The last three weeks have revealed how reliant political campaigns have become on people’s data. Almost 90 million Facebook users from Los Angeles to London may have had their online information illegally collected by Cambridge Analytica as part of its work for Donald Trump’s 2016 presidential campaign. Mark Zuckerberg, the social networking giant’s chief executive, will testify to U.S. lawmakers this week over claims that the tech giant played fast and loose in its protection of people’s online privacy. Both companies deny any wrongdoing. It’s legitimate to point the finger at the world’s largest social network and a data analytics firm with somewhat shady political connections. But there’s one sizeable piece of the puzzle that’s missing from the world’s newfound fixation on digital privacy: voters themselves.
Texas counties have doled out millions of dollars in recent months to replace thousands of old touch-screen voting machines that lack a paper record – a weakness security experts warn could allow Russians or other hackers to rig U.S. elections without detection. The problem is, many of the new machines have the same vulnerability. So do similar machines in more than a dozen states across the country. Vicki Shelly, the election administrator in San Jacinto County, Tex., north of Houston, said she received no alert from Washington or state officials before the county spent $383,000 on its new paperless touch-screen voting system made by Hart InterCivic. “Whoever’s doing all the research, it seems like we should have been in on it a little sooner,” said Shelly, one of hundreds of election officials that make up the first line of defense against attempts to tamper with U.S. election results. “Honestly, it’s very disturbing.”
A group of U.S. states and cities sued the Trump administration to stop it from asking people filling out 2020 census forms whether they are citizens. The lawsuit by 17 states, Washington D.C. and six cities challenged what they called last week’s “unconstitutional and arbitrary” decision by the U.S. Department of Commerce, which oversees the Census Bureau, to add the citizenship question. It was also a fresh challenge to what New York Attorney General Eric Schneiderman, at a press conference announcing the lawsuit, called the administration’s “anti-immigrant animus.” All of the states bringing the case have Democratic attorneys general. They were joined by New York City, Chicago, Philadelphia, San Francisco, Seattle and Providence, Rhode Island, which all have Democratic mayors, and the U.S. Conference of Mayors. Another state, California, filed a similar lawsuit last week.
Gerrymandering, the process of drawing district lines to fortify one political party at the expense of another, is as old as the U.S. republic. In the late 1780s, Virginia Governor Patrick Henry, who opposed ratifying the new Constitution, got allies in his state’s legislature to draw a congressional district map unfavorable to James Madison, the father of the founding document. (Madison won anyway.) Good-government groups grouse that gerrymandering lets politicians choose their constituents, rather than the other way around. But as the courts get more involved, others fret about judges interfering in politics.
Her sentencing made headlines across the country this week: A woman, recently released from prison in Texas and still on felony probation, is set to head back to prison for another five years after she unknowingly broke the law by voting in the 2016 election. Texas law prohibits people such as Crystal Mason from voting until they are no longer under supervision by corrections officers. Mason told the court she had no idea she was prohibited from voting. At her polling station, officials let her cast a provisional ballot. The confusion over felons’ voting rights is not limited to Mason’s situation or to Texas. Across the country, state felon voting laws vary widely. Some states bar people from voting only while they are in prison, while others deny voting rights to people who are still under the supervision of a probation or parole officer. And some prohibit convicted felons from voting for the rest of their lives, unless they receive a pardon from the governor.
The education arm of The Leadership Conference on Civil and Human Rights is teaming up with a voting rights group to increase voter turnout and fix polling problems that keep people from voting. The Leadership Conference Education Fund announced Wednesday that it’s partnering with Access Democracy for three years to provide institutional support in the group’s efforts to fix local election issues such as long lines and broken voting machines.
A sysadmin at a leading voting machine vendor posted a firewall configuration file, including passwords, into a public Cisco support forum in 2011, opening the company up to possible attack. The config files expose a wealth of information useful to an attacker, including domain name, hostname, and ASA version number. While there is no evidence that the voting machine vendor was compromised, this accidental leakage of information is “juicy intelligence,” Dan Tentler, founder and CEO of Phobos Group, an attack simulation security company, tells CSO. “If you have a crack team of cat burglar types and they’re all going to break into a building, this firewall configuration file is the equivalent of finding the floor plan of the building they are planning to break into,” Tentler says.
A Dutch attorney was sentenced on Tuesday to 30 days in prison for lying to federal agents, in the first formal conviction obtained by Robert Mueller in his investigation of Russian election interference and alleged collusion between aides to Donald Trump and Moscow. A federal judge in Washington sentenced Alex van der Zwaan, a 33-year-old lawyer who previously worked with Paul Manafort, Trump’s former campaign manager. He was also ordered to pay a $20,000 fine. Van der Zwaan had pleaded guilty to lying to the FBI about his contacts with another former Trump adviser, Rick Gates, and a person the FBI has assessed as being tied to Russian military intelligence.
Russian hackers tried to tamper with voting systems in 21 states during the 2016 US presidential election, and the American intelligence community expects Moscow will try again in November. But states from Virginia to Rhode Island aren’t focused on new cybersecurity software. Instead, they’re looking to one of the oldest technologies in existence: paper. It’s a striking change from 2016, when five states used electronic voting systems that didn’t leave any paper record of votes, and nine used some paperless machines. Now, states are rushing to take advantage of $380 million that Congress approved last month to help protect voting systems. Most states are prioritizing some kind of paper record. “In this year of our lord 2018, we’re talking about paper ballots, but that actually might be one of the smartest systems,” Sen. Kamala Harris (D-CA) told reporters in March.
Thousands of voting machine vendor employees’ work emails and plaintext passwords appear in freely available third-party data breach dumps reviewed by CSO, raising questions about the security of voting machines and the integrity of past election results. While breached sites, like LinkedIn after the 2012 breach, force users to change their passwords, a significant number of people reuse passwords on other platforms, making third-party data breaches a gold mine for criminals and spies. For many years voting machine vendors have claimed that voting machines were air gapped — not connected to the internet — and were thus unhackable. Kim Zetter debunked that idea in The New York Times in February. An attacker who managed to break into a voting machine vendor employee’s work email, because the employee used the same password as on a breached site, could leverage that to gain access to the voting machines themselves. And if voting machine vendors install remote access software on voting machines, factory backdoors that vendor employees use to remotely access the machines for maintenance, troubleshooting or election setup purposes, this turns voting machine vendor employees into targets. Hack the vendor, hack the voting machine.
The Trump administration has told states exactly how much of a $380 million fund they will get to make their voting systems more cyber-secure ahead of the 2018 midterm elections. The funding, made available through a $1.3 trillion omnibus package passed last week, is one of Congress’s first major steps to prevent a repeat of Russian hackers’ meddling in U.S. elections. The money can be used to upgrade state computer systems and offer cybersecurity training to election officials, among other things. California, Florida, New York and Texas together will get a quarter of the cash, with California leading the pack with about $35 million. A full breakdown of the funding can be found here. The money is a “breakthrough for election security and the health of our country’s democracy,” said Lawrence Norden of the Brennan Center for Justice at NYU Law.
Most states won’t have risk-limiting audits in place by the November midterms, which makes how they spend the $380 million in federal funding for election security, due out within 39 days, that much more important. Congress included the money in the omnibus spending bill, at the Senate Intelligence Committee’s recommendation, to be disbursed to states under the Help America Vote Act and spent on verifiable paper balloting, post-election audits of votes and cyber defenses. The appropriation is a good first step in shoring up voting systems against Russian-connected hacking, according to election security experts, but it doesn’t come close to replacing vulnerable polling place equipment in most at-risk states. “I wouldn’t say it’s a drop in the bucket—a glass of water in the bucket,” Joe Kiniry, Free & Fair CEO and chief scientist, told Route Fifty by phone. “A big corporation spends this much money on cybersecurity in a year.”
National: Higher cyber security services demand around elections, says McAfee boss | Press Association
The chief executive of McAfee believes cyber security firms will see higher demand for election protection as authorities in countries such as the US and UK try to safeguard “integrity” at the ballot box. Chris Young said there was a growing trend of attacks targeting “major events” like the most recent Winter Olympics, with the next big focus likely to be the highly-anticipated US midterm elections in November. “We’re now at a point where you could almost be certain than any notable event will have a corresponding set of cyber attacks with it,” he told the Press Association, adding that “election protection is going to be … bigger.”
National: Trump administration says a citizenship question on the census will help enforce voting rights. Sure. | Los Angeles Times
He went ahead and did it. Of course he did. Bashing California is way too much fun and easy for President Trump. California Democratic leaders shouldn’t be shocked. Politically, they had it coming, proudly emerging as the president’s chief antagonist while revving up their liberal and Latino bases. Not that Trump didn’t deserve it. He has been feeding his political base by assailing California and immigrants in the country illegally since first running for president. But when a state plays hardball with a president — especially a brawler like Trump — it should expect to get hit hard. A president always has a bigger bat.
After months of stalled progress in Congress, efforts to promote and fund nationwide election security improvements have finally gained some momentum this week. The Senate Intelligence Committee released its long-awaited election infrastructure defense recommendations. Senate leaders got behind a revised version of the Secure Elections Act. And late Thursday night, the Senate passed the omnibus spending bill, which includes $380 million for securing digital election systems. All the pieces are in place. The solutions are clear. All that’s left is the doing. But, of course, that turns out to be the hardest part. Experts say that while Congress did take meaningful action this week, it likely comes too late to play an extensive role in securing this year’s midterm elections. “This is a great first step, but it’s not going to solve the problem,” says Marian Schneider, president of Verified Voting, a group that promotes election system best practices. “Just the heightened awareness of what is the threat model and what are best practices for dealing with that threat model makes me hopeful and optimistic that those steps will be taken. But I would like to see the vulnerable systems replaced, and the clock is ticking. The farther we get into the year, the less likely it is. That’s just a reality.”
The Supreme Court on Wednesday grappled with a case with the potential to reorder the country’s political landscape: How much gerrymandering is too much gerrymandering? Republicans who sued to overturn the congressional district lines that Maryland implemented after the 2010 census map found allies in the court’s four liberal justices, who expressed sympathy for their claims during oral arguments. What’s less clear is whether those four can recruit another justice to their side — the most likely targets would be Chief Justice John Roberts or Justice Anthony Kennedy, typically the high court’s swing vote on election law cases. Both asked tough questions, but neither tipped his hand. At issue was Maryland’s 6th Congressional District, represented for 20 years by a Republican. After the 2010 census, Democrats in the state legislature and the then-Democratic governor redrew the district lines to move large numbers of Democratic voters into the district. Democratic Rep. John Delaney won the seat in 2012 and was reelected twice after.
National: Everyone Agrees That All Voting Machines Should Leave A Paper Trail. Here’s Why It Won’t Happen. | Buzzfeed
Despite Congress’s agreement last week to spend $380 million to help states replace voting machines that don’t produce a paper trail, it’s likely that tens of thousands of voters will cast their ballots in this year’s midterm elections on outdated equipment that the Department of Homeland Security has called a “national security concern.” That’s because the newly approved money will be allocated to all 50 states instead of just those that have the greatest need to replace voting machines. Thirteen states use voting machines that can’t be audited because they don’t produce a paper trail to check against the machine’s electronic tabulations. Of those, only two would receive enough funding under the recent appropriation to replace all their machines; the rest could replace only a fraction of what they need. For example, the funding would cover less than half the cost of what it would take for Pennsylvania — a state whose results were critical to the outcome of the 2016 presidential race — to replace all of its outdated machines.
The Center for Internet Security’s newly established Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) plans to deploy intrusion detection sensors to voter registration websites for all 50 states by the 2018 midterm elections, an official told GCN. The intrusion detection sensors are called Albert sensors, and CIS has been using them on the state and local level since 2010, according to CIS Vice President of Operations Brian Calkin. The open-source Albert sensors provide automated alerts on both traditional and advanced network threats. Albert grew out of a Department of Homeland Security’s Einstein project, which focuses on detecting and blocking cyberattacks within federal agencies. DHS approached CIS about creating similar capability for states and localities, but since the Einstein name was taken, CIS called it Albert instead.
As part of the omnibus spending law passed on March 23, all 50 states, the District of Columbia and four U.S. territories are getting funding to improve their elections infrastructure prior to the 2018 elections. On March 29, the Elections Assistance Commission announced how the $380 million will be distributed. An extension of the 2002 Help America Vote Act that distributed funds to states to improve voting systems and voter access issues identified following the 2000 election, the 2018 HAVA Election Security Fund will give states additional resources to secure and improve their election systems. The funds will be made available by the EAC as grants to make it easier for states to access the funds ahead of the 2018 federal elections. States will receive grant award notification letters in April. With primary elections already underway, however, states will be allowed to incur costs against forthcoming grant awards with EAC approval.
After being gamed by Russian operatives during the 2016 presidential election, Facebook says it’s working to tighten election security ahead of the midterm elections. Company executives detailed new initiatives to prevent foreign interference and anticipate new tactics to undermine the integrity of the November elections. Thursday’s remarks were part of a widening public relations campaign to rebuild consumer trust following the Cambridge Analytica data leak, which gave access to the personal information of tens of millions of Facebook users to a political ad targeting firm without their consent. They come as concern mounts that Facebook can be too easily exploited to disrupt elections and democracies around the globe. “We’ve gotten progressively better over the last year and a half,” Samidh Chakrabarti, who leads Facebook’s work on election security and civic engagement, told reporters. “We feel like we’re going to be in a really good place for the 2018 midterms.”
Nearly three years after a Russian propaganda group infiltrated Facebook and other tech platforms in hopes of seeding chaos in the 2016 US election, Facebook has more fully detailed its plan to protect elections around the world. In a call with reporters Thursday, Facebook executives elaborated on their use of human moderators, third-party fact checkers, and automation to catch fake accounts, foreign interference, fake news, and to increase transparency in political ads. The company has made some concrete strides, and has promised to double its safety and security team to 20,000 people this year. And yet, as midterm races heat up in states across America, and elections overseas come and go, many of these well-meaning tools remain a work in progress. “None of us can turn back the clock, but we are all responsible for making sure the same kind of attack on our democracy does not happen again,” Guy Rosen, Facebook’s vice president of product management said on the call. “And we are taking our role in that effort very, very seriously.”
National: The Motives Behind the Trump Administration’s New Census Question on Citizenship | The New Yorker
Nine years ago, two Republican senators, David Vitter, of Louisiana, and Robert Bennett, of Utah, tried to introduce a measure to change the way that the federal government conducts the census. The Census Bureau tabulates the over-all population, not just that of citizens, and its results have far-reaching consequences, affecting the allocation of federal resources and the apportionment of congressional seats. The senators wanted a law requiring that respondents be asked whether they are American citizens, so that congressional districts could be redrawn. Without such a change, Vitter said, “States that have large populations of illegals would be rewarded.” Other states, like his own, he said, were being “penalized.” The subtext was that the Democrats, who tend to be prominent in areas with high concentrations of immigrants, were gaining an advantage. The measure fell short of the necessary votes, as it did when Vitter proposed it again, in 2014 and in 2016. But his efforts reflected a persistent partisan logic. Now, on the eve of the 2020 census, it has reëmerged.
During the 2016 presidential election, Russian hackers targeted election systems in Pennsylvania and 20 other states, according to U.S. intelligence officials. Those officials fear that, during the 2018 midterms, hackers may target state voter registration databases, county websites and official social media accounts to spread misinformation and sow doubt in the U.S. election system. In February, Pennsylvania Gov. Tom Wolf, a Democrat, directed all counties that are planning to update aging election equipment to buy machines that create a paper trail. However, the directive from Wolf, aimed at machines used by 83 percent of the state’s voters, did not come with funding attached, placing the financial burden on federal or local budgets.
National: Why adding a citizenship question to the census launched a political firestorm | The Washington Post
The Voting Rights Act was passed in 1965 to protect the voting rights of mostly black voters in mostly Southern states. It mandated, among other things, that jurisdictions covered by the law have new voting laws reviewed by the government to assure that they weren’t discriminatory. That provision was tossed by the Supreme Court in 2013. A Texas voter ID law that had been rejected by the Department of Justice prior to the court’s decision was reintroduced immediately afterward — and was quickly found to be discriminatory. During his confirmation hearing last year, Attorney General Jeff Sessions was asked about the Voting Rights Act. “It is intrusive. The Supreme Court on more than one occasion has described it legally as an intrusive act, because you’re only focused on a certain number of states,” the then-Alabama senator said in January 2017.
The Supreme Court justices seemed to grasp the problem of gerrymandering in oral arguments on Wednesday and that it will only get worse, as computer-assisted redistricting gets even more refined. But they appeared frustrated over what to do about it — without becoming the constant police officer on the beat. This case, involving a Democratic-drawn congressional district in Maryland, is essentially Act II of the gerrymandering play at the Supreme Court.
National: After GOP is criticized over election security, key official goes to Homeland Security | The Hill
The official recently replaced atop the U.S. Election Assistance Commission (EAC) is joining the Department of Homeland Security to protect elections from cyber threats, The Hill has learned. Matthew Masterson was replaced as chairman of the EAC in February as a result of a decision made by Republican leadership. The move opened up House Speaker Paul Ryan (R-Wis.) to criticism. Masterson has now signed on to work as a senior cybersecurity adviser at Homeland Security’s main cyber wing and to assist the department’s election security mission. A Homeland Security official confirmed that Masterson will work at the National Protection and Programs Directorate, which spearheads efforts to protect critical infrastructure from cyber and physical threats.
Kirstjen Nielsen, the homeland security secretary, recently warned dozens of foreign diplomats — including the Russian ambassador — that the United States would retaliate if adversaries abroad meddled in its coming elections. “To those who would try to attack our democracy, to affect our elections, to affect the elections of other countries, to undermine national sovereignty, I have a word of warning: Don’t,” Ms. Nielsen told an estimated 80 foreign envoys and other officials during a speech last week, according to a person in attendance. Two other people with knowledge of the event confirmed the comments. All three spoke on the condition of anonymity because the remarks were given at a closed-door meeting.
National: Former Cambridge Analytica workers say firm sent foreigners to advise U.S. campaigns | The Washington Post
Cambridge Analytica assigned dozens of non-U.S. citizens to provide campaign strategy and messaging advice to Republican candidates in 2014, according to three former workers for the data firm, even as an attorney warned executives to abide by U.S. laws limiting foreign involvement in elections. The assignments came amid efforts to present the newly created company as “an American brand” that would appeal to U.S. political clients even though its parent, SCL Group, was based in London, according to former Cambridge Analytica research director Christopher Wylie. Wylie, who emerged this month as a whistleblower, provided The Washington Post with documents that describe a program across several U.S. states to win campaigns for Republicans using psychological profiling to reach voters with individually tailored messages. The documents include previously unreported details about the program, which was called “Project Ripon” for the Wisconsin town where the Republican Party was born in 1854.
The 2020 U.S. Census will include a controversial question about citizenship status, the Commerce Department announced Monday night, a move that sparked outrage from Congressional Democrats, civil rights groups and liberal state attorneys general. A spokeswoman for California Attorney General Xavier Becerra said the state will be suing the administration immediately. Before the announcement, Becerra and California Secretary of State Alex Padilla wrote in an op-ed that including a citizenship question would be “illegal.” “The Trump administration is threatening to derail the integrity of the census by seeking to add a question relating to citizenship to the 2020 census questionnaire,” the pair wrote in an op-ed in the San Francisco Chronicle. “Innocuous at first blush, its effect would be truly insidious. It would discourage noncitizens and their citizen family members from responding to the census, resulting in a less accurate population count.”
Kansas Secretary of State Kris Kobach encouraged President Donald Trump to add a question about citizenship status to the U.S. Census during the early weeks of Trump’s presidency. More than a year later, Trump’s administration has moved to enact that exact policy for the 2020 census. “I won’t go into exact detail, but I raised the issue with the president shortly after he was inaugurated,” Kobach said Tuesday. “I wanted to make sure the president was well aware.” Kobach, a Republican candidate for Kansas governor who is running on a platform focused on immigration, also published a column in January on Breitbart calling for Trump to reinstate the question to the Census.