National

National: Democrats launch ‘full court press’ on election security | Joseph Marks/The Washington Post

Democrats are pressing hard this week in what could be their final chance to pass legislation aimed at protecting the 2020 contest against Russian hackers. Senate Democrats have failed for months to force Senate Majority Leader Mitch McConnell (R-Ky.) to allow a vote on bills committing an additional $600 million to election security and also mandating security reforms such as paper ballots and post-election cybersecurity audits. Now they’re shifting tactics and trying to force some of that funding into a must-pass spending bill. Round one of the fight starts Thursday at a Senate Appropriations Committee meeting where the top-ranking Democrat, Sen. Patrick Leahy (Vt.), and the top Democrat on the committee’s general government panel, Sen. Chris Coons (Del.), will try to force the money into the Republican draft of a spending bill. If that doesn’t work, Democrats can keep trying to push Republicans to add the measure through the lengthy give-and-take of the appropriations process that’s likely to drag on for several months. Aides for Leahy and Coons declined to tell me precisely what was in the amendment they’ll be introducing Thursday, but Sen. Ron Wyden (D-Ore.) and other senators are pushing for at least the $600 million that’s included in legislation already passed by the House. If the last-ditch effort fails, many Americans are likely to cast votes in 2020 in a process still governed by the same lax rules as in 2016 – when a Russian hacking and disinformation operation upended the election and severely damaged voters’ confidence in the democratic process. The federal government has surged its cybersecurity help to state election officials since then and several states and localities have voluntarily improved protections, but the improvements are far from universal.

Full Article: The Cybersecurity 202: Democrats launch ‘full court press’ on election security - The Washington Post.

National: Election security funds caught in crosshairs of spending debate | Maggies Miller-The Hill

Funding to bolster election security efforts at the state level could become a sticking point during the ongoing government spending talks, with the House approving the funds while Republicans in the Senate remain staunchly opposed. The spotlight will be on the Senate on Tuesday, as the Appropriations Subcommittee on Financial Services and General Government marks up its portion of the annual spending bill, with the full committee due to vote on the bill Thursday. While the subcommittee will wait until after the markup to release its version of the annual financial services and general government funding bill, which includes appropriations for the Election Assistance Commission (EAC), it’s unlikely to include election security funds due to Republican opposition. This could become a factor in negotiations between the House and Senate over government funding bills and make it even more difficult for Congress to approve funding legislation prior to the end of the fiscal year on Sept. 30, which is needed to avert a shutdown.

Full Article: Election security funds caught in crosshairs of spending debate | TheHill.

National: How state election officials are contributing to weak security in 2020 | Joseph Marks/The Washington Post

It’s not just a question of paper ballots. The offices charged with administering elections across the country are falling short on a slew of basic cybersecurity measures that could make the 2020 contest far more vulnerable to hacking, according to a report out this morning. Numerous state election offices aren’t patching their computer systems against known digital attacks and rely heavily on outdated, weak software, the report from the cybersecurity company NormShield found. They’re not fully protecting their websites against attacks or taking technical steps that would help prevent hackers from impersonating employees over email. And employee emails and passwords have leaked online. Any one of those vulnerabilities could be the weak spot that allows hackers to compromise a swath of election systems — especially since several states with the worst security practices were swing states, the company’s Chief Security Officer Bob Maley told me. He declined to disclose how specific states fared at this time.

Full Article: The Cybersecurity 202: How state election officials are contributing to weak security in 2020 - The Washington Post.

National: How counties are war-gaming Election Day cyberattacks | Joseph Marks/The Washington Post

If Russian hackers seek to disrupt the 2020 election, it will be county election officials on the front lines. And some are diving in to war games so they can be ready for anything Moscow or another U.S. adversary can throw at them. Election officials from New Jersey’s 21 counties huddled at tables in a hotel ballroom here, hashing out how they’d respond to Election Day cyberattacks. In some attack scenarios, hackers shut down voter registration databases, loaded voter files with phony information, or compromised county social media accounts so they start spreading false information about polling locations. They also prepared for what happens if attackers locked up election office computers with ransomware or shut down cellphone towers across multiple states. How the U.S. fares during an Election Day hack is likely to rest on the response of local election administrators in the first few hours, state and federal officials told me. “The county level is where all the risk is,” a Homeland Security Department cybersecurity official who was helping one county with its response-planning told me. “They own it in a way no state official does and certainly no federal official could. It’s always live or die at the county level.” The war-games are a sign of how drastically local politics has changed in this new era of cyberwar — preparing responses to attacks by a powerful nation-state is a far cry from more ordinary tasks of getting poll workers to voting locations on time and planning contingency operations for storms or other physical disasters. And there’s no turning back, as federal offiicals have warned Russia is likely to try to repeat its hacking and disinformation campaign in 2020 and other U.S. adversaries, including China, Iran and North Korea, may try as well.

Full Article: The Cybersecurity 202: How counties are war-gaming Election Day cyberattacks - The Washington Post.

National: Cyber firm examines supply-chain challenge in securing election ecosystem | Charlie Mitchell/InsideCyberSecurity.com

State election officials are doing a better job of securing systems but still need to pay more attention to “internet facing infrastructure” and possible weak links in their supply chains, according to a new report from NormShield, a cybersecurity firm that develops risk scorecards for companies. According to NormShield, “We noticed … that states may be focusing on their internal assets and may not be examining their broader cyber ecosystem footprint. So we undertook the exercise of examining that broader footprint to better understand what election system integrity looks like from that perspective.” The firm did not examine cyber hygiene around voting machines, but did look at “Network Connected Systems and Components” as identified in the Center for Internet Security “Handbook for Elections Infrastructure Security.” It found significant improvements between an initial scan in July and a follow-up August, according to the report issued today. “NormShield privately provided its findings to the Secretaries of State and election commissions in July in order to empower them with the information needed to remediate vulnerabilities,” the firm said. “NormShield ran a second scan in August and found significant improvement in the security posture of several election commissions.”

Full Article: Cyber firm examines supply-chain challenge in securing election ecosystem | InsideCyberSecurity.com.

National: Former Homeland Security secretaries call for action to address cybersecurity threats | Maggie Miller/TheHill

Three former secretaries of the Department of Homeland Security (DHS) on Monday testified that cybersecurity threats to elections and other critical infrastructure are major issues that could impact the security of the nation. Former DHS Secretaries Michael Chertoff, Janet Napolitano and Jeh Johnson all discussed the severity of cyber threats to the U.S. while testifying in New York City during a field hearing at the National September 11 Memorial Museum held by the Senate Homeland Security and Governmental Affairs Committee. Napolitano, who served as secretary under former President Obama from 2009 through 2013, listed cybersecurity as one of the top three threats DHS “can and must confront,” pointing to vulnerabilities in election infrastructure, utility grids and other critical infrastructure as putting the country at risk.  “Our adversaries and international criminal organizations have become more determined and more brazen in their efforts to attack us and to steal from us,” Napolitano said. “We need a whole of government and a whole of public and private sector response to this threat, and it needs to happen immediately.

Full Article: Former Homeland Security secretaries call for action to address cybersecurity threats | TheHill.

National: Even conservative Democrats are savaging GOP over election security | Joseph Marks/The Washington Post

A group of centrist House Democrats that usually aims for bipartisanship is coming out swinging against Senate Majority Leader Mitch McConnell (R-Ky.) and other Republicans for blocking election security legislation. Members of the Democrats’ Blue Dog Coalition, which includes the conservative wing of the party, charged Republican senators with endangering the country’s democratic process for not forcing a vote on election security legislation during a press briefing. And they leveled their most pointed criticism at McConnell, who has steadfastly refused to allow major election security bills to get a vote on the Senate floor. “The underlying trust of our citizens in their electoral system and who they choose to elect is at the base of this whole process,” Rep. Tom O’Halleran (D-Ariz.) said. “The question should be put day in and day out to Mr. McConnell: ‘Why are you not wanting to protect the electoral system in this nation?’”

Full Article: The Cybersecurity 202: Even conservative Democrats are savaging GOP over election security - The Washington Post.

National: Here’s why Mitch McConnell is blocking election security bills | Joseph Marks/The Washington Post

As Congress returns this week, Mitch McConnell remains the one-man roadblock for Democrats’ election security bills. He’s still refusing to allow a vote, even as Democrats deride him as “Moscow Mitch” and accuse him of inviting Russia to interfere on Republicans’ behalf in the 2020 election. But why is McConnell so staunchly opposed? Republicans and Democrats offer a fairly straightforward theory: McConnell is wary of drawing the ire of President Trump, who has repeatedly wavered on whether Russia interfered in the presidential contest — and seems to view traditionally bipartisan discussions about election security as delegitimizing his unexpected 2016 victory over Hillary Clinton. “This is a narrative that the White House doesn’t want to approach,” David Jolly, a former Republican House member from Florida and an outspoken Trump critic, told me. “The president’s not comfortable talking about it. He’s someone with a fragile ego. And McConnell is happy to coordinate with this White House. That’s the only thing that explains it.” McConnell is likely also concerned about the political fallout for Republican senators, several of whom have supported and even co-sponsored election security bills in the past, says a former Democratic Senate staffer who worked extensively on cybersecurity issues during the Obama administration.

Full Article: The Cybersecurity 202: Here’s why Mitch McConnell is blocking election security bills - The Washington Post.

National: Americans Prepare To Safeguard 2020 Vote. Is It Too Much — Or Will It Be Enough? | Philip Ewing/ NPR

Americans are preparing more than ever to safeguard voting as the nation looks ahead to the Democratic primaries and the general election next year. What no one can say for certain today is whether all the work may turn out to be supeous — or whether it’ll be enough. National security officials have been clear about two things: First, that the Russian government attacked the 2016 election with a wave of “active measures” documented in prosecution documents and the final report of former Justice Department special counsel Robert Mueller. And second, that those measures have never stopped and that interference is likely in coming elections. With that understanding, the United States has spent hundreds of millions of dollars since 2016 to change practices at every level of government. A lot has changed

Full Article: Americans Prepare To Safeguard 2020 Vote. Is It Too Much — Or Will It Be Enough? : NPR.

National: Expanding the Definition of “Election Systems” also Expands Cyber Security Funding Options | Steve Smith/Governing

In our previous article, the concept of elections systems as an integrated ecosystem of both specific (voter registration, vote collection, results reporting) and general (citizen data from multiple agencies) applications was presented. The point was that elections systems exist in perpetuity and not just in and around an election cycle and that data associated with elections are submitted and in process all year every year. The perpetual nature of the elections systems ecosystem has not traditionally been addressed with matching funding streams. The federal government has been reactive, appropriating funds via the Help America Vote Act (HAVA) on as as-needed basis, as in the aftermath of situations like the 2016 federal election, in which alleged vote tampering was reported. HAVA funding reaches state and local governments too late to take action in the current election cycle and results in the creation of reserve funds that remain until they can be effectively be utilized for future election cycles. State and local governments rely heavily on federal funding like HAVA funding to make large-scale investments in elections systems, which often further delays the impact these investments can have due to long and time-consuming procurement processes.

Full Article: Expanding the Definition of “Election Systems” also Expands Cyber Security Funding Options.

National: Democrats make renewed push for election security | Maggie Miller/The Hill

Congressional Democrats are shining the spotlight back on election security as they struggle to push various bills across the finish line in the face of Republican opposition. Democrats in both the House and Senate are renewing efforts to force the GOP-controlled Senate to allow votes on election security measures that have been stalled due to Republican concerns about federalizing elections and re-litigating the 2016 election interference by Russia. Both House Majority Leader Steny Hoyer (D-Md.) and Senate Minority Leader Charles Schumer (D-N.Y.) on Thursday sent letters to colleagues detailing their goals around election security for the fall. “We must continue our push to protect our elections at the federal, state, and local levels, especially in the upcoming Senate appropriations process,” Schumer wrote, while criticizing Senate Majority Leader Mitch McConnell (R-Ky.) for not allowing any votes on the topic. Hoyer wrote that “the House may take up additional legislation to strengthen election security.” A spokesperson for Hoyer did not respond to a request for details about which legislation Hoyer was referring to.

Full Article: Democrats make renewed push for election security | TheHill.

National: Lankford goes around roadblock on election security measures: ‘I’ve not waited on the bill to get passed’ | Randy Krehbiel/Tulsa World

U.S. Sen. James Lankford’s name is coming up in connection with Senate Majority Leader Mitch McConnell in a potentially uncomfortable way for such stories about election security that refer to McConnell as “Moscow Mitch.” Also often mentioned is Lankford’s pending legislation on the subject and his warnings about the vulnerability of U.S. elections and voting technology. Lankford, though, said he’s OK with being set up as something of a foil against the leader of his own party. “I’ve been working on this 2½ years,” Lankford said in Tulsa last week. “When people say my name’s being dropped (into the discussion), it’s because I’ve been working on it. And I think it should actually get done.” Lankford feels so strongly about it that he’s been going around his congressional colleagues to get security measures implemented.

Full Article: Lankford goes around roadblock on election security measures: 'I've not waited on the bill to get passed' | News | tulsaworld.com.

National: Distrust, Staffing and Funding Shortages Imperil Election Security | Courtney Bublé/Government Executive

pecial Counsel Robert Mueller was emphatic when he testified before the House Intelligence Committee on July 24 about Russian interference in the 2016 election: “It wasn’t a single attempt. They’re doing it as we sit here, and they expect to do it during the next campaign.” In an earlier, less partisan era, Mueller’s warning likely would have galvanized lawmakers and propelled them to action to ensure the security and integrity of American elections. While federal agencies have taken critical steps to improve security around U.S. elections since 2016, those efforts have been hampered by inadequate funding; staffing problems; mixed messages from Congress and the administration; and, not insignificantly, by Constitutional questions—states and localities hold primary authority for administering elections, and some Republicans worry about the federal government usurping state powers in the name of security. But the special counsel’s warning had no such galvanizing effect. Hours after Mueller testified in the House, Sen. Cindy Hyde-Smith, R-Miss., blocked, without giving a reason, election security bills in the Senate, one of which would have required campaigns to alert the FBI and the Federal Election Commission about election assistance offers from foreign countries. The next day, Senate Majority Leader Mitch McConnell, R-Ky., denied the Democrats’ request for a vote on the House-passed Securing America’s Federal Elections Act, which would have authorized $775 million to bolster state election systems and required paper ballots as a guard against vote tampering. McConnell said the legislation, which passed the House with just a single Republican vote, would nationalize election authorities that “properly belong to the states.”  While few things are more fundamental to democracy than the integrity of the election system, finding a bipartisan consensus for ensuring that integrity has been elusive, and as a result, agencies’s efforts are far less effective than they could be otherwise.

Full Article: Distrust, Staffing and Funding Shortages Imperil Election Security - Government Executive.

National: Voting Machine Makers Give U.S. Access in Fight Against Hackers | Chris Strohm and Alyza Sebenius/Bloomberg

Companies that make voting machines and election systems have given the Homeland Security Department access to engineering details and operations so the U.S. can identify potential vulnerabilities hackers might exploit heading into the 2020 election, a department official said. The new cooperation has allowed Homeland Security to map out the ecosystem of election voting systems and processes to help state and local governments, as well as private companies, defend against hackers, Jeanette Manfra, assistant director for cybersecurity, said at an Intelligence and National Security Summit on Thursday. Makers of voting machines and election systems are cooperating voluntarily, representing a breakthrough for the government, Manfra said in an interview after the conference in the Washington suburbs. “I think we’ve made a lot of progress with the vendors of those systems,” Manfra said. “We know what makes up the systems and how it actually works.” Officials, citing Russian interference in the 2016 campaign, predicted lively combat between hackers and government protectors of cybersecurity in the run-up to next year’s presidential election.

Full Article: Voting Machine Makers Give U.S. Access in Fight Against Hackers - Bloomberg.

National: ‘No One Is Accountable for This’: Why the 2020 Campaigns Are Struggling With Security | Uri Friedman/The Atlantic

It’s the eve of Election Day 2020, and political reporters have just received an incendiary email. Donald Trump’s campaign has sent out grainy cellphone footage of his Democratic challenger, Joe Biden, at a private meeting with wealthy donors, ridiculing Americans who voted for the president in 2016 and plotting how to trick them into backing him instead. Except Biden never made the remarks and Trump never shared them. A few overeager journalists post the video on Twitter before fully investigating its authenticity, causing the clip to spread on social media faster than the presidential campaigns and the press can expose it as a fraud. U.S. authorities will eventually attribute the deception to North Korean hackers, impersonating the Trump campaign’s domain name and deploying deepfake technology to keep their preferred nuclear-talks counterpart in office. But that won’t happen for weeks, well after Americans have chosen their next leader. Such a hypothetical scenario isn’t implausible. In fact, it’s a type of threat that the email-security firm Agari flagged in a recent report. Three and a half years have passed since John Podesta, the chairman of Hillary Clinton’s presidential campaign, fell for a phishing email—granting Russian hackers, and thereby the world, access to his Gmail account and coming to embody the devastating ways foreign governments can meddle in democratic politics. In light of that trauma, the current crop of presidential campaigns has made progress in fortifying their digital operations. But according to those who have worked with the campaigns on these efforts, they nevertheless remain vulnerable to attack and lack cybersecurity best practices. “The risk is more than reasonable that another Podesta-like attack could take place,” Armen Najarian, Agari’s chief marketing officer, told me.

Full Article: How Secure Are the 2020 Campaigns? - The Atlantic.

National: New NSA cyber lead says agency must share more info about digital threats | Joseph Marks/The Washington Post

The NSA is the U.S. government’s premier digital spying agency and it has a well-earned reputation for keeping secrets. But the agency needs to stop keeping so many things confidential and classified if it wants to protect the nation from cyberattacks. That’s the assessment from Anne Neuberger, director of NSA’s first Cybersecurity Directorate, which will launch Oct. 1 and essentially combine the work of many disparate NSA divisions dealing with cybersecurity, including its offensive and defensive operations. The directorate’s mission is to “prevent and eradicate” foreign hackers from attacking critical U.S. targets including election infrastructure and defense companies, Neuberger said yesterday during her first public address since being named to lead the directorate in July. Neuberger acknowledged the difficulty of her mission during an onstage interview at the Billington Cybersecurity Summit, but also said the growing hacking threats from Russia, China and other U.S. adversaries mean the nation “must” achieve it. “The nation needs it … the threat demands it and the nation deserves that we achieve it,” Neuberger said. That mission also means, however, that NSA, which was once colloquially known as “no such agency” and has traditionally kept mum to protect its own hacking operations and secret sources, must start sharing more threat data with cybersecurity pros in the private sector, she said. And the NSA will have to share that information far more quickly than it has in the past when many recipients hcomplained that, by the time they get the information, it’s no longer useful, she said. In some instances, the agency will have to look for “creative approaches” to share that information, Neuberger told reporters after her talk.

Full Article: The Cybersecurity 202: New NSA cyber lead says agency must share more info about digital threats - The Washington Post.

National: Blue Dog Democrats urge action on election security | Maggie Miller/The Hill

The leaders of the House Blue Dog Coalition and the House Blue Dog Task Force on National Security on Thursday sent a letter to House and Senate leaders calling for action to prevent foreign interference in U.S. elections and to secure election systems. The House Blue Dog Coalition, a group of 26 moderate Democrats, urged congressional leaders to “put politics aside and pursue bipartisan solutions” to bolster election security ahead of 2020. “We are calling on Congress to take further action to secure our elections, punish Russia for its attempts to meddle in the 2016 and 2018 elections, and deter our adversaries from meddling in future U.S. elections,” the leaders of the Blue Dog Coalition and the Task Force wrote. “The threat to our national security could not be more clear.” The letter was sent to Speaker Nancy Pelosi (D-Calif.), House Majority Leader Steny Hoyer (D-Md.), Minority Leader Kevin McCarthy (R-Calif.), Senate Majority Leader Mitch McConnell (R-Ky.) and Senate Minority Leader Charles Schumer (D-N.Y.).  The House has passed two major election security bills earlier this year, both along party lines. The SAFE Act, passed in June, would provide states with $600 million for election security efforts, and would also ban voting machines from being connected to the internet and from being manufactured outside the U.S. The House also approved the For the People Act, which includes sweeping language on election security and voting reform. Both bills have been blocked from a vote in the Senate by Republicans, who cite concerns around federalizing elections.

Full Article: Blue Dog Democrats urge action on election security | TheHill.

National: Big Tech Companies Meeting With U.S. Officials on 2020 Election Security | Mike Isaac and Davey Alba/The New York Times

Facebook, Google, Twitter and Microsoft met with government officials in Silicon Valley on Wednesday to discuss and coordinate on how best to help secure the 2020 American election, kicking off what is likely to be a marathon effort to prevent the kind of foreign interference that roiled the 2016 election. The daylong meeting, held at Facebook’s headquarters in Menlo Park, Calif., included security teams from the tech companies, as well as members of the F.B.I., the Office of the Director of National Intelligence and the Department of Homeland Security. The agenda was to build up discussions and strategic collaboration ahead of the November 2020 state, federal and presidential elections, according to Facebook. Tech company representatives and government officials talked about potential threats, as well as how to better share information and detect threats, the social network said. Chief executives from the companies did not attend, said a person briefed on the meeting, who declined to be identified for confidentiality reasons.

Full Article: Big Tech Companies Meeting With U.S. Officials on 2020 Election Security - The New York Times.

National: DNC move against phone-in caucuses pits cybersecurity vs. voter participation | Joseph Marks/The Washington Post

The Democratic National Committee’s decision to recommend scrapping phone-in virtual caucuses in Iowa and Nevada is pitting security hawks, who say those systems are ripe for hacking, against Democratic activists who want to increase voter participation. The DNC announcement on Friday comes after a test of the phone-in systems showed they were vulnerable to hacking, as my colleagues Isaac Stanley-Becker and Michael Scherer reported. That confirmed the suspicions of cybersecurity experts who have long argued there’s no way to ensure the authenticity of votes that aren’t cast in person — including votes cast by email, websites or mobile phones. But it was a blow to activists who want to make it easier for people to participate in the democratic process — and who say lengthy in-person caucuses exclude people who work long hours or are caring for young children. Iowa and Nevada developed their phone-in systems after the DNC urged caucus states in 2018 to either switch to primaries — which are speedier  — or make it easier for people to participate remotely. The Iowa system would have allowed voters to register for a unique PIN number and use that PIN when they called in to vote for a candidate, my colleagues reported. The DNC move also sparked the ire of some 2020 presidential hopefuls.

Full Article: The Cybersecurity 202: DNC move against phone-in caucuses pits cybersecurity vs. voter participation - The Washington Post.

National: Cyber Experts Warn Of Vulnerabilities Facing 2020 Election Machines | Miles Parks/NPR

A group of guys are starring into a laptop, exchanging excited giggles. Every couple minutes there’s an “oooooh” that morphs into an expectant hush. The Las Vegas scene seems more like a college dorm party than a deep dive into the democratic process. Cans of Pabst Blue Ribbon are being tossed around. One is cracked open and spews foam all over a computer keyboard. “That’s a new vulnerability!” someone yells. The laptop that’s drawing the most attention in this moment is plugged into a voting machine that was used just last year in Virginia. “Right now, we’re trying to develop a way to remotely control the voting machine,” said a hacker named Alex. He’s seated next to Ryan, and like a lot of the hackers at the Defcon conference, they didn’t feel comfortable giving their full names. What they’re doing — messing around with voting equipment, the innards of democracy — falls into a legal gray area. The voting machine looks sort of like a game of Operation. The cover is off and dozens of cords are sticking out, leading to multiple keyboards and laptop computers. No one could get that kind of access on a real Election Day, which is when most people come into contact with voting machines for a few minutes at most. Election supervisors are quick to point out that any vulnerabilities found under these conditions aren’t indicative of problems that actually could be exploited during an election. All the same, hackers like Alex and Ryan say the work they’re doing is important because it’s the highest profile public investigation of the equipment U.S. citizens use to vote. And if they can exploit it, so could government-sponsored specialists working for another nation’s intelligence agency.

Full Article: In 2020, Millions Will Cast Ballots Using Insecure Machines, Experts Say : NPR.