Editorials: Time is running out to secure our elections | James Lankford and Amy Klobuchar/The Hill

In 2016, Russia attacked the United States. Not with bombs or guns, but with a sophisticated well-funded cyberattack and information warfare directed by President Vladimir Putin designed to undermine the values we hold most dear. Russian entities launched cyberattacks against at least 21 states and attacked U.S. voting system software companies. Every top U.S. intelligence official has warned us, including Director of National Intelligence Dan Coats, who recently described our digital election infrastructure as “literally under attack,” and sounded the alarm that “the warning lights are blinking red again.” Far from being chastened by these reports, our foreign adversaries have only become emboldened. Microsoft has already detected phishing attacks targeting at least three midterm campaigns this year.

National: Election integrity advocates protest security bill changes | Politico

The version of the Senate’s major election security bill that the Rules Committee marks up this week will not require states to conduct post-election audits using paper records, a major blow to election integrity advocates who are now sharply criticizing the bill. The chairman’s mark of the Secure Elections Act, S. 2593 (115), “would allow for and validate audits of electronic ballot images, which are just plain worthless as a safeguard against cyberattacks,” Susan Greenhalgh, policy director at the National Election Defense Coalition, told MC. Voting system vendors, which encourage local election officials to buy electronic systems, tout the supposed auditability of their digital ballots, despite cybersecurity experts nearly unanimously warning against electronic audits. “This sort of audit would be very appealing to election officials,” Greenhalgh said of the weakened provision, “as it would eliminate the need for extensive ballot manifests and tracking of paper ballots.”

National: Russian hackers targeting more US political groups, Microsoft says | The Guardian

Microsoft says it has uncovered new Russian hacking attempts targeting US political groups before the midterm elections. The company said a group linked to the Russian government created fake internet domains that appeared to spoof two US conservative organisations: the Hudson Institute and the International Republican Institute. Three other fake domains were designed to look as if they belonged to the Senate. Microsoft did not offer any further description of the fake sites. The revelation came just weeks after a similar Microsoft discovery led the senator Claire McCaskill, a Missouri Democrat who is running for re-election, to reveal that Russian hackers tried unsuccessfully to infiltrate her Senate computer network.

National: States add intrusion sensors to election systems to thwart hacking | CNN

A growing number of states are installing a cyber-intrusion sensor system supplied by the Department of Homeland Security in response to fears that election systems my be hacked by foreign adversaries during the 2018 midterm elections and beyond. To date, 36 states have installed the intrusion detection sensors, known as “Albert,” according to a DHS official. The monitoring system was developed by the Center for Internet Security, a nonprofit organization that is working with DHS on election security and coordination. Rather than block cyber threats outright, Albert alerts officials to potentially malign activity to be investigated by experts. In those states, 74 sensors in 38 counties have been installed so far, according to the official, up from 14 before the 2016 presidential election. The new numbers were first reported by Reuters.

National: How DHS is gearing up to protect the midterms from hackers | CNBC

With all the concern over cybersecurity heading into the midterm elections, it’s actually quite difficult for outsiders to directly manipulate votes. Unlike corporate networks and email systems, voting machines aren’t connected to the internet, making them hard to access. So as government officials prepare for the hotly contested congressional elections in November, their focus is more on protecting the integrity of the systems that support the pre- and post-voting periods than on the ballots themselves. “This is about more than just voting machines,” Jeanette Manfra, the top cybersecurity official at the Department of Homeland Security, told CNBC in an interview on Wednesday. “If an [attacker] was intent on sowing discord, how could they do that? It involves us looking at the broad elections administration process.”

National: In Congress, election security proposals aim at 2020 cycle | FCW

While most of the discussion around election security tends to focus on protecting the 2018 fall elections, much of the federal guidance and legislative proposals currently under consideration would likely have limited impact this year. Two bills in Congress – The Secure Elections Act and the PAVE Act – would implement a number of best-practice policies around cybersecurity and vote tabulation that are endorsed by most experts. Yet some of the most impactful provisions from those bills, such as grant funding to replace obsolete or out-of-support voting machines or require states to use paper ballots, would take years to implement before states realized results.

National: Are Blockchains the Answer for Secure Elections? Probably Not | Scientific American

With the U.S. heading into a pivotal midterm election, little progress has been made on ensuring the integrity of voting systems—a concern that retook the spotlight when the 2016 presidential election ushered Donald Trump into the White House amid allegations of foreign interference. A raft of start-ups has been hawking what they see as a revolutionary solution: repurposing blockchains, best known as the digital transaction ledgers for cryptocurrencies like Bitcoin, to record votes. Backers say these internet-based systems would increase voter access to elections while improving tamper-resistance and public auditability. But experts in both cybersecurity and voting see blockchains as needlessly complicated, and no more secure than other online ballots. Existing voting systems do leave plenty of room for suspicion: Voter impersonation is theoretically possible (although investigations have repeatedly found negligible rates for this in the U.S.); mail-in votes can be altered or stolen; election officials might count inaccurately; and nearly every electronic voting machine has proved hackable. Not surprisingly, a Gallup poll published prior to the 2016 election found a third of Americans doubted votes would be tallied properly.

National: More U.S. states deploy technology to track election hacking attempts | Reuters

A majority of U.S. states has adopted technology that allows the federal government to see inside state computer systems managing voter data or voting devices in order to root out hackers. Two years after Russian hackers breached voter registration databases in Illinois and Arizona, most states have begun using the government-approved equipment, according to three sources with knowledge of the deployment. Voter registration databases are used to verify the identity of voters when they visit polling stations. The rapid adoption of the so-called Albert sensors, a $5,000 piece of hardware developed by the Center for Internet Security www.cisecurity.org, illustrates the broad concern shared by state government officials ahead of the 2018 midterm elections, government cybersecurity experts told Reuters.

National: Hacking an American Election Is Child’s Play, Just Ask These Kids | Roll Call

In March, Hawaii Democrat Rep. Tulsi Gabbard introduced the Securing America’s Elections Act to require the use of paper ballots as backup in case of alleged election hacking. Now voting advocates are suing Georgia to do the same thing. Some voting systems are so easy to hack a child can do it. Eleven year old Emmett Brewer hacked into a simulation of Florida’s state voting website in less than 10 minutes at the DefCon hacking conference last week in Las Vegas, according to Time. Of the approximately 50 children age 8 to 17 who took part in the Election Voting Hacking Village at DefCon, 30 were able to hack into imitation election websites within three hours, Time reported. The kids were able to rewrite vote tallies so that they totaled as much as 12 billion, and change the names of parties and candidates, according to the Guardian.

National: Native Americans Work to Break Down Barriers to Voting | VoA News

In November 2012, former North Dakota attorney general Heidi Heitkamp, a Democrat, won a hotly-contested race for a seat in the U.S. Senate, a win attributed to the state’s Native American voters. Shortly after that, lawmakers in the majority Republican state passed a tough voter-ID law, making it a lot harder for tribe members to vote. The nonprofit Native American Rights Fund (NARF) sees the new law as racially motivated and has taken North Dakota to court. This year, NARF conducted field hearings across Indian Country to hear testimony on voter suppression in other states. “And what we heard was really disturbing,” said NARF attorney Jacqueline D. De León, a member of the Isleta Pueblo in New Mexico.

National: U.S. states demand better access to secrets about election cyber threats | Reuters

U.S. state election officials are demanding better access to sometimes classified federal government information about hacking threats to voting systems. With less than three months until the November midterm elections, 44 states, the District of Columbia, and numerous counties on Wednesday participated in a simulation that tested the ability of state and federal officials to work together to stop data breaches, disinformation and other voting-related security issues. They did not simulate a cyber attack, but rather played out various scenarios to learn how to react if there were one. The Department of Homeland Security, Office of the Director of National Intelligence, U.S. Cyber Command, Justice Department and the FBI participated.

National: Hackers are out to jeopardize your vote | MIT Technology Review

Russian hackers targeted US electoral systems during the 2016 presidential election. Much has been done since then to bolster those systems, but J. Alex Halderman, director of the University of Michigan’s Center for Computer Security and Society, says they are still worryingly vulnerable (see “Four big targets in the cyber battle over the US ballot box”). MIT Technology Review’s Martin Giles discussed election security with Halderman, who has testified about it before Congress and evaluated voting systems in the US, Estonia, India, and elsewhere.

Lots of things, from gerrymandering to voter ID disputes, could undermine the integrity of the US electoral process. How big an issue is hacking in comparison?

Things like gerrymandering are a question of political squabbling within the rules of the game for American democracy. When it comes to election hacking, we’re talking about attacks on the United States by hostile foreign governments. That’s not playing by the rules of American politics; that’s an attempt to subvert the foundations of our democracy.

National: DHS works to strengthen election security on heels of bipartisan legislation | BiometricUpdate

What one congressional observer called, “a day late and a dollar short,” the bipartisan Prevent Election Hacking Act of 2018 (HR 6188) was recently introduced and referred to the House Committee on House Administration. If passed, it would “direct the Secretary of [the Department of] Homeland Security [DHS] to establish a program to improve election system cybersecurity by facilitating and encouraging assessments by independent technical experts to identify and report election cybersecurity vulnerabilities, and for other purposes.” An industry cybersecurity official said on background to Biometric Update that, “HR 6188’s potentially ground breaking — sorry, overstated deliberately — concept of outsourcing cybersecurity execution to the private sector is something worth looking into.”

National: Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms | Dark Reading

Two 11-year-old budding hackers last week at DEF CON in Las Vegas used SQL injection attack code to break into a replica of the Florida Secretary of State’s website within 15 minutes, altering vote count reports on the site. Meanwhile, further down the hall in the adult Voting Machine Hacking Village at Caesars Palace, one unidentified hacker spent four hours trying to break into a replica database that housed the real, publicly available state of Ohio voter registration roll. He got as far as the secured server — penetrating two layers of firewalls with a Khali Linux pen testing tool — but in the end was unable to grab the data from the database, which included names and birthdates of registered voters. “He got to the secure file server but didn’t know how to write the query to pull the data out,” says Alon Nachmany, solution engineer with Cyberbit, which ran the voter registration database simulation. That he got as close to the data as he did was no small feat, however. “He got very far, but he didn’t have the skill needed to pull the file itself,” Nachmany says.

National: Researchers show how to alter emailed ballots in use in 30 states | McClatchy

Top computer researchers gave a startling presentation recently about how to intercept and switch votes on emailed ballots, but officials in the 30 or so states said the ease with which votes could be changed wouldn’t alter their plans to continue offering electronic voting in some fashion. Two states — Washington and Alaska — have ended their statewide online voting systems. The developments, amid mounting fears that Russians or others will try to hack the 2018 midterm elections, could heighten pressure on officials on other U.S. states to reconsider their commitment to online voting despite repeated admonitions from cybersecurity experts. But a McClatchy survey of election officials in a number of states that permit military and overseas voters to send in ballots by email or fax — including Alabama, Kansas, Missouri, North Carolina, South Carolina and Texas — produced no immediate signs that any will budge on the issue. Some chief election officers are handcuffed from making changes, even in the name of security, by state laws permitting email and fax voting. … Researchers at the DefCon convention were sharply critical of any sort of electronic voting, including voting by smartphone, which will occur for the first time in November. West Virginia announced last week that it will allow military personnel posted overseas and registered to vote in West Virginia to vote via smartphone in the Nov. 6 election, using an app created by Voatz, a Boston-based startup.

National: Research shows gap in House, Senate candidates’ website security | CyberScoop

Nearly 30 percent of House of Representatives candidates have significant security issues in their websites compared to less than 5 percent of Senate candidates, according to new research. The disparity underscores the challenge that smaller, resource-strapped campaigns have in making themselves less vulnerable to hacking. About 3 in 10 House candidate websites scanned by election-security expert Joshua Franklin and his research team were not using important security protocols for routing data or had a major certificate issue. The scans, most of which took place in June, covered the websites of more than 500 House candidates and nearly 100 Senate candidates. “The House has significantly more candidates running and that provides more opportunities for security errors,” Franklin told CyberScoop. He presented his findings at the DEF CON conference in Las Vegas. The major political parties’ Senate candidates also tend to be more experienced on the campaign trail and have bigger staffs for those statewide races.

National: US voting systems: Full of holes, loaded with pop music, and ‘hacked’ by an 11-year-old | The Register

DEF CON Hackers of all ages have been investigating America’s voting machine tech, and the results weren’t great. For instance, one 11-year-old apparently managed to hack and alter a simulated Secretary of State election results webpage in 10 minutes. The Vote Hacking Village, one of the most packed-out locations at this year’s DEF CON hacking conference in Las Vegas, saw many of the most commonly used US voting machines hijacked using a variety of wireless and wired attacks – and replica election websites so poorly constructed they were thought too boring for adults to probe, and left to youngsters to infiltrate. The first day saw 39 kids, ranging in age from six to 17, try to crack into facsimiles of government election results websites, developed by former White House technology advisor Brian Markus. The sites had deliberate security holes for the youngsters to exploit – SQL injection flaws, and similar classic coding cockups. All but four of the children managed to leverage the planted vulnerabilities within the allotted three-hour contest. Thus, it really is child’s play to commandeer a website that doesn’t follow basic secure programming practices nor keep up to date with patches – something that ought to focus the minds of people maintaining election information websites. 

National: Hacking competitions help the military; they could secure elections too | Washington Examiner

Public-facing websites and services used by the Marine Corps were targeted by hackers over the weekend – but that was part of the plan. To help identify vulnerabilities In the Marine Corps Enterprise Network, the Department of Defense and HackerOne, a service that runs crowd-sourced security testing, launched Hack the Marine Corps, a “bug bounty program” that pays hackers to identify and report vulnerabilities. As the United States faces increasing cybersecurity threats, programs such as Hack the Marine Corps are a great way to identify and fix potential problems before they really do become damaging security breaches. Hack the Marine Corps has already been successful. The program kicked off with a live event in Las Vegas with nearly 100 ethical hackers who, during the nine-hour event, identified 75 unique security vulnerabilities. True to the idea of “bug bounty,” the Marine Corps shelled out more than $80,000 to those who had identified problems.

National: For Former Felons, Voting Rights Could Be a Click Away | Roll Call

Millions of new voters could register across the country, starting Tuesday, with the launch of an online tool meant to help former felons restore their right to vote. The Campaign Legal Center’s website, restoreyourvote.org, attempts to guide users through a sometimes confusing jumble of state laws to determine whether past convictions or unpaid fines would keep them from the ballot box. It is the latest salvo in a growing movement to politically empower formerly incarcerated people, a group that is disproportionately African-American. It is unclear how much of an effect such efforts will have on elections because they are more likely to infuse urban areas that already lean left with more Democratic voters. But organizers have framed the issue as a question of civil rights. 

National: Fears of Voting Machine Hacking Erupts as an Issue in US Election | Coda Story

The potential for Russian hacking of election systems in the 2018 midterm elections has emerged as an urgent and destabilizing issue in the run-up to the U.S. elections. State and local election officials are accused of mismanagement and a lack of focus on the dangers of election systems hacking. Five U.S. states rely on outdated electronic voting systems with no paper trail, according to The Guardian, which also reported that eight more states will be using antiquated systems vulnerable to Russian cyberattack over at least part of their territory in the upcoming November elections.

National: State officials bristle as researchers — and kids — at Def Con simulate election hacks | The Washington Post

For the second year in a row, hackers at the Def Con computer security conference in Las Vegas set out to show just how vulnerable U.S. elections are to digital attacks. At one gathering geared for kids under 17, elementary school-aged hackers cracked into replicas of state election websites with apparent ease. At the Def Con Voting Village, a section of the conference that showcased hands-on hacks, security researchers picked apart voting machines and exposed new flaws that could potentially upend a race. And hackers got close to being able to manipulate a heavily-guarded mock voter registration database. But during the weekend-long hack-a-thon, these faux election hackers had a hard time winning over some of the people they wanted to reach most.

National: Why US elections remain ‘dangerously vulnerable’ to cyber-attacks | The Guardian

Sixteen months ago, Marilyn Marks was just another political junkie watching a high-profile congressional election on her laptop when she saw something she found abnormal and alarming. The date was 18 April 2017, and the election was in Georgia’s sixth congressional district, where the Democrats were hoping to pull off an upset victory against a crowded Republican field in the wake of Tom Price’s (short-lived) elevation to the Trump cabinet as health and human services secretary. By mid-evening, Jon Ossoff, the leading Democrat, had 50.3% of the vote, enough to win outright without the need for a run-off against his closest Republican challenger. Then Marks noticed that the number of precincts reporting in Fulton County, encompassing the heart of Atlanta, was going down instead of up. Soon after, the computers crashed. Election officials later blamed a “rare error” with a memory card that didn’t properly upload its vote tallies. When the count resumed more than an hour later, Ossoff was suddenly down to 48.6% and ended up at 48.1%. (He lost in the run-off to Republican Karen Handel.)

National: DEF CON’s Voting Village tests hacker-government collaboration | CyberScoop

The national conversation on election security came into sharp focus Friday at a renowned hacker conference as U.S. officials and security researchers sought common ground in raising awareness of potential vulnerabilities in election equipment. The goal was to have a more transparent conversation about those vulnerabilities without spreading undue public fear about them. The Voting Village at DEF CON in Las Vegas, a room where white-hat hackers could tinker with voting machines and mock voter registration databases, was a high-profile test of that collaboration. “I’m here to learn,” Alex Padilla, California’s secretary of state, said before touring the village in the bowels of Caesars Palace hotel and casino. …  At the village, Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, stood next to a large ballot-scanner made by Election Systems & Software, one of the country’s biggest voting-equipment vendors. A couple of young researchers were picking the machine apart looking for vulnerabilities and what voting data the old machine might reveal.

National: Pre-Teen Hackers Prove It: The U.S. Election System Simply Isn’t Secure Enough | Futurism

Young kids vs. Dumb Machines: Still not convinced that the U.S. election system is woefully insecure? Chew on this: It took an 11-year-old just 10 minutes to hack a replica of the Florida secretary of state’s website and change its stored election results. The young hacker, Audrey Jones, was one of 39 children between the ages of 8 and 17 to take part in a competition organized by R00tz Asylum, a nonprofit focused on teaching kids white-hat hacking, during annual hacking conference DEFCON. During the one-day R00tz Asylum event, the children set out to infiltrate sites designed to replicate the ones used by 13 battleground states to convey election results to the public (hacking the actual sites would be illegal). All but four of the children succeeded.

National: 4 House Intel members offer election security bill | FCW

A Senate proposal to secure the U.S. election system has a companion bill in the House and a prominent Republican co-sponsor. A bipartisan group of four lawmakers on the House Intelligence Committee have introduced a House version of the Secure Elections Act, which would authorize block grants for states to upgrade voting machines and other equipment, allow the Department of Homeland Security to more quickly share election cybersecurity threat information with state and local governments and streamline the security clearance process for state and local election officials.

National: Hacking the US mid-terms? It’s child’s play | BBC

Bianca Lewis, 11, has many hobbies. She likes Barbie, video games, fencing, singing… and hacking the infrastructure behind the world’s most powerful democracy. “I’m going to try and change the votes for Donald Trump,” she tells me. “I’m going to try to give him less votes. Maybe even delete him off of the whole thing.” Fortunately for the President, Bianca is attacking a replica website, not the real deal. She’s taking part in a competition organised by R00tz Asylum, a non-profit organisation that promotes “hacking for good”. Its aim is to send out a dire warning: the voting systems that will be used across America for the mid-term vote in November are, in many cases, so insecure a young child can learn to hack them with just a few minute’s coaching.

National: Voatz: a tale of a terrible, horrible, no-good, very bad idea | TechCrunch

Let’s get the fish in the barrel out of the way. Voatz are a tech startup whose bright idea was to disrupt democracy by having people vote on their phone, and store the votes on, you guessed it, a blockchain. Does this sound like a bad idea? Welp. It turned out that they seemed awfully casual about basic principles of software security, such as not hard-coding your AWS credentials. It turned out that their blockchain was an eight-node Hyperledger install, i.e. one phenomenologically not especially distinguishable from databases secured by passwords. They have been widely and justly chastised for these things. But they aren’t what’s important.

National: Two-Minute Hack Shows How Easy It Is To Gain Admin Access On An Elections Voting Machine | wccftech

Once again at the Defcon cybersecurity conference in Las Vegas on Friday, hackers posed how easy it is to break into the election voting machines. At the conference, officials from the US Department of Homeland security were present to learn about the problems of the election security. Seemingly, there’s another two-minute hack which will allow anyone to physically gain admin access on a voting machine. It’s definitely alarming for the forthcoming elections. So let’s dive in to see some more details on the hack and how it is performed. Rachel Tobac shared a video on Twitter, showing how she gained physical admin access in less than two minutes. It required no tools and the operation does not require any hardcore hacking techniques. At this point, with hacking options as easy as this, these attacks threaten trust in politics and even leadership to a greater scale. These loopholes can possibly allow alterations being made to the final count, which of course, does make a lot of difference.

National: Election officials’ concerns turn to information warfare as hackers gather in Vegas | CNN

As hackers sit down to break into dozens of voting machines here in Las Vegas this weekend, some state and local election officials that have flown in to witness the spectacle at one of the world’s largest hacking conventions are becoming increasingly concerned about another threat to November’s midterm elections: information warfare. Organizers of a “voting village” at the annual Def Con hacker convention have packed a conference room at Caesars Palace with voting machines and have asked civically-curious hackers to wreak havoc. The event, now in its second year, is supposed to demonstrate vulnerabilities in America’s vast election infrastructure. After a few hours on Friday, one hacker was essentially able to turn a voting machine into a jukebox, making it play music and display animations. While such hacks are a cause of concern for election officials, they are increasingly looking beyond the threats against traditional election infrastructure like voting machines and voting databases and more to the threat of disinformation. What, some of them ask, if they fall victim to a coordinated information warfare campaign?

National: Tensions Flare as Hackers Root Out Flaws in Voting Machines | Wall Street Journal

Hackers at the Defcon computer security conference believe they can help prevent manipulation of U.S. elections. Some election officials and makers of voting machines aren’t so sure. That tension was front and center at Defcon’s second-annual Voting Village, where computer hackers are invited to test the security of commonly used election machines. Organizers see the event as an early test of U.S. election security and a counterpunch to potential outside interference. On the first day of the event, which runs through Sunday, hackers were able to swap out software, uncover network plug-ins that shouldn’t have been left working, and uncover other ways for unauthorized actors to manipulate the vote. These hacks can root out weaknesses in voting machines so that vendors will be pressured to patch flaws and states will upgrade to more secure systems, organizers say. … “You want companies to be building more secure products, but at the same time the public doesn’t necessarily know the full picture,” Ms. Manfra said. “If all you are saying is, ‘Look, even a kid can hack into this’, you’re not getting the full story, which can have the impact of having the average voter not understanding what is going on.”