President Donald Trump’s controversial “election integrity” commission is facing yet another legal challenge with a privacy-rights group saying the panel is breaking federal law by gathering massive amounts of information on the nation’s registered voters. The Electronic Privacy Information Center, which has been doing court battle against the voter panel for months, filed a revised complaint in District of Columbia federal court Thursday. Privacy watchdogs concerned about the panel’s activities have questioned whether the information can and will be kept safe from hackers and whether it will only used for research and not other political purposes. The Trump administration has defended the attempt to collect huge quantities of voter data by saying the panel is not technically a federal agency. Therefore, the argument goes, it does not have to do a so-called “impact assessment” to show that collecting the information doesn’t violate anyone’s privacy rights.
A new report pushes recommendations based on the research done into voting machine hacking at DEFCON 25, including basic cybersecurity guidelines, collaboration with local officials and an offer of free voting machine penetration testing. It took less than an hour for hackers to break into the first voting machine at the DEFCON conference in July. This week, DEFCON organizers released a new report that details the results from the Voting Village and the steps needed to ensure election security in the future. Douglas Lute, former U.S. ambassador to NATO and retired U.S. Army lieutenant general, wrote in the report that “last year’s attack on America’s voting process is as serious a threat to our democracy as any I have ever seen in the last 40+ years – potentially more serious than any physical attack on our Nation. Loss of life and damage to property are tragic, but we are resilient and can recover. Losing confidence in the security of our voting process — the fundamental link between the American people and our government — could be much more damaging,” Lute wrote. “In short, this is a serious national security issue that strikes at the core of our democracy.”
The political instability that has resulted from Russian meddling in the 2016 US presidential elections has put the focus on voting machines as a national security vulnerability, Douglas Lute, a former US permanent representative to NATO, said at the Atlantic Council on October 10. “I don’t think I’ve seen a more severe threat to American national security than the election hacking experience of 2016,” said Lute. There is a “fundamental democratic connection between the individual voter and the democratic outcome” of an election, he said, adding: “If you can undermine that, you don’t need to attack America with planes and ships. You can attack democracy from the inside.” … Lute delivered a keynote address at the Atlantic Council to call for a sense of urgency among policymakers and all stakeholders able to play a role in the solution to insecure voting machines. He also highlighted the findings presented in the DEF CON Report on Cyber Vulnerabilities in US Election Equipment, Databases, and Infrastructure, launched at the Council, which help to shed light on the technological dimensions of this national security threat. Ultimately, as Lute writes in the foreword, “this report makes one key point: our voting systems are not secure.”
When attendees at the July DEFCON conference breached every poll book and voting machine that event organizers had in the Voting Machine Hacking Village, elections officials took notice. A new report from DEFCON, the National Governors Association, the Atlantic Council, the Center for Internet Security and a number of universities and top technology vendors provides a more detailed look at just how vulnerable the entire U.S. election system – equipment, databases and infrastructure — is to hacking and urges policymakers to shore up security gaps. Vulnerabilities start with an insecure supply chain. Many parts used in voting machines are manufactured overseas, and the report authors suggested that bad actors could compromise the equipment “well before that voting machine rolls off the production line.” Voting Village participants found voting machines with universal default passwords and ones that broadcast their own Wi-Fi access point, which would allow hackers to connect. Once hackers gained access, they could escalate their privileges so they could run code, change votes in the database or turn the machine off remotely. Additionally, unprotected, uncovered USB ports provided easy inputs for thumb drives or keyboards.
National: Facebook scrubbed potentially damning Russia data before researchers could analyze it further | Business Insider
Facebook removed thousands of posts shared during the 2016 election by accounts linked to Russia after a Columbia University social-media researcher, Jonathan Albright, used the company’s data-analytics tool to examine the reach of the Russian accounts. Albright, who discovered the content had reached a far broader audience than Facebook had initially acknowledged, told The Washington Post on Wednesday that the data had allowed him “to at least reconstruct some of the pieces of the puzzle” of Russia’s election interference. “Not everything, but it allowed us to make sense of some of this thing,” he said.
You don’t even have to know much about voting machines to hack some of the systems that are still in use across the country. A new report published on Tuesday outlines how amateur hackers were able to “effectively breach” voting equipment, in some cases in a matter of minutes or hours, over just four days in July at DEFCON, an annual hacker conference. The report underscores the vulnerability of U.S. election systems. It also highlights the need for states to improve their security protocols after the Department of Homeland Security said Russian hackers attempted to target them during the 2016 election. “The DEFCON Voting Village showed that technical minds with little or no previous knowledge about voting machines, without even being provided proper documentation or tools, can still learn how to hack the machines within tens of minutes or a few hours,” the report says.
Organizers of the long-running DEFCON hacking conference have teamed with a variety of groups, including the National Governors Association, on an initiative to boost electoral security. The new coalition comes on the heels of a new report highlighting how insecure many voting machines really are. The DEFCON hacking conference, which has existed in one form or another for nearly a quarter century, is getting into the election security business—with the help of a number of associations and nonprofits. A September report [PDF] outlines the results of the first-ever “Voting Machine Hacking Village,” held at the DEFCON conference in Las Vegas last summer. The exercise revealed significant vulnerabilities in digital voting machines and in the ways they’re used to tally votes. And this week it led to the announcement of a coalition on election security that includes the National Governors Association, the Atlantic Council, the Center for Internet Security, and a variety of academic groups, among others.
The electronic voting machine, now used to some degree in all 50 states, is the functional equivalent of an unoccupied Lamborghini left running at midnight with vanity plates that say STEALME. This summer, hobbyist hackers with no specialized expertise who attended a convention called Defcon were able to compromise four different voting machines, one in less than 30 minutes. “Unfortunately, they were much easier than, say, a home router or mobile device,” says Defcon organizer Jeff Moss. … Online voting is hardly a fix. “There are so many problems and insecurities in internet voting, it’s not something we should even begin to consider in the next ten years,” says Princeton University professor of computer science Andrew Appel.
National: A warning from the Senate Intelligence Committee has vulnerable lawmakers fretting about election security | Politico
Democratic senators fighting to hold on to their seats next year are increasingly worried about a troubling reality: Russia appears set to mess with U.S. elections — again. The bipartisan leaders of the Senate Intelligence Committee warned last week that Russia’s second straight attempt to upend a major election appears certain. They pointed to hacked emails, fake news stories and other evidence of interference in France, Montenegro and elsewhere over the past year as signs Moscow remains determined to monkey with voting. Democratic senators such as Heidi Heitkamp of North Dakota, Bob Casey of Pennsylvania and Jon Tester of Montana — who hail from states President Donald Trump won in 2016 — know they’re already facing stiff reelection challenges.
National: Obama-linked group asks for temporary injunction against Trump fraud commission | McClatchy
A group of former Obama Administration lawyers on Wednesday moved for a temporary injunction against President Donald Trump’s voting fraud commission, saying the committee caused an “immediate blow to the proper functioning of our democracy” when it requested voter data from all 50 states without following legally mandated procedures. The motion, filed in U.S. District Court in Washington, D.C., by Protect Democracy Project and United to Protect Democracy, cited reports of people withdrawing their voter registration in response to the Trump commission’s request for information — proof, the motion argues, that the court should stop the Trump group from collecting the data now before it does more harm. The motion also argues that the requests “may increase the vulnerability of voter registration systems to hackers” and, contrary to federal law, gives Protect Democracy insufficient time to respond and mobilize the public to its actions.
Hackers could have easily infiltrated US voting machines in 2016 and are likely to try again in light of vulnerabilities in electronic polling systems, a group of researchers said Tuesday. A report with detailed findings from a July hacker conference which demonstrated how voting machines could be manipulated concluded that numerous vulnerabilities exist, posing a national security threat. The researchers analyzed the results of the “voting village” hacking contest at the DefCon gathering of hackers in Las Vegas this year, which showed how ballot machines could be compromised within minutes. “These machines were pretty easy to hack,” said Jeff Moss, the DefCon founder who presented the report at the Atlantic Council in Washington. “The problem is not going away. It’s only going to accelerate.”
Hacking and national security experts say that U.S. voting machines are vulnerable and could allow Russia to access to them, according to a new report out of DEFCON, one of the world’s longest-running hacker conferences. The report concludes that it is incredibly easy to hack U.S. voting machines, and the system is not nearly as safe as it’s portrayed by election officials because many voting machines contain foreign-manufactured internal parts that may be susceptible to tampering. Hackers also do not need advanced knowledge of voting machines to hack them — it would take only a few minutes or hours for someone with the technical knowledge to infiltrate the machines. At the Voting Village conference in July, DEFCON set up a hacking village to draw attention to cyber vulnerabilities in U.S. election infrastructure. It invited participants to hack 25 pieces of election equipment including voting machines and electronic poll books, and produced a report afterwards.
Hackers are joining forces with U.S. governors and academics in a new group aimed at preventing the manipulation of voter machines and computer systems to sway the outcome of future U.S. elections, a source familiar with the project said on Monday. The anti-hacking coalition’s members include organizers of last summer’s Def Con hacking conference in Las Vegas, the National Governors Association and the Center for Internet Security, said the source, who asked not to be identified ahead of a formal announcement due to be made on Tuesday. The Washington-based Atlantic Council think tank and several universities are also part of the project, the source said.
It happened in Las Vegas, but the weaknesses in U.S. voting equipment uncovered during a summer hackathon are too important to stay there, experts say. They’re a matter of national security. A new report breaks down the lessons learned at the DEF CON 25 hacking conference, which amounted to a concentrated attack—orchestrated in the name of public safety—on the programming and machinery used in U.S. elections. “The results were sobering,” according to a copy of the report provided by the Atlantic Council, an international affairs think tank. “By the end of the conference, every piece of equipment in the Voting Village was effectively breached in some manner. Participants with little prior knowledge and only limited tools and resources were quite capable of undermining the confidentiality, integrity, and availability of these systems.” … Researchers found the susceptibilities exposed by the hackers controverted manufacturers’ long-standing claims that their products were designed to thwart tampering. “If a voting machine can be hacked by a relative novice in a matter of minutes at DEFCON, imagine what a savvy and well-resourced adversary could do with months or years,” the researchers wrote.
A member of President Donald Trump’s voter fraud probe expressed deep frustration Tuesday over the way the commission has been run so far and doubted that the panel would ever meet again. Even though the Presidential Advisory Commission on Election Integrity was formally created five months ago and has conducted two public meetings, Maine Secretary of State Matthew Dunlap (D) told HuffPost that he still has no idea what it’s working on or when it will meet next. He said he plans to raise concerns with Kansas Secretary of State Kris Kobach (R), the commission’s vice chair, about how it has operated so far ― if he ever has another chance. “I think we have to talk about that if we get another opportunity. I don’t know that we’re ever going to meet again, to tell you the truth. We certainly haven’t talked about it,” Dunlap said. “I think it is a possibility. We haven’t heard about any future meetings. We talked about a meeting in November ― that was back in July. We haven’t had anything further about it. … It wouldn’t surprise me if we didn’t meet again.”
National: Time is running out for state officials to be approved for cybersecurity intel ahead of elections | Cyberscoop
With just about a month left before the polls open in New Jersey and Virginia for gubernatorial elections, the Department of Homeland Security is racing to vet state officials who have applied for the ability to receive classified briefings and other information related to potential cyber-intrusions into election systems, people familiar with the matter tell CyberScoop. In August, the DHS began reaching out to chief election officials in every state to begin the process of obtaining clearances. While the nominees for these clearances are usually the secretary of state or similar high-ranking office-holders, some supporting staff have also sought clearances. The processing for each of these applications varies by person and as a result, there’s no average wait time. Over the last several months, however, DHS has been able to issue “interim” clearances when necessary within 30 days of an application, officials told CyberScoop. Final clearance approvals are taking much longer, the officials said.
National: Carter Page says he won’t testify before Senate Intelligence panel in Russia probe | Politico
Carter Page, a former foreign policy adviser to the Trump campaign, informed the Senate Intelligence Committee on Tuesday that he will not be cooperating with any requests to appear before the panel for its investigation into Russian meddling in the 2016 election and would plead the Fifth, according to a source familiar with the matter. A former naval-officer-turned-energy consultant, Page came under fire last year after reports emerged that he had met with high-level associates of Russian President Vladimir Putin in Moscow in 2016. While Page denied those meetings occurred, the Trump campaign distanced itself from the adviser not long after, with former officials saying that Page and Trump had never met.
YouTube videos of police beatings on American streets. A widely circulated internet hoax about Muslim men in Michigan collecting welfare for multiple wives. A local news story about two veterans brutally mugged on a freezing winter night. All of these were recorded, posted or written by Americans. Yet all ended up becoming grist for a network of Facebook pages linked to a shadowy Russian company that has carried out propaganda campaigns for the Kremlin, and which is now believed to be at the center of a far-reaching Russian program to influence the 2016 presidential election. A New York Times examination of hundreds of those posts shows that one of the most powerful weapons that Russian agents used to reshape American politics was the anger, passion and misinformation that real Americans were broadcasting across social media platforms.
American voting machines are full of foreign-made hardware and software, including from China, and a top group of hackers and national security officials says that means they could have been infiltrated last year and into the future. DEFCON, the world’s largest hacker conference, will release its findings on Tuesday, months after hosting a July demonstration in which hackers quickly broke into 25 different types of voting machines. The report, to be unveiled at an event at the Atlantic Council, comes as the investigation continues by four Hill committees, plus Justice Department special counsel Robert Mueller, into Russian meddling in the 2016 elections, on top of the firm intelligence community assessments of interference. Though the report offers no proof of an attack last year, experts involved with it say they’re sure it is possible—and probable—and that the chances of a bigger attack in the future are high.
President Donald Trump says allegations of Russian hacking in the 2016 election are a hoax — but his own agencies are working with states to beef up their cybersecurity, heeding the U.S. intelligence community’s warning: Moscow will be back in 2018. The Department of Homeland Security, state and local election officials, the FBI, and a federal election council have joined forces to work through hacking scenarios and root out weaknesses in state election systems. The project, in which states will have access to grants to upgrade election technology and tools to run simulations to examine holes in their systems, is a test for how well officials can work together to ward off potential election-related threats ahead of the midterm elections next year and the presidential election in 2020, experts said.
National: Google uncovers Russian-bought ads on YouTube, Gmail and other platforms | The Washington Post
Google for the first time has uncovered evidence that Russian operatives exploited the company’s platforms in an attempt to interfere in the 2016 election, according to people familiar with the company’s investigation. The Silicon Valley giant has found that tens of thousands of dollars were spent on ads by Russian agents who aimed to spread disinformation across Google’s many products, which include YouTube, as well as advertising associated with Google search, Gmail, and the company’s DoubleClick ad network, the people said, speaking on condition of anonymity to discuss matters that have not been made public. Google runs the world’s largest online advertising business, and YouTube is the world’s largest online video site. The discovery by Google is also significant because the ads do not appear to be from the same Kremlin-affiliated troll farm that bought ads on Facebook — a sign that the Russian effort to spread disinformation online may be a much broader problem than Silicon Valley companies have unearthed so far.
National: Microsoft is reviewing its records for signs of potential Russian meddling during the 2016 election | Recode
Microsoft is currently reviewing its sales records to determine whether trolls aligned with the Russian government purchased ads on Bing or other company products during the 2016 U.S. presidential race. The decision to conduct an internal investigation comes as Microsoft’s tech industry peers — Facebook, Google and Twitter — contend with parallel probes by the U.S. Congress into the extent to which Kremlin-backed agents spread disinformation on their platforms around Election Day. “We take reports of misuse of our platform seriously,” a Microsoft spokesman said late Monday. “We are therefore investigating and if inappropriate activity is found, we will take steps to minimize such misuse in the future.” Reuters first reported the news.
National: The U.S. Election System Remains Deeply Vulnerable, But States Would Rather Celebrate Fake Success | The Intercept
When the Department of Homeland Security notified 21 states that Russian actors had targeted their elections systems in the months leading up to the 2016 presidential election, the impacted states rolled out a series of defiant statements. … But in most cases, according to the DHS, Russian actors scanned the public-facing websites of state agencies, apparently looking for vulnerabilities. The DHS said that in almost all of the cases, there was no evidence the operatives attempted to exploit any vulnerabilities. It was not, in other words, a thwarted bank robbery. Instead, Russian operatives surveyed the bank from the sidewalk, and then headed home. While the states are busy celebrating their successes, they are doing far too little to ensure that operatives don’t get in next time they show up and actually try to infiltrate, say cybersecurity experts.
A U.S. senator wants to know how well the country’s top six voting machine manufactures protect themselves against cyberattacks, a move that comes just weeks after federal authorities notified 21 states that they had been targeted by Russian government hackers during the 2016 presidential election. In a letter Tuesday to the CEOs of top election technology firms, Sen. Ron Wyden writes that public faith in American election infrastructure is “more important than ever before.” “Ensuring that Americans can trust that election systems and infrastructure are secure is necessary to protecting confidence in our electoral process and democratic government,” writes Widen, an Oregon Democrat.
Kansas Secretary of State Kris Kobach urged President Donald Trump to pursue changes to federal voting law to promote proof-of-citizenship requirements, according to documents unsealed Thursday by a federal judge. Kobach, a candidate for Kansas governor and the vice chair of Trump’s voting commission, was photographed carrying a strategic plan for the Department of Homeland Security into a meeting with Trump in November. The American Civil Liberties Union sought the documents as part of an ongoing lawsuit challenging a Kansas law that requires voters to provide proof of citizenship, such as a birth certificate or passport, when they register. Kobach was ordered to turn over the documents to the ACLU earlier this year, but the documents had been sealed until Judge Julie Robinson opened them Thursday.
National: Supreme Court takes up Wisconsin as test in partisan gerrymandering claims | The Washington Post
Opponents of political gerrymandering had reason for optimism at the Supreme Court on Tuesday, with Justice Anthony M. Kennedy, the likely swing vote, appearing more in sync with liberal colleagues who seemed convinced that a legislative map can be so infected with political bias that it violates the Constitution. But it’s what Kennedy didn’t say that could determine whether the court, for the first time, strikes down a legislative map because of extreme partisan gerrymandering. While he has previously expressed concerns about the political mapmaking practice, he has yet to endorse a way of determining when gerrymandering is excessive, and Kennedy give no sign at oral arguments Tuesday that he had found one. In a case from Wisconsin that could reshape the way American elections are conducted, the Supreme Court heard from challengers that it was the “only institution in the United States” that could prevent a coming wave of extreme partisan gerrymandering that would distort the basic structure of democracy.
A Kansas official who later became vice chairman of President Donald Trump’s commission on election fraud drafted a proposal for Trump to change federal voter registration laws to promote proof-of-citizenship requirements by states, an unsealed federal court document showed Thursday. The proposal was part of a “strategic plan” for the U.S. Department of Homeland Security prepared by Kansas Secretary of State Kris Kobach and carried by him into a meeting in November with Trump, then the president-elect. It was among three proposals designed to “stop aliens from voting.” U.S. District Judge Julie Robinson ordered a highly-edited version of the document unsealed Thursday in a voting-rights lawsuit from the American Civil Liberties Union. Robinson also ordered the unsealing of a second document, prepared by Kobach and circulated within the Kansas secretary of state’s office, showing the text of proposed changes to federal law.
National: The ‘unique’ nature of the US voting system could help Russia tip the scales of future elections, experts say | Business Insider
The vice chairman of the Senate Intelligence Committee told reporters on Wednesday he was disappointed that it had taken nearly a year for the Department of Homeland Security to notify 21 states that their voter registration systems had been targeted by hackers during the election. “There needs to be a more aggressive, whole-of-government approach in terms of protecting our electoral system,” said Democratic Sen. Mark Warner. “Remember, to make a change in a national election doesn’t require penetration into 50 states … arguably, you could pick two or three states, and two or three jurisdictions, and alter an election.”
Facebook cut references to Russia from a public report in April about manipulation of its platform around the presidential election because of concerns among the company’s lawyers and members of its policy team, according to people familiar with the matter. The drafting of the report sparked internal debate over how much information to disclose about Russian mischief on Facebook and its efforts to affect U.S. public opinion during the 2016 presidential contest, according to these people. Some at Facebook pushed to not include a mention of Russia in the report because the company’s understanding of Russian activity was too speculative, according to one of the people.
Over the past two years, nine states and the District of Columbia have quietly implemented a significant overhaul of the voter registration process, aiming to reduce bureaucracy and increase the number of people signed up to vote. Automatic voter registration, or AVR for short, essentially turns the current opt-in system of voter registration to an opt-out system. “When eligible citizens interact with certain government offices, they are added to the voter rolls unless they say no,” according to an article by the Brennan Center for Justice at New York University, which is working to advance the idea. Two years ago, no state had AVR. Today, 1 in 4 Americans live in a state that has approved automatic voter registration. “AVR is coming,” says Natalie Tennant, a former Democratic secretary of state from West Virginia who is now the Brennan Center’s manager of state advocacy on voting rights and elections.