Govtech
The U.S. military has the capability, the willingness and, perhaps for the first time, the official permission to preemptively engage in active cyberwarfare against foreign targets. The first known action happened as the 2018 midterm elections approached: U.S. Cyber Command, the part of the military that oversees cyber operations, waged a covert campaign to deter Russian interference in the democratic process. It started with texts in October 2018. Russian hackers operating in the Internet Research Agency – the infamous “troll factory” linked to Russian intelligence, Russian private military contractors and Putin-friendly oligarchs – received warnings via pop-ups, texts and emails not to interfere with U.S. interests. Then, during the day of the election, the servers that connected the troll factory to the outside world went down.
Full Article: U.S. Military Steps Up Cyberwarfare Effort.
For years security professionals and election integrity activists have been pushing voting machine vendors to build more secure and verifiable election systems, so voters and candidates can be assured election outcomes haven’t been manipulated. Now they might finally get this thanks to a new $10 million contract the Defense Department’s Defense Advanced Research Projects Agency (DARPA) has launched to design and build a secure voting system that it hopes will be impervious to hacking.
The first-of-its-kind system will be designed by an Oregon-based firm called Galois, a longtime government contractor with experience in designing secure and verifiable systems. The system will use fully open source voting software, instead of the closed, proprietary software currently used in the vast majority of voting machines, which no one outside of voting machine testing labs can examine. More importantly, it will be built on secure open source hardware, made from special secure designs and techniques developed over the last year as part of a special program at DARPA. The voting system will also be designed to create fully verifiable and transparent results so that voters don’t have to blindly trust that the machines and election officials delivered correct results.
At the headquarters of Ukraine’s SBU more than a dozen local and Western security experts watch a simulated foreign cyber attack on several big screens ahead of this month’s presidential vote. During the joint EU-Ukraine cyber security drills the Westerners pretend to be hackers attacking the country’s central election commission, while the Ukrainians seek to neutralise them. The exercises held in Kiev last week involved around a hundred experts and were part of efforts to prevent arch-foe Russia from interfering in the crucial March 31 election. Ukrainian security officials said they had registered a growing number of distributed denial-of-service attacks and phishing attempts to gain access to computers of the country’s ministries and other state structures in recent months.
Full Article: Ukraine ready to take on Russian election hackers.
Indonesia: Russian, Chinese language Hackers Interfering With Indonesian Presidential Election | Brinkwire
Indonesia has identified China and Russia as sources of an ongoing wave of relentless cyber assaults intended to disrupt the country’s presidential elections on April 17. The attacks originate in Russia and China, said Arief Budiman, head of Indonesia’s General Elections Commission or KPU. Budiman also said some of the cyberattacks are attempts to “manipulate or modify” content. Others aim to create ghost voters, or fake voter identities. “They try to hack our system,” according to Budiman. “Not only every day. Almost every hour,” he said. The KPU head said it remains unclear if the motive of this continuing wave of attacks is “to disrupt Indonesia” or to help one of the candidates win. Incumbent president Joko Widodo is squaring off against Prabowo Subianto, a former special forces general in the election.
Full Article: Russian, Chinese language Hackers Interfering With Indonesian Presidential Election – Brinkwire.
State election officials told members of Congress Wednesday that even after the $380 million the federal government distributed last year for states to shore up the security around their election systems, more will be needed to replace dated voting equipment and to combat future cyberthreats. But the officials who testified before the House Homeland Security Committee were not unanimous in how new funds should be awarded, some wary that the federal government would put too many requirements and deadlines on states for spending additional election-assistance money. “The most important feature to a good election security bill is to create one that provides necessary resources to the states without creating unfunded or underfunded mandates and strangling restrictions through federal overreach,” Alabama Secretary of State John Merrill said in his opening remarks.
Full Article: Election officials ask Congress for new wave of security funding.
National: ‘We’re doubling down.’ DHS insists it’s not reducing election security efforts | The Washington Post
The Homeland Security Department is actually surging its efforts to protect elections against foreign hackers during the two years leading up to the 2020 elections — not winding them down, the agency’s top cybersecurity official insists. Chris Krebs, who leads DHS’s Cybersecurity and Infrastructure Security Agency, was punching back Thursday against a Daily Beast report citing anonymous staffers who said the department was reducing its election security efforts following the midterms to invest more in border security and other Trump administration priorities. “The department’s election security and countering foreign influence security-related efforts are not going anywhere,” Krebs said. “In fact, we’re doubling down.” The article made waves in the security community because even a perception that the government isn’t serious about securing elections against Russian hackers could damage trust in the result in the 2020 election. Federal officials — including Krebs himself — have warned Russia may have viewed the midterms as merely a “warm-up” for 2020 when more Americans will be looking for signs of foreign influence. The stakes for officials such as Krebs are especially high because President Trump has wavered on whether he believes Russia was responsible for its hacking and disinformation campaign to influence the 2016 presidential contest.
Full Article: The Cybersecurity 202: 'We're doubling down.' DHS insists it's not reducing election security efforts - The Washington Post.
The head of the Department of Homeland Security’s cybersecurity wing is pushing back on a media report that the agency has scaled back personnel and resources from combatting foreign election interference. Cybersecurity and Infrastructure Security Agency Director Chris Krebs hosted a conference call with reporters less than 24 hours after The Daily Beast published a story that quoted multiple anonymous DHS officials who said two CISA task forces focused on coordinating the department’s response to foreign influence in U.S. elections were significantly downsized shortly after the mid-terms. Krebs didn’t deny that personnel levels for the task forces were reduced. He characterized the task forces as temporary vehicles to address an emerging threat while CISA worked to hire staff and build more permanent institutional capacity to tackle the issue.
Full Article: CISA says it's ramping up election security efforts for 2020 -- FCW.
Blockchain, the ingenious database technology best known for underpinning the faddish digital currency Bitcoin, is reviving the utopian fantasies of the early internet era. In an influential manifesto from that time, “A Declaration of the Independence of Cyberspace,” published in 1996, the essayist and activist John Perry Barlow opposed the idea of government regulation of the internet, offering instead an anarchical vision of an online world in which a decentralized network of people existed free from all authorities and intermediaries save for their own “social contract.” Whatever else Barlow’s statement might have been, it was not prophetic. The online world today is full of authorities and intermediaries — search engines, social media platforms, cloud computing services, internet service providers — all of which exert considerable control over cyberspace and are themselves shaped by laws and regulations. It is hard to imagine a cyberlibertarian paradise emerging from that.
Full Article: Is Blockchain Technology Overhyped? - The New York Times.
Florida: Palm Beach, ground zero for 2018 vote recount, didn’t apply for election security cash | Politico
Palm Beach County officials failed to tap election security funds available for the 2018 midterms, making it the only jurisdiction in the state that didn’t seek a share of the federal aid. Nearly $2 million in federal funds was made available to the state for hardware and software support, including server installations and network monitoring, ahead of the 2018 midterm elections. In a presentation to the House Transportation and Tourism Appropriations Subcommittee on Wednesday, state elections director Maria Matthews said 66 of 67 Florida counties applied for the funds, news that angered lawmakers. “Once again, the Palm Beach supervisors office has proven that they have been woefully mismanaged,” said state Rep. Blaise Ingoglia, a Spring Hill Republican who led the Republican Party of Florida during the 2018 election cycle. “It’s clear to me that making deadlines was not their forte.”
Full Article: Palm Beach, ground zero for 2018 vote recount, didn’t apply for election security cash.
Swiss authorities are trumpeting the fact that more than 2,000 would-be hackers from around the world have taken up an invitation to try to find holes in Switzerland’s groundbreaking online voting system — and potentially earn tens of thousands of francs (dollars) if they succeed. The Federal Chancellery and Swiss regions, known as cantons, expressed satisfaction at the high response barely a week after launching a registration for IT experts to help crack a planned update to Switzerland’s 15-year-old e-voting system. Among countries in Europe, only Estonia has a similar online voting program, a Swiss official said. The effort amounts to a coming-of-age of Swiss e-voting, or online voting, systems: After over 200 trials and the rollout of e-voting already in 14 of Switzerland’s 26 cantons, authorities now believe they’ve developed “completely verifiable systems” that they hope to introduce for the first time this year.
Full Article: Hackers flock to hunt for cracks in Swiss e-voting system - StarTribune.com.
Worries over election hacking have led officials in Europe and the U.S. to consider a return to hand-counting paper ballots. Switzerland, however, is moving in the opposite direction, toward absentee electronic voting. It’s a useful way of keeping turnouts from falling, and the systems can be made secure and reliable. Since the scare of 2016, when U.S. intelligence services asserted that malicious Russian actors came close to hacking electronic voting systems and even cracked some voter databases, at least one country – the Netherlands – went back to counting paper ballots by hand throughout the tabulation process, not just at local polling stations. Dozens of U.S. states used hand-counting either solely or for backup in the 2018 midterm elections, and the states that failed to do so were criticized for ignoring security. … Recent research shows that electronic voting doesn’t boost interest in elections by much. In Estonia, which introduced e-voting in 2005, more than 30 percent of the vote is now cast online but the total turnout has remained stable – and low. Yet studies have also shown that having e-voting as an option can arrest a decline in turnout: Easy absentee voting is habit-forming.
Full Article: Election Hacking: Bucking the Trend, Swiss Rely on Online Voting - Bloomberg.
Two teams of federal officials assembled to fight foreign election interference are being dramatically downsized, according to three current and former Department of Homeland Security officials. And now, those sources say they fear the department won’t prepare adequately for election threats in 2020. “The clear assessment from the intelligence community is that 2020 is going to be the perfect storm,” said a DHS official familiar with the teams. “We know Russia is going to be engaged. Other state actors have seen the success of Russia and realize the value of disinformation operations. So it’s very curious why the task forces were demoted in the bureaucracy and the leadership has not committed resources to prepare for the 2020 election.”
Full Article: Trump’s DHS Guts Task Forces Protecting Elections From Foreign Meddling.
National: This key House Republican is open to mandates on states for election security | The Washington Post
As the House Homeland Security Committee meets for the first election security hearing of 2019 today, Congress is still far away from a grand bargain to help protect state election systems from foreign hackers. But the goalposts may be changing with Democrats in charge of the House. The new top Republican on the committee, Rep. Mike Rogers (Ala.), tells me he’s ready to impose requirements on states to secure their election systems against hackers. He called for a baseline of security states must meet before receiving money from the government to upgrade outdated and vulnerable voting machines and secure other election infrastructure. “We want to get some minimum standards that have to be adhered to,” Rogers tells me. And he says he’s willing to work with Democrats to get it done.
Full Article: The Cybersecurity 202: This key House Republican is open to mandates on states for election security - The Washington Post.
Democrats and Republicans have clashed before over H.R. 1, the House Dems’ sweeping package of democracy and governance proposals, but today the fight goes directly to the election security provisions of the bill. The House Homeland Security panel holds a hearing today on the measure with testimony from DHS’s top cyber official, Cybersecurity and Infrastructure Security Agency Director Chris Krebs, Election Assistance Commission Chairman Thomas Hicks and others. A CISA official told MC: “Director Krebs will confirm election security remains a priority for CISA in the run up to 2020, laying out the Agency’s plan to work with State and local election officials on broader engagement, better defining risk to election systems, and understanding the resources to manage that risk.” At least one witness — Jake Braun, a former Obama administration official who now works as executive director of the University of Chicago’s Cyber Policy Initiative and an organizer of DEF CON’s Voting Village — endorses the bill’s election security ideas in his prepared testimony. He praises the provisions mandating auditable paper trails and authorizing voting infrastructure research and development funds.
Full Article: House Democrats, Republicans cross swords over election security bill today - POLITICO.
With the 2020 national election cycle on the horizon, House Homeland Security Committee Chairman Bennie Thompson, D-Miss., convened a hearing Wednesday to examine how the United States was working to secure its elections. The hearing, broken into two panels, heard from senior Federal election officials, as well as state and local election officials. During the first half of the hearing Christopher Krebs, director of the newly minted Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS), stressed that election cybersecurity is on the upswing. However, the second half of the hearing held a slightly different tone, with California Secretary of State Alex Padilla declaring that “our democracy is under attack.”
Full Article: State and Local Elections Experts Weigh-In on Security Concerns – MeriTalk.
The nation’s top cybersecurity official told Congress that the ability to audit voting machines after elections is critical for ballot security. “The area that I think we need to invest the most in the nation is ensuring auditability across infrastructure,” Christopher Krebs, head of the Cybersecurity and Infrastructure Security Agency said at a Feb. 13 hearing of the House Homeland Security Committee. “If you don’t know what’s happening and you can’t check back at what’s happening in the system — you don’t have security.” While 34 states and the District of Columbia have some laws mandating post-election audits, according to the National Conference of State Legislatures, Congress has been unable to agree on how hard or soft to make such language in legislation. Krebs and Election Assistance Commission (EAC) Chair Thomas Hicks endorsed the need for greater auditability, though both deferred to states on the question of whether it should be done digitally or by hand.
Full Article: Cyber chief pushes audits as key to election security -- FCW.
Russian hackers are redoubling their efforts in the run-up to presidential elections in Ukraine, according to the head of Ukraine’s cyber-police. Serhii Demediuk said in an interview with The Associated Press that Russian-controlled digital saboteurs are stepping up attacks on the Central Elections Commission and its employees, trying to penetrate electronic systems in order to manipulate information about the March 31 election. “On the eve of the election and during the counting of votes there will be cyberattacks on certain objects of critical infrastructure. This applies to the work of the polling stations themselves, districts, and the CEC,” he said. “From what we are seeing, it will be manipulation aimed at distorting information about the results of elections, and calling the elections null or void,” Demediuk said.
Full Article: Ukrainian official: Hacking intensifies as election nears | The Seattle Times.
Responsibility for the nation’s cybersecurity is spread piecemeal throughout the government without a single person or agency in charge. That creates dangerous gaps that U.S. adversaries could exploit to hack the government or critical infrastructure, two prominent Senate Republicans told me. Homeland Security Chairman Ron Johnson (Wis.) and Mike Rounds (S.D.), chair of the Armed Services Committee’s cyber panel, are mulling how they might create a centralized government authority for cybersecurity issues. The goal would be an office that could make sure the Homeland Security, Defense and Justice departments are effectively sharing information and working toward common goals, the senators said. For example, the Defense Department, which is authorized to conduct clandestine military activities in cyberspace, might not be as clued in as DHS is to how some of those activities could prompt retaliation against U.S. businesses. Rounds also noted that some parts of the government were concerned for several years that Chinese telecom giant Huawei could use its position inside global telecommunications infrastructure to spy on behalf of the Chinese government — but the U.S. did not act until recently.
Full Article: The Cybersecurity 202: Senate committee leaders worry no one’s in charge on cybersecurity - The Washington Post.
Minnesota: Federal election security funding due for Minnesota hits snag in Legislature | Star Tribune
Minnesota Secretary of State Steve Simon is increasing pressure on legislators to help his office claim $6.6 million in federal dollars to increase election security. Minnesota was one of 21 states whose election systems were targeted by Russian hackers in 2016, but it is the only state to still not access federal Help America Vote Act (HAVA) funding approved by Congress last year. After Capitol leaders initially pointed to the measure as a slam-dunk for early passage, it has yet to reach the desk of Democratic Gov. Tim Walz. A proposal in the GOP-controlled Senate would release just a fraction of the money right away, leaving most of the money subject to late-session budget debate. “This is cause for concern and something I think should inspire all of us to act quickly,” Simon told the Senate’s elections committee. Simon’s plea comes fresh off a recent visit to the U.S. Department of Homeland Security this month. “We need the full authorization immediately,” he said.
Full Article: Federal election security funding due for Minnesota hits snag in Legislature - StarTribune.com.
Virginia elections’ next chief information officer likely had their personal information exposed, after a job posting for the position included a username and password that could be used to view applicants’ resume and personal details. The Department of Elections told WTOP Tuesday afternoon it is “taking action” to address the issue, which allowed a reporter to see names, resumes, salary information, references, education history, home addresses, emails and phone numbers of 96 people who had applied to be head IT security for Virginia elections. By 5 p.m. Tuesday, the login credentials had been deactivated. The personal information of the applicants appeared to have been exposed since the application window ended more than a week ago, although it is unclear how many people may have accessed the data. Those who applied between Jan. 17 and Feb. 3 live and work across Virginia and the country. Several have military experience or have worked as government contractors, according to the resumes, cover letters and other information they provided on the state Department of Human Resource Management’s Recruitment Management System.
Full Article: Applicants of Virginia election security post had personal info exposed | WTOP.