National: Cyber firm sows chaos in election hack simulation | Derek B. Johnson/FCW
The fictional City of Adversaria was ground zero for an Election Day security training exercise pitting law enforcement officials attempting to maintain order during an election against "K-OS," a mysterious cyber group aiming to disrupt and undermine voter confidence. The simulated battle was part of Operation Blackout, a tabletop exercise hosted by Cybereason Nov. 5 to test how federal officials might react to a dedicated attack on election day. The company invited officials from real federal agencies like FBI and the Department of Homeland Security to sit in on both the "Blue" team representing law enforcement and "Red" team representing K-OS, to learn how to better protect election infrastructure. Ari Schwartz, former senior director of cybersecurity at the National Security Council under President Barack Obama, helped adjudicate the exercise and told FCW afterwards that in a real election, much of the planning by defenders would be gamed out in the weeks and months leading up to election day, but that unforeseen attack vectors are always out there and can throw a wrench into the gears of the best laid plans.National: Administration officials say election security is a ‘top priority’ ahead of 2020 | Tal Axelrod/The Hill
Several administration officials Tuesday released a joint statement assuring the public that they are prioritizing election security less than a year away from the 2020 presidential race. Attorney General William Barr, Secretary of Defense Mark Esper, outgoing acting Secretary of Homeland Security Kevin McAleenan, acting director of national intelligence Joseph Maguire, FBI Director Christopher Wray and others said they have increased the level of federal support to state and local election officials and are prioritizing the sharing of threat intelligence to improve election security. “In an unprecedented level of coordination, the U.S. government is working with all 50 states and U.S. territories, local officials, and private sector partners to identify threats, broadly share information, and protect the democratic process. We remain firm in our commitment to quickly share timely and actionable information, provide support and services, and to defend against any threats to our democracy,” they said in a joint statement.Louisiana: Cyberattack on St. James Parish government didn’t stop early voting nor affect schools | David J. Mitchell/The Advocate
A cyberattack that forced the shutdown of St. James Parish government's computer network did not interrupt early voting for runoff elections Nov. 16 or affect the public schools, according to state and parish school officials. "There was no stop in voting, just a change of the means," Tyler Brey, spokesman for the Louisiana Secretary of State's office, said Thursday. Workers in the parish's Registrar of Voters offices had to switch from electronic voting machines to scanned paper ballots for several hours earlier this week while the state took its own system offline as a security precaution. Brey said voting continued Thursday on standard electronic machines and is expected to do so until early voting ends Saturday. In addition to the statewide runoffs for governor and secretary of state, voters in some parts of St. James will be deciding on two Parish Council seats: District 4 in the Convent area and District 5 in western St. James. Parish officials said Wednesday a phishing attack that state investigators believe originated in Russia hit the parish's computer network.National: Smartphone Voting Could Expand Accessibility, But Election Experts Raise Security Concerns | Abigail Abrams/Time
ome voters with disabilities will be able to cast their ballots on smart phones using blockchain technology for the first time in a U.S. election on Tuesday. But while election officials and mobile voting advocates say the technology has the potential to increase access to the ballot box, election technology experts are raising serious security concerns about the idea. The mobile voting system, a collaboration between Boston-based tech company Voatz, nonprofit Tusk Philanthropies and the National Cybersecurity Center, has previously been used for some military and overseas voters during test pilots in West Virginia, Denver and Utah County, Utah. Now, Utah County is expanding its program to include voters with disabilities in its municipal general election as well. Two Oregon counties, Jackson and Umatilla, will also pilot the system for military and overseas voters on Tuesday. The idea, according to Bradley Tusk, the startup consultant and philanthropist who is funding the pilots, is to increase voter turnout. “We can’t take on every interest group in Washington around the country and beat them, but I think what we can do is let the genie out of the bottle,” he says.National: Cyber officials tout reforms with one year to Election Day | Maggie Miller/The Hill
Officials and cyber experts are expressing confidence in reforms made to prevent a repeat of election hacking and foreign interference one year ahead of their biggest test yet, Election Day 2020, even as they remain vigilant. This optimism comes even as lawmakers remain sharply divided along party lines on how to address election security concerns. Sen. Ron Johnson (R-Wis.), the chairman of the Senate Homeland Security and Governmental Affairs Committee, told reporters on Thursday that he believes “great strides” have been made since 2016 by the Department of Homeland Security (DHS) and election officials. “It’s a serious issue, and one we take seriously, but when I take a look at all the threats facing this nation, it really is on the lower end of my priority list in terms of what I’m overly concerned about because it’s being addressed I think pretty effectively,” Johnson said. Democratic House Homeland Security Committee Chairman Bennie Thompson (Miss.), though, warned this week that "in just over a year, voters in many states across the country will vote for president in 2020 on machines that are old, have no paper trail, and are vulnerable to manipulation.”National: A Plan to Crowdsource Voting Machines’ Security Problems | Andrea Noble/Defense One
A northern Virginia infrastructure-threat clearinghouse is trying to build a system to help voting-system manufacturers learn about problems with their machines. Fueled by monetary rewards and curiosity, hackers have helped companies discover and fix security vulnerabilities in a variety of technology and software applications. But one year out from the 2020 presidential election, can they do more to help secure voting systems? Technology researchers hope so. The Information Technology-Information Sharing and Analysis Center, or IT-ISAC, is evaluating the feasibility of creating a coordinated vulnerability disclosure, or CVD, program that could alert voting system companies about weaknesses. The first step in establishing a CVD program requires voting vendors to have a system in place for receiving information about discovered vulnerabilities and acting on that information—procedures several vendors have already begun to implement, said Scott Algeier, the executive director of IT-ISAC, a non-profit that serves as a clearinghouse for information on cyber threats to critical infrastructure.National: How the threat of hacking looms over the 2020 election | Ellen Daniel/Verdict
With the UK bracing for a general election and campaigning ahead of the US 2020 presidential election now in full swing, the threat of election hacking is once more a key topic of conversation. The now infamous Democratic National Committee cyber attacks, in which hackers with ties to Russia breached the DNC network via a phishing attack, exemplified how easily democratic infrastructure can be affected by outside interference. However, four years later, the cybersecurity community is still calling for greater efforts to combat the issue. Verdict spoke to Kevin Bocek, VP of security strategy & threat intelligence at cybersecurity firm Venafi to discover the motivations behind election hacking and whether the threat can ever be fully removed. Despite the publication of the Mueller report earlier this year, and the conclusion that Russia “interfered in the 2016 presidential election in sweeping and systematic fashion”, the implications for the Western democratic system are yet to be fully addressed.Florida: State and federal officials promise transparency but sidestep specifics on election security | Jeffrey Schweers/Tallahassee Democrat
State, local and federal officials asked the public to trust their ongoing efforts to strengthen Florida's election system against foreign and domestic threats leading up to the 2020 elections, but they refused to give any details. “We are committed to the maximum amount of transparency as possible,” Secretary of State Laurel Lee told more than a dozen reporters Friday at a 30-minute Tallahassee news conference hosted by Larry Keefe, U.S. Attorney for Florida's northern district. She dodged a barrage of questions about why the state won't say which counties were hacked in 2016, what vulnerabilities her office found during a review of the election systems of all 67 counties, and whether the state would disclose any future breaches or potential breaches to the public. A week ago, she sidestepped the same questions during a 30-minute interview with the Tallahassee Democrat citing security issues. Keefe said Friday's news conference was ushering in an "unprecedented" collaboration among state, federal and local officials responsible for election security, vowing his office will investigate and prosecute any election tampering.Illinois: State Elections Board: ‘We’re Under Constant Threat’ from Foreign Interference | Paris Schutz/WTTW
The 2020 election is just under a year away, and both federal and state election authorities say the threat of foreign interference is ramping up. Illinois was one of several states whose election infrastructure was attacked by Russians in 2016, and officials say they’ve made big changes to make sure it doesn’t happen again. But can voters be sure the new measures will work? The Illinois State Board of Elections says it has received $13.2 million in federal aid since 2016 to deal with foreign interference. As outlined in the Mueller report, Russian hackers successfully breached an Illinois voter database that included information such as names, addresses and voter registration status. The breach affected 76,000 Illinois voters, but the board says there is no evidence that hackers manipulated any of that information to try and change voter registration status and, ultimately, impact the outcome of the election. But they say it was a wakeup call.Virginia: We now know that Russia specifically targeted Virginia elections in 2016 | Mike Valerio/WUSA
Russian hackers with the Kremlin’s military intelligence unit targeted Virginia’s election infrastructure in 2016 – a cyber operation now confirmed by current and former state election officials. The Russian effort searched for vulnerabilities within Virginia’s online election infrastructure, authorities familiar with the matter said. The specific Russian actions targeting Virginia have not been previously reported. Analysts within the Department of Homeland Security eventually traced the suspicious activity to the GRU, the Russian military spy agency. The attempts to break into Virginia’s election systems did not change any votes, steal any personal information, or affect any voting during the presidential election, the officials stressed. Yet Richmond first received notice of the Russian reconnaissance only after hackers looked for weaknesses within the state’s election websites. Federal investigators disseminated a critical cyber bulletin known as a FLASH alert only days after malicious actors broke into Illinois’s voter database in the summer of 2016. The alert detailed how the Illinois Board of Elections reported an unusual surge in online traffic – traffic later traced back to Russia.National: New federal guidelines could ban internet in voting machines | Eric Geller/Politico
A long-awaited update to federal voting technology standards could ban voting machines from connecting to the internet or using any wireless technology such as Wi-Fi or Bluetooth. A new draft of version 2.0 of the Voluntary Voting System Guidelines says that voting machines and ballot scanners “must not be capable of establishing wireless connections,” “establishing a connection to an external network” or “connecting to any device that is capable of establishing a connection to an external network.” If they survive a review process, the new rules would represent a landmark development in voting technology oversight, eliminating one of cybersecurity experts’ top concerns about voting machines by plugging holes that skilled hackers could exploit to tamper with the democratic process. The wireless and internet bans are included in the latest draft of the “system integrity” section of the VVSG update. A working group focused on the VVSG’s cybersecurity elements reviewed the document during an Oct. 29 teleconference.National: Almost 100 former officials, members of Congress urge Senate action on election security | Maggie Miller/The Hill
A group of nearly 100 former members of Congress, Cabinet officials, ambassadors and other officials is urging Congress to take action to secure U.S. elections, citing “severe threats to our national security” if certain steps are not taken. The officials, all of whom are members of nonprofit political action group Issue One’s “ReFormer’s Caucus,” sent a letter to the Senate on Thursday urging members to support various bills designed to bolster election security. “Foreign interference in American elections is a national security emergency,” the group wrote. “We are alarmed at the lack of meaningful Congressional action to secure our elections. The United States cannot afford to sit by as our adversaries exploit our vulnerabilities. Congress — especially the Senate — must enact a robust and bipartisan set of policies now.” Specifically, the officials advocated for the passage of five bipartisan bills, including the Honest Ads Act, a bill meant to increase the transparency surrounding online political ads, and the Defending Elections from Threats by Establishing Redlines (DETER) Act, which would impose sanctions on countries that interfere in U.S. elections. The officials also urged the Senate to pass legislation aimed at increasing the cybersecurity of voting infrastructure and cracking down on foreign donations to U.S. elections.National: Voting machines still easy prey for determined hackers | Derek B. Johnson/FCW
Security researchers showed lawmakers and reporters how easy it is to compromise voting machines in what has become an annual event at the U.S. Capitol. The Washington, D.C., version of the Voting Village event at the DefCon security conference in Las Vegas gives policymakers a hands-on glimpse of the technology that powers U.S. democracy. This year's report is consistent with prior exercises: virtually every machine experts can get their hands on can be easily exploited in a number of different ways. What has changed in recent years, said Voting Village Co-founder Harri Hursti, is that the community of security researchers with first-hand experience working with these machines has grown from less than a dozen to thousands. Even though the annual event has been held for several years, fresh researchers have discovered of new vulnerabilities and attack vectors. "In this area, it's always mind-blowing how these machines keep giving," Hursti told FCW.National: Four ways to address electronic voting security concerns | Earl D. Matthews/StateScoop
Despite the $380 million in federal grants made to states to update the security of their election systems, we are still woefully unprepared to deal with potential attacks on our essential digital voting infrastructure. With the 2020 election cycle fast approaching, there is tremendous urgency to address the underlying issues that jeopardize the sanctity of our elections.
As former director of cyber operations and chief information security officer for the U.S. Air Force, as well as with my more recent experience working in the cybersecurity sector, I have a fairly unique perspective on how our state governments should be addressing election security. In my view, the main cause of our cybersecurity-unpreparedness is that we are not looking at the problem holistically, nor are we fully appreciating the complexity involved. Solutions being posed only address part of the problem and inevitably fall short, thus putting our democracy at serious risk.
States are ultimately responsible for election systems and their security, but cybersecurity solutions vendors can also contribute to this effort. Below are four steps that state governments should take, working with the technology community, to effectively address vulnerabilities in the voting system and better protect our democratic process through cybersecurity practices, people and technology.
1. Mandate transparency from e-voting hardware and software providers about security of their software and require them to identify security vulnerabilities.
What I’m talking about is mandating cybersecurity hygiene, much in the same way that companies require cybersecurity hygiene of the organizations with which they do business or form partnerships. There is a broad range of commercial providers of election system technology, each playing a different role in the overall e-voting system ecosystem — some of which have begun offering free, open-source versions of their software to governments — making it critical for providers to be transparent about potential vulnerabilities in their systems. Similar to how Microsoft releases patches and upgrades when new threats are discovered to offer users greater protections, this needs to happen in our election system as well. As part of this transparency, ongoing monitoring and measurement of the effectiveness of each component also needs to be conducted, which leads to my next point.
2. Instate continuous, automated measurement and monitoring of the effectiveness of security controls.
States need to understand how systems are protecting against new and existing vulnerabilities, and this needs to be automatically monitored on an ongoing basis with cooperation from each software provider. Too often, assumptions are made that security technology and protocols are working as they’re supposed to — but given the complexity of IT environments, the number of software elements that need to work together and the volume of network and access changes made every day, misconfigurations that compromise performance are common. To ensure optimal performance of the overall security environment requires quantifiable measurement and evidence that controls are working as they should.
3. Limit access for government employees to certain portions of the election system based on role and need.
In the business world, insider threats pose greater risks to organizations than external forces, and the same can be true for governments.