Something strange happens on election night. With polls closing, American supporters of both parties briefly, intensely align as one: We all want to know who’s going to win, and we don’t want to wait one more minute. The ravenous national appetite for an immediate victor, pumped up by frenzied cable news coverage and now Twitter, means delivering hyper-updated results and projections before any official tally is available. But the technologies that help ferry lightning-quick results out of polling places and onto CNN are also some of the riskiest, experts say. It’s been almost two years since Russian military hackers attempted to hijack computers used by both local election officials and VR Systems, an e-voting company that helps make Election Day possible in several key swing states. Since then, reports detailing the potent duo of inherent technical risk and abject negligence have made election security a national topic. In November, millions of Americans will vote again — but despite hundreds of millions of dollars in federal aid poured into beefing up the security of your local polling station, tension between experts, corporations, and the status quo over what secure even means is leaving key questions unanswered: Should every single vote be recorded on paper, so there’s a physical trail to follow? Should every election be audited after the fact, as both a deterrent and check against fraud? And, in an age where basically everything else is online, should election equipment be allowed anywhere near the internet?
In the five years since the U.S. Supreme Court struck down key parts of the Voting Rights Act, nearly a thousand polling places have been shuttered across the country, many of them in southern black communities. The trend continues: This year alone, 10 counties with large black populations in Georgia closed polling spots after a white elections consultant recommended they do so to save money. When the consultant suggested a similar move in Randolph County, pushback was enough to keep its nine polling places open. But the closures come amid a tightening of voter ID laws in many states that critics view as an effort to make it harder for blacks and other minorities to vote — and, in Georgia specifically, the high-profile gubernatorial bid by a black woman. The ballot in November features Stacey Abrams, a Democrat trying to become the first black woman elected governor in the United States, versus Brian Kemp, the Republican secretary of state who has led efforts in Georgia to purge voter rolls, slash early voting and close polling places.
Private companies are stepping up to offer cybersecurity programs for midterm campaigns as Congress stalls on passing election security legislation. Microsoft is the most prominent name, unveiling a free cybersecurity program in August after the company revealed it had detected Russian hackers who appeared to target a pair of conservative think tanks. The company is joining a broad list of firms providing free or discounted security services, such as McAfee, Cloudflare and most recently Valimail, which is offering its anti-fraud email service to campaigns. Officials at companies said they felt obligated to step up to the plate and offer services that election officials or campaigns might otherwise not have access to — shortcomings that have been widely highlighted ahead of November’s midterm elections.
The purpose of the bill seemed unassailable: to ensure that state officials could protect their elections against the kind of hacking or interference that has clouded the 2016 campaign. Although it started out backed by election integrity advocates and powerful senators from both parties, the Secure Elections Act has now all but collapsed. Lawmakers modified one of the bill’s key provisions after hearing relentless complaints from state officials, prompting many of its advocates to pull their support. Then last week delivered what one of the bill’s co-sponsors called “the gut punch” — the formal meeting to draft the bill before sending it to the floor was abruptly postponed, and the White House offered a statement critical of the legislation later that same day. No timetable has since been offered to reschedule it, and the election is two months away.
Just two months before the midterm elections, bipartisan legislation to try to prevent foreign hacking into U.S. election systems is stalled in Congress as the White House and some Republicans worry it could exert too much federal control over the states. Supporters of the bill say the delay could embolden Russia, which targeted election infrastructure in at least 21 states in 2016. A committee vote on the bipartisan bill was abruptly canceled two weeks ago after objections from some Republican senators and the states they represent. And Republicans and Democrats who are supporting the bill say they don’t know when — or if — it will be taken up again in the few remaining weeks Congress is in session before the midterms. The delay has some concerned that Congress could punt on the only piece of legislation that is designed to fix what went wrong in 2016 — and to prevent Russia or other countries from trying again. There is no evidence that the Russian targeting of state election systems was successful or changed any votes, but lawmakers, intelligence officials and elections experts say that they believe Russia will return in 2018 and beyond with more sophisticated tools.
National: States want more money, but aren’t waiting around to improve election cybersecurity | Washington Examiner
Election officials at the state and local levels are unhappily coming to terms with the idea that more funding probably isn’t coming for securing electoral systems from hacks this fall. But with help from the Department of Homeland Security, their confidence appears to be growing about how well they will perform on Election Day. Those officials are the front-line soldiers in the battle to combat Russian and any other cyber interference aimed at the midterm elections. In turn, they are becoming cybersecurity managers, according to Noah Praetz, director of elections in Cook County, Ill. He warned that $380 million in recent federal assistance to the 50 states “is not nearly enough to do a technology refresh” to update all of the antiquated elections systems across the country, but it has helped put state cyber experts “on the street” in five counties across Illinois. “It’s kind of like Andy in Mayberry being sent to deal with a foreign invasion,” he joked. DHS official Jeanette Manfra, speaking at a recent cyber conference, said the department is collaborating with states to shield voter registration from manipulation, ensuring the machines that tally votes are secure, and helping ensure that “unofficial tallies” released before the final election results aren’t altered to sow confusion and discord.
National: State Department unit created to fight foreign election interference still waiting on funding: report | The Hill
A State Department unit established to blunt election interference efforts by foreign countries has still not received funding that was allocated for the project two years ago, HuffPost reported. The news outlet reported that the Defense Department agreed to provide $40 million in funding to the Global Engagement Center earlier this year following complaints from lawmakers. However, the money still had not arrived as of last week, and a Senate aide told HuffPost that the amount had since been cut in half to $20 million. A State Department official told the news outlet that the Global Engagement Center would “be fine” even with the reduced amount of funding. The official said the center is waiting on another $20 million through the State Department’s budget.
For a while there, the Senate’s flagship bill to help states improve election security appeared to be gaining steam. Lawmakers from both sides of the aisle signed onto it. And an unlikely coalition of former national security officials, technologists and public policy groups urged lawmakers to pass the legislation. But the Secure Elections Act stalled last week after the Senate Rules Committee canceled a key vote on the legislation at the last minute — and now its future is uncertain. Some Republicans who seemed poised to support the bill balked after the White House raised concerns about giving the federal government too much authority in election administration, while state officials objected to some of its requirements. Election security experts, meanwhile, worry the legislation is getting too watered down. The delay highlights the tension at the core of the debate over how to best secure the country’s elections as officials warn about Russia’s ongoing campaign to disrupt U.S. politics. And the lack of progress in Congress underscores how difficult it is for lawmakers to balance competing concerns from state election administrators to national security officials to voting integrity groups.
Nearly a year after Russian government hackers meddled in the 2016 U.S. election, researchers at cybersecurity firm Trend Micro zeroed in on a new sign of trouble: a group of suspect websites. The sites mimicked a portal used by U.S. senators and their staffs, with easy-to-miss discrepancies. Emails to Senate users urged them to reset their passwords — an apparent attempt to steal them. Once again, hackers on the outside of the American political system were probing for a way in. “Their attack methods continue to take advantage of human nature and when you get into an election cycle the targets are very public,” said Mark Nunnikhoven, vice president of cloud research at Trend Micro. Now the U.S. has entered a new election cycle. And the attempt to infiltrate the Senate network, linked to hackers aligned with Russia and brought to public attention in July, is a reminder of the risks, and the difficulty of assessing them.
National: Election Hacking: Security Upgrades Are Too Little, Too Late for 2018 Midterms, and Race is Already on for 2020, Experts Say | Newsweek
Election experts, cybersecurity experts and those who are overseeing the upcoming midterms have one thing to say about stopping Russian interference in American elections: Forget 2018. It’s too late. Focus on 2020. Before President Donald Trump had even been sworn into office, intelligence agencies revealed that cyberattacks spanning across 21 states had been conducted under the direct order of Russian President Vladimir Putin. The FBI, CIA and National Security Agency’s report concluded that “Russia’s goals were to undermine public faith in the U.S. democratic process, denigrate Secretary Clinton and harm her electability and potential presidency. We further assess Putin and the Russian Government developed a clear preference for President-elect Trump.” Despite this, lawmakers and federal officials took months, sometimes longer, to take action, with the result that most federal assistance arrived too late to protect the midterm elections.
National: White House agrees to destroy documents collected by Kobach-led commission | Lawrence Journal-World
A public interest watchdog group said Thursday that the Trump administration has complied with an agreement to destroy sensitive voter registration information that was collected by a now-defunct advisory commission on which Kansas Secretary of State Kris Kobach served as vice chair. The action came in response to two lawsuits, both of which have now been dismissed, in which separate groups sought to block the Presidential Advisory Commission on Election Integrity from obtaining or keeping those records. “President Trump’s now-disbanded voter fraud Commission was flawed from the start,” Paul Seamus Ryan, vice president for policy and litigation at the Washington-based group Common Cause, said in a statement. “Common Cause and its 1.2 million members celebrate the end of this litigation and the destruction of the commission’s illegally collected voter data.” Common Cause was the lead plaintiff in one of the lawsuits. The other suit was led by the Electronic Privacy Information Center, or EPIC, which agreed to dismiss its suit last week.
For decades, the Computer Fraud and Abuse Act served as the U.S. government’s most powerful tool to prosecute hackers. Over the years, virtually every high-profile cybercrime case in which federal prosecutors brought forth charges – from Aaron Swartz and Marcus Hutchins to Russian and Iranian-backed hacking groups – has used the CFAA as its cornerstone statute. As the U.S. heads into the 2018 mid-term elections, the government is facing intense political pressure to harden the security around election systems, while the Trump administration has also come under fire for not doing enough to draw bright lines around election infrastructure and signal to foreign nations that interference will come with great consequences.
National: Justice Department Warns It Might Not Be Able to Prosecute Voting Machine Hackers | Motherboard
After more than a decade of headlines about the vulnerability of US voting machines to hacking, it turns out the federal government says it may not be able to prosecute election hacking under the federal law that currently governs computer intrusions. Per a Justice Department report issued in July from the Attorney General’s Cyber Digital Task Force, electronic voting machines may not qualify as “protected computers” under the Computer Fraud and Abuse Act, the 1986 law that prohibits unauthorized access to protected computers and networks or access that exceeds authorization (such as an insider breach). The report says the law generally only prohibits hacking computers “that are connected to the Internet (or that meet other narrow criteria for protection)” and notes that voting machines generally do not meet these criteria “as they are typically kept off the Internet.” Consequently, “should hacking of a voting machine occur, the government would not, in many conceivable circumstances, be able to use the CFAA to prosecute the hackers.”
When the Department of Homeland Security announced the formation of a new National Risk Management Center in July to handle cybersecurity threats and engage with the private sector, some wondered how the center’s mission would overlap or conflict with another DHS organ, the National Cybersecurity and Communications Integration Center. Matthew Travis, deputy undersecretary of the National Protections and Programs Directorate, elaborated further on how DHS views the differing missions of the NCCIC and the NRMC while giving a speech at an Aug. 28 conference in Washington D.C. The NCCIC, Travis said, will still serve as a threat and information sharing hub designed to react to problems and facilitate cooperation with state, local, private and critical infrastructure sectors in the face of immediate threats, like the ransomware attack that hit Atlanta earlier this year or the 2017 WannaCry attacks. The center will continue its role sharing threat indicators, conducting trainings, providing malware analysis for specific incidents and sending out technical advisories about emerging threats.
The 2016 campaign was a nightmare for Democrats. So Democratic National Committee Chief Technology Officer Raffi Krikorian was brought in to the DNC in 2017 to make sure embarrassing breaches — and the subsequent leak of internal communications — weren’t repeated. But with fewer than 70 days to go until the midterm elections, there’s still a lot of room for improvement, he acknowledged, both inside and outside the organization. “We all still have work to do. And we’re not getting the support that I think we need from … governmental agencies,” Krikorian said. “This is the thing that keeps me up at night.”
National: The Only Election Security Bill That Matters Picks Up Two New Senate Co-sponsors | Gizmodo
Democrats are pushing forward with a bill that, unlike competing legislation, would actually require the use of paper ballots and comprehensive audits in all federal elections. Today, Senators Bernie Sanders of Vermont and Kamala Harris of California added their names to a list of co-sponsors of the Protecting American Votes and Elections Act, joining nine others, including Oregon Sen. Ron Wyden, the bill’s author. The PAVE Act is the only legislation currently proposed that would require nationwide use of so-called “risk-limiting” audits to protect election results from tampering by hackers, from computer glitches and other voting system errors. Moreover, it is the only bill to mandate the use by all states of paper trail printers to verify machine-count outcomes.
National: Lawmakers dismiss ES&S’s claim that spies benefit from election hacking demos | The Washington Post
The nation’s leading voting equipment vendor made the bombastic claim that foreign spies may be infiltrating events where ethical hackers test vulnerabilities in voting machines — such as the Def Con hacking conference that took place this month in Las Vegas — to glean intelligence on how to hack an election. “[F]orums open to anonymous hackers must be viewed with caution, as they may be a green light for foreign intelligence operatives who attend for purposes of corporate and international espionage,” Election Systems and Software wrote in a letter made public Monday to a bipartisan group of lawmakers on the Senate Intelligence Committee. ES&S was responding to a bipartisan group of lawmakers on the Senate Intelligence Committee who inquired about the security of the company’s machines after researchers at Def Con discovered new vulnerabilities in voting equipment made by ES&S and other vendors. Yet the company’s response took issue with the idea of testing by independent hackers in the first place: “We believe that exposing technology in these kinds of environments makes hacking elections easier, not harder, and we suspect that our adversaries are paying very close attention.”
More than a decade before anyone worried about Russian bots, there were chads. The hanging chad was the most famous chad of all. But there was also the pregnant chad, the fat chad, the dimpled chad and the tri-chad. These were all minute variations on a scrap of paper a fraction of an inch in diameter, the vestige of a voting ballot not quite fully punched through. Hanging chads that could not be counted led George W. Bush to beat Al Gore in Florida in the 2000 election by 537 votes and become president. The hanging chad became the central image of that election, and of the Supreme Court case that decided it. Scenes of Florida election officials studying indentations on sheets of paper suggested a ridiculously outmoded system. Two years later, Congress passed the Help America Vote Act, or HAVA, which was designed to provide funds for states “to replace punch card voting systems” and to “establish minimum election administration standards” for the nation’s 10,000 voting jurisdictions.
U.S. Sen. James Lankford says election security legislation he has touted for months is not dead, despite delays by a Senate committee and mixed messages from the White House. The Secure Elections Act, which was introduced by the Oklahoma City Republican late last year, appeared to be headed for passage this fall. It has attracted a bipartisan following as intelligence officials continue to warn of Russian attempts to hack America’s elections. But last week, the Senate Rules Committee abruptly pulled the bill from consideration and a White House spokesperson suggested it was unnecessary because the Department of Homeland Security already “has all the statutory authority it needs to assist state and local officials” as they seek to ensure their elections are secure.
While a proposed measure that would have given state officials more tools to help secure elections has bogged down in the Senate, four members of that body’s Intelligence Committee are pressuring a major manufacturer of electronic voting machines to allow independent tests of their products by election agencies and to work with researchers to assess the security of the machines. In a letter sent to the president and CEO of Election Systems & Software, a maker of voting machines used in many states, a bipartisan group of senators expressed concerns about the company’s reaction to the Voting Village hacking contest at the DEF CON security conference earlier this month. The Voting Village gave participants the opportunity to get their hands on various electronic voting machines, look for vulnerabilities, and see whether they could find ways around the defenses on the machines. Before DEF CON, ES&S officials sent a FAQ to customers, informing them of the contest and somewhat downplaying any negative results that might come from it.
Sen. Patrick J. Toomey is the latest U.S. politician to announce his campaign was the target of an attempt to hack into its emails. Google notified Toomey’s office that “hackers from a nation state may have attempted to infiltrate specific email accounts associated with his campaign apparatus” through a phishing scam, Steve Kelly, a spokesman for the Pennsylvania Republican, said in a statement. “This underscores the cybersecurity threats our government, campaigns, and elections are currently facing,” Kelly said. “It is essential that Congress impose tough penalties on any entity that undermines our institutions.” The attacks were not successful. Toomey’s Senate office has not been the target of similar hacking attempts.
Despite warnings about possible cyberattacks aimed at undermining midterm election security, new research reveals an overwhelming number of evaluated state, territory and District of Columbia election offices as highly vulnerable to email spoofing. Released today, the “Email Spoofing Threat to the 2018 U.S. Midterm Elections” report by Anomali Labs, the R&D arm of threat intelligence company Anomali, explores the strength of email security programs for election-related infrastructure. And of the 90 state, territory and District of Columbia election offices Anomali Labs assessed, 96 percent are “highly susceptible” to email spoofing attacks. The report found a low adoption rate of strong email authentication and email security standards among the majority of state-level election offices and their online voter registration sites. Adoption overall is inconsistent across the board. Being spoofable means threat actors could falsify the sender’s origins to appear as if the fraudulent email came from a legitimate government organization, according to the report. This type of threat is “100 percent real, and as far as urgency, given that phishing is the No. 1 attack vector, not just against election officials but also in industry in general, I think it’s very, very high,” said Roberto Sanchez, Anomali director of threat and sharing analysis and the lead researcher for the election security report.
John McCain devoted much of his career in the Senate to controlling the influence of money in public life — in part to try to recover from his own role in a big congressional influence scandal. McCain, who died Saturday of brain cancer, made money and influence big themes of his first presidential race. “Y’know, there’s a little game they got in Washington,” he told a crowd in New Hampshire in 1999. “And that is: Look at the tax bill when it comes out, to figure out who’s getting the benefit — because of the very complex and convoluted way that they write the tax laws. And it’s a disgrace.” Although McCain, an Arizona Republican, lost the Republican nomination to George W. Bush, his warnings that money was corrupting politics reverberated in many state primaries, amplifying his message and propelling him toward an unexpected legislative triumph in the Senate that helped define his career. … McCain, who served more than 30 years in the Senate, began as an unlikely crusader.
National: Facebook and Microsoft briefed state officials on election security efforts today | TechCrunch
So much for summer Fridays. Yesterday, BuzzFeed reported that a dozen tech companies, including Facebook, Google, Microsoft and Snapchat, would meet at Twitter headquarters on Friday to discuss election security. For two of them, that wasn’t the only meeting in the books. In what appears to be a separate event on Friday, Facebook and Microsoft also met with the Department of Homeland Security, the FBI and two bodies of state election officials, the National Association of State Election Directors (NASED) and the National Association of Secretaries of State (NASS), about their election security efforts.
Democratic Party officials, after a yearslong battle between warring ideological wings, have agreed to sharply reduce the influence of the top political insiders known as superdelegates in the presidential nomination process. Under the new plan, which was agreed to on Saturday afternoon in Chicago at the Democratic National Committee’s annual summer meetings, superdelegates retain their power to back any candidate regardless of how the public votes. They will now be largely barred, however, from participating in the first ballot of the presidential nominating process at the party’s convention — drastically diluting their power. Superdelegates will be able to cast substantive votes only in extraordinary cases like contested conventions, in which the nomination process is extended through multiple ballots until one candidate prevails. “After you lose an election, you have to look in the mirror,” said Howard Dean, former chairman of the Democratic National Committee. Mr. Dean had recorded a video message to committee members urging them to back the proposed changes.
Melting in South Florida’s humidity, a young congressional campaign manager let his nerves show. Sitting across from a pair of visitors on a café patio, he widened his eyes when they asked if there were any tool he wished he had to help protect his campaign from cyber attacks. “I have no idea! I don’t even know what that would be, to be honest.” Weeks away from Election Day, the operative’s fear is increasingly common — practically unavoidable in 2018, in fact. Midterm campaigns are entering the fall more anxious than ever about looming threats of email phishing, text hacking, and countless other ominous possibilities that could derail their hopes with the touch of a Muscovite button. And it’s becoming increasingly clear to many that they may just not be ready for what’s coming — or what’s already occurred.
President Donald Trump is objecting to the Senate’s effort to help improve election security, citing concerns about imposing federal burdens on state and local governments. The Rules and Administration Committee abruptly scrapped a Wednesday markup of bipartisan election security legislation, and there were rumors that the White House might have been at least in part behind the delay. Some Republican members of the committee were against the bill, including former Chairman Richard C. Shelby, R-Ala. … The White House is asking the Senate, “Do not violate the principles of Federalism — Elections are the responsibility of the states and local governments,” according to the Walters statement. “We cannot support legislation with inappropriate mandates or that moves power or funding from the states to Washington for the planning and operation of elections.”
A bill that would have significantly bolstered the nation’s defenses against electoral interference has been held up in the Senate at the behest of the White House, which opposed the proposed legislation, according to congressional sources. The Secure Elections Act, introduced by Sen. James Lankford, R-Okla., in December 2017, had co-sponsorship from two of the Senate’s most prominent liberals, Kamala Harris, D-Calif., and Amy Klobuchar, D-Minn., as well as from conservative stalwart Lindsey Graham, R-S.C., and consummate centrist Susan Collins, R-Me. Sen. Roy Blunt, R-Mo., was set to conduct a markup of the bill on Wednesday morning in the Senate Rules Committee, which he chairs. The bill had widespread support, including from some of the committee’s Republican members, and was expected to come to a full Senate vote in October. But then the chairman’s mark, as the critical step is known, was canceled, and no explanation was given.
The Senate Rules Committee’s last-minute decision Wednesday to postpone a markup of the Secure Elections Act (S. 2593) was a significant setback for a bill that had been considered a bipartisan bright spot in a bitterly divided Congress. “For everyone else who delayed this action today, I hope that you will listen to the clarion cry of our intelligence community and continue to work with us and reschedule the markup and pass the bill into law,” Sen. Amy Klobuchar, the ranking member on the Rules Committee and the bill’s chief Democratic co-sponsor, said in a statement. Rules announced the delay hours before DHS Secretary Kirstjen Nielsen urged states to have a “verifiable and auditable ballot,” though she deferred on the question of whether paper was essential, saying, “I don’t know that we’re interested in mandating how.”
Earlier this month, Bianca Lewis, who is eleven years old, was wearing a T-shirt printed with the words “No time for Barbie, there’s hacking to be done” and sitting in front of a computer at the annual Def Con hacking conference, in Las Vegas, meddling with a replica of the Florida Secretary of State’s election Web site. She’d already surreptitiously entered the site’s database through what is known as an SQL injection. “First, you open the site,” she explained, “then you type a few lines of code into the search bar, and you can delete things and change votes. I deleted Trump. I deleted every single vote for him.” Lewis was visiting an event at the conference run by R00tz Asylum, a nonprofit that teaches hacking to kids, where organizers had replicated thirteen Secretary of State Web sites and invited kids to hack them. The day the conference began, as programmers were finishing coding the sites, the National Association of Secretaries of State issued a press release complaining that Def Con “utilizes a pseudo environment which in no way replicates state election systems, networks, or physical security.” That was true enough—these sites were only look-alikes—but they were constructed from data scraped from the actual state sites, and contained known vulnerabilities that had been exploited by hackers in the past. One of the organizers, Jake Braun, rolled his eyes when I asked him about the association’s letter. “It’s totally tone-deaf,” he said. “A nation-state is literally hacking our democracy—wouldn’t you want to take any help you could possibly get? If they don’t think that the Russians are not doing what we’re doing here all year, as opposed to just a weekend, then they are fucking idiots, right?”