United Kingdom: “Highly likely” cross-government cell will be used to monitor interference and threats if election called | Derek du Preez/Diginomica

Senior civil servants giving evidence to the House of Lords Committee on Democracy and Digital Technology today gave insight into cross-Government work being carried out to monitor interference, disinformation and threats during elections – including the creation of an ‘election cell’ on the day of voting. Natalie Bodek, the acting deputy director of the elections division within the Cabinet Office, and Sarah Connolly, director of security and online harms at DCMS, both shared insights into how the government is collaborating across departments and agencies, as well as with social media giants, to monitor interference. Defending democracy from misinformation and digital interference has become a huge area of concern for governments across the world. Whilst no evidence has been found of online foreign interference in UK elections, it has been highlighted as a top priority by senior politicians and experts. Evidence on the topic has been collected by Parliamentary committees for some time now. A Commons Select Committee recently said that the “UK is clearly vulnerable to covert digital influence campaigns”.

National: Election Security And Voting Machines: What You Need To Know | Philip Ewing/NPR

Voting systems in the United States have come a long way since the hanging chads of the 2000 recount in Florida — but now cybersecurity is as big a concern as ballot fidelity. Here’s what you need to know.

The good news

There are about 3,200 counties or their equivalents across the United States and its territories, ranging in size from Los Angeles County with around 10 million residents to Kalawao County, Hawaii, with fewer than 100. Most counties — more than 70% — have populations under about 50,000, says the National Association of Counties. That huge breadth and diversity means that most elections truly are local and it would be nearly impossible for a foreign adversary to touch them all with a single effort. Elections in the United States remain, as then-FBI Director James Comey famously told Congress, “a bit of a hairball.”

The bad news

A huge breadth and diversity of counties means a huge breadth and diversity of security capabilities. Also, every jurisdiction that runs elections in the United States doesn’t present the same kind of appeal to a foreign interference campaign. The results of a close election can depend on turnout in only a few key states or other locations, meaning some locations are under much more pressure than others.

At the same time, evidence about successful interference in an election system anywhere in the United States would raise questions about the integrity of elections everywhere. Russian cyberattackers have been able to gain access to voter databases and other systems around country, but U.S. officials say they believe no votes have been changed.

National: States brace for ransomware assaults on voter registries | Laura Hautala/CNET

Extortionists have recently shut down municipal computer systems in Texas, Maryland, Florida and New York, threatening to erase databases unless the cities pay a ransom. Now officials around the country are concerned the tool the hackers used, known as ransomware, could be tapped to target state voter registration rolls and disrupt confidence as the nation heads into the 2020 election. Illinois, for example, is making its voter registration database accessible only from a closed fiber optic network, rather than the open internet, according to Matt Deitrich, a spokesman for the State Board of Elections. The Prairie State is making progress, though it still has a way to go, he says. Less than a third of its 108 jurisdictions currently connect to the database via the dedicated network. The security effort is worth it, Deitrich says. If a hacker successfully hits even one county’s election agency with ransomware, that can create the impression the whole system is compromised. “It’s a phenomenon that can undermine voter confidence,” Deitrich said. Ransomware would be a new feature of election hacking, which came to public attention after intelligence officials said Russian hackers probed voter registries during the 2016 presidential campaign. A ransomware attack in 2020 could prove devastating, preventing voters from registering or poll workers from confirming voter eligibility, officials say. The hackers’ goal wouldn’t be changing the votes that were cast, but spreading doubt that eligible voters were able to make their voices heard.

Iowa: DNC recommends scrapping Iowa’s virtual caucus plan | Brianne Pfannenstiel and Barbara Rodriguez/Des Moines Register

The Democratic National Committee on Friday unraveled months of progress the Iowa Democratic Party had made toward making its caucuses more accessible and inclusive, throwing the process into turmoil. The DNC announced it would not recommend approval of plans by Iowa and Nevada to enact virtual caucuses, citing broad cybersecurity concerns. The rejection upends Iowa’s plans just five months before caucus night, adding another layer of uncertainty to what has always been a complicated, volunteer-driven exercise in organizing. And it calls into question the long-term viability of the Iowa caucus system as Democrats here debate whether expanding access outweighs the importance of being first. Iowa Democratic Party chairman Troy Price struck a conciliatory tone and reassured Iowa Democrats that their place leading off the presidential nominating process is secure this February. “Iowa will be a caucus, and Iowa will be first,” he said multiple times during an afternoon news conference at the party’s headquarters in Des Moines. But as the DNC actively encourages states to move away from caucuses and toward primaries, even some Iowans questioned whether it’s time to abandon Iowa’s closely guarded caucus system.

Canada: 19 million Canadians have had their data breached in eight months | Francesca Fionda/CTV News

An estimated 19 million Canadians have been affected by data breaches between November 2018 and June 2019, according to numbers obtained by “Attention Control with Kevin Newman,” a new podcast that launched Monday. The numbers come from 446 breaches that were reported to the Office of the Privacy Commissioner of Canada (OPC). Victims of these kinds of data breaches are vulnerable to identity theft, financial crime, even violence in some cases. The new reporting laws that require businesses to report breaches where there could be a real risk of significant harm to the OPC and the people affected came into effect last November. Between then and June 2019, the OPC received 446 breach reports, nearly six times the number of reports received during the same time period under the previous voluntary reporting system.

National: 2020 presidential election: What the NSA is doing to prepare and how the agency tackled the 2018 midterms | Olivia Gazis/ CBS News

The National Security Agency has begun revealing some of its preparations for the 2020 presidential elections, drawing in part from from its previous successes during the 2018 midterm elections. But officials also warned that cyber threats from foreign adversaries were evolving, accelerating and likely to reach a growing number of targets. NSA officials outlined a three-part approach they said was key to ensuring the security of the 2018 midterms: They first sought to understand adversaries’ activities, and then shared, chiefly through the FBI and Department of Homeland Security, information with potential targets. Along with U.S. Cyber Command, the military’s cyber defense arm, officials said they also imposed unspecified “costs” on those aiming to disrupt U.S. political processes. “[W]e said… if there is an adversary or adversaries that are attempting to either influence or interfere in our elections, we’re going to take them on,” General Paul Nakasone, who leads both the NSA and U.S. Cyber Command, said at the annual Intelligence and National Security Alliance (INSA) Summit last week.  

National: Republicans and Democrats agree that the U.S. should strengthen election security. So why doesn’t Mitch McConnell? | Evan Crawford/The Washington Post

The Senate Intelligence Committee recently released the first volume in what will be a series of reports on Russian interference in the 2016 election. Here’s the most startling thing we learned: Russian hackers targeted election infrastructure not just in 21 or 39 states, as previously reported — but in 50 states. These efforts ranged from scanning state election websites to test for vulnerability to gaining access to the Illinois voter database and being “in a position to delete or change voter data,” according to the Senate report, though no evidence has emerged that any data was actually changed. In response, the committee made recommendations to ensure a more secure 2020 election. Election experts have long been calling for many of these actions, including increased communication between federal, state and local election officials; post-election audits; and updated voting equipment. Many of these measures were part of a bill that the House passed, the Securing America’s Federal Elections Act. But Senate Majority Leader Mitch McConnell (R-Ky.) has effectively blocked this legislation from being considered in the Senate. So where does the public stand on these issues? There’s a bipartisan consensus about election security.

National: Alex Halderman Speaks About Election Cybersecurity at CyberSec & AI Prague Conference | Avast/Security Boulevard

Alex Halderman was researching election hacking a decade before the 2016 U.S. presidential race made it front-page news. The computer science professor at the University of Michigan brought change to India’s elections, turned a U.S. voting machine into a Pac-Man arcade game, and warned Congress twice about the vulnerabilities that await 2020’s U.S. elections. Yet he is bringing a decidedly low-tech solution – a return to the backup of a “paper trail” for ballots – to one of cybersecurity’s biggest challenges when he speaks to the top minds in artificial intelligence at the CyberSec & AI Prague conference in October. Halderman has researched elections in India, Estonia, Australia, and the United States and found that – as in other areas of modern life – tech can introduce as well as address cybersecurity problems. “Countries around the world are turning to computer technology and internet-connected systems to try to make elections better, but the fact is that opens up whole new categories of risk.”

National: Fancy Bear Dons Plain Clothes to Try to Defeat Machine Learning | Robert Lemos/Dark Reading

An analysis of a sample published by the US government shows Russian espionage group APT28, also known as Fancy Bear, has stripped down its initial infector in an attempt to defeat ML-based defenses. The APT28 cyber-espionage group, often called “Fancy Bear” and linked to Russia, has stripped much of the malicious functionality from its initial infector, hiding it in a sea of benign code, according to an analysis published today by Cylance, a subsidiary of Blackberry. The approach shows that the group has developed greater operational sophistication, says Josh Lemos, vice president of research and intelligence at Cylance (and no relation to the author). The authors of the implant appear to be trying to hide in plain site by using well-known libraries, such as OpenSSL, and a widely used compiler, POCO C++, resulting in 99% of the more than 3 megabytes of code being classified as benign, according to Cylance’s analysis. Those steps, taken along with other newly adopted tactics, suggest the group is trying a different approach to dodge evolving defenses, Lemos says.

Editorials: Why November 4, 2020 could be a very bad day | Chris Cillizza/CNN

Since almost the moment Donald Trump won the White House in 2016, people have had November 3, 2020 — aka Election Day — circled on their calendars. For Trump haters, that first Tuesday in November next year is the moment when they can put an end to what they believe is a colossal mistake. For Trump backers, Election Day 2020 is their chance to prove that 2016 was no fluke — and that they want another four years of the billionaire businessman in the White House. But what if the vote on November 3, 2020 doesn’t actually settle anything? There’s been polling evidence for some time that Americans are losing faith in the ability of Americans elections to be conducted fair and squarely. In an NPR/Marist University poll conducted just before the 2018 midterm elections, almost half — 47% — of respondents said that they lacked faith that all votes cast would be counted fairly. That number was even higher among non-white voters — of whom almost 6 in 10 said it was likely not all votes would be counted. Two in 5 voters said they did not believe American elections were fair in that same poll. Other more recent data suggests there is no slackening in the doubts about fair elections. And after the events of the last three years, it’s not hard to see why there’s rising doubt among the public about fair elections.

Editorials: Trump’s hostility to election security preparedness | Elaine Kamarck/Brookings

From the very beginning of his presidency, Donald Trump has denied or downplayed Russian interference in the 2016 campaign. He has, at various times, dismissed the whole idea as a hoax, as fake news, or as an excuse by Democrats for why they lost the election. At other times, he has proclaimed his innocence vis-à-vis Russian campaign interference. From the earliest days of his presidency when he fired FBI Director James Comey in an effort to stop the investigation, he has denigrated and dismissed the entire issue. In its place he has insisted that the real problem in 2016 was not Russian interference but rather illegal voting by immigrants. The president’s beliefs have put him at odds with his own government and his own appointees, creating some awkward moments as the machinery of the federal government comes into conflict with the tweets of the chief executive. In spite of the president’s antipathy towards the effort, the gears of government managed to grind on, even in the White House. On September 12, 2018, President Trump issued Executive Order 13848 titled “Executive Order on Imposing Certain Sanctions in the Event of Foreign Interference in a United States Election.” The order requires a post-election audit by the intelligence community, under the direction of the ODNI (Office of the Director of National Intelligence) and mechanisms to place sanctions—such as confiscation of property—on those who take actions to interfere in U.S. elections.

Iowa: Fearing Hackers, D.N.C. Plans to Block Iowa’s ‘Virtual’ Caucuses | Reid J. Epstein/The New York Times

The Democratic National Committee is preparing to block Iowa Democrats’ plans to allow some caucusgoers to vote by phone next year, bowing to security concerns about the process being hacked, according to four people with knowledge of the decision. The committee’s announcement, expected to come by Friday afternoon in the form of a recommendation to the party’s Rules and Bylaws Committee, serves as a major setback to Democrats who have long hoped to expand the caucus-state electorate beyond those voters able to attend a winter-night gathering for several hours. The Iowa Democrats’ plan would have allowed voters not attending a traditional caucus to register their preference during one of six “virtual caucuses” over the phone. But D.N.C. security officials told the rules committee at a closed-door session in San Francisco last week that they had “no confidence” such a system could remain safe from hostile hackers. The D.N.C.’s leadership concluded that the technology that exists is not secure and poses too large a risk of interference from a foreign adversary, according to officials with knowledge of the deliberations. Several presidential campaigns expressed concern to top party officials that Iowa’s results could be compromised, people familiar with the discussions said Thursday.

Nevada: DNC to recommend scrapping Iowa, Nevada virtual caucus plans | Associated Press

The Democratic National Committee will recommend scrapping state plans to offer virtual, telephone-based caucuses in 2020 due to security concerns, sources tell The Associated Press. The final choice whether to allow virtual caucuses in Iowa and Nevada is up to the party’s powerful Rules and Bylaws Committee. But opposition from DNC’s executive and staff leadership makes it highly unlikely the committee would keep the virtual caucuses, leaving two key early voting states and the national party a short time to fashion an alternative before the February caucuses. The state parties had planned to allow some voters to cast caucus votes over the telephone in February 2020 instead of showing up at traditional caucus meetings. Iowa and Nevada created the virtual option to meet a DNC mandate that states open caucuses to more people, but two sources with knowledge of party leaders’ deliberations say there are concerns that the technology used for virtual caucuses could be subject to hacking. The sources spoke on condition of anonymity because they were not authorized to disclose internal party discussions.

Finland: Security agencies collaborate after cyber attacks | Gerard O’Dwyer/Computer Weekly

Finland’s National Bureau of Investigations (NBI) has joined forces with the National Cyber Security Centre (NCSC) to investigate a series of significant cyber attacks against state-run public services websites in the country in August. The most serious targeted attacks left the national police service and other public websites inaccessible to users. The NBI and the NCSC now plan to work more closely with public and private organisations to increase expertise and capability to better defend Finland’s critical IT infrastructure against cyber attacks. Hackers launched a sustained denial-of-service (DoS) assault on a number of popular public websites on 21 August that caused serious disruption to server functionality, connectivity and public services. The DoS strike was latest hostile cyber assault by hackers targeting high-profile public services websites in Finland. Previously, hackers had launched attacks against the City of Lahti’s municipal computer system and the IT system managing the official online results for the Finnish parliamentary elections in April.

Italy: The Five Star digital voting platform that could threaten a government deal in Italy | Franck Iovene/AFP

If Italy’s political parties can agree on a government deal, it would still need to clear a final hurdle: the online voting platform of the Five Star Movement (M5S), which has long championed so-called ‘digital democracy’.
The platform, named after the 18th-century French philosopher Jean-Jacques Rousseau, is supposed not only to empower ordinary citizens but guarantee transparency — but it has been slammed as secretive and vulnerable to cyber attacks. Launched in 2016, it currently has some 100,000 members, M5S chief Luigi Di Maio said in July. But critics have lamented a lack of official documentation or certification from a third party to attest that this figure is correct. The M5S’s blog says the number of people registered on “Rousseau” rose from 135,000 in October 2016 to nearly 150,000 in August 2017, before dropping to 100,000 a year later. But political analysts say it cannot be seen as representative of M5S supporters, as the membership numbers are a drop in the ocean compared to the 10.7 million Italians who voted for M5S in the 2018 general election.

National: Ransomware threat raises National Guard’s role in state cybersecurity | Benjamin Freed/StateScoop

National Guard units already play a large role in state governments’ cybersecurity activities, such as protecting election systems, but the threat of ransomware to cripple a state or city organization is a growing concern for uniformed personnel, the top military official overseeing the National Guard across the United States said. While Americans are long used to seeing guardsmen and women roll into to disaster-stricken areas after a hurricane or wildfire, deployments following cyberattacks are increasingly common, Air Force Gen. Joseph Lengyel said Friday on a conference call with reporters, likening the recent ransomware incidents in Texas and Louisiana to a “cyber storm,” though not quite a “cyber hurricane.” “We’re seeing the whole of the first responder networks come to assist and mitigate the damage and get everything back up and running, and the National Guard is part of that response,” he said.

National: U.S. officials fear ransomware attack against 2020 election | Christopher Bing/Reuters

The U.S. government plans to launch a program in roughly one month that narrowly focuses on protecting voter registration databases and systems ahead of the 2020 presidential election. These systems, which are widely used to validate the eligibility of voters before they cast ballots, were compromised in 2016 by Russian hackers seeking to collect information. Intelligence officials are concerned that foreign hackers in 2020 not only will target the databases but attempt to manipulate, disrupt or destroy the data, according to current and former U.S. officials. “We assess these systems as high risk,” said a senior U.S. official, because they are one of the few pieces of election technology regularly connected to the Internet. The Cybersecurity Infrastructure Security Agency, or CISA, a division of the Homeland Security Department, fears the databases could be targeted by ransomware, a type of virus that has crippled city computer networks across the United States, including recently in Texas, Baltimore and Atlanta. “Recent history has shown that state and county governments and those who support them are targets for ransomware attacks,” said Christopher Krebs, CISA’s director. “That is why we are working alongside election officials and their private sector partners to help protect their databases and respond to possible ransomware attacks.”

National: Federal officials working with states to protect elections | Andrew Selsky/Associated Press

Huddled in small groups in a remote town in Oregon, county and state elections officials tried to overcome hacking attempts, power failures and other problems as election day approached and finally arrived. It was a tabletop exercise, held as federal officials work to bolster defenses against interference in the 2020 elections, with states being a main line of defense against attempts by Russia or others to disrupt the elections. Officials from the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency traveled to La Grande, a town located in ranching country in northeast Oregon, for Wednesday’s exercise with county and state officials. During the event held on the campus of Eastern Oregon University, the officials had to work through various scenarios, like official websites being hacked, disinformation being spread on social media and electrical power and communications going down, Oregon Elections Director Stephen Trout said in a telephone interview. Disinformation involves deliberately spreading falsehoods and rumors, while misinformation — another election security threat that experts point to — entails simply disseminating incorrect or misleading information.

Editorials: Prediction: 2020 election is set to be hacked, if we don’t act fast | Adam K. Levin/The Hill

Since 1993, hackers have traveled to Las Vegas from around the world to demonstrate their skills at DefCon’s annual convention, and every year new horrors of cyber-insecurity are revealed as they wield their craft. Last year, for example, an eleven-year-old boy changed the election results on a replica of the Florida state election website in under ten minutes. This year was no exception. Participants revealed all sorts of clever attacks and pathetic vulnerabilities. One hack allowed a convention attendee to commandeer control of an iPhone with a non-Apple-issue charging cord, one that is identical to the Apple version. Another group figured out how to use a Netflix account to steal banking information. But for our purposes, let’s focus on election security because without it democracy is imperiled. And if you think about it, what are the odds of something like DefCon being permitted in the People’s Republic of China? Speaking of China (or Russia or North Korea or Iran or…) will the 2020 election be hacked? In a word: Yes.

National: Groups push lawmakers for hearings on voting machine security | Maggie Miller/The Hill

Voting rights and election security groups on Monday urged two House and Senate committees to hold hearings on the security of voting machines. The groups, which include the National Election Defense Coalition, Electronic Privacy Information Center, R Street Institute and Public Citizen, asked the House Administration Committee and the Senate Rules and Administration Committee in a letter to schedule election security hearings that include testimony from voting machine vendors and election security experts. “The security of our nation’s elections is acutely dependent on the vendors that supply our computerized voting systems,” the groups wrote. “The voting system vendors have operated with little oversight and no regulation for decades.” “Given the gravity and urgency of this issue, we write to you to urge the committees to hold a hearing on election system security featuring sworn testimony from officers of the voting system vendors to shed more light on their practices which directly impact the security of the nation,” they added. The groups cited reports in recent months that certain voting systems rely on outdated Windows 7 operating systems, that one major election machine vendor installed remote access software on its election systems and concerns about a lack of transparency from voting machine vendors.

Florida: Election security audit complete but details unclear | Mike Vasilinda/WIXT

A security audit of all 67 Florida counties ordered by Gov. Ron DeSantis has been completed, but once a report is published, it’s not going to advertise what problems were found.  “The secretary, basically, reported to us they had visited all 67 counties already,” said Okaloosa County Supervisor of Elections Paul Lux, who is the former president of the Florida State Association of Supervisors of Elections. “And they are in the process of producing a remediation report and we’ll go from there.” Lux added he was not aware of how much remediation has been ordered. DeSantis ordered the security audit in May after Special Counsel Robert Mueller’s report said Russians successfully hacked two Florida counties in 2016. “There was no manipulation. It didn’t have any effect,” DeSantis said in May. But he said the FBI would not let him name the counties, partly because the FBI said it would help the hackers learn how they were detected.

Iowa: Secretary of State raises concerns of cyber threats to elections | Rod Boshart/The Courier

Iowa Secretary of State Paul Pate on Wednesday likened the ongoing struggle against forces trying to hack the state’s election network to a “war.” “It’s a war for public opinion, and it’s a war, if you will, for minds rather than a physical one,” Pate said in pointing to efforts by Russians, North Koreans, Chinese and others trying to disrupt the U.S. election process and weaken the American public’s trust. “Their manipulation of the social media, their manipulation of certain types of probes that they’re doing is to try to create doubt, to make Americans question their elections process,” Pate told reporters. “So, yes, I consider that a war. I consider it something we need to push back and not tolerate.” Pate raised concerns about challenges to Iowa’s election process during a breakfast meeting with members of the Westside Conservative Club. He also shared his worries that any snafu in the upcoming 2020 Democratic “virtual” caucuses could have a “devastating” impact and jeopardize Iowa’s starting position in the presidential selection process every four years.

Florida: Russian hackers likely to target Florida again in 2020 election, experts warn | Peter Stone/The Guardian

Florida’s record as a vital swing state made it a target for meddling in the 2016 election when Russians breached two county voting systems and a software vendor and now concerns are being raised about voting security in the state for the 2020 ballot, say election and cyber security experts, federal reports and Democrats. With FBI director Christopher Wray and other intelligence officials predicting more Russian and possibly other foreign interference in the next elections, experts say Florida is again a likely target for Russian hackers, or others bent on disrupting voting, which potentially could alter tallies and create other problems. “Obviously, Florida will be a critical state in 2020 and Florida election officials should assume they will be targeted again,” said Larry Norden, who runs the election reform program at the Brennan Center for Justice. Election security experts are concerned about several potential problem areas, including software that stores sensitive voter registration data, the short timetable for any post-election audits and Florida’s history of voting snafus. Some of Florida’s election problems in 2016 were highlighted in April by special counsel Robert Mueller’s report about Russian interference and in a July Senate intelligence committee study on Russian meddling and election security issues nationwide.

Rhode Island: Protecting elections in Rhode Island | Providence Journal

Secretary of State Nellie Gorbea’s most important job is to make sure Rhode Island elections are on the up-and-up. Unfortunately, she has unilaterally blocked the public from obtaining information that was previously available in digital form to check on the accuracy of the voter lists she maintains. (In this year’s session, the legislature balked at Ms. Gorbea’s attempt to deny the public such information by law.) And now it turns out that she bought voting machines that could be liable to hacking. The issue came to light recently through a Vice.com investigation, which found that, for a period of time, Rhode Island’s elections system was connected to the internet. The public had been assured the machines were walled off from potential hacking. Researchers were able to find online the reporting system for results from the entire state. Not good. The problem is striking a balance between quick reporting of results — which in itself helps protect our elections from fraud — and making sure machines are free from tampering. Modems in the voting machines Ms. Gorbea bought transmit election results quickly to the state Board of Elections after the polls close.

International: Governments risk cyber attacks if they continue to demand encryption backdoors | Sara Barker/Security Brief

Governments that flout encryption best practice and mandate the inclusion of backdoors into technology are putting their entire countries at risk, according to security professionals. With election time looming, backdoors are perfect targets for cyber attackers who look to target election infrastructure. It was only last year with ‘Five Eyes’ nations (United States, Canada, United Kingdom, Australia, and New Zealand) were lobbying for technology providers to build backdoors into their solutions. According to 384 IT professionals polled at Black Hat USA 2019, 74% believe that countries with government-mandated encryption backdoors are more susceptible to nation-state attacks. Furthermore, many professionals believe that backdoors won’t make countries any safer – 72% believe laws that allow governments to access encrypted personal data will not make countries safer from terrorists.

Canada: Cyber-risk ramps up during elections | Allan Bonner and Brennen Schmidt/Winnipeg Free Press

It’s almost federal election time — that means many Canadian voters will be trying to guess whether political parties will do what they say they will if elected. That’s a difficult guess. But what about judging a political party’s credibility on a policy issue by seeing whether it practises what it preaches? Here’s an easy example: cybersecurity is in the news. It’s in the budget, too. A while ago, the federal government devoted hundreds of millions of dollars to the threat. And every day there’s news from the U.S. about past and present meddling in the political process. There are also serious worries about future elections, and even the need for paper ballots to ensure the meddling isn’t in cyberspace or a cloud somewhere. Fans of detective novels and movies enjoy the denouement at the end when the culprit is exposed.

National: DHS cyber agency to prioritize election security, Chinese threats | Maggie Miller/The Hill

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) plans to prioritize election security, cybersecurity at federal agencies, and the “persistent threat” posed by China, among its many goals. The agency laid out its key priorities in a new “strategic intent” document released on Thursday, which CISA Director Christopher Krebs described in the introduction as the “keystone” for the agency. Among Krebs’s operational priorities is addressing Chinese threats to U.S. supply chains and to the rollout of 5G networks, bolstering election security efforts at the state and local level, and protecting the cybersecurity of industrial control systems. Other priorities are protecting federal networks against cyber attacks, such as ransomware incidents that have increasingly spread across the country, and defending “soft targets” and crowded venues from physical threats. CISA is the primary agency responsible for assisting state and local governments with securing elections, replacing the former National Protection and Programs Directorate in a law that took effect last year.

National: Internet-Connected Election Systems Found in 10 U.S. States | Scott Ikeda/CPO Magazine

There has been much talk in the media about interference in United States presidential elections, but most of it has centered around the use of media and disinformation to influence votes. There is a widespread assumption that the voting machines themselves are safe from hacking; though many are electronic, these election systems are not supposed to be connected to the internet. A new report from Vice’s Motherboard indicates that these systems are not nearly as secure as anyone thought they were, including election officials. Researchers told Motherboard that a particular type of election system that is only supposed to connect to the internet for several minutes to transfer votes has been found to sometimes stay connected for months, and in some cases these machines were constantly connected and were exposed for at least a year. The election systems found to be vulnerable are made by a specific manufacturer: Election Systems & Software (ESS). ESS is the largest voting systems company in the country, with at least 260,000 machines in place in 21 states including in some swing states. Security researchers found backend systems that were connected to the internet when they were not supposed to be, distributed across a number of states including the key “battleground” centers of Florida, Michigan and Wisconsin.

National: IT Security Pros: Encryption Backdoors Would Be Election Hacking Risk | Phil Muncaster/Infosecurity Magazine

The IT security community overwhelmingly believes that government-mandated encryption backdoors will put countries at a greater risk of election hacking, according to new Venafi research. The security vendor polled over 380 security professionals at Black Hat USA 2019 in Las Vegas earlier this month, following recent comments by attorney general, William Barr. Like his predecessors, Barr last month claimed that strong data encryption in tech products is effectively creating a “law-free zone” exploited by terrorists and criminals as it “seriously degrades” the ability of law enforcement to detect and prevent crimes. Also like many others, he argued that government-mandated backdoor access “can and must be done,” claiming that if they only tried hard enough, tech firms could find a solution which could enable lawful access to data without undermining security for all users. This argument has been repeatedly shot down, not only by the tech firms themselves, but also world-renowned cryptography experts. Last year they backed senator Ron Wyden’s demands that the FBI explain the technical basis for its repeated claims that encryption backdoors can be engineered without impacting user security.

National: Election Security Lessons from DEFCON 27 | Ciara Torres-Spelliscy/Brennan Center for Justice

Given the extent of foreign interference in the 2016 election, every American should be concerned about election security in 2020. But what can computer hackers teach us about it? To find out, I went to Las Vegas earlier this month to attend DEFCON 27, the largest annual hacking conference in the United States, knowing this was probably my last chance to see a legal election hacking. Voting machines are protected from reverse engineering under the Digital Millennium Copyright Act. But the Library of Congress, which has certain authorities under the law, set a three-year window to allow third parties access to voting machines to test their security. Barring an extension by the Library of Congress, 2019 is the third and last year these hacks are legal. DEFCON is a huge event, and I saw fellow conference-goers all over Las Vegas with their distinctive glowing badges. I was only interested in the DEFCON Voting Village, which included a large assortment of voting equipment for participants to test, hack, and break.