National: U.S. National Guard’s Evolving Mission Includes Assisting Local Governments Experiencing Cyber Attacks | Scott Ikeda/CPO

Cyber attacks on municipalities have been on the rise in the past year, particularly in smaller cities that have inadequate resources to deal with them. In the smallest of towns and cities, local government relies on state and federal resources to deal with remediation in the wake of a breach. For some, those resources now include the National Guard. Established at the national level in 1903, the National Guard is a reserve military force called upon for certain domestic emergencies; primarily, recovery efforts when natural disasters and major terrorist attacks occur. With cyber attacks evolving to target both the digital and physical infrastructure of towns and cities, states are now able to justify deploying the Guard to assist in supporting and protecting these vital services. As little as a few years ago, cyber defense was not even on the radar of most National Guard agencies. In the past two years, cyber brigades have begun to spring up around the country as the need for proactive defense and response to nation-state cyber attacks has become clear. Though each state has its own National Guard agency, many of these cyber brigades are responsible for covering multiple states. For example, the Army Nation Guard’s 91st Cyber Brigade is based in Virginia but is tasked with overseeing cyber response units in 30 states.

National: 3 Cybersecurity Threats Facing Campaigns in 2020 | Sean J. Miller/Campaigns & Elections

Cyber threats are a growing market this cycle. Security vendors, some free or low-cost, are stepping up to provide services for campaigns and groups to help protect themselves from hacking, which could come from a lengthening list of foreign adversaries. Still, awareness and adoption remain uneven, particularly down-ballot. Now, the industry vulnerabilities that exist aren’t just being probed by Russians. Other state actors are trying their hands at election inference, according to Matt Rhoades, co-founder of the non-profit group Defending Digital Campaigns, Inc. “We know that the Chinese play this game. But if you’re a Republican too, you know that the Iranians are now fully invested in this kind of effort, and they’re going to be targeting Republicans, especially, who have been hardcore on things like the Iranian nuclear deal,” Rhoades said last month during a panel at the George Washington University’s GSPM. “You have to look past just Putin.” The tactics that the state actors could use are established, with some new twists. Here are three threats campaigns face.

National: Despite Concerns About Election Security, ‘Vulnerabilities Abound’ | Alan Greenblatt/Governing

Ten days after he lost his re-election bid, Kentucky GOP Gov. Matt Bevin conceded the election. Bevin admitted defeat on Thursday following a recanvass of the vote, which he had requested and didn’t change the outcome. Beginning Nov. 5 — the night of the election — Bevin had complained that his narrow loss to Democrat Andy Beshear was due to irregularities. Bevin’s unsubstantiated complaints showed that there is more than one way to undermine confidence in elections. Although election officials worry about hacking into voting machines and registration rolls, they also worry that claims about potential problems make it harder for the public to accept the outcome of elections — especially if their preferred candidate has lost. “If I wanted to undermine the democratic system, all I really need to do is create doubt in the mind of whatever team loses,” said Michael Miller, a political scientist at Barnard College. “It’s very concerning that we’ve begun to focus on which team do [hackers] hurt, Republican or Democrat. It could be your team today, but it could be the other team tomorrow.”

National: Election vendors should be vetted for security risks, says watchdog group | Joseph Marks/The Washington Post

The federal government should start vetting companies that sell election systems as seriously as it does defense contractors and energy firms, a top election security group argues in a proposal out this morning. Under the proposal from New York University’s Brennan Center for Justice, government auditors would verify election companies and their suppliers are following a raft of cybersecurity best practices. They would also have to run background checks to ensure employees aren’t likely to sabotage machines to help Russia or other U.S. adversaries. The suggestion comes as Congress continues to fight over whether to tighten election security as candidates ramp up for the 2020 election. Senate Republicans, especially, have stalled further security measures, even as observers warn that the next election is ripe for hacking by foreign adversaries such as Russia, which interfered in the 2016 contest. Vendors of voting machines, however, have traditionally been exempt from close review by federal regulators. “These vendors are a critical part of securing our elections, but we haven’t really focused on them at all,” Lawrence Norden, director of Brennan’s election reform program and one of the authors, told me. “We need to understand that they’re critically important but also represent a vulnerability that there needs to be oversight for.”

National: Arming agencies for ransomware attacks in an election year | Stephen Moore/GCN

In the past few months, we have seen just how imperative it is to stop ransomware attacks. Ransomware has the power to rob state and local governments of thousands — or hundreds of thousands — of budget dollars and grind productivity to a halt. Recovery can cost tens of millions, as Atlanta and Baltimore discovered. Just two months ago, a coordinated attack hit 22 local Texas governments simultaneously, forcing many municipalities to rely on backup systems. Fortunately, none of the demanded $2.5 million ransom was paid, but that does not mean the event was without consequence. Cities and their elected officials have learned that failing to protect networks housing taxpayer data risks losing the trust of constituents. While ransomware attacks can happen at any time, an election year is an opportune time for adversaries to conduct attacks — on voter registration systems, for example. In an attempt to prevent a ransomware attack affecting upcoming elections, the Department of Homeland Security recently  announced a program to provide state election officials with guidance and support, as well as pen testing and vulnerability scanning of their voting systems. The rollout of this program, and future programs, serves as a major step in helping local governments protect their networks ahead of the 2020 elections and beyond.

National: Bipartisan bill to secure election tech advances to House floor | Maggie Miller/TheHill

The House Science, Space and Technology Committee on Thursday unanimously approved legislation intended to secure voting technology against cyberattacks. The Election Technology Research Act would authorize the National Institute of Standards and Technology and the National Science Foundation to conduct research on ways to secure voting technology. The legislation would also establish a Center of Excellence in Election Systems that would test the security and accessibility of voting machines and research methods to certify voting system technology. The bill is sponsored by Reps. Anthony Gonzalez (R-Ohio) and Mikie Sherrill (D-N.J.), along with committee Chairwoman Eddie Bernice Johnson (D-Texas) and ranking member Frank Lucas (R-Okla.). All four sponsors enthusiastically praised the bill during the committee markup on Thursday, with Johnson saying that “transparent, fair, and secure elections are the bedrock of our democracy,” and that attacks in 2016 on online voter registration databases “have increased Americans’ concerns about the integrity of our elections.”

National: Election Assistance Commission Needs More Authority In Face of 2020 Threats, Report Finds | Courtney Bublé/Government Executive

With less than a year until the 2020 presidential election, a new report calls on Congress to bolster the authority of the agency that serves as the nation’s elections clearinghouse and devote more funding and resources to it. The Brennan Center for Justice, a nonpartisan law and public policy institute, released a report on Tuesday that proposes a new framework for protecting election systems. Its recommendations focus on the oversight and internal operations of the Election Assistance Commission, the understaffed and underfunded federal agency responsible for promoting election administration best practices and voting machine security standards. “The federal government regulates colored pencils, which are subject to mandatory standards promulgated by the Consumer Product Safety Commission, more strictly than it does America’s election infrastructure,” said the report. Although the Homeland Security Department designated election systems as critical infrastructure in 2017 following revelations of Russian interference in the 2016 presidential election, election systems don’t receive the same type of oversight as other sectors with the critical infrastructure classification.  “While voting systems are subject to some functional requirements under a voluntary federal testing and certification regime, the vendors themselves are largely free from federal oversight,” the report said. “Under our proposal, the EAC would extend its existing certification regime from voting systems to include all vendors that manufacture or service key parts of the nation’s election infrastructure.”

National: State, local elections officials agree no ‘one-size-fits-all-approach’ exists for cybersecurity | Jory Heckman/Federal News Network

Less than a year out from the 2020 election, state and local election security personnel are gearing up to defend against cyber threats. But while these officials work directly with the Department of Homeland Security to protect this critical infrastructure, in many cases they face limited resources on a scale not seen in the federal government. More than 40 states have a secretary of state that serves as the chief election official, but in Wisconsin, an administrator is appointed by a bipartisan commission to serve in that role. Meagan Wolfe, the administrator of the Wisconsin Elections Commission, said Wisconsin is the most decentralized election administration system in the country. The state runs elections at the municipal level, whereas most other states run elections at the county level. However, resources for these offices can run thin and two-thirds of Wisconsin’s election officials work part-time. “A lot of them don’t have any type of IT support at the local level, which is very different than some of the county-based systems. The clerk might be the sole employee of that jurisdiction,” Wolfe said at the Cybersecurity Coalition’s CyberNext D.C. conference.

National: Expensive, Glitchy Voting Machines Expose 2020 Hacking Risks | Kartikay Mehrotra and Margaret Newkirk/Bloomberg

The first sign something was wrong with Northampton County, Pennsylvania’s state-of-the-art voting system came on Election Day when a voter called the local Democratic Party chairman to say a touchscreen in her precinct was acting “finicky.” As she scrolled down the ballot, the tick-marks next to candidates she’d selected kept disappearing. Her experience Nov. 5 was no isolated glitch. Over the course of the day, the new election machinery, bought over the objections of cybersecurity experts, continued to malfunction. Built by Election Systems & Software, the ExpressVote XL was designed to marry touchscreen technology with a paper-trail for post-election audits. Instead, it created such chaos that poll workers had to crack open the machines, remove the ballot records and use scanners summoned from across state lines to conduct a recount that lasted until 5 a.m. In one case, it turned out a candidate that the XL showed getting just 15 votes had won by about 1,000. Neither Northampton nor ES&S know what went wrong. Digital voting machines were promoted in the wake of a similarly chaotic scene 19 years ago: the infamous punch-card ballots and hanging chads of south Florida that tossed the presidential contest between George W. Bush and Al Gore into uncertainty.

National: Voatz smartphone voting app needs security review, senator says | Ben Popken/NBC

A smartphone voting app that has been tested in local elections around the United States should undergo a cybersecurity review, Sen. Ron Wyden, D-Ore., said Friday. In a letter sent to Defense Secretary Mark Esper, Wyden requested the review of the Voatz voting app, which has been used in elections in Colorado, Oregon and Utah as a way to make it easier for military and overseas voters to cast their ballots. According to the developer, the app combines “mobile voting” and blockchain technology to create a secure way for people to vote without having to visit a voting booth. But Wyden wrote that he is “very concerned about the significant security risks associated with voting over the internet.” He cited the National Academy of Sciences, which recommended in 2018 that no internet voting be used until much stricter security measures can be put into place. “No known technology guarantees the secrecy, security and verifiability of a marked ballot transmitted over the Internet,” the academy authors wrote. Wyden also wrote that Voatz has said it has conducted independent audits but hasn’t published the results or identified the auditors. The FBI is currently investigating an attempt to hack the Voatz app.

National: Targets of foreign election interference may get a call from US intel officials | Kevin Collier and Zachary Cohen/CNN

The US government has set up a new process to alert targets of foreign election interference in an attempt to be more transparent and counter ongoing efforts by Russia and other adversaries to influence the American political process. The FBI, Department of Homeland Security, Department of Justice and relevant intelligence agencies announced Friday that the government will notify relevant members of Congress, state and local officials, private sector and the public of foreign interference “where necessary to protect national security and the integrity of our elections,” beyond existing laws and policies. Most intelligence concerning threats to election security is initially classified, making it difficult to quickly release to the public. When Russian intelligence conducted its election interference campaign in the leadup to the 2016 election, the FBI and DHS had difficulty conveying information about some cyber threats to county and state election officials who didn’t have security clearance.

National: Swing state election websites aren’t secure against Russian hacking, McAfee says | Joseph Marks/The Washington Post

County election websites in two battleground states are highly vulnerable to hacking by Russia or another adversary that might seek to disrupt the 2020 vote by misleading voters about polling locations or spreading other false information. About 55 percent of county election websites in Wisconsin and about 45 percent in Michigan, both states that President Trump flipped from Democratic to Republican in 2016 lack a key and fairly standard security protection, according to data provided exclusively to me by the cybersecurity firm McAfee. Without this protection, called HTTPS, it’s far easier for an adversary to hijack those sites to deliver false information, divert voters to phony sites that mimic the real ones or steal voters’ information, per McAfee. (You can often tell if a site has HTTPS protection if there’s a small lock icon to the left of a Web address.) The repercussions could be huge if Russia or another country decided to manipulate sites in key counties to send voters to the wrong polling places or at the wrong times. They could even flood people seeking voting information with malicious software so they spend much of Election Day getting their phones and laptops fixed and have less time to actually go vote. In states with incredibly tight margins of victory in the last presidential election, a hacker who prevented just a few thousand people from voting in one of them in 2020 could swing an election or create broad doubt about the results.

National: Spy, law enforcement agencies step up U.S. election security measures | Mark Hosenball/Reuters

U.S. spy and law enforcement agencies on Friday said they had strengthened procedures for informing Congress, state and local governments, private business and the public about foreign interference in U.S. elections. The FBI has already given some American election candidates “defensive” briefings on evidence U.S. agencies collected of possible election interference, an FBI official told a briefing for journalists. The official, who spoke on condition of anonymity, declined to give further details regarding who might have been warned about the interference or where and how such interference might have originated. An official, also speaking on condition of anonymity, said that U.S. agencies believe that Russia, China and Iran all present continuing potential threats to the U.S. electoral system. However, officials stressed that U.S. agencies had not seen direct threats to American election systems recently. An FBI official added that the bureau has “invested a lot of time” in trying to help social media companies detect inauthentic politically related message traffic, and shares information on this with social media companies.

National: As 2020 US presidential election nears, voter systems are still vulnerable | Lydia Emmanouilidou/Public Radio International

With just a little more than a year to go before the 2020 US presidential election, security experts and lawmakers say progress has been made to guard against foreign interference. But they warn the country’s election infrastructure could be vulnerable to the types of hacking operations that took place in the lead-up to the 2016 election. One such attack was directed at the Illinois State Board of Elections, an agency that oversees and facilitates parts of election processes in the state, including a statewide voter registration system. “One of our IT people noticed that our [voter registration] system was running extremely slowly,” said Matt Dietrich, a spokesperson for the agency. “It had practically shut down.” The IT member inspected the system, and discovered that an intruder had exploited a vulnerability on the board’s online voter application, broken into the statewide voter registration database and gained access to voter information, including names, addresses and drivers’ license numbers. “It was terrifying. … We took the entire system down,” Dietrich said.

National: Every State Was Given Funding to Increase Election Security. Here’s How They Spent It | Nicole Goodkind/Fortune

The U.S. is less than a year out from one of the most consequential elections of the century, which President Donald Trump’s Department of Homeland Security has called “the big game” for foreign adversaries looking to attack and undermine the Democratic process. Congress, meanwhile, is locked in a stalemate about how to secure systems in the country’s 8,000 largely disjointed voting jurisdictions. Tuesday marks the last test of security preparedness before the 2020 elections, as certain statewide polls take place around the country. The Department of Homeland Security is gearing up “war rooms” to monitor for potential interference and test voting infrastructure, but with sluggish movement at a federal level there is little they’ll be able to do to correct any issues within the next 12 months. There is, however, one beacon of hope: 2002’s Help America Vote Act (HAVA)—a block grant issued to states to bolster election security following the Bush v. Gore hanging chad debacle some 19 years ago. In 2018, Congress used the Omnibus Appropriations Act to pad HAVA with an extra $380 million to be divided up amongst the states in proportion to their voting age population. The idea was that they spend it to prepare for the 2020 elections, and Democrats and Republicans are likely to approve at least another $250 million through the act this year.

National: Retirements pose threat to cybersecurity expertise in Congress | Maggie Miller/The Hill

Rep. Pete King’s (R-N.Y.) planned retirement after the 2020 elections is the latest in a string of House departures that look likely to deal a blow to Republican cybersecurity expertise on Capitol Hill. King said on Monday he would not seek reelection after 14 terms in the House, including serving previously as chairman of the House Homeland Security Committee and as a member of the House Intelligence Committee. Those two panels have a focus on cyber issues, such as election security and other cyber threats from foreign countries, and the departure of a longtime member such as King could make it more difficult for Congress to address growing cyber threats in the future. His resignation comes on the heels of announcements by almost two dozen other House Republicans that they will not run for reelection, with several of these members having become key players in the cybersecurity debate on Capitol Hill, including Rep. Will Hurd (R-Texas). Cybersecurity is listed as an area of interest by King on his congressional website, with the lawmaker writing, “As the only senior member of Congress serving on the two Committees with the largest cybersecurity oversight mission, I have made it my goal to ensure we are building an effective cybersecurity program across the federal government.”

National: I study blockchain. It’s not ready to use in our elections | Nir Kshetri/Fast Company

A developing technology called blockchain has gotten attention from election officials, startups, and even Democratic presidential candidate Andrew Yang as a potential way to boost voter turnout and public trust in election results. I study blockchain technology and its potential use in fighting fraud, strengthening cybersecurity, and securing voting. I see promising signs that blockchain-based voting could make it more convenient for people to vote, thereby boosting voter turnout. And blockchain systems can be effective at strengthening the security of devices, networks, and critical systems such as electricity grids, as well as protecting personal privacy. The few small-scale tests run so far have identified problems and vulnerabilities in the digital systems and government administrative procedures that must be resolved before blockchain-based voting can be considered safe and trustworthy. Therefore I don’t see clear evidence that it can prevent, or even detect, election fraud.

National: Election security drill pits red-team hackers against DHS, FBI and police | Sean Lyngaas/CyberScoop

A year from the 2020 election, sophisticated exercises to help secure the vote are kicking into high gear. On Tuesday, executives from the Boston-based firm Cybereason will conduct a tabletop exercise testing the resolve of officials from the Department of Homeland Security, FBI, and the police department of Arlington County, Virginia, among other organizations. The fictional scenario will involve attackers from an unnamed foreign adversary laying siege to a key city in a U.S. swing state. Hacking, physical attacks and disinformation via social media will be on the table as the attackers seek to flip the vote to their preferred candidate — or sow enough doubt among voters to undermine the result. One of the objectives of the red team — technical specialists from Cybereason and other private organizations — is voter suppression. That is exactly what Russian operatives aimed to achieve in 2016 and what, according to U.S. officials, they could strive for again in 2020. What participants learn from Tuesday’s event can be worked into future election-security drills, which will only grow more frequent as the 2020 vote approaches.

National: Internet Voting Is Becoming A Reality In Some States, Despite Cyber Fears | Miles Parks/NPR

For decades, the cybersecurity community has had a consistent message: Mixing the Internet and voting is a horrendous idea. “I believe that’s about the worst thing you can do in terms of election security in America, short of putting American ballot boxes on a Moscow street,” howled Sen. Ron Wyden, D-Ore., on the Senate floor this year. And yet, just a few years removed from Russia’s attack on democracy in the 2016 presidential election, and at a time of increased fear about election security, pockets of the U.S. are doing just that: experimenting with Internet voting as a means to increase turnout. Some experts are terrified. Others see the projects as necessary growth in an American voting system they call woefully stuck in a previous century. The number of people expected to vote this way in 2020 is still minuscule. But the company administering the system and advocates pushing for its use are open about wanting to fundamentally change the way Americans cast their ballots over the coming decade. The U.S. does not have a federalized election infrastructure. That means states and localities have the freedom to oversee voting how they see fit, with little oversight from the federal government. In some cases, that can lead to contradictory trends: At the same time some states implement same-day voter registration, others add more burdensome photo ID requirements. Voting technology is no different.

National: Cyber firm sows chaos in election hack simulation | Derek B. Johnson/FCW

The fictional City of Adversaria was ground zero for an Election Day security training exercise pitting law enforcement officials attempting to maintain order during an election against “K-OS,” a mysterious cyber group aiming to disrupt and undermine voter confidence. The simulated battle was part of Operation Blackout, a tabletop exercise hosted by Cybereason Nov. 5 to test how federal officials might react to a dedicated attack on election day. The company invited officials from real federal agencies like FBI and the Department of Homeland Security to sit in on both the “Blue” team representing law enforcement and “Red” team representing K-OS, to learn how to better protect election infrastructure. Ari Schwartz, former senior director of cybersecurity at the National Security Council under President Barack Obama, helped adjudicate the exercise and told FCW afterwards that in a real election, much of the planning by defenders would be gamed out in the weeks and months leading up to election day, but that unforeseen attack vectors are always out there and can throw a wrench into the gears of the best laid plans.

National: Administration officials say election security is a ‘top priority’ ahead of 2020 | Tal Axelrod/The Hill

Several administration officials Tuesday released a joint statement assuring the public that they are prioritizing election security less than a year away from the 2020 presidential race. Attorney General William Barr, Secretary of Defense Mark Esper, outgoing acting Secretary of Homeland Security Kevin McAleenan, acting director of national intelligence Joseph Maguire, FBI Director Christopher Wray and others said they have increased the level of federal support to state and local election officials and are prioritizing the sharing of threat intelligence to improve election security. “In an unprecedented level of coordination, the U.S. government is working with all 50 states and U.S. territories, local officials, and private sector partners to identify threats, broadly share information, and protect the democratic process. We remain firm in our commitment to quickly share timely and actionable information, provide support and services, and to defend against any threats to our democracy,” they said in a joint statement.

National: Feds and police are war-gaming all the ways an election can be hacked | Joseph Marks/The Washington Post

As voters head to the polls today in Virginia’s odd-year contest, federal officials and local police are war-gaming how adversaries could disrupt next year’s contest without hacking any election systems at all. Officials from the FBI, Department of Homeland Security and U.S. Secret Service are working with cops in Arlington to game out how to respond if hackers from Russia or elsewhere in 2020 disrupt electricity at polling places, shut down streetlights, or hijack radio and TV stations to suppress voter turnout and raise doubts about election results. They’ll also test how to respond if adversaries launch social media campaigns to incite fights at polling places — or to spread rumors about riots or violence that deter people from going out to vote. Cybersecurity experts and academics will play the mock hackers, lobbing new challenges at officials throughout the day. The exercise underscores how hackers could destroy public faith in an election’s outcome without changing any votes. And that’s particularly concerning because many of these potential targets are far more vulnerable than voting machines. “If you can prevent people from getting to the polls … if you can effectively disenfranchise certain segments of the population, that’s far more disruptive to the republic than taking out a few voting machines,” Sam Curry, chief security officer at Cybereason, the company organizing the war game, told me.

National: Smartphone Voting Could Expand Accessibility, But Election Experts Raise Security Concerns | Abigail Abrams/Time

ome voters with disabilities will be able to cast their ballots on smart phones using blockchain technology for the first time in a U.S. election on Tuesday. But while election officials and mobile voting advocates say the technology has the potential to increase access to the ballot box, election technology experts are raising serious security concerns about the idea. The mobile voting system, a collaboration between Boston-based tech company Voatz, nonprofit Tusk Philanthropies and the National Cybersecurity Center, has previously been used for some military and overseas voters during test pilots in West Virginia, Denver and Utah County, Utah. Now, Utah County is expanding its program to include voters with disabilities in its municipal general election as well. Two Oregon counties, Jackson and Umatilla, will also pilot the system for military and overseas voters on Tuesday. The idea, according to Bradley Tusk, the startup consultant and philanthropist who is funding the pilots, is to increase voter turnout. “We can’t take on every interest group in Washington around the country and beat them, but I think what we can do is let the genie out of the bottle,” he says.

National: Cyber officials tout reforms with one year to Election Day | Maggie Miller/The Hill

Officials and cyber experts are expressing confidence in reforms made to prevent a repeat of election hacking and foreign interference one year ahead of their biggest test yet, Election Day 2020, even as they remain vigilant. This optimism comes even as lawmakers remain sharply divided along party lines on how to address election security concerns. Sen. Ron Johnson (R-Wis.), the chairman of the Senate Homeland Security and Governmental Affairs Committee, told reporters on Thursday that he believes “great strides” have been made since 2016 by the Department of Homeland Security (DHS) and election officials. “It’s a serious issue, and one we take seriously, but when I take a look at all the threats facing this nation, it really is on the lower end of my priority list in terms of what I’m overly concerned about because it’s being addressed I think pretty effectively,” Johnson said. Democratic House Homeland Security Committee Chairman Bennie Thompson (Miss.), though, warned this week that “in just over a year, voters in many states across the country will vote for president in 2020 on machines that are old, have no paper trail, and are vulnerable to manipulation.”

National: A Plan to Crowdsource Voting Machines’ Security Problems | Andrea Noble/Defense One

A northern Virginia infrastructure-threat clearinghouse is trying to build a system to help voting-system manufacturers learn about problems with their machines. Fueled by monetary rewards and curiosity, hackers have helped companies discover and fix security vulnerabilities in a variety of technology and software applications. But one year out from the 2020 presidential election, can they do more to help secure voting systems? Technology researchers hope so. The Information Technology-Information Sharing and Analysis Center, or IT-ISAC, is evaluating the feasibility of creating a coordinated vulnerability disclosure, or CVD, program that could alert voting system companies about weaknesses. The first step in establishing a CVD program requires voting vendors to have a system in place for receiving information about discovered vulnerabilities and acting on that information—procedures several vendors have already begun to implement, said Scott Algeier, the executive director of IT-ISAC, a non-profit that serves as a clearinghouse for information on cyber threats to critical infrastructure.

National: How the threat of hacking looms over the 2020 election | Ellen Daniel/Verdict

With the UK bracing for a general election and campaigning ahead of the US 2020 presidential election now in full swing, the threat of election hacking is once more a key topic of conversation. The now infamous Democratic National Committee cyber attacks, in which hackers with ties to Russia breached the DNC network via a phishing attack, exemplified how easily democratic infrastructure can be affected by outside interference. However, four years later, the cybersecurity community is still calling for greater efforts to combat the issue. Verdict spoke to Kevin Bocek, VP of security strategy & threat intelligence at cybersecurity firm Venafi to discover the motivations behind election hacking and whether the threat can ever be fully removed. Despite the publication of the Mueller report earlier this year, and the conclusion that Russia “interfered in the 2016 presidential election in sweeping and systematic fashion”, the implications for the Western democratic system are yet to be fully addressed.

National: John Oliver on exploitable voting machines: ‘We must fix this’ | Adrian Horton/The Guardian

On Last Week Tonight, John Oliver focused on voting – a staple of American democracy and, among other things, “the only way to get Sean Spicer off of Dancing with the Stars”. Before Americans vote this Tuesday – yes, Oliver reminded, there are elections this Tuesday – it’s worth asking: “How much do you trust the system that counts your ballots?” It’s not unreasonable to have some questions about election security, Oliver continued. We now know that in 2016, Russian hackers targeted election systems in all 50 states. In that case, they targeted voter registration data; as for the machines, officials have promised that they’re secure, but a Senate report on the 2016 election infrastructure found that some were “vulnerable to exploitation by a committed adversary”. Oliver offered some context: there’s not one election system in use across the US. Some states use paper ballots, others have a print-out ballot, still others use all-electronic systems. Those electronic machines were introduced after the contested 2000 presidential election, in which the race between George W Bush and Al Gore came down to 1,000 votes in a Florida recount cast on push-pin ballots.

National: New federal guidelines could ban internet in voting machines | Eric Geller/Politico

A long-awaited update to federal voting technology standards could ban voting machines from connecting to the internet or using any wireless technology such as Wi-Fi or Bluetooth. A new draft of version 2.0 of the Voluntary Voting System Guidelines says that voting machines and ballot scanners “must not be capable of establishing wireless connections,” “establishing a connection to an external network” or “connecting to any device that is capable of establishing a connection to an external network.” If they survive a review process, the new rules would represent a landmark development in voting technology oversight, eliminating one of cybersecurity experts’ top concerns about voting machines by plugging holes that skilled hackers could exploit to tamper with the democratic process. The wireless and internet bans are included in the latest draft of the “system integrity” section of the VVSG update. A working group focused on the VVSG’s cybersecurity elements reviewed the document during an Oct. 29 teleconference.

National: Almost 100 former officials, members of Congress urge Senate action on election security | Maggie Miller/The Hill

A group of nearly 100 former members of Congress, Cabinet officials, ambassadors and other officials is urging Congress to take action to secure U.S. elections, citing “severe threats to our national security” if certain steps are not taken. The officials, all of whom are members of nonprofit political action group Issue One’s “ReFormer’s Caucus,” sent a letter to the Senate on Thursday urging members to support various bills designed to bolster election security. “Foreign interference in American elections is a national security emergency,” the group wrote. “We are alarmed at the lack of meaningful Congressional action to secure our elections. The United States cannot afford to sit by as our adversaries exploit our vulnerabilities. Congress — especially the Senate — must enact a robust and bipartisan set of policies now.” Specifically, the officials advocated for the passage of five bipartisan bills, including the Honest Ads Act, a bill meant to increase the transparency surrounding online political ads, and the Defending Elections from Threats by Establishing Redlines (DETER) Act, which would impose sanctions on countries that interfere in U.S. elections. The officials also urged the Senate to pass legislation aimed at increasing the cybersecurity of voting infrastructure and cracking down on foreign donations to U.S. elections.

National: Voting machines still easy prey for determined hackers | Derek B. Johnson/FCW

Security researchers showed lawmakers and reporters how easy it is to compromise voting machines in what has become an annual event at the U.S. Capitol. The Washington, D.C., version of the Voting Village event at the DefCon security conference in Las Vegas gives policymakers a hands-on glimpse of the technology that powers U.S. democracy. This year’s report is consistent with prior exercises: virtually every machine experts can get their hands on can be easily exploited in a number of different ways. What has changed in recent years, said Voting Village Co-founder Harri Hursti, is that the community of security researchers with first-hand experience working with these machines has grown from less than a dozen to thousands. Even though the annual event has been held for several years, fresh researchers have discovered of new vulnerabilities and attack vectors. “In this area, it’s always mind-blowing how these machines keep giving,” Hursti told FCW.