National: New NSA cyber lead says agency must share more info about digital threats | Joseph Marks/The Washington Post

The NSA is the U.S. government’s premier digital spying agency and it has a well-earned reputation for keeping secrets. But the agency needs to stop keeping so many things confidential and classified if it wants to protect the nation from cyberattacks. That’s the assessment from Anne Neuberger, director of NSA’s first Cybersecurity Directorate, which will launch Oct. 1 and essentially combine the work of many disparate NSA divisions dealing with cybersecurity, including its offensive and defensive operations. The directorate’s mission is to “prevent and eradicate” foreign hackers from attacking critical U.S. targets including election infrastructure and defense companies, Neuberger said yesterday during her first public address since being named to lead the directorate in July. Neuberger acknowledged the difficulty of her mission during an onstage interview at the Billington Cybersecurity Summit, but also said the growing hacking threats from Russia, China and other U.S. adversaries mean the nation “must” achieve it. “The nation needs it … the threat demands it and the nation deserves that we achieve it,” Neuberger said. That mission also means, however, that NSA, which was once colloquially known as “no such agency” and has traditionally kept mum to protect its own hacking operations and secret sources, must start sharing more threat data with cybersecurity pros in the private sector, she said. And the NSA will have to share that information far more quickly than it has in the past when many recipients hcomplained that, by the time they get the information, it’s no longer useful, she said. In some instances, the agency will have to look for “creative approaches” to share that information, Neuberger told reporters after her talk.

National: Blue Dog Democrats urge action on election security | Maggie Miller/The Hill

The leaders of the House Blue Dog Coalition and the House Blue Dog Task Force on National Security on Thursday sent a letter to House and Senate leaders calling for action to prevent foreign interference in U.S. elections and to secure election systems. The House Blue Dog Coalition, a group of 26 moderate Democrats, urged congressional leaders to “put politics aside and pursue bipartisan solutions” to bolster election security ahead of 2020. “We are calling on Congress to take further action to secure our elections, punish Russia for its attempts to meddle in the 2016 and 2018 elections, and deter our adversaries from meddling in future U.S. elections,” the leaders of the Blue Dog Coalition and the Task Force wrote. “The threat to our national security could not be more clear.” The letter was sent to Speaker Nancy Pelosi (D-Calif.), House Majority Leader Steny Hoyer (D-Md.), Minority Leader Kevin McCarthy (R-Calif.), Senate Majority Leader Mitch McConnell (R-Ky.) and Senate Minority Leader Charles Schumer (D-N.Y.).  The House has passed two major election security bills earlier this year, both along party lines. The SAFE Act, passed in June, would provide states with $600 million for election security efforts, and would also ban voting machines from being connected to the internet and from being manufactured outside the U.S. The House also approved the For the People Act, which includes sweeping language on election security and voting reform. Both bills have been blocked from a vote in the Senate by Republicans, who cite concerns around federalizing elections.

National: Big Tech Companies Meeting With U.S. Officials on 2020 Election Security | Mike Isaac and Davey Alba/The New York Times

Facebook, Google, Twitter and Microsoft met with government officials in Silicon Valley on Wednesday to discuss and coordinate on how best to help secure the 2020 American election, kicking off what is likely to be a marathon effort to prevent the kind of foreign interference that roiled the 2016 election. The daylong meeting, held at Facebook’s headquarters in Menlo Park, Calif., included security teams from the tech companies, as well as members of the F.B.I., the Office of the Director of National Intelligence and the Department of Homeland Security. The agenda was to build up discussions and strategic collaboration ahead of the November 2020 state, federal and presidential elections, according to Facebook. Tech company representatives and government officials talked about potential threats, as well as how to better share information and detect threats, the social network said. Chief executives from the companies did not attend, said a person briefed on the meeting, who declined to be identified for confidentiality reasons.

National: DNC move against phone-in caucuses pits cybersecurity vs. voter participation | Joseph Marks/The Washington Post

The Democratic National Committee’s decision to recommend scrapping phone-in virtual caucuses in Iowa and Nevada is pitting security hawks, who say those systems are ripe for hacking, against Democratic activists who want to increase voter participation. The DNC announcement on Friday comes after a test of the phone-in systems showed they were vulnerable to hacking, as my colleagues Isaac Stanley-Becker and Michael Scherer reported. That confirmed the suspicions of cybersecurity experts who have long argued there’s no way to ensure the authenticity of votes that aren’t cast in person — including votes cast by email, websites or mobile phones. But it was a blow to activists who want to make it easier for people to participate in the democratic process — and who say lengthy in-person caucuses exclude people who work long hours or are caring for young children. Iowa and Nevada developed their phone-in systems after the DNC urged caucus states in 2018 to either switch to primaries — which are speedier  — or make it easier for people to participate remotely. The Iowa system would have allowed voters to register for a unique PIN number and use that PIN when they called in to vote for a candidate, my colleagues reported. The DNC move also sparked the ire of some 2020 presidential hopefuls.

National: Cyber Experts Warn Of Vulnerabilities Facing 2020 Election Machines | Miles Parks/NPR

A group of guys are starring into a laptop, exchanging excited giggles. Every couple minutes there’s an “oooooh” that morphs into an expectant hush. The Las Vegas scene seems more like a college dorm party than a deep dive into the democratic process. Cans of Pabst Blue Ribbon are being tossed around. One is cracked open and spews foam all over a computer keyboard. “That’s a new vulnerability!” someone yells. The laptop that’s drawing the most attention in this moment is plugged into a voting machine that was used just last year in Virginia. “Right now, we’re trying to develop a way to remotely control the voting machine,” said a hacker named Alex. He’s seated next to Ryan, and like a lot of the hackers at the Defcon conference, they didn’t feel comfortable giving their full names. What they’re doing — messing around with voting equipment, the innards of democracy — falls into a legal gray area. The voting machine looks sort of like a game of Operation. The cover is off and dozens of cords are sticking out, leading to multiple keyboards and laptop computers. No one could get that kind of access on a real Election Day, which is when most people come into contact with voting machines for a few minutes at most. Election supervisors are quick to point out that any vulnerabilities found under these conditions aren’t indicative of problems that actually could be exploited during an election. All the same, hackers like Alex and Ryan say the work they’re doing is important because it’s the highest profile public investigation of the equipment U.S. citizens use to vote. And if they can exploit it, so could government-sponsored specialists working for another nation’s intelligence agency.

National: FEC shutdown — Democracy dies in daylight, too | Renée Graham/The Boston Globe

The Federal Election Commission is essentially toast. Last week, Matthew Petersen, its Republican vice chairman, resigned, leaving the six-member panel with only three members — one person short of the requisite quorum. “Without a quorum, certain Commission activities will not take place,” said FEC commissioner Caroline C. Hunter in a statement. “For example, the Commission will not be able to hold meetings, initiate audits, vote on enforcement matters, issue advisory opinions, or engage in rulemakings.” In one of his last actions, Petersen, along with Hunter, also a Republican, stopped the FEC from using its powers as intended. They blocked an investigation into a report that Alexander Torshin (a Russian central banker close to Russian President Vladimir Putin) and Maria Butina used the NRA as “a conduit” to illegally funnel money between Russia and the Trump campaign. Butina later pleaded guilty to conspiring to act as an unregistered foreign agent of the Russian state. She was sentenced to 18 months in prison. Now the FEC’s dysfunction is tumbling toward disaster. The regulatory agency charged with enforcing campaign finance laws in federal elections has been kneecapped during a general election season already under a sustained attack by enemies both foreign and domestic.

National: States Upgrade Election Equipment — Wary Of ‘A Race Without A Finish Line’ | Pam Fessler/NPR

With five months before primary season begins, election officials around the country are busy buying new voting equipment. Their main focus is security, after Russians tried to hack into U.S. election systems in 2016. Intelligence officials have warned that similar attacks are likely in 2020, from either Russia or others intent on disrupting U.S. elections. Federal, state and local authorities are trying to improve the security of the nation’s voting systems before that happens. One way they’re doing that is by purchasing more machines that produce paper ballots, which can be used to verify results in the event of a cyberattack on electronic systems. … Marian Schneider, a former Pennsylvania election official, thinks whatever the counties decide, this state is in much better shape than it was in 2016, when more than 80 percent of its machines had no paper records. “You couldn’t check them. Whatever the computer said, the computer said. You were done,” Schneider says. “This is a sea change for Pennsylvania and it’s a good thing.” But Schneider, who runs Verified Voting, a national group that’s long promoted paper ballots, also says paper alone is not enough. “You have to check the paper afterwards. You have to randomly sample those ballots and make sure that the results that the software reported matches what’s on the paper ballots,” she says. She’s talking about something called a risk-limiting audit, which is becoming an increasingly popular way to verify election results. Pennsylvania is among a dozen states now testing the idea.

National: Election Security And Voting Machines: What You Need To Know | Philip Ewing/NPR

Voting systems in the United States have come a long way since the hanging chads of the 2000 recount in Florida — but now cybersecurity is as big a concern as ballot fidelity. Here’s what you need to know.

The good news

There are about 3,200 counties or their equivalents across the United States and its territories, ranging in size from Los Angeles County with around 10 million residents to Kalawao County, Hawaii, with fewer than 100. Most counties — more than 70% — have populations under about 50,000, says the National Association of Counties. That huge breadth and diversity means that most elections truly are local and it would be nearly impossible for a foreign adversary to touch them all with a single effort. Elections in the United States remain, as then-FBI Director James Comey famously told Congress, “a bit of a hairball.”

The bad news

A huge breadth and diversity of counties means a huge breadth and diversity of security capabilities. Also, every jurisdiction that runs elections in the United States doesn’t present the same kind of appeal to a foreign interference campaign. The results of a close election can depend on turnout in only a few key states or other locations, meaning some locations are under much more pressure than others.

At the same time, evidence about successful interference in an election system anywhere in the United States would raise questions about the integrity of elections everywhere. Russian cyberattackers have been able to gain access to voter databases and other systems around country, but U.S. officials say they believe no votes have been changed.

National: States brace for ransomware assaults on voter registries | Laura Hautala/CNET

Extortionists have recently shut down municipal computer systems in Texas, Maryland, Florida and New York, threatening to erase databases unless the cities pay a ransom. Now officials around the country are concerned the tool the hackers used, known as ransomware, could be tapped to target state voter registration rolls and disrupt confidence as the nation heads into the 2020 election. Illinois, for example, is making its voter registration database accessible only from a closed fiber optic network, rather than the open internet, according to Matt Deitrich, a spokesman for the State Board of Elections. The Prairie State is making progress, though it still has a way to go, he says. Less than a third of its 108 jurisdictions currently connect to the database via the dedicated network. The security effort is worth it, Deitrich says. If a hacker successfully hits even one county’s election agency with ransomware, that can create the impression the whole system is compromised. “It’s a phenomenon that can undermine voter confidence,” Deitrich said. Ransomware would be a new feature of election hacking, which came to public attention after intelligence officials said Russian hackers probed voter registries during the 2016 presidential campaign. A ransomware attack in 2020 could prove devastating, preventing voters from registering or poll workers from confirming voter eligibility, officials say. The hackers’ goal wouldn’t be changing the votes that were cast, but spreading doubt that eligible voters were able to make their voices heard.

National: Report highlights Instagram, deepfake videos as key disinformation threats in 2020 elections | Maggie Miller/The Hill

Instagram will likely be the main social media platform used to disseminate disinformation during the 2020 election, while altered “deepfake” videos of candidates will pose a threat as well, according to a report out on Wednesday.  The report on disinformation tactics during the 2020 election, put together by New York University’s (NYU) Stern Center for Business and Human Rights, also pinpointed China, Russia, and Iran as countries likely to launch such attacks against the U.S. in the lead up to the elections. But foreign states will not be alone, with NYU finding that domestic sources of disinformation, such as users within the U.S. creating and circulating it, will be more prevalent than overseas ones. Voter suppression will be the main target of both streams of disinformation, with the report warning that “unwitting Americans” could also be manipulated into participating in rallies and protests. The report from NYU emphasized that while “social media companies are playing better defense than they did in 2016,” it called on them “to step up their games in anticipation of 2020.”

National: Advocates push Census Bureau to prepare for security breaches, disinformation ahead of 2020 count | Bill Lambrecht/San Antonio Express-News

As the first U.S. census to be conducted mainly online gets underway in the coming months, warnings from the Government Accountability Office about “substantial cybersecurity challenges” and disinformation campaigns raise concerns about how such a massive operation – collecting the names, addresses and birth dates of more than 300 million people – could be undermined by malicious actors on social media. Analysts monitoring the internet say they see no evidence of concerted efforts to sow bad information about the 2020 count. Yet in one instance, a post on a neo-Nazi website encouraged people to seek temporary Census Bureau employment in order to turn in immigrants who are living in the country illegally. Census workers are sworn to protect such information. Census experts note the potential lure of the census to people with ill intent. The decennial count is the basis for drawing congressional and legislative districts for a decade and determining where more than $800 billion gets distributed annually. In Texas, an undercount of the state’s fast-growing Latino population could threaten billions in tax dollars and the prospects of gaining three seats in the U.S. House from population shifts.

National: 2020 presidential election: What the NSA is doing to prepare and how the agency tackled the 2018 midterms | Olivia Gazis/ CBS News

The National Security Agency has begun revealing some of its preparations for the 2020 presidential elections, drawing in part from from its previous successes during the 2018 midterm elections. But officials also warned that cyber threats from foreign adversaries were evolving, accelerating and likely to reach a growing number of targets. NSA officials outlined a three-part approach they said was key to ensuring the security of the 2018 midterms: They first sought to understand adversaries’ activities, and then shared, chiefly through the FBI and Department of Homeland Security, information with potential targets. Along with U.S. Cyber Command, the military’s cyber defense arm, officials said they also imposed unspecified “costs” on those aiming to disrupt U.S. political processes. “[W]e said… if there is an adversary or adversaries that are attempting to either influence or interfere in our elections, we’re going to take them on,” General Paul Nakasone, who leads both the NSA and U.S. Cyber Command, said at the annual Intelligence and National Security Alliance (INSA) Summit last week.  

National: Republicans and Democrats agree that the U.S. should strengthen election security. So why doesn’t Mitch McConnell? | Evan Crawford/The Washington Post

The Senate Intelligence Committee recently released the first volume in what will be a series of reports on Russian interference in the 2016 election. Here’s the most startling thing we learned: Russian hackers targeted election infrastructure not just in 21 or 39 states, as previously reported — but in 50 states. These efforts ranged from scanning state election websites to test for vulnerability to gaining access to the Illinois voter database and being “in a position to delete or change voter data,” according to the Senate report, though no evidence has emerged that any data was actually changed. In response, the committee made recommendations to ensure a more secure 2020 election. Election experts have long been calling for many of these actions, including increased communication between federal, state and local election officials; post-election audits; and updated voting equipment. Many of these measures were part of a bill that the House passed, the Securing America’s Federal Elections Act. But Senate Majority Leader Mitch McConnell (R-Ky.) has effectively blocked this legislation from being considered in the Senate. So where does the public stand on these issues? There’s a bipartisan consensus about election security.

National: Alex Halderman Speaks About Election Cybersecurity at CyberSec & AI Prague Conference | Avast/Security Boulevard

Alex Halderman was researching election hacking a decade before the 2016 U.S. presidential race made it front-page news. The computer science professor at the University of Michigan brought change to India’s elections, turned a U.S. voting machine into a Pac-Man arcade game, and warned Congress twice about the vulnerabilities that await 2020’s U.S. elections. Yet he is bringing a decidedly low-tech solution – a return to the backup of a “paper trail” for ballots – to one of cybersecurity’s biggest challenges when he speaks to the top minds in artificial intelligence at the CyberSec & AI Prague conference in October. Halderman has researched elections in India, Estonia, Australia, and the United States and found that – as in other areas of modern life – tech can introduce as well as address cybersecurity problems. “Countries around the world are turning to computer technology and internet-connected systems to try to make elections better, but the fact is that opens up whole new categories of risk.”

National: No Quorum At FEC Means Election Law Enforcement Is On Hold | Brian Naylor/NPR

Barring some kind of miraculous last-minute reprieve, Friday will be the last business day that the Federal Election Commission will be able to function for quite a while, leaving the enforcement of federal campaign finance laws unattended ahead of the 2020 election. The commission’s vice chairman, Matthew Petersen, announced his resignation earlier this week, to take effect at the end of the month. With Petersen gone, the FEC will be down to three members, and won’t have a quorum. In addition to collecting campaign finance data, the FEC investigates potential campaign finance violations, issues fines and gives guidance to campaigns about following election law — but not without a working quorum of at least four commissioners. “To not have the FEC able to take action right now is deeply concerning,” says Daniel Weiner, a former senior counsel at the FEC, who’s now with the Brennan Center for Justice at New York University law school. In particular, Weiner is concerned about another attempt by Russia or other actors to interfere in the 2020 election.

National: Fancy Bear Dons Plain Clothes to Try to Defeat Machine Learning | Robert Lemos/Dark Reading

An analysis of a sample published by the US government shows Russian espionage group APT28, also known as Fancy Bear, has stripped down its initial infector in an attempt to defeat ML-based defenses. The APT28 cyber-espionage group, often called “Fancy Bear” and linked to Russia, has stripped much of the malicious functionality from its initial infector, hiding it in a sea of benign code, according to an analysis published today by Cylance, a subsidiary of Blackberry. The approach shows that the group has developed greater operational sophistication, says Josh Lemos, vice president of research and intelligence at Cylance (and no relation to the author). The authors of the implant appear to be trying to hide in plain site by using well-known libraries, such as OpenSSL, and a widely used compiler, POCO C++, resulting in 99% of the more than 3 megabytes of code being classified as benign, according to Cylance’s analysis. Those steps, taken along with other newly adopted tactics, suggest the group is trying a different approach to dodge evolving defenses, Lemos says.

National: Blockchain e-voting: Backed by US candidate, hacked in Moscow | Sarah Wray/SmartCitiesWorld

The debate over blockchain-based political voting re-emerged recently as Democratic US presidential hopeful Andrew Yang backs the technology to boost voter numbers and security, while a French researcher has hacked into the blockchain-based voting system which officials plan to use next month for the 2019 Moscow City Duma election. On his campaign website, Yang states that voting should be available via mobile devices with verification through blockchain. He argues that modernising voting with decentralised ledger technology could increase security, reduce inconsistent processes between states and restore confidence in democracy. Philip Boucher, a European Policy Research Service (EPRS) policy analyst, explains the theory behind blockchain voting: “In elections, we usually have a central authority that records, checks and counts all of the votes. With blockchain, the process is decentralised so everyone can hold a copy of the full voting record on their own devices. The data is encrypted to protect the identity of individual voters. Illegitimate votes cannot be added and the historical record cannot be changed because everyone holds a copy and can check that all of the votes comply with the rules and are counted properly.” Some have even suggested that in future, blockchain votes could be encoded into ‘smart contracts’ so that the results automatically take effect “like a self-implementing manifesto”. Several countries and local authorities have explored or experimented with the idea of digital voting.

National: FEC vice chairman resigns, leaving agency unable to vote | Maggie Miller/The Hill

The vice chairman of the Federal Election Commission (FEC) submitted his resignation letter to President Trump on Monday, leaving the agency without the necessary number of commissioners to vote on proposed actions. Matthew Petersen, a Republican who has served as a commissioner since 2008, wrote that he will formally step down on Aug. 31. “Throughout my service, I have faithfully discharged my duty to enforce the law in a manner that respects free speech rights, while also fairly interpreting the relevant statutes and regulations and providing meaningful notice to those subject to FEC jurisdiction,” Petersen wrote. “I am honored to have served the American people in this capacity and to have fulfilled the oath taken 11 years ago.” A spokesperson for the FEC confirmed Petersen’s resignation, declining to comment further. His departure leaves the agency with only three of the four members required to vote on proposed actions.

National: As Russia Eyes 2020, America’s Election Watchdog Is Out of Commission | Nicole Goodkind/Newsweek

The Federal Election Commission, an independent agency that enforces all campaign finance law and ensures the integrity of political campaigns, lost its vice chairman Monday evening, essentially rendering the agency useless. In order to take any official enforcement or regulatory action, the agency is required to have a quorum of four members on its board, but the resignation of Matthew Petersen, effective this week, leaves the commission with only three members, all of whom are still working even though their six-year terms of service have all expired. There were already three vacancies before this week’s kerfuffle. The FEC issued about $33.6 million in fines between 1999 and 2008, but over the last 10 years that dropped to $11.4 million. Yet, election security has become an increasingly important issue. Just last month, former special counsel Robert Mueller ominously warned Congress that Russia had lofty plans to interfere in the next election. “They’re doing it as we sit here and they expect to do it during the next campaign,” he said.

National: Ransomware threat raises National Guard’s role in state cybersecurity | Benjamin Freed/StateScoop

National Guard units already play a large role in state governments’ cybersecurity activities, such as protecting election systems, but the threat of ransomware to cripple a state or city organization is a growing concern for uniformed personnel, the top military official overseeing the National Guard across the United States said. While Americans are long used to seeing guardsmen and women roll into to disaster-stricken areas after a hurricane or wildfire, deployments following cyberattacks are increasingly common, Air Force Gen. Joseph Lengyel said Friday on a conference call with reporters, likening the recent ransomware incidents in Texas and Louisiana to a “cyber storm,” though not quite a “cyber hurricane.” “We’re seeing the whole of the first responder networks come to assist and mitigate the damage and get everything back up and running, and the National Guard is part of that response,” he said.

National: U.S. officials fear ransomware attack against 2020 election | Christopher Bing/Reuters

The U.S. government plans to launch a program in roughly one month that narrowly focuses on protecting voter registration databases and systems ahead of the 2020 presidential election. These systems, which are widely used to validate the eligibility of voters before they cast ballots, were compromised in 2016 by Russian hackers seeking to collect information. Intelligence officials are concerned that foreign hackers in 2020 not only will target the databases but attempt to manipulate, disrupt or destroy the data, according to current and former U.S. officials. “We assess these systems as high risk,” said a senior U.S. official, because they are one of the few pieces of election technology regularly connected to the Internet. The Cybersecurity Infrastructure Security Agency, or CISA, a division of the Homeland Security Department, fears the databases could be targeted by ransomware, a type of virus that has crippled city computer networks across the United States, including recently in Texas, Baltimore and Atlanta. “Recent history has shown that state and county governments and those who support them are targets for ransomware attacks,” said Christopher Krebs, CISA’s director. “That is why we are working alongside election officials and their private sector partners to help protect their databases and respond to possible ransomware attacks.”

National: Federal officials working with states to protect elections | Andrew Selsky/Associated Press

Huddled in small groups in a remote town in Oregon, county and state elections officials tried to overcome hacking attempts, power failures and other problems as election day approached and finally arrived. It was a tabletop exercise, held as federal officials work to bolster defenses against interference in the 2020 elections, with states being a main line of defense against attempts by Russia or others to disrupt the elections. Officials from the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency traveled to La Grande, a town located in ranching country in northeast Oregon, for Wednesday’s exercise with county and state officials. During the event held on the campus of Eastern Oregon University, the officials had to work through various scenarios, like official websites being hacked, disinformation being spread on social media and electrical power and communications going down, Oregon Elections Director Stephen Trout said in a telephone interview. Disinformation involves deliberately spreading falsehoods and rumors, while misinformation — another election security threat that experts point to — entails simply disseminating incorrect or misleading information.

National: Groups push lawmakers for hearings on voting machine security | Maggie Miller/The Hill

Voting rights and election security groups on Monday urged two House and Senate committees to hold hearings on the security of voting machines. The groups, which include the National Election Defense Coalition, Electronic Privacy Information Center, R Street Institute and Public Citizen, asked the House Administration Committee and the Senate Rules and Administration Committee in a letter to schedule election security hearings that include testimony from voting machine vendors and election security experts. “The security of our nation’s elections is acutely dependent on the vendors that supply our computerized voting systems,” the groups wrote. “The voting system vendors have operated with little oversight and no regulation for decades.” “Given the gravity and urgency of this issue, we write to you to urge the committees to hold a hearing on election system security featuring sworn testimony from officers of the voting system vendors to shed more light on their practices which directly impact the security of the nation,” they added. The groups cited reports in recent months that certain voting systems rely on outdated Windows 7 operating systems, that one major election machine vendor installed remote access software on its election systems and concerns about a lack of transparency from voting machine vendors.

National: DHS cyber agency to prioritize election security, Chinese threats | Maggie Miller/The Hill

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) plans to prioritize election security, cybersecurity at federal agencies, and the “persistent threat” posed by China, among its many goals. The agency laid out its key priorities in a new “strategic intent” document released on Thursday, which CISA Director Christopher Krebs described in the introduction as the “keystone” for the agency. Among Krebs’s operational priorities is addressing Chinese threats to U.S. supply chains and to the rollout of 5G networks, bolstering election security efforts at the state and local level, and protecting the cybersecurity of industrial control systems. Other priorities are protecting federal networks against cyber attacks, such as ransomware incidents that have increasingly spread across the country, and defending “soft targets” and crowded venues from physical threats. CISA is the primary agency responsible for assisting state and local governments with securing elections, replacing the former National Protection and Programs Directorate in a law that took effect last year.

National: Internet-Connected Election Systems Found in 10 U.S. States | Scott Ikeda/CPO Magazine

There has been much talk in the media about interference in United States presidential elections, but most of it has centered around the use of media and disinformation to influence votes. There is a widespread assumption that the voting machines themselves are safe from hacking; though many are electronic, these election systems are not supposed to be connected to the internet. A new report from Vice’s Motherboard indicates that these systems are not nearly as secure as anyone thought they were, including election officials. Researchers told Motherboard that a particular type of election system that is only supposed to connect to the internet for several minutes to transfer votes has been found to sometimes stay connected for months, and in some cases these machines were constantly connected and were exposed for at least a year. The election systems found to be vulnerable are made by a specific manufacturer: Election Systems & Software (ESS). ESS is the largest voting systems company in the country, with at least 260,000 machines in place in 21 states including in some swing states. Security researchers found backend systems that were connected to the internet when they were not supposed to be, distributed across a number of states including the key “battleground” centers of Florida, Michigan and Wisconsin.

National: IT Security Pros: Encryption Backdoors Would Be Election Hacking Risk | Phil Muncaster/Infosecurity Magazine

The IT security community overwhelmingly believes that government-mandated encryption backdoors will put countries at a greater risk of election hacking, according to new Venafi research. The security vendor polled over 380 security professionals at Black Hat USA 2019 in Las Vegas earlier this month, following recent comments by attorney general, William Barr. Like his predecessors, Barr last month claimed that strong data encryption in tech products is effectively creating a “law-free zone” exploited by terrorists and criminals as it “seriously degrades” the ability of law enforcement to detect and prevent crimes. Also like many others, he argued that government-mandated backdoor access “can and must be done,” claiming that if they only tried hard enough, tech firms could find a solution which could enable lawful access to data without undermining security for all users. This argument has been repeatedly shot down, not only by the tech firms themselves, but also world-renowned cryptography experts. Last year they backed senator Ron Wyden’s demands that the FBI explain the technical basis for its repeated claims that encryption backdoors can be engineered without impacting user security.

National: Election Security Lessons from DEFCON 27 | Ciara Torres-Spelliscy/Brennan Center for Justice

Given the extent of foreign interference in the 2016 election, every American should be concerned about election security in 2020. But what can computer hackers teach us about it? To find out, I went to Las Vegas earlier this month to attend DEFCON 27, the largest annual hacking conference in the United States, knowing this was probably my last chance to see a legal election hacking. Voting machines are protected from reverse engineering under the Digital Millennium Copyright Act. But the Library of Congress, which has certain authorities under the law, set a three-year window to allow third parties access to voting machines to test their security. Barring an extension by the Library of Congress, 2019 is the third and last year these hacks are legal. DEFCON is a huge event, and I saw fellow conference-goers all over Las Vegas with their distinctive glowing badges. I was only interested in the DEFCON Voting Village, which included a large assortment of voting equipment for participants to test, hack, and break.

National: Democrats call for a Senate vote on elections reform package | Jennifer McDermott/Associated Press

Democratic congressmen held an event Thursday in Rhode Island to try to pressure Republican Senate Majority Leader Mitch McConnell into allowing a vote on a comprehensive elections and ethics reform package. Maryland Democratic Rep. John Sarbanes, who is the bill’s main author, met with Rhode Island Rep. David Cicilline and Sen. Sheldon Whitehouse in North Providence. The influence of big money in politics is impeding efforts to address climate change, gun violence and prescription drug costs, they said. Activists working on those issues attended the event. “This isn’t just some theory, like wouldn’t it be good to reform government because good government is an abstract idea,” Cicilline said. “It has a direct effect on people’s lives. The corrupting influence of money and its impact on public policy is hurting the American people.”

National: Microsoft ElectionGuard aims to fix America’s broken voting | Mark Wilson/Fast Company

Voting is broken. From the hanging chad debacle of 2000 to the 2018 midterms when decade-old touchscreen computers cast the wrong votes, to long lines outside polling places, our democratic right to elect our own officials is constantly at odds with unreliable equipment and balloting policies that vary from one district to the next. And this is all not to mention that voting machines are absurdly hackable. It’s enough to make people not want to vote at all. But what if you could vote however you wanted to vote? Which could mean at home or, if you’re a person with a disability, with the assistance of specialized hardware? What if you could go online later and ensure your vote was your vote, and that it counted? What if you could write your own piece of software to do a recount of, or audit, your small town’s mayoral election instantly? That’s the vision of ElectionGuard, a new project by Microsoft, which debuted this summer at the Aspen Security Forum. ElectionGuard is an open code standard, that anyone can audit, freely use, and plug into, to create secure digital voting machines that remove many of the barriers of voting. Microsoft teamed up with Tucker Viemeister, a renowned industrial designer who spent years at prestigious firms including Frog, Smart Design, and Rockwell Group designing devices like hair dryers and coffee makers, to build something of a concept car for the future of voting—mostly out of off-the-shelf parts.

National: State Election Infrastructure Is Still Vulnerable, Report Finds | by Phil Goldstein/StateTech Magazine

The 2020 presidential election is more than 14 months away, but some experts are warning that state governments face an uphill battle in defending election infrastructure from cyberattacks. According to a recent report, “Defending Elections: Federal Funding Needs for State Election Security,” many election security projects at the state level are either unfunded or underfunded. The report calls on the federal government to provide more funding for state-level election security measures ahead of next year’s election. “In administering our elections, states face security challenges of unprecedented magnitude,” the report concludes. “They are, in many cases, ill-equipped to defend themselves against the sophisticated, well-resourced intelligence agencies of foreign governments. States should not be expected to defend against such attacks alone. Our federal government should work to provide the states with the resources they need to harden their infrastructure against cybersecurity threats.” The paper was authored by a bipartisan group of organizations including the Brennan Center for Justice, the Alliance for Securing Democracy, the R Street Institute and the University of Pittsburgh Institute for Cyber Law, Policy, and Security.