National: DHS, FBI say election systems in all 50 states were targeted in 2016 | Ars Technica

A joint intelligence bulletin (JIB) has been issued by the Department of Homeland Security and Federal Bureau of Investigation to state and local authorities regarding Russian hacking activities during the 2016 presidential election. While the bulletin contains no new technical information, it is the first official report to confirm that the Russian reconnaissance and hacking efforts in advance of the election went well beyond the 21 states confirmed in previous reports. As reported by the intelligence newsletter OODA Loop, the JIB stated that, while the FBI and DHS “previously observed suspicious or malicious cyber activity against government networks in 21 states that we assessed was a Russian campaign seeking vulnerabilities and access to election infrastructure,” new information obtained by the agencies “indicates that Russian government cyber actors engaged in research on—as well as direct visits to—election websites and networks in the majority of US states.” While not providing specific details, the bulletin continued, “The FBI and DHS assess that Russian government cyber actors probably conducted research and reconnaissance against all US states’ election networks leading up to the 2016 Presidential elections.” DHS-FBI JIBs are unclassified documents, but they’re usually marked “FOUO” (for official use only) and are shared through the DHS’ state and major metropolitan Fusion Centers with state and local authorities. The details within the report are mostly well-known. “The information contained in this bulletin is consistent with what we have said publicly and what we have briefed to election officials on multiple occasions,” a DHS spokesperson told Ars. “We assume the Russian government researched and in some cases targeted election infrastructure in all 50 states in an attempt to sow discord and influence the 2016 election.”

National: Election machine vendors back legislation requiring post-election audits, vulnerability disclosure | InsideCyberSecurity

Two major election machine vendors stated their support for requiring post-election audits to ensure the validity of election results in the case of a cyber attack or other tampering, in response to questions recently posed by senior Senate Democrats. Sens. Amy Klobuchar (D-MN), Gary Peters (D-MI), Jack Reed (D-RI), and Mark Warner (D-VA) sent letters last month to the three largest election machine vendors asking whether the companies would support legislation around post-election audits and what cyber controls are in place to secure the vote. In its response submitted on Tuesday, Hart InterCivic wrote that “robust post-election audits are the most compelling response” to threats posed by outdated technology. “Auditing is the most transparent and effective means to demonstrate that election outcomes accurately reflect the intention of voters,” Hart wrote. “Hart unequivocally supports state efforts to strengthen auditing procedures.” Tom Burt, the president and CEO of Election Systems and Software, also supported the idea of legislation around post-election audits, writing that the company “strongly supports legislation that would expand the use of routine post-election audits. ES&S believes that successful post-election audits, including risk-limiting audits such as those which have recently occurred in several jurisdictions, will increase confidence in our country’s election process.”

National: Cybersecurity Campaign Aid Delayed by Corporate Money Fears | Bloomberg

The Federal Election Commission delayed a vote on a plan to provide free cybersecurity assistance for campaigns, with the panel’s chairwoman voicing concerns it could open the door to corporate money in campaigns. Ellen Weintraub said she supported the goal of cybersecurity but questioned whether the proposal could grant broad leeway for providing aid to campaigns outside the limits and restrictions of campaign finance law, including a longstanding ban on corporate contributions to candidates. “We do not want to inadvertently blow a hole in the corporate contribution ban,” the Democratic chairwoman said at a commission meeting today. The nonprofit watchdog Campaign Legal Center, which had voiced similar concern about the initial proposal, has signed off on a compromise that includes language emphasizing the aid is tied to the imminent threat of illegal foreign interference in elections. The commission may take up the issue again at its scheduled April 25 meeting.

National: After Arrest of Julian Assange, the Russian Mysteries Remain | The New York Times

In June 2016, five months before the American presidential election, Julian Assange made a bold prediction during a little-noticed interview with a British television show. “WikiLeaks has a very big year ahead,” he said, just seconds after announcing that the website he founded would soon be publishing a cache of emails related to Hillary Clinton. He was right. But an indictment unsealed on Thursday charging Mr. Assange with conspiring to hack into a Pentagon computer in 2010 makes no mention of the central role that WikiLeaks played in the Russian campaign to undermine Mrs. Clinton’s presidential chances and help elect President Trump. It remains unclear whether the arrest of Mr. Assange will be a key to unlocking any of the lingering mysteries surrounding the Russians, the Trump campaign and the plot to hack an election. The Justice Department spent years examining whether Mr. Assange was working directly with the Russian government, but legal experts point out that what is known about his activities in 2016 — including publishing stolen emails — is not criminal, and therefore it would be difficult to bring charges against him related to the Russian interference campaign. Numerous significant questions are left unanswered, including what, if anything, Mr. Assange knew about the identity of Guccifer 2.0, a mysterious hacker who American intelligence and law enforcement officials have identified as a front for Russian military intelligence operatives.

National: Comey Says Trump’s Silence Invites Another Russia Election Hack | Bloomberg

Former FBI Director James Comey said the U.S. remains unprepared for another attack on its elections and faulted the attorney general for suggesting that the government was “spying” on Donald Trump’s presidential campaign in 2016. Echoing the findings of U.S. intelligence agencies, Comey said Russia intervened in the 2016 election to damage American democracy, undermine Democratic nominee Hillary Clinton and bolster Trump. Russian officials have denied the accusations. But Comey said Trump’s “denial of a fundamental attack” on the U.S. means “we’re inviting it to happen again with our president’s silence.” The former FBI leader also said he was concerned by Attorney General William Barr’s comments on Wednesday that he’s starting his own inquiry into counterintelligence decisions that may have amounted to political espionage, including actions taken during the Russia probe in 2016. “I really don’t know what he’s talking about when he talks about spying on the campaign,” Comey said. “The FBI and Department of Justice conduct court-ordered surveillance. If the attorney general has come to the belief that that should be called spying, wow, that’s going to inspire a whole lot of conversations in the Department of Justice.”

National: Divided Congress can’t agree on fix for ‘dangerous’ Russian election meddling | McClatchy

Despite clear and compelling evidence of a Russian plot to disrupt the 2016 presidential election, partisanship has all but killed any chance that Congress will pass legislation to shore up election security before voters cast their ballots next year. Republicans and Democrats in Congress largely agree with Special Counsel Robert Mueller’s finding that Russia tried to meddle in U.S. democracy — and that foreign interference remains a serious threat. “Russia’s ongoing efforts to interfere with our democracy are dangerous and disturbing,” said Senate Majority Leader Mitch McConnell, R-Kentucky, after Mueller finalized his investigation last month. But McConnell has made it clear that he’s unlikely to allow the Senate to vote on any election-related legislation for the foreseeable future. Republican Sen. Roy Blunt of Missouri, who chairs the Senate Rules Committee that has jurisdiction over election security legislation, blames House Democrats for McConnell’s hardline stance. Blunt said Democrats overreached in January when they passed H.R. 1, a sweeping measure focused on voting rights, campaign finance, and government ethics.

National: Registered to vote? Your state may be posting personal information about you online. | The Washington Post

Americans routinely hemorrhage personally identifiable information (PII) across social media and other websites. On almost a weekly basis, PII bleeds out in dramatic breaches like the recent one at Toyota that exposed 3.1 million customers or another at Georgia Tech in which an “unknown outside entity” illegally accessed data for more than 1 million students, faculty members and alumni. Some 26 million Americans were victims of identity theft in 2016, according to the Bureau of Justice Statistics. One way thieves, scammers and psychopaths perform reconnaissance on their victims is to find them via Google or social media. A fair start — but information on the Internet is often inaccurate. If I were a malicious actor looking for a victim’s PII, I’d begin where the data is government-certified. Tax records and housing data are PII treasure troves but not all records are digitized. Political contributions can be valuable — if a person gave money to a candidate over a certain amount. Yet, an exposed area still exists. States hold important personal records of American voters through their secretary of state (SOS) websites. In most states, some or all of this information is accessible to anyone with an Internet connection. I have an Internet connection. And until recently, I ran the open source intelligence division at a cybersecurity firm. So, I tried to access all 50 states’ (and the District’s) online voter registration systems. In the process, I was able to obtain personal information about the citizens of 40 different states, from Alaska to Arkansas, West Virginia to Wisconsin, New Mexico to North Carolina. In some states, that PII included personal addresses, historic voter data and race.

National: Cybersecurity toolkits ahead for elections and media people | Politico

The founder of Craigslist and the Global Cyber Alliance are teaming up to provide free cyber defense toolkits to election officials, nonprofit election rights groups and the media modeled after the ones GCA recently pioneered for small businesses. Craig Newmark Philanthropies is offering GCA more than $1 million for the project, and GCA is netting $1.5 million from other sources, the groups are announcing today. “Elections bodies and the media are facing increasingly sophisticated cyberattacks that can impair the exercise of democracy and affect election results, and they are not prepared to deal with the threat,” Phil Reitinger, president and CEO of the GCA, told MC. The idea is to assemble a set of immediately available resources, rather than just advice. “I’ve been lucky enough to do well and put my money where my mouth is and help protect the people who protect our country,” Newmark told MC.

National: Nielsen Firing Leaves Cybersecurity Concerns Without a Champion | Bloomberg

The abrupt ouster of Homeland Security Secretary Kirstjen Nielsen could be a blow to the department’s efforts to bolster America’s defenses against growing cybersecurity threats, former officials from the department, advocates and lobbyists say. “The worst-case scenario is that our adversaries use this moment of leadership transition, and use it as a Trojan Horse to launch some sort of attack,” Caitlin Durkovich, former DHS assistant secretary for infrastructure protection for the Obama administration, said in an interview. “Who’s to say that the new acting secretary’s priorities aren’t different and that there will be the same emphasis on cyber when there’s such an emphasis on immigration?” said Durkovich, who now works with risk advisory firm Toffler Associates. Nielsen may be most remembered as the face of President Donald Trump’s most hard-line immigration policies. But over her 16-month tenure, cyber specialists and federal officials have applauded her relentless championing of cybersecurity priorities. She frequently warned that increasing threats of hijacking critical infrastructure—from the electric grid to voting machines—were a greater threat to America’s security than terrorism.

National: ‘We can’t confirm him,’ Pat Roberts warns of potential Kobach nomination for DHS | The Kansas City Star

One of the GOP senators from Kris Kobach’s home state said Tuesday that the Senate would not be able to confirm the Kansas Republican if President Donald Trump taps him for a cabinet post. Kobach, the former Kansas secretary of state, has been mentioned as a potential candidate for an array of immigration-related positions since President Donald Trump pulled his nominee for the director of Immigration Customs Enforcement and announced the departure of Secretary of Homeland Security Kirstjen Nielsen. But Sen. Pat Roberts, R-Kansas, said he doesn’t believe the Republican-controlled Senate could confirm his fellow Kansan, who has gained national notoriety for championing stronger restrictions on immigration. “Don’t go there. We can’t confirm him,” Roberts whispered to The Kansas City Star when asked about Kobach Tuesday on his way into a Senate vote. “I never said that to you,” Roberts added, despite the fact that another reporter was present and The Star had not agreed to an off record conversation.

National: Lack of security clearances hampers federal Election Assistance Commission | Politico

Only half the members of a federal commission advising states on election threats have security clearances, raising questions about whether it can effectively help local and state officials defend against adversaries such as Russian hackers. And no members of the four-person Election Assistance Commission had clearances during the past two election cycles, including the period when Kremlin-linked hackers are suspected of mounting a range of cyberattacks against state election offices, the Democratic Party and Hillary Clinton’s campaign in 2016. The delay in issuing security clearances for commission members is part of a massive backlog of application approvals throughout the entire federal government. But it’s a particularly acute problem for the EAC, one of the key agencies offering guidance to state and local officials about how to protect themselves from security risks. “The people entrusted with securing our elections need to know what threats they’re supposed to address,” Sen. Ron Wyden (D-Ore.), one of the lawmakers who has focused the most on election security, told POLITICO in a statement. “An Election Assistance [Commission member] without a security clearance is like making a baseball player hit without a bat.”

National: Nielsen departure could deal a blow to Trump administration’s cybersecurity efforts | The Washington Post

Kirstjen Nielsen’s resignation as secretary of homeland security could deal a blow to the Trump administration’s cybersecurity efforts — as she was one of the last civilians in its top ranks with extensive cybersecurity expertise. That’s a dangerous position, experts say, as the nation barrels toward a 2020 election that will likely be targeted by Russian hackers and the Homeland Security Department launches a major campaign to get government and industry to stop buying technology from China’s Huawei and other companies deemed national security threats. “Hopefully whoever runs DHS will prioritize its vital cybersecurity mission, but it makes a difference if the person at the top has a background in cyber and knows from experience how important it is rather than just being told,” former State Department cyber coordinator Chris Painter told me. “DHS is spread thin among multiple priorities as it is, and without a clear mandate from department leadership that cybersecurity is a prime mission, their efforts risk being sidelined.” Nielsen – who The Post reported was forced to step down because Trump was dissatisfied with her handling of the border — had, by far, the longest cybersecurity resume of any DHS secretary in history. She advised President George W. Bush on cybersecurity and homeland security issues, founded a consulting group called Sunesis Consulting focused on cybersecurity and critical infrastructure, and served as a senior fellow at George Washington University’s Center for Cyber and Homeland Security. Her acting successor, U.S. Customs and Border Protection Commissioner Kevin K. McAleenan, by contrast, has no substantial background in the field.

National: Scrutiny and suspicion as Mueller report undergoes redaction | The Washington Post

The escalating political battle over special counsel Robert S. Mueller III’s report centers on redactions — a lawyerly editing process that has angered distrustful Democrats eager to see all the evidence and conclusions from his 22-month investigation of President Trump’s conduct and Russia’s elaborate interference operation during the 2016 campaign. Attorney General William P. Barr is redacting at least four categories of information from the report, which spans nearly 400 pages, before issuing it to Congress and the public. Legal experts say he has wide discretion to determine what should not be revealed, meaning the fight over blacked-out boxes is likely to spawn months of fights between Congress and the Justice Department, and it may end up in the courts. The first public confrontation is imminent, with Barr scheduled to appear Tuesday and Wednesday before the House and Senate Appropriations committees for hearings ostensibly about the Justice Department’s budget. He is expected to face extensive questioning about the Mueller report and his ongoing redaction process, though, and his testimony will be scrutinized for any sign he is trying to protect the president. “There’s a lot of pressure all pointing in the direction of doing a robust release,” said John Bies, who held senior roles in the Justice Department during the Obama administration and now works at American Oversight, a liberal watchdog group. “We are very hopeful the attorney general will do the right thing here and make everything public that can lawfully be made public.”

National: States slow to spend funds to enhance election security, report finds | CNN

US states and territories given $380 million in combined federal funds for election upgrades last year only spent 8.1% of that money in the first six months it was available, the agency responsible for distributing the funds said on Thursday. That money was distributed as part of a 2018 bill, which was passed after Homeland Security secretary Kirstjen Nielsen warned it is a “national security concern” that US elections can’t be audited with paper ballots.
Security experts have in recent years called for major elections to have a physical paper trail so a trustworthy audit can be performed. However, brands and types of voting equipment vary by state. Many states use some machines that don’t leave a paper trail, and five states are entirely paperless for the general population. The report from the US Election Assistance Commission only tracked spending through September 2018, and many states have since spent or plan to spend some of their money on cybersecurity features or staff or upgraded equipment that badly needs replacing.

National: States spent just a fraction of $380 million in election security money before midterms | The Washington Post

Congress scrambled in early 2018 to deliver a surge in election security money before the midterms. But it turns out that states only spent about 8 percent of the $380 million Congress approved by the time the elections rolled around. That’s the bad news in a spending report released Thursday by the Election Assistance Commission, which is responsible for disbursing the money. The good news is that states are on track to spend the majority of the money before the 2020 elections — which intelligence officials say are far likelier than the midterms to be a hacking target for Russia and other U.S. adversaries. The report highlights the lengthy process of investigations and reviews that are necessary before states can make major upgrades to specialized election equipment. Given the tight time frame — Congress approved the money in March and the EAC began disbursing it to states in June — EAC Chairwoman Christy McCormick told me that 8 percent is a reasonable amount to have spent and about what the commission expected. It’s also a warning to Congress that the clock is ticking if it wants to deliver more election security money that will make a meaningful difference in 2020.

National: States’ spending on election security expected to pick up in 2019 | StateScoop

States and territories spent just 8 percent of the $380 million in federal election-security grants in the six months after they were distributed last year, according to the U.S. Election Assistance Commission. But in a report Thursday, the commission said it expects the bulk of that funding to be spent before the 2020 presidential election. The report follows states’ spending on new voting equipment, cybersecurity resources and personnel between last April and Sept. 30, when the federal government’s 2018 fiscal year ended. But the EAC said it expects spending to pick up this year as more grant money is transferred to states and as legislatures approve spending plans. “There hasn’t been a lot of money spent, but there is a lot of activity,” Mark Abbott, the commission’s grants director, told StateScoop. Of the $31.4 million states spent through last September, more than half — $18.3 million — went toward cybersecurity, including hiring new personnel dedicated to network security, implementing risk assessments and vulnerability scans and putting up stronger firewalls around statewide voter registration systems, which were infamously targeted by Russian hackers during the 2016 presidential election.

National: Blockchain Voting: Unwelcome Disruption or Senseless Distraction? | U.S. Vote Foundation

It really gets old being a guinea pig. Not because of the cagey confines, but for the insistence of those who try their ideas out on you. Overseas and military voters continue to be the guinea pigs for unvetted online voting ideas, the new one being “blockchain voting”. We have been here before. Overseas and military voters do need continued meaningful reforms across all states, and it is good when people truly care enough to examine and invest in solutions. What we do not need is a distraction that introduces new threats to overseas and military ballot integrity. The cliché “disruption model” doesn’t belong in our elections. Particularly in light of Russia’s cyber-interference in elections in Ukraine in 2014 and the US in 2016, we should consider with extra caution the idea of putting the entire voting process online. Russia itself is pushing to use this same technology for voting. Maybe it is worth a deeper look at it before we rush to its implementation? Perhaps investment in a threat detection system, which most state election offices cannot yet afford, would, at minimum, be a wise first course of action. Typically election systems must undergo formal testing and certification. Public access and examination is crucial. With a fully online system, that requirement is far more serious. Internet voting is not the same sort of simple transaction as is online banking; it is far more complex due to the fact that there must be a separation of the transaction from the identity of the person executing it. Just because there is a “blockchain” for the transaction doesn’t make the total voting system secure. The bottom line: it should not be possible to implement these systems in real elections without full and complete public examination. It is not sufficient to declare a technology as “tested” when it is used only in private elections and by outside companies hired to do “security audits”.

National: Democrats in Congress authorize subpoenas for Trump-Russia report, legal battle looms | Reuters

U.S. congressional Democrats on Wednesday authorized a powerful committee chairman to subpoena Special Counsel Robert Mueller’s full report on Russia’s role in the 2016 election, moving closer to a legal clash with President Donald Trump’s administration. The Democratic-led House of Representatives Judiciary Committee voted to enable its chairman, Jerrold Nadler, to subpoena the Justice Department to obtain Mueller’s unredacted report and all underlying evidence as well as documents and testimony from five former Trump aides including political strategist Steve Bannon. Nadler has not yet exercised that authority, with the timing of any such move uncertain. The committee vote was 24-17 along party lines, with Democrats in favor and Trump’s fellow Republicans opposed. Attorney General William Barr, a Trump appointee, issued a four-page summary of Mueller’s main conclusions last month including that the special counsel did not establish that the Trump campaign conspired with Russia during the election.

National: U.S. senators want stiff sanctions to deter Russia election meddling | Reuters

U.S. Republican and Democratic senators will introduce legislation on Wednesday seeking to deter Russia from meddling in U.S. elections by threatening stiff sanctions on its banking, energy and defense industries and sovereign debt. Known as the “Deter Act,” the legislation is the latest effort by U.S. lawmakers to ratchet up pressure on Moscow over what they see as a range of bad behavior, from its aggression in Ukraine and involvement in Syria’s civil war to attempts to influence U.S. elections. The measure will be introduced by Senators Chris Van Hollen, a Democrat, and Marco Rubio, a Republican. They offered a similar measure last year, when it also had bipartisan support but was never brought up for a vote by the Senate’s Republican leaders, who have close ties to President Donald Trump. Trump has gone along with some previous congressional efforts to increase sanctions on Russia, although sometimes reluctantly. According to details of the legislation seen by Reuters, it would require the U.S. Director of National Intelligence (DNI) to determine, within 30 days of any federal election, whether Russia or any other foreign government, or anyone acting as an agent of that government, had engaged in election interference.

National: 2020 Census likely target of hacking, disinformation campaigns, officials say | The Washington Post

With just a year to go before the 2020 Census, the U.S. government is urgently working to safeguard against hacking and disinformation campaigns as it perfects a plan to count about 330 million people largely online for the first time. Going digital is intended to cut costs. But cybersecurity experts say it may also put the survey at unprecedented risk in a nation embroiled in fallout from Russian interference in the 2016 election. Any outside attempt to discredit or manipulate the decennial survey could drive down response rates, imperiling the integrity of data that help determine a decade’s worth of federal funding, congressional apportionment and redistricting throughout the country. “Just as with voting, completing the census is a powerful exercise in our democracy, and there are always people who want to prevent others from exercising their power,” said Indivar Dutta-Gupta, co-executive director of the Georgetown Center on Poverty and Inequality and an expert on the census. “I think there will be lots of attempts. We should be concerned.”

National: American Security Requires a Cyber-Savvy Congress | The National Interest

On March 13, Arkansas Sen. Tom Cotton and Oregon Sen. Ron Wyden submitted a bipartisan letter to the Senate sergeant-at-arms asking for an annual report tallying the number of times Senate computers have been hacked. The letter also requests the SAA adopt a policy of informing Senate leadership within five days of any new data breaches that occur. Cotton and Wyden should be lauded for requesting greater clarity regarding government cybersecurity. Yet this important and reasonable petition reveals an unfortunate reality: We expect our lawmakers to enact policy protecting our nation from cyberattacks when they don’t even know whether their own computers have been hacked. For the sake of national security, this must change. Government agencies, in general, are legally required to disclose breaches, but Congress is under no similar obligation. According to the letter, the last time there was a publicly disclosed report of a congressional data breach was in 2009. Indeed, the two examples of cyberattacks on Senate computers that Cotton and Wyden cite (one against former Virginia representative Frank Wolf in 2006 and one against former Florida senator Bill Nelson in 2009) are both at least a decade old. But a lack of data for the years since then doesn’t mean that hackers haven’t been active. In fact, in 2018, both the Democratic National Committee and the National Republican Congressional Committee lost emails in data breaches. Moreover, the Department of Defense wards off approximately thirty-six million attempted data breaches each day. 

National: Voting Machine Firms Add Lobbyists Amid Election Hacker Concerns | Bloomberg

Voting machine manufacturers are increasing their Capitol Hill presence as lawmakers demand they do more to protect U.S. elections against foreign hackers. Dominion Voting Systems — which commands more than a third of the voting-machine market without having Washington lobbyists — has hired its first, a high-powered firm that includes a longtime aide to Speaker Nancy Pelosi. The No. 1 vendor, Election Systems & Software, added two new lobbying firms last fall. Members of Congress have criticized those and other companies for their security methods and business practices.

National: Bill Seeks to Aid Senators in Protecting Personal Devices | GovInfo Security

Legislation introduced last week would give the U.S. Senate’s sergeant at arms responsibility to help secure the personal devices and online accounts used by senators and their staff to help ward off cyberattacks and other threats. The bill, known as the “Senate Cybersecurity Protection Act of 2019,” was introduced by senators Ron Wyden, D-Ore., and Tom Cotton, R-Ark., who both serve on the Intelligence Committee. While there is not yet a similar bill pending in the House to provide members with similar services, backers of the Senate bill are urging the House to take up a similar measure. The Senate bill would allow the sergeant at arms, who is already responsible for cybersecurity within the Senate, to provide voluntary cybersecurity assistance for personal accounts and devices to senators and certain staff members. This could include assistance with security for personal hardware, such as laptops, desktops, cell phones, tablets and other internet-connected devices, as well as personal accounts, including email, text messaging, cloud computing and social media as well as residential internet, healthcare and financial services, according to a summary.

National: US ripe for Russian meddling in 2020 vote, experts warn | Financial Times

In the wake of Robert Mueller’s investigation into Russian interference in the US electoral system, experts warn the nation is just as exposed as it was in 2016, raising new concerns about the 2020 presidential election. More than two years after intelligence agencies exposed Moscow’s efforts to exploit weaknesses in the US democratic system, technology companies and state governments have yet to come to terms with a foreign power’s meddling in domestic affairs of state. When it comes to the 2020 presidential vote, the US faces many of the same vulnerabilities that made its electoral system a prime target in 2016 — and perhaps some new ones, said Doug Lute, a former American ambassador to Nato and retired Army lieutenant-general who has taken up the cause of US election security. “We are more prepared in the sense that we are more aware. But we are little better prepared in terms of actual security,” said Mr Lute. He noted that Russia’s strategy in 2016 resembled an age-old Russian military doctrine: to attack on a broad front, assess strengths and weaknesses, then prepare to reattack vulnerabilities — a potentially dangerous scenario for 2020.

National: Feds Seek To Up Their Cybersecurity Game | Forbes

The idea that the U.S. federal government could play a dominant and effective role in protecting the nation from malicious cyberattacks on everything from Internet of Things (IoT) devices to critical infrastructure to election voting systems might strike some people as absurd. Its catastrophic security failures are well known.

– The Office of Personnel Management (OPM) couldn’t protect the personally identifiable information (PII) of more than 22 million current and former federal employees.

– The National Security Agency (NSA) couldn’t protect its own stash of so-called zero-day vulnerabilities that it hoped to use to spy on, or attack, hostile nation states or terrorist groups. Instead, the stash ended up in the hands of WikiLeaks.

National: Senate Democrats push to match House’s ethics and election reforms | The Washington Post

Responding to action in the House, Senate Democrats unveiled their own version of a sweeping election and ethics reform bill Wednesday — one that Senate Majority Leader Mitch McConnell has vowed never to bring to a vote. Dubbed, like the House bill, the For the People Act, the Senate legislation includes a vast suite of proposals — including measures meant to expand voting, provisions aimed at unmasking and diluting the power of moneyed interests, new ethical strictures for federal officials and a new public financing system for congressional campaigns. The bill, according to its lead author, Sen. Tom Udall (D-N.M.), has the support of all 47 senators in the Democratic caucus. The House bill passed 234 to 193 this month with unanimous Democratic support, meaning every congressional Democrat is on record in support of the bill. “Today we are seizing their momentum and the momentum of the American people,” Udall said at a news conference Wednesday. “Now the ball is in Senator McConnell’s court. . . . This should not be about Democrats versus Republicans, this is about people versus special interests.”

National: Voting-machine vendors have some serious questions to answer, senators say | CyberScoop

While the security of the 2020 election remains a prominent topic in Washington, a group of Democratic senators is raising alarms about longer-term issues that will resonate after voters are done choosing a president about 20 months from now. The three companies that make most of the voting technology used in the U.S. must be more transparent about their plans to improve their products to meet current expectations about security and performance, says a letter Wednesday by Sen. Amy Klobuchar of Minnesota and three other top Democrats. In particular, the senators say every machine should reliably produce paper records, and the companies should do far more to upgrade their products. “The integrity of our elections is directly tied to the machines we vote on — the products that you make,” says the letter from Klobuchar, Mark Warner of Virginia, Jack Reed of Rhode Island and Gary Peters of Michigan. “Despite shouldering such a massive responsibility, there has been a lack of meaningful innovation in the election vendor industry and our democracy is paying the price.”

National: Former CIA leaders give ‘briefing book’ to 2020 candidates to counteract ‘fake news’ and ‘foreign election interference’ | The Washington Post

Two former top CIA officials have compiled an unclassified report on the major national security challenges facing the United States, which they are distributing to every candidate running for president. The report, which former acting CIA directors Michael Morell and John McLaughlin call a “briefing book,” is modeled on the classified oral briefing that the intelligence community provides to the nominees of each major political party running for president, usually after the nominating conventions. The former officials said they’re distributing their briefing now, more than a year before nominees are selected, in response to “the recent rise and abundance of fake news and foreign election interference,” according to a copy reviewed by The Washington Post. The 37-page document, which has not been previously reported, was sent this month to nearly every announced candidate and will soon be sent to President Trump, the former officials said. Intelligence agencies have usually viewed their discussions with nominees as a chance to prepare a potential president for the kinds of issues that he or she will have to grapple with, and to give them a sense of the kind of capabilities and expertise that the U.S. government can bring to bear.

National: States Need Way More Money to Fix Crumbling Voting Machines | WIRED

The 2018 midterm elections were hardly a glowing reflection on the state of America’s voting technology. Even after Congress set aside millions of dollars for state election infrastructure last year, voters across the country still waited in hours-long lines to cast their ballots on their precincts’ finicky, outdated voting machines. Now, a new report published by New York University’s Brennan Center for Justice finds that unless state governments and Congress come up with additional funding this year, the situation may not be much better when millions more Americans cast their vote for president in 2020. In a survey that the center disseminated across the country this winter, 121 election officials in 31 states said they need to upgrade their voting machines before 2020—but only about a third of them have enough money to do so. That’s a considerable threat to election security given that 40 states are using machines that are at least a decade old, and 45 states are using equipment that’s not even manufactured anymore. This creates security vulnerabilities that can’t be patched and leads to machines breaking down when the pressure’s on. The faultier these machines are, the more voters are potentially disenfranchised by prohibitively long lines on election day. “We are driving the same car in 2019 that we were driving in 2004, and the maintenance costs are mounting up,” one South Carolina election official told the Brennan Center’s researchers, noting that he feels “lucky” to be able to find spare parts.

National: Senate Democrats investigate cybersecurity of election machines, introduce version of H.R. 1 | InsideCyberSecurity.com

A group of senior Senate Democrats is seeking information on what the three largest manufacturers of U.S. voting machines are doing to secure the systems ahead of the 2020 elections, while the entire Democratic Caucus on Wednesday signed on to sponsor the Senate version of House-passed H.R. 1, the “For the People Act,” which includes language on securing election machines. A letter — signed by Senate Rules ranking member Amy Klobuchar (D-MN), Intelligence ranking member Mark Warner (D-VA), Homeland Security and Governmental Affairs ranking member Gary Peters (D-MI), and Armed Services ranking member Jack Reed (D-RI) — was sent Tuesday to voting machine vendors Hart InterCivic, Dominion Voting Systems, and Election Systems and Software, or ES&S. “Despite the progress that has been made, election security experts and federal and state government officials continue to warn that more must be done to fortify our election systems,” the senators wrote. “Of particular concern is the fact that many of the machines that Americans use to vote have not been meaningfully updated in nearly two decades. Although each of your companies has a combination of older legacy machines and newer systems, vulnerabilities in each present a problem for the security of our democracy and they must be addressed.” The senators posed questions on steps the companies are taking to secure their machines ahead of 2020, and how Congress can assist in these efforts; what the plans are for updating “legacy” voting machines; whether the companies would support legislation requiring “expanded use of post-election audits”; if the companies have vulnerability disclosure programs; and if they employ full-time cybersecurity experts.