National: Democratic Party Says It Thwarted Attempted Hack of Voter Database | The New York Times

The Democratic National Committee said Wednesday that it was alerted to an attempted hack of its voter database this week and that it had notified law enforcement. The effort to target the Democratic Party’s voter file, known as Votebuilder, was not successful, and a party official said the identities of the culprits were unclear. When the Democratic National Committee was hacked in 2016 during the presidential campaign, the incident was traced to Russia. This week’s attempt was aggressive, two officials briefed on it said. The hackers set up a fake page that mimicked the party’s login page for its voter-registration website, a tactic that could gather names, passwords and other credentials of those using the voter database. The hackers also may have sent emails to people within the national committee to try to trick them into using the fake page, a tactic known as “spearphishing,” the officials said. The Federal Bureau of Investigation is looking into the incident, one of the officials said.

National: Officials fear voter registries vulnerable to hackers, could lead to problems on Election Day | Associated Press

A top Department of Homeland Security official said on Tuesday that while it would be difficult for hackers to meaningfully change vote totals in the upcoming elections, they could attack more vulnerable voter registration files, which an expert said could sow “chaos” on Election Day. “Our assessment is that it would be exceedingly complex to change vote totals, and that in trying to attempt to do so [it’s] likely that something would be noticed,” DHS’s National Risk Management Center Director Robert Kolasky said in a Senate hearing. “Voter registration files we’ve assessed as more of a vulnerability than the actual vote count process.”

National: States Detail Election-Security Plans | Wall Street Journal

State election officials plan to spend about two thirds of election security money allocated by Congress earlier this year on new voting equipment and cybersecurity efforts, though not all the improvements will be completed before the November elections. New data gathered by the federal agency that distributes the funds detail how states plan to spend $380 million appropriated by Congress in March to upgrade election security. States plan to spend roughly $134.2 million on cybersecurity upgrades over five years, and $102.6 million on voting equipment, according to the data released by the U.S. Election Assistance Commission. States plan to spend the rest of the federal funding on measures that include upgrading voter-registration databases, bolstering postelection auditing and communications capabilities.

National: Tech giants open up about election cyberthreats as specter of regulation looms | The Washington Post

Tech companies are taking a more transparent approach than usual in disclosing cyberthreats against their platforms — especially when it comes to election interference. One high-profile example came this week when Microsoft announced that Russian hackers tried to use the company’s domains to launch phishing attacks on U.S. political institutions. The company also revealed recently that hackers had used similar means to target 2018 congressional candidates. And just last month, Facebook said that it had uncovered a sophisticated political disinformation campaign involving nearly two dozen fraudulent pages and profiles. The disclosures are not just limited to U.S. election threats. Late Tuesday, Facebook announced that it had identified new social media influence campaigns — one backed by the Iranian government, another linked to Russian military intelligence — and removed hundreds of fraudulent accounts that it said were designed to manipulate users in other countries around the globe.

National: Election security steps hobbled by Congress-White House funding fight | Reuters

A battle between U.S. President Donald Trump and Democrats over federal funding to help secure November’s U.S. elections stymied legislation in Congress on Wednesday, at least for now, that is aimed at thwarting Russian meddling by strengthening states’ voting procedures. The Senate Rules Committee unexpectedly canceled a work session that was intended to advance the Secure Elections Act. That is a bipartisan bill requiring greater coordination between the U.S. Department of Homeland Security and a range of other federal and state election agencies as well as making it easier to audit voting results in the 50 states. The fight pits Democrats and some state officials against the Trump administration and Republicans who oppose additional money flowing from Washington to the states to shore up elections.

National: Senators duel over audit requirements in election security bill | FCW

As the Secure Elections Act barrels towards a crucial markup in the Senate, two of its original cosponsors expressed divergent views on whether the bill must mandate hand counted post-election audits. The latest version of the bill released by Senate Rules Committee chair Roy Blunt (R-Mo.) would, like its predecessors, mandate that every state conduct a post-election audit to verify the results. However, Blunt’s version would allow states to conduct those audits by hand as well as through electronic means. Previous versions of the bill specified that audits be inspected “by hand and not by device.” During a hearing on cybersecurity, Sen. Amy Klobuchar (D-Minn.), one of the original co-sponsors of the bill, pressed her colleagues to fight to reinsert the language. “I would love to see that risk-limiting audit requirement across the country,” said Klobuchar. “What we have right now in the bill is a requirement that simply audits be required and they have to report back to us. We have backup paper ballots in 14 states now, nine as you know have partial [paper backups], five don’t have any at all….I don’t know how you could prove what happened in an election if there was a hacking.”

National: States using chunk of federal $380M to safeguard voting | Associated Press

Racing to shore up their election systems before November, states are using millions of dollars from the federal government to tighten cybersecurity, safeguard their voter registration rolls and improve communication between county and state election officers. The U.S. Election Assistance Commission released a report Tuesday showing how states plan to spend $380 million allocated by Congress last spring to strengthen voting systems amid ongoing threats from Russia and others. All but a fraction of the money has already been sent to the states, the District of Columbia and U.S. territories. The largest chunk — roughly 36 percent — is being spent to improve cybersecurity in 41 states and territories. More than a quarter of the money will be used to replace voting equipment in 33 states and territories, although the bulk of this is unlikely to happen until after the Nov. 6 midterm elections.

National: Majority of election security grants going toward cybersecurity, equipment upgrades | CyberScoop

About a third of federal funding meant to improve election technology will be spent on cybersecurity-related improvements, while another third will be used to upgrade old equipment, according to plans released Tuesday by states and the U.S. Election Assistance Commission. In March, Congress appropriated $380 million for states to use for upgrades to election infrastructure, under the Help America Vote Act. It’s the first time the federal distributes HAVA funding since 2010. “The 380 [million] is something new in terms of additional funding, but it’s in that same realm of ensuring that our voting process remain secure and that vote of confidence remains high,” Tom Hicks, chairman of the EAC, told CyberScoop.

National: New bill would require paper ballots to secure election results | CNET

The Russians can’t hack paper. On Tuesday, nine Senators introduced a bill that would require state and local governments to use paper ballots in an effort to secure elections from hackers. The bill would also require rigorous audits for all federal elections to ensure that results match the votes. “Leaving the fate of America’s democracy up to hackable election machines is like leaving your front door open, unlocked and putting up a sign that says ‘out of town,'” Sen. Ron Wyden, a Democrat from Oregon, said in a . “Any failure to secure our elections amounts to disenfranchising American voters.”

National: Democrats gear up for legal fights over voter suppression | The Hill

Democrats are getting ready for a major fight this fall over access to the polls, which the party believes could be a critical issue toward determining congressional majorities in the midterm elections. Sen. Chris Van Hollen (D-Md.), the chairman of the Senate Democrats’ campaign arm, pointed out recent efforts to limit turnout by likely Democratic voters in Texas, Ohio and Indiana — three Senate battlegrounds. “A number of states have already acted. Texas put in place a set of additional restrictions,” Van Hollen said in an interview on C-SPAN’s “Newsmakers.” Hilary Shelton, the director of the Washington bureau of the NAACP, a nonpartisan group, said voting rights are under greater threat in 2018 compared to recent elections because of Attorney General Jeff Sessions.

National: Kids at hacking conference show how easily US elections could be sabotaged | The Guardian

At the world’s largest hacking conference, there was good news and bad news for fans of free and fair elections. The good news is that hacking the US midterms – actually changing the recorded votes to steal the election for a particular candidate – may be harder than it seems, and most of the political actors who could pose a threat to the validity of an election are hesitant to escalate their attacks that far. The bad news is that it doesn’t really matter. While the actual risk of a hacker seizing thousands of voting machines and altering their records may be remote, the risk of a hacker casting the validity of an election into question through one of any number of other entry points is huge, and the actual difficulty of such an attack is child’s play. Literally.

Editorials: Time is running out to secure our elections | James Lankford and Amy Klobuchar/The Hill

In 2016, Russia attacked the United States. Not with bombs or guns, but with a sophisticated well-funded cyberattack and information warfare directed by President Vladimir Putin designed to undermine the values we hold most dear. Russian entities launched cyberattacks against at least 21 states and attacked U.S. voting system software companies. Every top U.S. intelligence official has warned us, including Director of National Intelligence Dan Coats, who recently described our digital election infrastructure as “literally under attack,” and sounded the alarm that “the warning lights are blinking red again.” Far from being chastened by these reports, our foreign adversaries have only become emboldened. Microsoft has already detected phishing attacks targeting at least three midterm campaigns this year.

National: Election integrity advocates protest security bill changes | Politico

The version of the Senate’s major election security bill that the Rules Committee marks up this week will not require states to conduct post-election audits using paper records, a major blow to election integrity advocates who are now sharply criticizing the bill. The chairman’s mark of the Secure Elections Act, S. 2593 (115), “would allow for and validate audits of electronic ballot images, which are just plain worthless as a safeguard against cyberattacks,” Susan Greenhalgh, policy director at the National Election Defense Coalition, told MC. Voting system vendors, which encourage local election officials to buy electronic systems, tout the supposed auditability of their digital ballots, despite cybersecurity experts nearly unanimously warning against electronic audits. “This sort of audit would be very appealing to election officials,” Greenhalgh said of the weakened provision, “as it would eliminate the need for extensive ballot manifests and tracking of paper ballots.”

National: Russian hackers targeting more US political groups, Microsoft says | The Guardian

Microsoft says it has uncovered new Russian hacking attempts targeting US political groups before the midterm elections. The company said a group linked to the Russian government created fake internet domains that appeared to spoof two US conservative organisations: the Hudson Institute and the International Republican Institute. Three other fake domains were designed to look as if they belonged to the Senate. Microsoft did not offer any further description of the fake sites. The revelation came just weeks after a similar Microsoft discovery led the senator Claire McCaskill, a Missouri Democrat who is running for re-election, to reveal that Russian hackers tried unsuccessfully to infiltrate her Senate computer network.

National: States add intrusion sensors to election systems to thwart hacking | CNN

A growing number of states are installing a cyber-intrusion sensor system supplied by the Department of Homeland Security in response to fears that election systems my be hacked by foreign adversaries during the 2018 midterm elections and beyond. To date, 36 states have installed the intrusion detection sensors, known as “Albert,” according to a DHS official. The monitoring system was developed by the Center for Internet Security, a nonprofit organization that is working with DHS on election security and coordination. Rather than block cyber threats outright, Albert alerts officials to potentially malign activity to be investigated by experts. In those states, 74 sensors in 38 counties have been installed so far, according to the official, up from 14 before the 2016 presidential election. The new numbers were first reported by Reuters.

National: How DHS is gearing up to protect the midterms from hackers | CNBC

With all the concern over cybersecurity heading into the midterm elections, it’s actually quite difficult for outsiders to directly manipulate votes. Unlike corporate networks and email systems, voting machines aren’t connected to the internet, making them hard to access. So as government officials prepare for the hotly contested congressional elections in November, their focus is more on protecting the integrity of the systems that support the pre- and post-voting periods than on the ballots themselves. “This is about more than just voting machines,” Jeanette Manfra, the top cybersecurity official at the Department of Homeland Security, told CNBC in an interview on Wednesday. “If an [attacker] was intent on sowing discord, how could they do that? It involves us looking at the broad elections administration process.”

National: In Congress, election security proposals aim at 2020 cycle | FCW

While most of the discussion around election security tends to focus on protecting the 2018 fall elections, much of the federal guidance and legislative proposals currently under consideration would likely have limited impact this year. Two bills in Congress – The Secure Elections Act and the PAVE Act – would implement a number of best-practice policies around cybersecurity and vote tabulation that are endorsed by most experts. Yet some of the most impactful provisions from those bills, such as grant funding to replace obsolete or out-of-support voting machines or require states to use paper ballots, would take years to implement before states realized results.

National: Are Blockchains the Answer for Secure Elections? Probably Not | Scientific American

With the U.S. heading into a pivotal midterm election, little progress has been made on ensuring the integrity of voting systems—a concern that retook the spotlight when the 2016 presidential election ushered Donald Trump into the White House amid allegations of foreign interference. A raft of start-ups has been hawking what they see as a revolutionary solution: repurposing blockchains, best known as the digital transaction ledgers for cryptocurrencies like Bitcoin, to record votes. Backers say these internet-based systems would increase voter access to elections while improving tamper-resistance and public auditability. But experts in both cybersecurity and voting see blockchains as needlessly complicated, and no more secure than other online ballots. Existing voting systems do leave plenty of room for suspicion: Voter impersonation is theoretically possible (although investigations have repeatedly found negligible rates for this in the U.S.); mail-in votes can be altered or stolen; election officials might count inaccurately; and nearly every electronic voting machine has proved hackable. Not surprisingly, a Gallup poll published prior to the 2016 election found a third of Americans doubted votes would be tallied properly.

National: More U.S. states deploy technology to track election hacking attempts | Reuters

A majority of U.S. states has adopted technology that allows the federal government to see inside state computer systems managing voter data or voting devices in order to root out hackers. Two years after Russian hackers breached voter registration databases in Illinois and Arizona, most states have begun using the government-approved equipment, according to three sources with knowledge of the deployment. Voter registration databases are used to verify the identity of voters when they visit polling stations. The rapid adoption of the so-called Albert sensors, a $5,000 piece of hardware developed by the Center for Internet Security www.cisecurity.org, illustrates the broad concern shared by state government officials ahead of the 2018 midterm elections, government cybersecurity experts told Reuters.

National: Hacking an American Election Is Child’s Play, Just Ask These Kids | Roll Call

In March, Hawaii Democrat Rep. Tulsi Gabbard introduced the Securing America’s Elections Act to require the use of paper ballots as backup in case of alleged election hacking. Now voting advocates are suing Georgia to do the same thing. Some voting systems are so easy to hack a child can do it. Eleven year old Emmett Brewer hacked into a simulation of Florida’s state voting website in less than 10 minutes at the DefCon hacking conference last week in Las Vegas, according to Time. Of the approximately 50 children age 8 to 17 who took part in the Election Voting Hacking Village at DefCon, 30 were able to hack into imitation election websites within three hours, Time reported. The kids were able to rewrite vote tallies so that they totaled as much as 12 billion, and change the names of parties and candidates, according to the Guardian.

National: Native Americans Work to Break Down Barriers to Voting | VoA News

In November 2012, former North Dakota attorney general Heidi Heitkamp, a Democrat, won a hotly-contested race for a seat in the U.S. Senate, a win attributed to the state’s Native American voters. Shortly after that, lawmakers in the majority Republican state passed a tough voter-ID law, making it a lot harder for tribe members to vote. The nonprofit Native American Rights Fund (NARF) sees the new law as racially motivated and has taken North Dakota to court. This year, NARF conducted field hearings across Indian Country to hear testimony on voter suppression in other states. “And what we heard was really disturbing,” said NARF attorney Jacqueline D. De León, a member of the Isleta Pueblo in New Mexico.

National: U.S. states demand better access to secrets about election cyber threats | Reuters

U.S. state election officials are demanding better access to sometimes classified federal government information about hacking threats to voting systems. With less than three months until the November midterm elections, 44 states, the District of Columbia, and numerous counties on Wednesday participated in a simulation that tested the ability of state and federal officials to work together to stop data breaches, disinformation and other voting-related security issues. They did not simulate a cyber attack, but rather played out various scenarios to learn how to react if there were one. The Department of Homeland Security, Office of the Director of National Intelligence, U.S. Cyber Command, Justice Department and the FBI participated.

National: Hackers are out to jeopardize your vote | MIT Technology Review

Russian hackers targeted US electoral systems during the 2016 presidential election. Much has been done since then to bolster those systems, but J. Alex Halderman, director of the University of Michigan’s Center for Computer Security and Society, says they are still worryingly vulnerable (see “Four big targets in the cyber battle over the US ballot box”). MIT Technology Review’s Martin Giles discussed election security with Halderman, who has testified about it before Congress and evaluated voting systems in the US, Estonia, India, and elsewhere.

Lots of things, from gerrymandering to voter ID disputes, could undermine the integrity of the US electoral process. How big an issue is hacking in comparison?

Things like gerrymandering are a question of political squabbling within the rules of the game for American democracy. When it comes to election hacking, we’re talking about attacks on the United States by hostile foreign governments. That’s not playing by the rules of American politics; that’s an attempt to subvert the foundations of our democracy.

National: DHS works to strengthen election security on heels of bipartisan legislation | BiometricUpdate

What one congressional observer called, “a day late and a dollar short,” the bipartisan Prevent Election Hacking Act of 2018 (HR 6188) was recently introduced and referred to the House Committee on House Administration. If passed, it would “direct the Secretary of [the Department of] Homeland Security [DHS] to establish a program to improve election system cybersecurity by facilitating and encouraging assessments by independent technical experts to identify and report election cybersecurity vulnerabilities, and for other purposes.” An industry cybersecurity official said on background to Biometric Update that, “HR 6188’s potentially ground breaking — sorry, overstated deliberately — concept of outsourcing cybersecurity execution to the private sector is something worth looking into.”

National: Election Websites, Back-End Systems Most at Risk of Cyberattack in Midterms | Dark Reading

Two 11-year-old budding hackers last week at DEF CON in Las Vegas used SQL injection attack code to break into a replica of the Florida Secretary of State’s website within 15 minutes, altering vote count reports on the site. Meanwhile, further down the hall in the adult Voting Machine Hacking Village at Caesars Palace, one unidentified hacker spent four hours trying to break into a replica database that housed the real, publicly available state of Ohio voter registration roll. He got as far as the secured server — penetrating two layers of firewalls with a Khali Linux pen testing tool — but in the end was unable to grab the data from the database, which included names and birthdates of registered voters. “He got to the secure file server but didn’t know how to write the query to pull the data out,” says Alon Nachmany, solution engineer with Cyberbit, which ran the voter registration database simulation. That he got as close to the data as he did was no small feat, however. “He got very far, but he didn’t have the skill needed to pull the file itself,” Nachmany says.

National: Researchers show how to alter emailed ballots in use in 30 states | McClatchy

Top computer researchers gave a startling presentation recently about how to intercept and switch votes on emailed ballots, but officials in the 30 or so states said the ease with which votes could be changed wouldn’t alter their plans to continue offering electronic voting in some fashion. Two states — Washington and Alaska — have ended their statewide online voting systems. The developments, amid mounting fears that Russians or others will try to hack the 2018 midterm elections, could heighten pressure on officials on other U.S. states to reconsider their commitment to online voting despite repeated admonitions from cybersecurity experts. But a McClatchy survey of election officials in a number of states that permit military and overseas voters to send in ballots by email or fax — including Alabama, Kansas, Missouri, North Carolina, South Carolina and Texas — produced no immediate signs that any will budge on the issue. Some chief election officers are handcuffed from making changes, even in the name of security, by state laws permitting email and fax voting. … Researchers at the DefCon convention were sharply critical of any sort of electronic voting, including voting by smartphone, which will occur for the first time in November. West Virginia announced last week that it will allow military personnel posted overseas and registered to vote in West Virginia to vote via smartphone in the Nov. 6 election, using an app created by Voatz, a Boston-based startup.

National: Research shows gap in House, Senate candidates’ website security | CyberScoop

Nearly 30 percent of House of Representatives candidates have significant security issues in their websites compared to less than 5 percent of Senate candidates, according to new research. The disparity underscores the challenge that smaller, resource-strapped campaigns have in making themselves less vulnerable to hacking. About 3 in 10 House candidate websites scanned by election-security expert Joshua Franklin and his research team were not using important security protocols for routing data or had a major certificate issue. The scans, most of which took place in June, covered the websites of more than 500 House candidates and nearly 100 Senate candidates. “The House has significantly more candidates running and that provides more opportunities for security errors,” Franklin told CyberScoop. He presented his findings at the DEF CON conference in Las Vegas. The major political parties’ Senate candidates also tend to be more experienced on the campaign trail and have bigger staffs for those statewide races.

National: US voting systems: Full of holes, loaded with pop music, and ‘hacked’ by an 11-year-old | The Register

DEF CON Hackers of all ages have been investigating America’s voting machine tech, and the results weren’t great. For instance, one 11-year-old apparently managed to hack and alter a simulated Secretary of State election results webpage in 10 minutes. The Vote Hacking Village, one of the most packed-out locations at this year’s DEF CON hacking conference in Las Vegas, saw many of the most commonly used US voting machines hijacked using a variety of wireless and wired attacks – and replica election websites so poorly constructed they were thought too boring for adults to probe, and left to youngsters to infiltrate. The first day saw 39 kids, ranging in age from six to 17, try to crack into facsimiles of government election results websites, developed by former White House technology advisor Brian Markus. The sites had deliberate security holes for the youngsters to exploit – SQL injection flaws, and similar classic coding cockups. All but four of the children managed to leverage the planted vulnerabilities within the allotted three-hour contest. Thus, it really is child’s play to commandeer a website that doesn’t follow basic secure programming practices nor keep up to date with patches – something that ought to focus the minds of people maintaining election information websites. 

National: Hacking competitions help the military; they could secure elections too | Washington Examiner

Public-facing websites and services used by the Marine Corps were targeted by hackers over the weekend – but that was part of the plan. To help identify vulnerabilities In the Marine Corps Enterprise Network, the Department of Defense and HackerOne, a service that runs crowd-sourced security testing, launched Hack the Marine Corps, a “bug bounty program” that pays hackers to identify and report vulnerabilities. As the United States faces increasing cybersecurity threats, programs such as Hack the Marine Corps are a great way to identify and fix potential problems before they really do become damaging security breaches. Hack the Marine Corps has already been successful. The program kicked off with a live event in Las Vegas with nearly 100 ethical hackers who, during the nine-hour event, identified 75 unique security vulnerabilities. True to the idea of “bug bounty,” the Marine Corps shelled out more than $80,000 to those who had identified problems.