National: Panel backs bipartisan congressional action for securing election data systems | InsideCyberSecurity.com

Congressional staff on Thursday heard from a panel — including a former high-ranking Justice Department official and a state county clerk responsible for election-data rolls — that called for swift, bipartisan action on legislation offering new requirements and funding for states to upgrade and secure the nation’s election system from foreign and other malicious hacks. The move could have implications for industry by setting security requirements on the technologies and products sold to state election officials, and underscores a growing sentiment for a physical backup to operations that take place in cyberspace. Susan Greenhalgh, an election specialist with the non-profit group Verified Voting, said the National Institute of Standards and Technology and the Department of Homeland Security are meeting with the Election Assistance Commission to promote use of the NIST cybersecurity framework by state officials. The EAC was established by Congress in 2002 to assist states with guidance and funding to upgrade voting systems. Greenhalgh spoke as part of the panel on election security held on the Senate side of the Capitol on Thursday.

National: Trump’s secretive fraud panel is keeping own members in the dark | Associated Press

Donald Trump’s advisory commission on election integrity has integrity questions of its own – with some of its own members raising concerns about its secretive operations. Democrats in the Senate are requesting a government investigation of the commission for ignoring formal requests from Congress. This week, two members sent letters to commission staff complaining about a lack of information about the panel’s agenda and demanding answers about its activities. In a letter sent on 17 October, Maine’s secretary of state, Matthew Dunlap, said he was not being made aware of information pertaining to the commission and requested copies of all correspondence between its members since Trump signed the executive order creating it in May. “I am in a position where I feel compelled to inquire after the work of the commission upon which I am sworn to serve, and am yet completely uninformed as to its activities,” Dunlap wrote in his letter to Andrew Kossack, the commission’s executive director.

National: A Death And More Questions For Trump’s Fraud Commission | NPR

A member of President Trump’s voter fraud commission, former Arkansas state Rep. David Dunn, died suddenly Monday from complications during surgery, according to his office. According to the Associated Press, Dunn was 52 years old. Dunn was one of five Democrats on the advisory panel, which has been embroiled in controversy ever since it was created earlier this year to study problems in the nation’s electoral system. In a statement, fellow commissioner J. Christian Adams, a Republican, said Dunn was “courageous to serve, courteous in his manners, and kind to everyone.” The commission has met only twice so far — the last time on Sept. 12 in New Hampshire. There’s been no word on when, where or whether it will meet again.

National: Sharing Election Threat Info with States Won’t be One-Size-Fits-All, DHS Says | Nextgov

When the Homeland Security Department alerted state governments about Russian attempts to probe their election systems in 2016, it followed an ad hoc, one-size-fits-all process, mostly reaching out through existing cybersecurity relationships with governors’ offices. As a result, the officials running those elections—which are often politically firewalled from governors—were sometimes left in the dark. As the clock counts down to national elections in 2018 and 2020, Homeland Security is taking the opposite approach, asking top election officials in all 50 states how they’d like to communicate about relevant information security information, said Robert Kolasky, acting deputy undersecretary for Homeland Security’s cyber and infrastructure protection division.

National: Senators say feds leave local officials on their own on cybersecurity | Cronkite News

An empty chair fielded question after question from an angry Senate panel Thursday, after a White House cybersecurity coordinator invoked executive privilege and skipped the hearing. Representatives from the FBI, the Pentagon and the Department of Homeland Security testified beside the empty chair, telling the Senate Armed Services Commitee they are working to increase coordination and communication. But much of the hearing was focused on Rob Joyce’s empty chair, which Sen. John McCain, R-Arizona, said showed “a fundamental misalignment between authority and accountability” in cybersecurity efforts at a time when Russians are meddling in an attempt to “destroy the fundamentals of democracy.” Sen. Elizabeth Warren, D-Massachusetts, said the lack of federal coordination leaves local governments “by themselves to fight a sophisticated cyber-adversary like Russia.”

National: CIA: Intelligence assessment has not changed on Russia election interference | The Hill

The CIA said on Thursday that the U.S. intelligence community has not reached new conclusions on Russian efforts to interfere in the 2016 election, hours after the agency’s director, Mike Pompeo, said that intelligence agencies had determined that the meddling had no effect on the results. “The intelligence assessment with regard to Russian election meddling has not changed,” Ryan Trapani, a CIA spokesman, told The Washington Post, “and the director did not intend to suggest that it had.” Pompeo reportedly said during a security conference in Washington on Thursday that “the intelligence community’s assessment is that the Russian meddling that took place did not affect the outcome of the election.”

National: Warner, Klobuchar, McCain Introduce Bipartisan Legislation To Prevent Foreign Interference In Elections | Alexandria News

U.S. Senator Amy Klobuchar (D-MN), Ranking Member of the Senate Rules Committee, U.S. Senator Mark Warner (D-VA), Vice Chairman of the Select Committee on Intelligence, and U.S. Senator John McCain (R-AZ), Chairman of the Senate Committee on Armed Services today introduced the Honest Ads Act to help prevent foreign interference in future elections and improve the transparency of online political advertisements. “Online political advertising represents an enormous marketplace, and today there is almost no transparency. The Russians realized this, and took advantage in 2016 to spread disinformation and misinformation in an organized effort to divide and distract us,” Senator Warner said. “Our bipartisan Honest Ads Act extends transparency and disclosure to political ads in the digital space. At the end of the day, it is not too much to ask that our most innovative digital companies work with us by exercising additional judgment and providing some transparency.” 

National: Nikki Haley on Russia meddling: Election interference is ‘warfare’ | Politico

U.S. Ambassador to the United Nations Nikki Haley said Thursday that interference in U.S. elections by another nation “is warfare,” telling an audience in New York that such meddling has become Russia’s go-to tactic. “I will tell you that when a country can come interfere in another country’s elections, that is warfare. It really is, because you’re making sure that the democracy shifts from what the people want to giving out that misinformation,” Haley said Thursday at a forum hosted in New York by the George W. Bush institute. ”And we didn’t just see it here. You can look at France and you can look at other countries. They are doing this everywhere. This is their new weapon of choice. And we have to make sure we get in front of it.”

National: Russia Probes Spur Lawmakers on Election Security, Social Media | Bloomberg

After months of congressional investigations into Russian interference with U.S. elections, legislation is gaining traction in the Senate that would impose new disclosure requirements for political advertising on Facebook, Twitter, Google and other social media. Senator John McCain gave a big boost to a proposal by Democratic Senators Amy Klobuchar and Mark Warner to require disclosure of who’s paying for online political ads, announcing he’ll co-sponsor the bill. In two weeks, executives for the social media giants are due to testify at public hearings about Russia’s use of their networks to interfere in the 2016 election. “I’ve been fighting for free and open and full disclosure for the past 25 years. This is part of that effort,” McCain told reporters Wednesday.

National: Sessions: U.S. not doing enough to prevent interference in elections | Yahoo

Attorney General Jeff Sessions conceded Wednesday that the U.S. government is not doing enough to prevent future interference in elections by Russia and other foreign adversaries. “We’re not,” Sessions said, when asked by Sen. Ben Sasse, R-Neb., if the government is taking adequate action to prevent meddling in its elections. “The matter is so complex that for most of us we’re not able to fully grasp the technical dangers that are out there.” Sessions said he accepts the U.S. intelligence community’s findings that Russia interfered with the 2016 election and may attempt to do so again. He said the Justice Department has been aggressively looking into the stealing of trade secrets in the private sector and noted that the FBI’s computer experts are also highly trained.

National: Democratic Senators want probe of Trump’s fraud commission | The Hill

A group of Senate Democrats is asking a government watchdog to investigate President Trump’s voter fraud commission. Democratic Sens. Michael Bennet (Colo.), Amy Klobuchar (Minn.) and Cory Booker (N.J.) sent a letter to the Government Accountability Office (GAO) saying the panel, known as the Presidential Advisory Commission on Election Integrity, is a “cause for serious concern.” “Investigative reports raise questions about the partisan motives and actions of the Commission,” the senators wrote. They added that the panel has “ignored numerous requests” from lawmakers seeking to clarify its activities.

National: Despite backlash over political ads, Facebook’s role in elections will only grow | Los Angeles Times

Negative headlines. Congressional inquiries. Corporate apologies. The heightening scrutiny surrounding Facebook after it allowed Russian trolls and inflammatory political ads to spread on its network is the kind of thing companies would do anything to avoid. But don’t expect it to harm the tech giant’s bottom line. As the political world looks to apply the lessons of Donald Trump’s victory to future campaigns, one of the few clear conclusions is that Facebook played an outsized role in propelling the candidate to his improbable win. The company’s ability to affordably target hyper-specific audiences with little to no transparency gives it a distinct advantage over other forms of media, researchers and political operatives believe.

National: The fix is in for hackable voting machines: use paper | Naked Security

Want better security of election voting results? Use paper. With the US almost halfway between the last national election and the 2018 mid-terms, not nearly enough has been done yet to improve the demonstrated insecurity of current electronic voting systems. Multiple experts say one obvious, fundamental move should be to ensure there is a paper trail for every vote. That was a major recommendation at a panel discussion this past week that included representatives of the hacker conference DefCon and the Atlantic Council think tank, which concluded that while there is progress, it is slow.

National: Russian troll factory paid US activists to help fund protests during election | The Guardian

Russian trolls posing as Americans made payments to genuine activists in the US to help fund protest movements on socially divisive issues, according to a new investigation by a respected Russian media outlet. On Tuesday, the newspaper RBC published a major investigation into the work of a so-called Russian “troll factory” since 2015, including during the period of the US election campaign, disclosures that are likely to put further spotlight on alleged Russian meddling in the election. The existence of the troll factory, which has a history of spamming Russian and English blogs and comment forums, has been reported on by many outlets including the Guardian, but the RBC investigation is the first in-detail look at the organisation’s activity during the election period.

National: Conflict Mounts Inside Fraud Commission in the Wake of Child Porn Arrest | ProPublica

The arrest, on child pornography charges, of a researcher for the controversial Presidential Advisory Commission on Election Integrity is intensifying conflict inside the group, with two Democratic members asserting again that a small band of conservatives holds disproportionate power. The researcher, Ronald Williams II, who was arrested late last week, previously worked as an intern at the Department of Justice on a case with J. Christian Adams, who is now a Republican member of the commission. Democratic commissioner Matt Dunlap contends Williams’ involvement with the commission is the latest in a series of discoveries suggesting a few conservative members wield outsize clout; Dunlap claims that Democratic members have been largely excluded from planning. Today he wrote a letter to the commission demanding information. “I am seeking information because I lack it,” stated the letter, a copy of which was given to ProPublica. “I am in a position where I feel compelled to inquire after the work of the Commission upon which I am sworn to serve, and am yet completely uninformed as to its activities.” The letter demanded copies of “any and all communication between members of the commission” beginning in May.

National: State officials to be given access to 2016 election cyberattack data | CBS

CBS News has learned that in an unprecedented effort to enhance election security ahead of the 2018 midterms, select state officials will be given access to some of the most sensitive information about the extent of the 2016 cyberattacks, but that access will require them to submit to the time-consuming and lengthy process of filling out federal security clearance applications. The process online can take up to 10 hours and, even after completing the application, some election officials say they have doubts about the extent of what they’ll be able to see.During the 2016 election, suspected Russian hackers scanned and probed voter databases and other election related computer networks in at least 21 states.

National: DHS and top election officials finally meet to begin hashing out ‘critical infrastructure’ designation | Washington Examiner

Top election officials from around the country met this weekend to create the formal organization to hash out what powers and lines of communications the Department of Homeland Security should have after the department designated voting systems in the states and territories as “critical infrastructure” earlier this year. By voting to adopt a charter for a “Government Coordinating Council,” the secretaries of state now have a group that has an official channel and a single “voice” to communicate with DHS. The move marks the first major step in the coming together between the nonpartisan National Association of Secretaries of State, or NASS, and DHS, amidst a contentious and sometimes mistrusting year.

National: Senator Klochubar wants Kaspersky out of U.S. voting systems | FCW

A U.S. senator has linked two of the hottest tech policy stories around – efforts by U.S. agencies to blacklist cybersecurity vendor Kaspersky Lab and concerns about the vulnerability of voting systems used by cities and states. Sen. Amy Klochubar (D-Minn.) who sits on a committee with authority over federal elections, is concerned that Kaspersky could be in a position to provide Russian intelligence agencies access to state and local election data, by virtue of connections to computers involved in managing election activities. “Given recent revelations regarding how Russia used Kaspersky software to breach our systems, it is important to prioritize state critical infrastructure systems in conjunction with efforts currently underway at the federal level,” Klochubar wrote in an Oct. 12 letter to Acting Homeland Security Secretary Elaine Duke.

National: Google, Facebook putting an early mark on political advertising bills | Politico

Google and Facebook are looking to make an early imprint on legislation being drafted in the House and Senate that would force them and other online networks to disclose information about the buyers of political ads. Lobbyists from the Silicon Valley behemoths have met with the staffs of Sens. Mark Warner and Amy Klobuchar and Rep. Derek Kilmer, all of whom are drawing up bills that would impose new regulations on the industry, according to Democratic aides and company representatives. The Senate bill is expected to be formally introduced next week. It is not clear when the House legislation, which has not been previously reported, will be introduced. Facebook has talked with those working on the bill, a company source confirmed, characterizing Facebook as willing to continue discussing it as the process moves along. A spokesperson for Google declined to comment.

National: An intern Cambridge Analytica left sensitive voter targeting tools online for nearly a year | Business Insider | Business Insider

An intern at the data mining and analysis firm Cambridge Analytica left online for nearly a year what appears to be programming instructions for the voter targeting tools the company used around the time of the election, raising questions about who could have accessed the tools and to what end. Social media analyst and data scientist Jonathan Albright discovered the election data processing scripts — or programming instructions — on what he said was the intern’s personal GitHub account. GitHub, a “Facebook for programmers,” is an internet hosting service mostly used for code. The account was scrubbed less than an hour after Albright published his findings on Medium, but the scripts had already been archi

National: Are Americans Beginning to Care About Election Integrity? | WhoWhatWhy

Nearly a year after the 2016 presidential election, many Americans have been forced, some for the very first time, to look critically at their voting protections, and recognize that US balloting systems are not nearly as impregnable as they once thought. Clearly, the US intelligence reports about Russia hacks provided a long-overdue wake up call for this issue. The good news: some progress has been made in some jurisdictions in the last year. The bad news: that progress hasn’t been as widespread or comprehensive as the problem would seem to demand. “I think we’re moving in the right direction,” said Larry Norden, of NYU’s nonpartisan Brennan Center for Justice. “I’m heartened by the fact that, for instance, we’re seeing, in both House and Congress, bipartisan proposals to invest in increased election system security.” … Election consultant Pam Smith agreed that there has “definitely [been] a pattern towards more secure elections” across the country. Some states appear to be ahead of the game. Virginia, for example, recently earned praise for decertifying all its touchscreen, paperless Direct Record Electronic (DRE) voting machines ahead of the termination date required by its own legislation.

National: The Race to Secure Voting Tech Gets an Urgent Jumpstart | WIRED

Numerous electronic voting machines used in United States elections have critical exposures that could make them vulnerable to hacking. Security experts have known that for a decade. But it wasn’t until Russia meddled in the 2016 US presidential campaigns and began probing digital voting systems that the topic took on pressing urgency. Now hackers, researchers, diplomats, and national security experts are pushing to effect real change in Washington. The latest update? It’s working, but maybe not fast enough. On Tuesday, representatives from the hacking conference DefCon and partners at the Atlantic Council think tank shared findings from a report about DefCon’s Voting Village, where hundreds of hackers got to physically interact with—and compromise—actual US voting machines for the first time ever at the conference in July. Work over three days at the Village underscored the fundamental vulnerability of the devices, and raised questions about important issues, like the trustworthiness of hardware parts manufactured in other countries, including China. But most importantly, the report highlights the dire urgency of securing US voting systems before the 2018 midterm elections.

National: Wary of Hackers, States Move to Upgrade Voting Systems | The New York Times

State election officials, worried about the integrity of their voting systems, are pressing to make them more secure ahead of next year’s midterm elections. Reacting in large part to Russian efforts to hack the presidential election last year, a growing number of states are upgrading electoral databases and voting machines, and even adding cybersecurity experts to their election teams. The efforts — from both Democrats and Republicans — amount to the largest overhaul of the nation’s voting infrastructure since the contested presidential election in 2000 spelled an end to punch-card ballots and voting machines with mechanical levers. One aim is to prepare for the 2018 and 2020 elections by upgrading and securing electoral databases and voting machines that were cutting-edge before Facebook and Twitter even existed. Another is to spot and defuse attempts to depress turnout and sway election results by targeting voters with false news reports and social media posts.

National: Trump Fraud Commission Violates Federal Law, Lawsuit Claims | Newsweek

President Donald Trump’s controversial “election integrity” commission is facing yet another legal challenge with a privacy-rights group saying the panel is breaking federal law by gathering massive amounts of information on the nation’s registered voters. The Electronic Privacy Information Center, which has been doing court battle against the voter panel for months, filed a revised complaint in District of Columbia federal court Thursday. Privacy watchdogs concerned about the panel’s activities have questioned whether the information can and will be kept safe from hackers and whether it will only used for research and not other political purposes.  The Trump administration has defended the attempt to collect huge quantities of voter data by saying the panel is not technically a federal agency. Therefore, the argument goes, it does not have to do a so-called “impact assessment” to show that collecting the information doesn’t violate anyone’s privacy rights.

National: DEFCON hopes voting machine hacking can secure systems | TechTarget

A new report pushes recommendations based on the research done into voting machine hacking at DEFCON 25, including basic cybersecurity guidelines, collaboration with local officials and an offer of free voting machine penetration testing. It took less than an hour for hackers to break into the first voting machine at the DEFCON conference in July. This week, DEFCON organizers released a new report that details the results from the Voting Village and the steps needed to ensure election security in the future. Douglas Lute, former U.S. ambassador to NATO and retired U.S. Army lieutenant general, wrote in the report that “last year’s attack on America’s voting process is as serious a threat to our democracy as any I have ever seen in the last 40+ years – potentially more serious than any physical attack on our Nation. Loss of life and damage to property are tragic, but we are resilient and can recover. Losing confidence in the security of our voting process — the fundamental link between the American people and our government — could be much more damaging,” Lute wrote. “In short, this is a serious national security issue that strikes at the core of our democracy.”

National: Voting Machines: A National Security Vulnerability? | Atlantic Council

The political instability that has resulted from Russian meddling in the 2016 US presidential elections has put the focus on voting machines as a national security vulnerability, Douglas Lute, a former US permanent representative to NATO, said at the Atlantic Council on October 10. “I don’t think I’ve seen a more severe threat to American national security than the election hacking experience of 2016,” said Lute. There is a “fundamental democratic connection between the individual voter and the democratic outcome” of an election, he said, adding: “If you can undermine that, you don’t need to attack America with planes and ships. You can attack democracy from the inside.” … Lute delivered a keynote address at the Atlantic Council to call for a sense of urgency among policymakers and all stakeholders able to play a role in the solution to insecure voting machines. He also highlighted the findings presented in the DEF CON Report on Cyber Vulnerabilities in US Election Equipment, Databases, and Infrastructure, launched at the Council, which help to shed light on the technological dimensions of this national security threat. Ultimately, as Lute writes in the foreword, “this report makes one key point: our voting systems are not secure.”

National: Report details election vulnerabilities uncovered at DEFCON | GCN

When attendees at the July DEFCON conference breached every poll book and voting machine that event organizers had in the Voting Machine Hacking Village, elections officials took notice. A new report from DEFCON, the National Governors Association, the Atlantic Council, the Center for Internet Security and a number of universities and top technology vendors provides a more detailed look at just how vulnerable the entire U.S. election system – equipment, databases and infrastructure —  is to hacking and urges policymakers to shore up security gaps. Vulnerabilities start with an insecure supply chain. Many parts used in voting machines are manufactured overseas, and the report authors suggested that bad actors could compromise the equipment “well before that voting machine rolls off the production line.” Voting Village participants found voting machines with universal default passwords and ones that broadcast their own Wi-Fi access point, which would allow hackers to connect. Once hackers gained access, they could escalate their privileges so they could run code, change votes in the database or turn the machine off remotely. Additionally, unprotected, uncovered USB ports provided easy inputs for thumb drives or keyboards.

National: Facebook scrubbed potentially damning Russia data before researchers could analyze it further | Business Insider

Facebook removed thousands of posts shared during the 2016 election by accounts linked to Russia after a Columbia University social-media researcher, Jonathan Albright, used the company’s data-analytics tool to examine the reach of the Russian accounts. Albright, who discovered the content had reached a far broader audience than Facebook had initially acknowledged, told The Washington Post on Wednesday that the data had allowed him “to at least reconstruct some of the pieces of the puzzle” of Russia’s election interference. “Not everything, but it allowed us to make sense of some of this thing,” he said.

National: It Isn’t Even That Difficult To Hack Voting Equipment | HuffPost

You don’t even have to know much about voting machines to hack some of the systems that are still in use across the country. A new report published on Tuesday outlines how amateur hackers were able to “effectively breach” voting equipment, in some cases in a matter of minutes or hours, over just four days in July at DEFCON, an annual hacker conference. The report underscores the vulnerability of U.S. election systems. It also highlights the need for states to improve their security protocols after the Department of Homeland Security said Russian hackers attempted to target them during the 2016 election. “The DEFCON Voting Village showed that technical minds with little or no previous knowledge about voting machines, without even being provided proper documentation or tools, can still learn how to hack the machines within tens of minutes or a few hours,” the report says.

National: How DEFCON Turned an Event Into a Major Initiative | Associations Now

Organizers of the long-running DEFCON hacking conference have teamed with a variety of groups, including the National Governors Association, on an initiative to boost electoral security. The new coalition comes on the heels of a new report highlighting how insecure many voting machines really are. The DEFCON hacking conference, which has existed in one form or another for nearly a quarter century, is getting into the election security business—with the help of a number of associations and nonprofits. A September report [PDF] outlines the results of the first-ever “Voting Machine Hacking Village,” held at the DEFCON conference in Las Vegas last summer. The exercise revealed significant vulnerabilities in digital voting machines and in the ways they’re used to tally votes. And this week it led to the announcement of a coalition on election security that includes the National Governors Association, the Atlantic Council, the Center for Internet Security, and a variety of academic groups, among others.