A bipartisan Harvard University project aimed at protecting elections from hacking and propaganda will release its first set of recommendations today on how U.S. elections can be defended from hacking attacks. The 27-page guidebook shown to Reuters ahead of publication calls for campaign leaders to emphasize security from the start and insist on practices such as two-factor authentication for access to email and documents and fully encrypted messaging via services including Signal and Wickr. The guidelines are intended to reduce risks in low-budget local races as well as the high-stakes Congressional midterm contests next year. Though most of the suggestions cost little or nothing to implement and will strike security professionals as common sense, notorious attacks including the leak of the emails of Hillary Clinton’s campaign chair, John Podesta, have succeeded because basic security practices were not followed.
Canada: Head of NATO tells Canada to gear itself up for Russian cyber threats in 2019 federal election | CBC News
Canada and other NATO countries must do more to counter Russia’s growing and ever-evolving cyber threats, says the head of the North Atlantic Treaty Organization. “This is a constantly evolving threat, and we have to constantly adapt,” NATO’s Jens Stoltenberg told CBC Radio’s The House at the Halifax International Security Forum. Stoltenberg says the digital threats come in many forms, and can target anybody. “In some ways, every country is a neighbour of Russia because [a] cyber [threat] recognizes no borders, so you might also say that Canada is a neighbour of Russia,” Estonia’s Defence Minister Jüri Luik told The House in Halifax. That digital proximity, Luik argued, means Canada should not be surprised if Russia attempts to interfere in the 2019 federal election.
Saying there is a “growing threat” to Florida’s election systems, the state may spend nearly $2.4 million in the coming year on cybersecurity efforts designed to protect election-related software and systems from outside hackers. Gov. Rick Scott included the request, which initially came from state election officials, in budget recommendations he gave to the Florida Legislature last week. Scott asked for the money even though state officials have provided limited details behind efforts to infiltrate Florida’s election systems ahead of the 2016 elections. The Florida Legislature has also not held any hearings on what happened.
The halfway point between the election of President Donald Trump and the 2018 midterms has come and gone, and it still isn’t fully clear what Russian hackers did to America’s state and county voter registration systems. Or what has been done to make sure a future hacking effort won’t succeed. US officials, obsessed for now with evidence that Russia’s intelligence services exploited social media to sway US voters, have taken solace in the idea that the integrity of the country’s voting is protected by the system’s acknowledged clunkiness. With its decentralized assortment of different machines, procedures, and contractors, who could possibly hack into all those many systems to change vote totals? … Most states’ elections officials still don’t have the security clearances necessary to have a thorough discussion with federal officials about what’s known about Russian, or others’, efforts to hack into their systems.
The Election Commission (EC) website where voters can check their voting constituency and polling station by entering their MyKad number is not secure, tech blogger Keith Rozario said. The creator of sayakenahack.com, aimed at helping victims of a massive data breach to find out if they were affected, said in a blog post that the EC site was marked as “insecure by Google Chrome because it doesn’t even have TLS”. TLS or Transport Layer Security is meant to ensure privacy and data integrity between two communicating computer applications. In the case of a voter checking their status on the EC website, TLS would ensure that data travelling between the voter’s browser and the EC on a WiFi or data connection used would be encrypted. Without TLS, he said that someone searching for their voting information on the EC website could have their data “transferred in clear across the internet for anyone in the middle to see”.
Judging strictly by how the Center for Election Systems at Kennesaw State University is described on its official website, everything is peachy when it comes to the fact that the center is charged by the Secretary of State with ensuring the integrity of voting systems throughout Georgia. “The Center maintains an arms-length working relationship with the Secretary of State and the vendor, ensuring both independence and objectivity in its work,” the center states on its website. But if you ask Marilyn R. Marks, executive director of the Coalition for Good Governance, a university has no business playing such a critical role in the oversight of a state’s election infrastructure. It’s an argument that Marks says is underscored by the fact that voter data in Georgia was exposed on the Internet for a significant period of time leading up to key elections in Georgia — a fact uncovered by a cybersecurity expert named Logan Lamb, who reported it to the center. KSU only took action when a second cybersecurity expert — Chris Grayson — found the same security gaps and reported them to Andrew Green, a colleague and KSU faculty member who lectures on information security and assurance, according to a lawsuit filed by Marks’ coalition.
National: State election boards’ hands are sometimes tied when it comes to voting machine security. | Slate
Voting in the United States is highly decentralized—and in many ways that’s a good thing when it comes to security. Having different regions operate their own elections and count their own votes makes it harder for someone to forge, compromise, or change a large number of votes all at once. But that decentralization also means that individual states, counties, or districts are also often free to make bad decisions about what kind of voting technology to use—and it’s surprisingly hard to stop them. Earlier this week, North Carolina’s state elections board made a last-ditch attempt to convince a judge to prohibit counties in the state from using voting software manufactured by VR Systems on the grounds that the board hadn’t officially certified the software since 2009. On Monday—the day before Election Day—that attempt failed when Superior Court Judge Paul Ridgeway declined to intervene.
Pennsylvania: Is your vote safe? Penn State panel casts doubts, but county elections chief says not to worry | Press & Journal
A Nov. 1 forum on election security at Penn State Harrisburg raised concerns about the vulnerability of voting systems nationally and in Pennsylvania to cyber attack. … Marian Schneider, a former special adviser to Gov. Tom Wolf on election policy and one of three speakers at the Penn State Harrisburg event, said it is “irrelevant” whether Russian meddling in the 2016 presidential election actually altered the outcome in any way. She quoted former FBI Director John Comey saying that the Russians “will be back, and they will be bolder.” “If you conclude that they had some success with the election last year, they may embolden other actors, whether nation-state attackers or within the United States,” said Schneider, who was deputy secretary for elections and administration in the Pennsylvania Department of State from 2015 to 2017. “I think this is the new normal in elections and the Russian effort shows us what could possibly happen.
A year before the midterm elections, state election administrators are racing to plug vulnerabilities and update software ahead of an expected wave of cyberattacks from foreign actors. In interviews, state officials and elections experts said they are working to bolster internal security at both the state and local levels. At the same time, many said they hope Congress will act to update federal election law, in part to provide them with the resources they need to secure the democratic process. “No matter what steps we take today, cybersecurity and the cyber risk evolves and changes daily, and we just have to be vigilant and diligent going forward,” said Vermont Secretary of State Jim Condos (D). “Anybody that thinks, ‘today I’ve got it covered,’ and washes their hands of it is fooling themselves.”
National: Where hackers haven’t directly influenced polls, they’ve undermined our faith in democracy | The Register
What a difference a year makes. This time last year, Twitter pooh-poohed any suggestion that Russian agents ran accounts on its platform for purposes of subverting the US election. A month ago, it was forced to eat its words, owning up to maybe just a few paltry 201. Last week, in the course of a Congressional grilling, that estimate ticked upward a magnitude to more than 2,700. Facebook, too, upped the ante, admitting that Russian-backed content may have reached not 10 million users, as previously claimed, but 126 million. Some of this, as analysis of the @TEN_GOP Twitter account suggests, was influential. But did it influence the election? That is the $64,000 question. Or, given how much Donald Trump appears to be profiting from his election as US president, perhaps the $64m question. Not to be outdone, the UK may, finally, be asking some of the same questions. A petition politely asking the UK government to “investigate covert foreign interference in the EU referendum” was cancelled earlier this year when the general election was called. Now it is back and has hit 10,000 signatures, an official (written) response is required. 100,000 signatures means the petition will be considered for debate in Parliament.