National: US still ‘not prepared’ in event of a serious cyber attack and Congress can’t help if it happens | Iain Thomson/The Register

Despite some progress, the US is still massively underprepared for a serious cyber attack and the current administration isn’t helping matters, according to politicians visiting the DEF CON hacking conference. In an opening keynote, representatives Ted Lieu (D-CA) and James Langevin (D-IL) were joined by hackers Cris Thomas, aka Space Rogue, and Jen Ellis (Infosecjen) to discuss the current state of play in government preparedness. “No, we are not prepared,” said Lieu, one of only four trained computer scientists in Congress. “When a crisis hits, it’s too late for Congress to act. We are very weak on a federal level, nearly 20 years after Space Rogue warned us we’re still there.” Thomas testified before Congress 20 years ago about the dangers that the internet could pose if proper steps weren’t taken. At today’s conference he said there was much still to be done but that he was cautiously optimistic for the future, as long as hackers put aside their issues with legislators and worked with them. “As hackers we want things done now,” he said. “But Congress doesn’t work that way; it doesn’t work at the ‘speed of hack’. If you’re going to engage with it, you need to recognise this is an incremental journey and try not to be so absolutist.”

National: Schumer calls for $1 billion national investment in election security | David Lombardo/Times Union

Election cybersecurity has the potential to be a growth industry as federal lawmakers push a $1 billion investment in safeguarding next year’s elections. The proposed spending was highlighted Monday by U.S. Sen. Charles E. Schumer, D-N.Y., who stopped in East Greenbush for a tour of the Center for Internet Security, which helps government agencies prevent hacking of elections. The non-profit company also worked with the presidential campaigns of Donald Trump and Hillary Clinton to buttress their systems from cyber attacks in 2016. The money for cybersecurity grants is part of legislation that would also require states to collect paper ballots, set minimum cybersecurity standards, direct federal officials to craft preventative measures states can implement, and impose testing of voting system vulnerabilities. Paper ballots are already used as a safeguard for New York elections. The U.S. Constitution empowers states to administer elections, which has resulted in varying standards across the country.

National: Analysis shows 2020 votes still vulnerable to hacking | Mary Clare Jalonick/Associated Press

More than one in 10 voters could cast ballots on paperless voting machines in the 2020 general election, according to a new analysis, leaving their ballots more vulnerable to hacking. A study released by the Brennan Center for Justice at NYU School of Law on Tuesday evaluates the state of the country’s election security six months before the New Hampshire primary and concludes that much more needs to be done. While there has been significant progress by states and the federal government since Russian agents targeted U.S. state election systems ahead of the 2016 presidential election, the analysis notes that many states have not taken all of the steps needed to ensure that doesn’t happen again. The report also notes that around a third of all local election jurisdictions were using voting machines that are at least a decade old, despite recommendations they be replaced after 10 years. The Associated Press reported last month that many election systems are running on old Windows 7 software that will soon be outdated. “We should replace antiquated equipment, and paperless equipment in particular, as soon as possible,” the report recommends.

National: Hackers Take on Darpa’s $10 Million Voting Machine | Lily Hay Newman/WIRED

For the last two years, hackers have come to the Voting Village at the DefCon security conference in Las Vegas to tear down voting machines and analyze them for vulnerabilities. But this year’s Village features a fancy new target: a prototype secure voting machine created through a $10 million project at the Defense Advanced Research Projects Agency. You know it better as Darpa, the government’s mad science wing. Announced in March, the initiative aims to develop an open source voting platform built on secure hardware. The Oregon-based verifiable systems firm Galois is designing the voting system. And Darpa wants you to know: its endgame goes way beyond securing the vote. The agency hopes to use voting machines as a model system for developing a secure hardware platform—meaning that the group is designing all the chips that go into a computer from the ground up, and isn’t using proprietary components from companies like Intel or AMD. “The goal of the program is to develop these tools to provide security against hardware vulnerabilities,” says Linton Salmon, the project’s program manager at Darpa. “Our goal is to protect against remote attacks.” Other voting machines in the Village are complete, deployed products that attendees can take apart and analyze. But the Darpa machines are prototypes, currently running on virtualized versions of the hardware platforms they will eventually use. A basic user interface is currently being provided by the secure voting firm VotingWorks.

National: Mayberry v. Moscow: How Local Officials Are Preparing to Defend the 2020 Elections | AJ Vicens/Mother Jones

In early June, the Allegheny County Board of Elections held a special meeting in downtown Pittsburgh, inviting a trio of election security experts to offer advice as the county selects new voting equipment. Marian Schneider, a former Pennsylvania state elections official and the current president of Verified Voting, an election security watchdog group, gave an opening statement framing the day’s conversation in stark terms. “Twenty sixteen demonstrated what many of us have long believed…the threat to our computerized voting system was not merely theoretical, but real and persistent,” she warned, reiterating that another nation had “conducted a well-orchestrated attack on American democracy.” The members of the board solemnly listened, took copious notes, and thanked the panel for their expertise as they assessed bids offering new and more secure equipment. After the meeting, Candice Hoke, a longtime election administration and security expert who’d also been invited to speak, described the gathering as an unusual bright spot, contrasting the attention Allegheny County had devoted to the issue to many places around the country where the state of election security lags. Efforts by federal agencies to work with states and jurisdictions to improve election security are helping, Hoke says, but the bureaucrats overseeing the country’s more than 10,000 election jurisdictions are still routinely outmatched.

National: Are States Taking Cybersecurity Seriously Enough? | Katherine Barrett & Richard Greene/Governing

A spike in cyberattacks in recent months has left state and local governments reeling. Baltimore faces more than $18 million in losses following a May ransomware attack. Several Florida cities were hit in June. And Los Angeles police data was hacked in late July. A 2018 report from the National Association of State Chief Information Officers (NASCIO) found one unidentified state undergoing 300 million attacks a day — up from 150 million two years before. Cybersecurity and risk management is at the top of CIOs’ list of 10 priorities for 2019, according to an annual NASCIO survey. Rhode Island was making it the biggest priority. In 2017, it became one of only two states with a cabinet-level cybersecurity position. (The other is Idaho, according to Meredith Ward, NASCIO’s director of policy and research.) But this pioneering approach wasn’t long-lived in Rhode Island. Last month, the position was removed from the state’s 2020 budget. High-level officials in the state, including its CIO, are confident that cybersecurity will continue to be a priority, but others worry it will receive less attention.

National: Senator: Status quo on voting machine security is a ‘danger to our democracy’ | Alfred Ng/CNET

In the aftermath of the 2016 US presidential election, lawmakers have seen little change in security for voters. But if voting machine security standards don’t change by the 2020 presidential election, Sen. Ron Wyden warns, the consequences could be far worse than the cyberattacks of 2016. The Democrat from Oregon, who is a member of the Senate Intelligence committee, told the Defcon hacking conference that US voting infrastructure is failing to keep elections secure from potential cyberattacks. He made the comments in a Friday speech at the Voting Village, a special section of the Las Vegas conference dedicated to election security. “If nothing happens, the kind of interference we will see form hostile foreign actors will make 2016 look like child’s play,” Wyden said. “We’re just not prepared, not even close, to stop it.”  Election security has been a major concern for lawmakers since the 2016 election, which saw unprecedented interference by the Russians. Though no votes are believed to have been changed, the Russians targeted election systems in all 50 states, according to the Senate Intelligence Committee. Legislation to protect elections has been trudged along in Congress. Multiple members of Congress were at Defcon to discuss the issue, as well as to learn about cybersecurity policy.

National: DARPA’s $10 million voting machine couldn’t be hacked at Defcon (for the wrong reasons) | Alfred Ng/CNET

For the majority of Defcon, hackers couldn’t crack the $10 million secure voting machine prototypes that DARPA had set up at the Voting Village. But it wasn’t because of the machine’s security features that the team had been working on for four months. The reason: technical difficulties during the machines’ setup. Eager hackers couldn’t find vulnerabilities in the DARPA-funded project during the security conference in Las Vegas because a bug in the machines didn’t allow hackers to access their systems over the first two days. (DARPA is the Defense Advanced Research Projects Agency.) Galois brought five machines, and each one had difficulties during the setup, said Joe Kiniry, a principal research scientist at the government contractor.  “They seemed to have had a myriad of different kinds of problems,” the Voting Village’s co-founder Harri Hursti said. “Unfortunately, when you’re pushing the envelope on technology, these kinds of things happen.” It wasn’t until the Voting Village opened on Sunday morning that hackers could finally get a chance to look for vulnerabilities on the machine. Kiniry said his team was able to solve the problem on three of them and was working to fix the last two before Defcon ended.

National: Why blockchain-based voting could threaten democracy | Lucas Mearian/Computerworld

Public tests of blockchain-based mobile voting are growing. Even as there’s been an uptick in pilot projects, security experts warn that blockchain-based mobile voting technology is innately insecure and potentially a danger to democracy through “wholesale fraud” or “manipulation tactics.” The topic of election security has been in the spotlight recently after Congress held classified…

National: Election Systems Are Even More Vulnerable Than We Thought | Louise Matsakis/WIRED

Hacker summer camp is here again! You know what that means: WIRED is back in Las Vegas for the annual Black Hat and Defcon security conferences, where we’re digging into the latest and greatest hacks on display. First, let’s talk about iPhones. A researcher found it’s possible to break into one just by sending a text message. To help uncover similar vulnerabilities in the future, Apple is handing out new, hacker-friendly iPhones to its favorite security researchers, and paying up to $1.5 million in bug bounties. Moving on to planes. Boeing’s 787 jets might not be very secure, it turns out—Andy Greenberg talked to a security researcher who found multiple serious flaws in the code for one of the plane’s components. (The 787 is distinct from the 737 MAX plane grounded earlier this year, although a recent test flight of that jet had its ups and downs, as WIRED’s transportation desk reports.) That’s not all that’s happening in Vegas. Safecrackers can unlock an ATM in minutes without leaving a trace. Apple pay buttons can make websites less safe. Have you heard of DDOS attacks? Kindly meet their cousin, the DOS attack. Lily Hay Newman also looked at two very old bugs that have continued to persist, one in desk phones and another in a ubiquitous encryption algorithm. Lastly, check out this very cool fake hospital, where real medical devices get hacked on purpose.

National: Top DHS cyber official calls paper ballot backups necessary for 2020 election | Kevin Collier and Caroline Kelly/CNN

The top cybersecurity official at the Department of Homeland Security said Friday that backup paper ballots would be a necessary part of 2020 election security. “Ultimately when I look at 2020, the top priority for me is engaging as far and wide as possible, touching as many stakeholders as possible, and making sure we have auditability in the system,” Chris Krebs, DHS’ top cyber official, said at a DEFCON cyber conference Friday when discussing election security. “IT, key tenant, can’t audit the system, can’t look at the logs, you don’t know what happened,” he added. “Gotta get auditability, I’ll say it, gotta have a paper ballot backup.” Krebs said that he doesn’t “have all the answers” on election security, adding that “a lot of these policy suggestions are not my job to answer — Congress has a role here.” The cyber head also called for state legislatures to pick up the slack along with federal lawmakers in addressing a lack of much needed funds to update different states’ election systems. “I don’t know where, for instance, the state of New Jersey is going to get their money to update their systems,” Krebs said. “I don’t know where some of these other states that have (paperless machines) without a paper trail associated with it — I don’t know where they’re going to get the money, but they need it.”

National: Critical U.S. Election Systems Have Been Left Exposed Online Despite Official Denials | Kim Zetter/Motherboard

For years, U.S. election officials and voting machine vendors have insisted that critical election systems are never connected to the internet and therefore can’t be hacked. But a group of election security experts have found what they believe to be nearly three dozen backend election systems in 10 states connected to the internet over the last year, including some in critical swing states. These include systems in nine Wisconsin counties, in four Michigan counties, and in seven Florida counties—all states that are perennial battlegrounds in presidential elections. Some of the systems have been online for a year and possibly longer. Some of them disappeared from the internet after the researchers notified an information-sharing group for election officials last year. But at least 19 of the systems, including one in Florida’s Miami-Dade County, were still connected to the internet this week, the researchers told Motherboard. The researchers and Motherboard have been able to verify that at least some of the systems in Wisconsin, Rhode Island, and Florida are in fact election systems. The rest are still unconfirmed, but the fact that some of them appeared to quickly drop offline after the researchers reported them suggests their findings are on the mark.

National: You can easily secure America’s e-voting systems tomorrow. Use paper – Bruce Schneier | The Register

While various high-tech solutions to secure electronic voting systems are being touted this week to election officials across the United States, according to infosec guru Bruce Schneier there is only one tried-and-tested approach that should be considered: pen and paper. It’s the only way to be sure hackers and spies haven’t delved in from across the web to screw with your vote. “Paper ballots are almost 100 per cent reliable and provide a voter-verifiable paper trail,” he told your humble Reg vulture and other hacks at Black Hat in Las Vegas on Thursday. “This isn’t hard or controversial. We use then all the time in Minnesota, and you make your vote and it’s easily tabulated.” The integrity of the election process depends on three key areas: the security of the voter databases that list who can vote; the electronic ballot boxes themselves, which Schneier opined were the hardest things to hack successfully; and the computers that tabulate votes and distribute this information.

National: Here’s how the Justice Department wants to befriend ethical hackers – The Washington Post

The Justice Department’s relationship with the cybersecurity research community has historically been tempestuous, but Leonard Bailey is on a mission to improve it. That’s what brings him here, to the BSides cybersecurity conference. The head of the cybersecurity unit of DOJ’s computer crimes division is extending an open invitation today to ethical hackers to air some grievances and offer policy advice, in a talk called: “Let’s Hear from the Hackers: What Should DOJ do Next?” Bailey wants to ensure hackers are willing to work with government on improving cybersecurity — instead of staying away because they’re suspicious of government. “It’s about figuring out how to make sure that their ability to help us improve [the nation’s] cybersecurity is not taken off the playing field,” Bailey tells me. “They have a valuable resource and they can be helping everyone.” This marks a drastic change — in terms of both outreach and attitude — from previous years. Tensions have soared as ethical hackers accused DOJ of being too quick to prosecute them for benign research aimed at improving cybersecurity — and of not being transparent enough about the rules for what constitutes a digital crime.

National: The government’s relationship with ethical hackers has improved, security experts say | Joseph Marks/The Washington Post

The relationship between ethical hackers and the federal government is better now than it was in 2013, when then-National Security Agency chief Keith Alexander first spoke at the Black Hat cybersecurity conference — not long after Edward Snowden revealed the government’s sweeping surveillance programs. That’s the conclusion of 72 percent of experts who responded to an informal survey by The Cybersecurity 202 before the kickoff of this year’s conference in Las Vegas. The experts are part of the The Network, an ongoing survey of more than 100 cybersecurity experts from government, academia and the private sector. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.) When Alexander spoke in 2013, many security researchers were enraged about the newly disclosed surveillance programs, which they said ran roughshod over Americans’ privacy rights and made their jobs harder. Alexander’s defense of the programs fell especially flat, many survey respondents said, since at that time the U.S. government often failed to distinguish between ethical hackers, who tried to make the Internet safer by finding and patching computer bugs, and criminal hackers who tried to exploit those bugs to steal people’s money and information.

National: Black Hat 2019: What We Expect | Neil J. Rubenking and Max Eddy/PCMag

The annual DEF CON hacking conference started as an accident in 1993, and has been going and growing ever since. Black Hat, launched in 1997 by DEF CON founder Jeff Moss (aka Dark Tangent), is its more formal cousin. To paraphrase a welcome speech by Moss a few years ago, friends said to him, “Hey, why don’t you invite more people, charge them a lot of money, and make them wear suits?” The suits are gone, for the most part, but Black Hat gets bigger every year, with 19,000 attendees last year. Black Hat consists of two very different parts. From Saturday to Tuesday, security experts and aspiring experts pay thousands of dollars to participate in training sessions intended to hone their skills in a wide range of security tasks. The press is not invited. On Wednesday and Thursday, the conference switches to briefings, where security experts and academics from all over the world share their latest discoveries, new vulnerabilities, and cutting-edge research.

National: Def Con draws election officials to Las Vegas in effort to combat hackers | Miranda Willson/Las Vegas Sun

Ahead of the annual hacker and cybersecurity conference Def Con in Las Vegas this weekend, organizers anticipate that the part of the event devoted to election security will entice more local, state and federal election officials than ever before. Drawing tens of thousands of hackers, researchers, lawyers and others interested in cybersecurity every year to Las Vegas, Def Con has included a so-called “Voting Village” in its weekend-long programming for the past three years to address election security and how to protect elections from hacking. This is the first time that Def Con explicitly invited local and state election officials to attend, and many seem to be taking advantage of the opportunity, said Harri Hursti, co-founder of the Voting Village and founder of computer and network security company Nordic Innovation Labs. “We never intended this to be a main or big thing. It became a big thing because of popular demand,” Hursti said. Among those attending the conference are representatives from the Clark County Election Department and the Nevada Secretary of State’s Office.

National: Key House Republican demands answers on federal election security efforts | Maggie Miller/The Hill

Illinois Rep. Rodney Davis, the top Republican on the House Administration Committee, demanded answers from the Election Assistance Commission (EAC) on Monday regarding election security oversight issues. In a letter to the EAC, Davis posed a series of questions, citing the committee “Majority’s inadequate oversight of your Commission” during an EAC oversight hearing on May and the recent testimony by former special counsel Robert Mueller as key factors in sending the letter.  “I remain committed to ensuring that local election officials have every resource they need to provide for a secure election in 2020,” Davis wrote. “Effective and focused oversight over the EAC is critically important in this mission.” Questions included what steps the EAC is taking to ensure there is a plan in place to coordinate with the Department of Homeland Security in the event of a threat to election infrastructure in 2020, how the EAC is communicating its activities to the public, and details around the new Voluntary Voting Systems Guidelines 2.0, which are a national voluntary set of standards for voting systems. Davis gave the EAC until Sept. 2 to respond. A spokesperson for the EAC told The Hill the commission has “received the letter and will respond to Congress within the agreed upon deadline.”

National: Judge signals interest in removing Mueller report redactions | Darren Samuelsohn/Politico

A federal judge signaled Monday he’s considering removing the Mueller report’s redactions. During more than two hours of oral arguments in Washington, District Judge Reggie Walton appeared on several occasions to side with attorneys for BuzzFeed and the nonprofit Electronic Privacy Information Center, which are seeking to remove the black bars covering nearly 1,000 items in former special counsel Robert Mueller’s final 448-page final report. Walton didn’t issue an opinion from the bench on the case, which centers on a pair of consolidated lawsuits filed against the Justice Department under the Freedom of Information Act. But the judge, an appointee of President George W. Bush, sounded increasingly skeptical of the government’s arguments pressing him to leave the redactions untouched. “That’s what open government is about,” Walton said during one exchange, citing the resolution of a 2008 sex crimes case against financier Jeffrey Epstein as an example of how obfuscating the reasons behind not prosecuting high-profile people generates public distrust in the country’s criminal justice system.

National: Bipartisan Agreement on Election Security—And a Partisan Fight Anyway | Scott R. Anderson, Eugenia Lostri, Quinta Jurecic, Margaret Taylor/Lawfare

The good news is that national security bipartisanship in Congress lives. The bad news is that the only place it lives is in the pages of the Senate Intelligence Committee report on Russian election interference. The report, released on July 25, offers a thorough—if often redacted—assessment of Russian threats against U.S. voting infrastructure in 2016. It paints an alarming picture of the scope and scale of Russia’s efforts and an equally alarming picture of the degree of vulnerability that persists in U.S. election systems heading into the 2020 election. While it describes no evidence of vote tallies being manipulated or votes being changed, it does describe how “Russian government-affiliated cyber actors conducted an unprecedented level of activity against state election infrastructure in the run-up to the 2016 U.S. elections.” The report is a serious work and reflects a level of bipartisan cooperation that is vanishingly rare in Washington these days. The committee and its staff should be commended for that. The problem is that while both sides appear to agree on the nature of the threat, Republicans and Democrats remain sharply divided over what, if anything, to do about it. And that division became painfully apparent the very day the committee released the report.

National: Former DHS, intelligence leaders launch group to protect presidential campaigns from foreign interference | Maggie Miller/The Hill

Two former Homeland Security secretaries, along with other former top intelligence officials, launched a non-profit group on Tuesday intended to protect presidential campaigns from foreign interference, such as cyber attacks, at no cost. The new U.S. CyberDome group’s Board of Advisors will be chaired by former Department of Homeland Security (DHS) Secretary Jeh Johnson, who served under former President Obama. Other members of the board will include former DHS Secretary Michael Chertoff, who served under President George W. Bush, former CIA Director Michael Morell, former Director of National Intelligence Lt. Gen. James Clapper, and Brig. Gen. Francis Taylor, the former DHS under secretary of Intelligence and Analysis. The former leaders put together the organization due to alarm over how exposed political campaigns were to cyber interference and the lack of protection available to campaigns and voters to protect against these threats. It will work with charities and other donors to provide funding for cyber protections for presidential campaigns.

National: Voting machines run on antiquated operating systems | Grant Gross/Washington Examiner

As the presidential election nears, lawmakers and security experts are raising questions about the security of electronic voting machines used in many parts of the country. The latest concerns focus on devices running Windows 7 and other older operating systems. The Associated Press reports that the “vast majority” of the nation’s 10,000 election jurisdictions use Windows 7 or older operating systems to create ballots, program voting machines, tally votes, and report counts. … Meanwhile, some election security experts say the use of old operating systems is only one concern of many. Electronic voting machines are vulnerable to security risks, claimed Marian Schneider, president of Verified Voting, a group pushing for paper audits of electronic voting machines.

“Software can present risks,” she said. “This is a software issue.”

Electronic voting machines should undergo regular security audits, suggested Jamie Cambell, a security consultant and founder of GoBestVPN, which is a site that reviews virtual private networks. Those security audits should be open-sourced so that multiple security experts can review them, he recommended.

“There are many things that can make electronic voting machines insecure,” Cambell added. “It’s not just the machines or operating systems. It can be the way that the machines store and transmit the data.”

National: 5 big takeaways from Politico’s national survey of election offices | Eric Geller/Politico

Paperless voting machines are a glaring weakness in U.S. election infrastructure. They are dangerous, experts say, because they lack paper voting records, making them vulnerable to malfunctions or intrusions that could undetectably change votes. With top U.S. intelligence officials predicting the return of Russian hackers in 2020, cybersecurity experts have urged state and local governments to replace their paperless machines as soon as possible. Since March, POLITICO has been tracking their progress. The nationwide picture is mixed: Some states and counties are moving quickly to buy paper-based machines and others are doing nothing at all. Here are the five big takeaways from POLITICO’s nationwide survey:

1) Many counties don’t have enough money to upgrade

In hundreds of small counties, election officials can’t afford to buy new voting machines, however insecure their current systems are. Between schools, infrastructure, police, environmental protection and emergency services, counties have enough on their plate without having to worry about their voting machines.

The fact that these machines are used so infrequently is another reason they often slip down the list of counties’ spending priorities. It’s hard to justify buying new voting machines when there are overcrowded schools or crumbling hospitals. “It is a huge expense for small rural counties,” said Cheri Hawkins, the clerk in Shackelford, Texas. “I would love to be able to update!”

National: Russian Election Hacking Could Be Much Worse in 2020 | Jonathan Chait/New York Magazine

What if Trump fails to win the Electoral College in 2020? Would he refuse to accept the results of an election? The first thing to remember is that he already has. Back when Hillary Clinton was viewed as 2016’s likely victor, one widely expressed fear was that Donald Trump would not abide by the outcome, threatening the tradition of peaceful transfer of power that has survived more than two centuries. What happened instead was something nobody anticipated: Trump won — and still refused to accept the election results. He has never stopped insisting that the national vote, which his opponent carried by nearly 3 million ballots, was stolen. He has periodically charged that millions of undocumented immigrants cast votes for Clinton and that this fraud was carried out, for some reason, in California, rather than in states where it might have had some bearing on the outcome. In a recent address to the Turning Point USA Teen Summit, Trump went further. “Don’t kid yourself, those numbers in California and numerous other states, they’re rigged,” he said to applause. “You got people voting that shouldn’t be voting. They vote many times, not just twice, not just three times. They vote — it’s like a circle. They come back; they put a new hat on. They come back; they put a new shirt. And in many cases, they don’t even do that. You know what’s going on. It’s a rigged deal.”

National: EAC plans Windows 7 confab | Tim Starks/Politico

The EAC will convene state and local election supervisors, federal officials and cyber experts to discuss the ramifications of Microsoft sunsetting support for Windows 7, which is still used in many voting systems. “It is essential that the election community and the EAC have a full appreciation not only for the scope of this specific software issue, but also the issues of patching and internet connectivity more broadly,” EAC Chairwoman Christy McCormick told Sen. Ron Wyden (D-Ore.) in a July 26 letter. Wyden had asked how the EAC was handling the issue, including whether it would decertify machines running Windows 7 before the Jan. 15, 2020, sunset. McCormick didn’t answer that question but noted that decertification “has wide-reaching consequences” and that the EAC has an established policy for when to initiate it. Election Systems & Software, one of the companies still selling Windows 7-based voting systems, has submitted new technology for certification that runs on Windows 10 and Windows Server 2016, McCormick told Wyden. “The test plan has been approved by the EAC,” she wrote, “and testing is underway.” Based on the EAC’s conversations with vendors, she said, “we are confident that they are working to address” the Windows 7 issue. The vendors “are in direct contact with Microsoft,” she added, and “have received commitments from Microsoft regarding software support.” She did not say whether Microsoft had promised free updates for these products; the company plans to charge everyone else for continued Windows 7 support.

National: DARPA wants help cracking the election security problem | Kelsey D. Atherton/Fifth Domain

If election security is an engineering problem, the Defense Advanced Research Projects Agency is heading to the right place to solve it. The Pentagon’s blue skies projects agency is taking its System Security Integrated Through Hardware and Firmware (SSITH) to the 2019 DEF CON hacking conference to demonstrate its capabilities before the dark lords and apprentices of the underground community. SSITH will be on display as part of the conference’s Voting Village, where researchers will explore what can and cannot be done to interfere with voting machines and, by extension, elections. “We expect the voting booth demonstrator to provide tools, concepts and ideas that the election enterprise can use to increase security; however, our true aim is to improve security for all electronic systems. This includes election equipment, but also defense systems, commercial devices and beyond,” said Dr. Linton Salmon, the program manager leading SSITH, in a release from DARPA. DARPA sees securing faith in the literal machinery of elections as a national security issue. To prove that faith in the security systems is warranted, they have prepped the “SSITH voting system demonstrator,” with processors mounted on programmable arrays and installed in a ballot box. To get to the system, hackers can enter via either an Ethernet port or a USB port, loading software to try and get past the system’s hardware gatekeeping and security functions.

National: Experts’ Views On NSA Launching New Cyber-Security Directorate | Sophanith Song/The Organization for World Peace

The National Security Agency (NSA) has announced its intention to create “cybersecurity directorate” in order to defend against foreign cyber interference. The cyber defense arm launch date is currently set to be this fall.  According to the NSA, Anne Neuberger, who is currently the Director’s Senior Advisor, will be leading the Cybersecurity Directorate. The advisor also used to serve as NSA assistant deputy director of operations, chief risk officer and head of the NSA/US Cybercom Election Security Small Group that involved in working to prevent foreign interference with 2018 US midterm elections. The launch of this initiative was believed to be motivated by the upcoming 2020 general election. The NSA continued by stating that this approach to this cybersecurity objective will prepare the NSA in a suitable state to corporate with a key partner across the United States government such as the US Cyber Command, Department of Homeland Security and Federal Bureau of Investigation. The initiative will also prepare the NSA to easily share information with the customer with equipped security measure against malicious attacks. According to the Wall Street Journal, the NSA recently concur with a “broader fusion” of intelligence agency’s offensive and defensive portfolio.

National: Congress’ fight over election security bills | Mary Clare Jalonick/Associated Press

While House Democrats are haggling over whether to consider impeachment of President Donald Trump, Senate Democrats are focusing on a different angle in former special counsel Robert Mueller’s report — securing future elections from foreign interference. Democrats have tried to pass several election security bills in recent weeks only to have them blocked by Republicans, who say they are partisan or unnecessary. The federal government has stepped up its efforts to secure elections since Russians intervened in the 2016 presidential election, but Democrats say much more is needed, given ongoing threats from Russia and other countries. Senate Majority Leader Mitch McConnell has seethed in response to criticism over the issue, including some Democrats’ new moniker for him: “Moscow Mitch.” In an angry floor speech on Monday, he noted that Congress has already passed some bills on the subject, including ones that give money to the states to try to fix security problems. McConnell also left the door open to additional action, saying “I’m sure all of us will be open to discussing further steps.” Senate Minority Leader Chuck Schumer predicted that Democrats’ “relentless pushing” will work. “We’re forcing his hand,” Schumer said. The top Democrat on the Senate intelligence committee, Virginia Sen. Mark Warner, said Thursday that he’s “much more optimistic than even 10 days ago” that the Senate will ultimately pass something on election security. Warner said he believes that in his home state, at least, the issue “has broken through” with voters more than other aspects of Mueller’s probe. But action will have to wait until at least September, with senators having scattered from Washington for the summer recess.

National: Inside the DEF CON hacker conference’s election security-focused Voting Village | Joe Uchill/Axios

The DEF CON hacker conference’s Voting Village event has become a testing ground for our national debate over voting security, referenced by Senate reports, several congressmen and even a presidential candidate (albeit incorrectly, see below). This year’s version, happening next week, comes with some upgrades. The big picture: Now in its third year, the event is traditionally one of the only places where many security researchers get a chance to audit the security of election systems.

Background: Voting Village burst onto the scene in 2017, when it took hackers only a matter of minutes to discover serious problems with machines. That was despite it being the first time many of the hackers had seen the systems.

National: Schumer predicts McConnell will take up election security | Burgess Everett/Politico

Mitch McConnell rarely budges in the face of political pressure. But Chuck Schumer thinks election security is an exception. The Senate minority leader predicted on Thursday that the majority leader will buckle and take up federal election security, a once-bipartisan issue. But though Democrats have continued their push in the House and Senate, McConnell (R-Ky.) has thus far resisted. “I predict that the pressure will continue to mount on Republican senators, especially Leader McConnell, and they will be forced to join us and take meaningful action on election security this fall,” Schumer said. “My prediction is our relentless push is going to produce results.” Though McConnell rarely rethinks opposition to legislation, he did allow criminal justice reform legislation on the Senate floor last year that he initially declined to take up. But that pressure came from President Donald Trump, not the party trying to oust him as majority leader.