’s views on whether DHS should lead the government’s efforts to protect federal computer networks, power plants and other critical infrastructure from digital attacks. Attempts to make DHS the government’s civilian cybersecurity hub have stalled amid resistance from some lawmakers who say the relatively young agency isn’t as well equipped to deal with cyberthreats as the National Security Agency or the FBI.

National: Paper backups and audits: Officials preparing for midterms | GCN