Earlier this month, Bianca Lewis, who is eleven years old, was wearing a T-shirt printed with the words “No time for Barbie, there’s hacking to be done” and sitting in front of a computer at the annual Def Con hacking conference, in Las Vegas, meddling with a replica of the Florida Secretary of State’s election Web site. She’d already surreptitiously entered the site’s database through what is known as an SQL injection. “First, you open the site,” she explained, “then you type a few lines of code into the search bar, and you can delete things and change votes. I deleted Trump. I deleted every single vote for him.” Lewis was visiting an event at the conference run by R00tz Asylum, a nonprofit that teaches hacking to kids, where organizers had replicated thirteen Secretary of State Web sites and invited kids to hack them. The day the conference began, as programmers were finishing coding the sites, the National Association of Secretaries of State issued a press release complaining that Def Con “utilizes a pseudo environment which in no way replicates state election systems, networks, or physical security.” That was true enough—these sites were only look-alikes—but they were constructed from data scraped from the actual state sites, and contained known vulnerabilities that had been exploited by hackers in the past. One of the organizers, Jake Braun, rolled his eyes when I asked him about the association’s letter. “It’s totally tone-deaf,” he said. “A nation-state is literally hacking our democracy—wouldn’t you want to take any help you could possibly get? If they don’t think that the Russians are not doing what we’re doing here all year, as opposed to just a weekend, then they are fucking idiots, right?”
Former Facebook security chief Alex Stamos has issued a sobering warning about the continuing threat of foreign interference in US elections, saying it’s “too late to protect the 2018 elections.” But he believes the 2020 election can still be saved. Stamos, who departed Facebook for Stanford University earlier this month, is well acquainted with the subject, having played a central role in Facebook’s response to interference by Russian trolls in the 2016 US presidential election that took place on the social media giant. In a blog post published Wednesday on Lawfare, Stamos seizes on two pieces of news he says proves that “America’s adversaries believe that it is still both safe and effective to attack U.S. democracy using American technologies and the freedoms we cherish.”
A major election systems vendor on Thursday announced steps to boost the security of its products, just one day after lawmakers raised concerns that the company is not doing enough to safeguard itself from hackers. Election Systems and Software (ES&S), which is the third largest election system vendor in the U.S., announced it will work more closely with the Department of Homeland Security (DHS) and Information Sharing and Analysis Centers (ISAC) in an effort to increase security of its systems ahead of the 2018 midterm elections. The company in a press release said it has formed “new partnerships with multiple DHS offices that include its key cyber office known as the National Protection and Programs Directorate (NPPD) as well as the National Cybersecurity Assessment and Technical Services (NCATS).
A Senate committee on Wednesday abruptly postponed the planned markup of a key election security bill that had bipartisan support and would have imposed new audit requirements on states. The markup of the Secure Elections Act, authored by Oklahoma Republican James Lankford and Minnesota Democrat Amy Klobuchar, is “postponed until further notice,” the Senate Rules and Administration Committee said on its website. The bill had the backing of several GOP lawmakers, including Richard M. Burr of North Carolina, Susan Collins of Maine and Lindsey Graham of South Carolina, as well as Democrats such as Mark Warner of Virginia, Kamala Harris of California and Martin Heinrich of New Mexico. But a senior Republican lawmaker, Sen. Richard C. Shelby, objected to the bill’s provisions expanding the federal role in elections.
National: Senate Intelligence Committee members raise concerns about voting system vulnerabilities | The Hill
A bipartisan group of lawmakers on the Senate Intelligence Committee raised concerns Wednesday about the election voting systems provided by one of the largest vendors in the United States, questioning whether the company is doing enough to safeguard itself from hackers. Four committee members wrote in a letter they were disappointed that Election Systems & Software (ES&S) has not agreed to undergo independent testing to determine the security level of its systems. The letter comes after an annual hacking conference earlier this month appeared to reveal security vulnerabilities in ES&S voting systems. “We are concerned that ES&S and other election system providers may not be prepared for the growing threats to our elections,” Senate Intelligence Committee Vice Chairman Mark Warner (D-Va.) and Sens. Susan Collins (R-Maine), James Lankford (R-Okla.), and Kamala Harris (D-Calif.) wrote in a letter to the company.
National: DHS chief calls on officials in all 50 states to have ‘verifiable’ ballots by 2020 election | The Hill
Homeland Security Secretary Kirstjen Nielsen on Wednesday called on election officials in all 50 states to ensure that ballots used during the 2020 presidential election are able to be audited. Nielsen told a group of reporters touring the Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) in Arlington, Va., that she wants “all state and local election officials to make certain that by the 2020 presidential election, every American votes on a verifiable and auditable ballot.” “Our systems must be resilient. We must be able to demonstrate that the votes count and that they are counted correctly,” she added.
No matter which side of the political divide one falls on, everyone agrees that the security and integrity of elections are critical. Throughout history, foreign adversaries have attempted to influence election outcomes to their benefit and, in 2016, the efforts escalated to cyberattacks. For this reason, the security of US elections and election infrastructure remains a top national concern, and in early 2017, the government designated the election system as one of our critical infrastructures. With the number of cyberattacks growing every day, improving cybersecurity will be a mandatory component in preserving our political process. The US Department of Homeland Security (DHS) confirmed that at least 21 states have had their networks scanned by Russian adversaries. Scanning is the cyber equivalent of checking for holes in a fence, an unlocked door, or an open window. There are also confirmed reports of a few specific intrusions into government-owned voter registration databases.
The Democratic National Committee said Wednesday that it was alerted to an attempted hack of its voter database this week and that it had notified law enforcement. The effort to target the Democratic Party’s voter file, known as Votebuilder, was not successful, and a party official said the identities of the culprits were unclear. When the Democratic National Committee was hacked in 2016 during the presidential campaign, the incident was traced to Russia. This week’s attempt was aggressive, two officials briefed on it said. The hackers set up a fake page that mimicked the party’s login page for its voter-registration website, a tactic that could gather names, passwords and other credentials of those using the voter database. The hackers also may have sent emails to people within the national committee to try to trick them into using the fake page, a tactic known as “spearphishing,” the officials said. The Federal Bureau of Investigation is looking into the incident, one of the officials said.
National: Officials fear voter registries vulnerable to hackers, could lead to problems on Election Day | Associated Press
A top Department of Homeland Security official said on Tuesday that while it would be difficult for hackers to meaningfully change vote totals in the upcoming elections, they could attack more vulnerable voter registration files, which an expert said could sow “chaos” on Election Day. “Our assessment is that it would be exceedingly complex to change vote totals, and that in trying to attempt to do so [it’s] likely that something would be noticed,” DHS’s National Risk Management Center Director Robert Kolasky said in a Senate hearing. “Voter registration files we’ve assessed as more of a vulnerability than the actual vote count process.”
State election officials plan to spend about two thirds of election security money allocated by Congress earlier this year on new voting equipment and cybersecurity efforts, though not all the improvements will be completed before the November elections. New data gathered by the federal agency that distributes the funds detail how states plan to spend $380 million appropriated by Congress in March to upgrade election security. States plan to spend roughly $134.2 million on cybersecurity upgrades over five years, and $102.6 million on voting equipment, according to the data released by the U.S. Election Assistance Commission. States plan to spend the rest of the federal funding on measures that include upgrading voter-registration databases, bolstering postelection auditing and communications capabilities.
National: Tech giants open up about election cyberthreats as specter of regulation looms | The Washington Post
Tech companies are taking a more transparent approach than usual in disclosing cyberthreats against their platforms — especially when it comes to election interference. One high-profile example came this week when Microsoft announced that Russian hackers tried to use the company’s domains to launch phishing attacks on U.S. political institutions. The company also revealed recently that hackers had used similar means to target 2018 congressional candidates. And just last month, Facebook said that it had uncovered a sophisticated political disinformation campaign involving nearly two dozen fraudulent pages and profiles. The disclosures are not just limited to U.S. election threats. Late Tuesday, Facebook announced that it had identified new social media influence campaigns — one backed by the Iranian government, another linked to Russian military intelligence — and removed hundreds of fraudulent accounts that it said were designed to manipulate users in other countries around the globe.
A battle between U.S. President Donald Trump and Democrats over federal funding to help secure November’s U.S. elections stymied legislation in Congress on Wednesday, at least for now, that is aimed at thwarting Russian meddling by strengthening states’ voting procedures. The Senate Rules Committee unexpectedly canceled a work session that was intended to advance the Secure Elections Act. That is a bipartisan bill requiring greater coordination between the U.S. Department of Homeland Security and a range of other federal and state election agencies as well as making it easier to audit voting results in the 50 states. The fight pits Democrats and some state officials against the Trump administration and Republicans who oppose additional money flowing from Washington to the states to shore up elections.
As the Secure Elections Act barrels towards a crucial markup in the Senate, two of its original cosponsors expressed divergent views on whether the bill must mandate hand counted post-election audits. The latest version of the bill released by Senate Rules Committee chair Roy Blunt (R-Mo.) would, like its predecessors, mandate that every state conduct a post-election audit to verify the results. However, Blunt’s version would allow states to conduct those audits by hand as well as through electronic means. Previous versions of the bill specified that audits be inspected “by hand and not by device.” During a hearing on cybersecurity, Sen. Amy Klobuchar (D-Minn.), one of the original co-sponsors of the bill, pressed her colleagues to fight to reinsert the language. “I would love to see that risk-limiting audit requirement across the country,” said Klobuchar. “What we have right now in the bill is a requirement that simply audits be required and they have to report back to us. We have backup paper ballots in 14 states now, nine as you know have partial [paper backups], five don’t have any at all…. I don’t know how you could prove what happened in an election if there was a hacking.”
Racing to shore up their election systems before November, states are using millions of dollars from the federal government to tighten cybersecurity, safeguard their voter registration rolls and improve communication between county and state election officers. The U.S. Election Assistance Commission released a report Tuesday showing how states plan to spend $380 million allocated by Congress last spring to strengthen voting systems amid ongoing threats from Russia and others. All but a fraction of the money has already been sent to the states, the District of Columbia and U.S. territories. The largest chunk — roughly 36 percent — is being spent to improve cybersecurity in 41 states and territories. More than a quarter of the money will be used to replace voting equipment in 33 states and territories, although the bulk of this is unlikely to happen until after the Nov. 6 midterm elections.
National: Majority of election security grants going toward cybersecurity, equipment upgrades | CyberScoop
About a third of federal funding meant to improve election technology will be spent on cybersecurity-related improvements, while another third will be used to upgrade old equipment, according to plans released Tuesday by states and the U.S. Election Assistance Commission. In March, Congress appropriated $380 million for states to use for upgrades to election infrastructure, under the Help America Vote Act. It’s the first time the federal government distributes HAVA funding since 2010. “The 380 [million] is something new in terms of additional funding, but it’s in that same realm of ensuring that our voting process remain secure and that vote of confidence remains high,” Tom Hicks, chairman of the EAC, told CyberScoop.
The Russians can’t hack paper. On Tuesday, nine Senators introduced a bill that would require state and local governments to use paper ballots in an effort to secure elections from hackers. The bill would also require rigorous audits for all federal elections to ensure that results match the votes. “Leaving the fate of America’s democracy up to hackable election machines is like leaving your front door open, unlocked and putting up a sign that says ‘out of town,’” Sen. Ron Wyden, a Democrat from Oregon, said. “Any failure to secure our elections amounts to disenfranchising American voters.”
Democrats are getting ready for a major fight this fall over access to the polls, which the party believes could be a critical issue toward determining congressional majorities in the midterm elections. Sen. Chris Van Hollen (D-Md.), the chairman of the Senate Democrats’ campaign arm, pointed out recent efforts to limit turnout by likely Democratic voters in Texas, Ohio and Indiana — three Senate battlegrounds. “A number of states have already acted. Texas put in place a set of additional restrictions,” Van Hollen said in an interview on C-SPAN’s “Newsmakers.” Hilary Shelton, the director of the Washington bureau of the NAACP, a nonpartisan group, said voting rights are under greater threat in 2018 compared to recent elections because of Attorney General Jeff Sessions.
At the world’s largest hacking conference, there was good news and bad news for fans of free and fair elections. The good news is that hacking the US midterms – actually changing the recorded votes to steal the election for a particular candidate – may be harder than it seems, and most of the political actors who could pose a threat to the validity of an election are hesitant to escalate their attacks that far. The bad news is that it doesn’t really matter. While the actual risk of a hacker seizing thousands of voting machines and altering their records may be remote, the risk of a hacker casting the validity of an election into question through one of any number of other entry points is huge, and the actual difficulty of such an attack is child’s play. Literally.
The Election Assistance Commission, the government agency charged with distributing federal funds to support elections, released a report Tuesday detailing how each state plans to spend a total of $380 million in grants allocated to improve and secure their election systems. But even as intelligence officials warn of foreign interference in the midterm election, much…
In 2016, Russia attacked the United States. Not with bombs or guns, but with a sophisticated well-funded cyberattack and information warfare directed by President Vladimir Putin designed to undermine the values we hold most dear. Russian entities launched cyberattacks against at least 21 states and attacked U.S. voting system software companies. Every top U.S. intelligence official has warned us, including Director of National Intelligence Dan Coats, who recently described our digital election infrastructure as “literally under attack,” and sounded the alarm that “the warning lights are blinking red again.” Far from being chastened by these reports, our foreign adversaries have only become emboldened. Microsoft has already detected phishing attacks targeting at least three midterm campaigns this year.
The version of the Senate’s major election security bill that the Rules Committee marks up this week will not require states to conduct post-election audits using paper records, a major blow to election integrity advocates who are now sharply criticizing the bill. The chairman’s mark of the Secure Elections Act, S. 2593 (115), “would allow for and validate audits of electronic ballot images, which are just plain worthless as a safeguard against cyberattacks,” Susan Greenhalgh, policy director at the National Election Defense Coalition, told MC. Voting system vendors, which encourage local election officials to buy electronic systems, tout the supposed auditability of their digital ballots, despite cybersecurity experts nearly unanimously warning against electronic audits. “This sort of audit would be very appealing to election officials,” Greenhalgh said of the weakened provision, “as it would eliminate the need for extensive ballot manifests and tracking of paper ballots.”
Microsoft says it has uncovered new Russian hacking attempts targeting US political groups before the midterm elections. The company said a group linked to the Russian government created fake internet domains that appeared to spoof two US conservative organisations: the Hudson Institute and the International Republican Institute. Three other fake domains were designed to look as if they belonged to the Senate. Microsoft did not offer any further description of the fake sites. The revelation came just weeks after a similar Microsoft discovery led the senator Claire McCaskill, a Missouri Democrat who is running for re-election, to reveal that Russian hackers tried unsuccessfully to infiltrate her Senate computer network.
A growing number of states are installing a cyber-intrusion sensor system supplied by the Department of Homeland Security in response to fears that election systems may be hacked by foreign adversaries during the 2018 midterm elections and beyond. To date, 36 states have installed the intrusion detection sensors, known as “Albert,” according to a DHS official. The monitoring system was developed by the Center for Internet Security, a nonprofit organization that is working with DHS on election security and coordination. Rather than block cyber threats outright, Albert alerts officials to potentially malign activity to be investigated by experts. In those states, 74 sensors in 38 counties have been installed so far, according to the official, up from 14 before the 2016 presidential election. The new numbers were first reported by Reuters.
With all the concern over cybersecurity heading into the midterm elections, it’s actually quite difficult for outsiders to directly manipulate votes. Unlike corporate networks and email systems, voting machines aren’t connected to the internet, making them hard to access. So as government officials prepare for the hotly contested congressional elections in November, their focus is more on protecting the integrity of the systems that support the pre- and post-voting periods than on the ballots themselves. “This is about more than just voting machines,” Jeanette Manfra, the top cybersecurity official at the Department of Homeland Security, told CNBC in an interview on Wednesday. “If an [attacker] was intent on sowing discord, how could they do that? It involves us looking at the broad elections administration process.”
While most of the discussion around election security tends to focus on protecting the 2018 fall elections, much of the federal guidance and legislative proposals currently under consideration would likely have limited impact this year. Two bills in Congress – The Secure Elections Act and the PAVE Act – would implement a number of best-practice policies around cybersecurity and vote tabulation that are endorsed by most experts. Yet some of the most impactful provisions from those bills, such as grant funding to replace obsolete or out-of-support voting machines or require states to use paper ballots, would take years to implement before states realized results.
With the U.S. heading into a pivotal midterm election, little progress has been made on ensuring the integrity of voting systems—a concern that retook the spotlight when the 2016 presidential election ushered Donald Trump into the White House amid allegations of foreign interference. A raft of start-ups has been hawking what they see as a revolutionary solution: repurposing blockchains, best known as the digital transaction ledgers for cryptocurrencies like Bitcoin, to record votes. Backers say these internet-based systems would increase voter access to elections while improving tamper-resistance and public auditability. But experts in both cybersecurity and voting see blockchains as needlessly complicated, and no more secure than other online ballots. Existing voting systems do leave plenty of room for suspicion: Voter impersonation is theoretically possible (although investigations have repeatedly found negligible rates for this in the U.S.); mail-in votes can be altered or stolen; election officials might count inaccurately; and nearly every electronic voting machine has proved hackable. Not surprisingly, a Gallup poll published prior to the 2016 election found a third of Americans doubted votes would be tallied properly.
A majority of U.S. states has adopted technology that allows the federal government to see inside state computer systems managing voter data or voting devices in order to root out hackers. Two years after Russian hackers breached voter registration databases in Illinois and Arizona, most states have begun using the government-approved equipment, according to three sources with knowledge of the deployment. Voter registration databases are used to verify the identity of voters when they visit polling stations. The rapid adoption of the so-called Albert sensors, a $5,000 piece of hardware developed by the Center for Internet Security (www.cisecurity.org), illustrates the broad concern shared by state government officials ahead of the 2018 midterm elections, government cybersecurity experts told Reuters.
In March, Hawaii Democrat Rep. Tulsi Gabbard introduced the Securing America’s Elections Act to require the use of paper ballots as backup in case of alleged election hacking. Now voting advocates are suing Georgia to do the same thing. Some voting systems are so easy to hack a child can do it. Eleven-year-old Emmett Brewer hacked into a simulation of Florida’s state voting website in less than 10 minutes at the DefCon hacking conference last week in Las Vegas, according to Time. Of the approximately 50 children age 8 to 17 who took part in the Election Voting Hacking Village at DefCon, 30 were able to hack into imitation election websites within three hours, Time reported. The kids were able to rewrite vote tallies so that they totaled as much as 12 billion, and change the names of parties and candidates, according to the Guardian.
In November 2012, former North Dakota attorney general Heidi Heitkamp, a Democrat, won a hotly-contested race for a seat in the U.S. Senate, a win attributed to the state’s Native American voters. Shortly after that, lawmakers in the majority Republican state passed a tough voter-ID law, making it a lot harder for tribe members to vote. The nonprofit Native American Rights Fund (NARF) sees the new law as racially motivated and has taken North Dakota to court. This year, NARF conducted field hearings across Indian Country to hear testimony on voter suppression in other states. “And what we heard was really disturbing,” said NARF attorney Jacqueline D. De León, a member of the Isleta Pueblo in New Mexico.
U.S. state election officials are demanding better access to sometimes classified federal government information about hacking threats to voting systems. With less than three months until the November midterm elections, 44 states, the District of Columbia, and numerous counties on Wednesday participated in a simulation that tested the ability of state and federal officials to work together to stop data breaches, disinformation and other voting-related security issues. They did not simulate a cyber attack, but rather played out various scenarios to learn how to react if there were one. The Department of Homeland Security, Office of the Director of National Intelligence, U.S. Cyber Command, Justice Department and the FBI participated.