Colorado: Denver Offers Blockchain Voting to Military, Overseas Voters | The Denver Post

The city of Denver will allow thousands of voters to cast their ballots with a smartphone application this year. The pilot program is one of the first U.S. deployments of a phone-based voting system for public elections — but it will only be available to military members and voters living in other countries. The city has invited all of its international voters — about 4,000 people — to use the app in the May 2019 election. The idea of digital voting has been met with skepticism from some elections security experts, but Denver officials say it could make life easier for a limited set of voters. “This pilot enables us to offer that convenience for our military and overseas citizens who have the most difficult time voting and participating in the democratic process here at home,” said Deputy Elections Director Jocelyn Bucaro.

Europe: Russian hackers target European governments ahead of election: FireEye | CNBC

Russian hackers have targeted European government systems ahead of the EU parliament election, cybersecurity firm FireEye said Thursday. The company found that two state-sponsored hacking groups, APT28 and Sandworm, used spear phishing — the practice of sending out emails designed to look like they’re from a trusted party — in an attempt to obtain government information. FireEye said European government institutions were sent emails with links to websites that appeared to be authentic, luring a person into changing their password and thus sharing their credentials with hackers. APT28, more popularly known as Fancy Bear, is believed to be linked to Russian military intelligence agency GRU and has been labeled as one of the malicious actors behind the 2016 Democratic National Convention hack.

Canada: Several webpages from Elections Canada and MPs lack basic data protections, expert says | CBC

Several Elections Canada webpages and personal websites from MPs don’t have the basic encryption necessary to stop your information from being hacked as it’s sent from point A to point B. Pages to request publications from Elections Canada, as well as the websites of Liberal, Conservative and NDP MPs use an outdated, unprotected chain to carry information you send to them through the network. Liberal Democratic Institutions Minister Karina Gould, Conservative Finance Critic Pierre Poilievre and the NDP’s Ruth Ellen Brosseau had this deficiency on the “contact me” form that asks for personal information — like your email, name and address — before sending feedback to your MP. Gould and other Liberal MPs updated their sites after queries from CBC News. 

Indonesia: Russian, Chinese language Hackers Interfering With Indonesian Presidential Election | Brinkwire

Indonesia has identified China and Russia as sources of an ongoing wave of relentless cyber assaults intended to disrupt the country’s presidential elections on April 17. The attacks originate in Russia and China, said Arief Budiman, head of Indonesia’s General Elections Commission or KPU. Budiman also said some of the cyberattacks are attempts to “manipulate or modify” content. Others aim to create ghost voters, or fake voter identities. “They try to hack our system,” according to Budiman. “Not only every day. Almost every hour,” he said. The KPU head said it remains unclear if the motive of this continuing wave of attacks is “to disrupt Indonesia” or to help one of the candidates win. Incumbent president Joko Widodo is squaring-off against Prabowo Subianto, a former special forces general in the election.

Switzerland: Experts Find Serious Problems With Switzerland’s Online Voting System | Motherboard

Switzerland made headlines this month for the transparency of its internet voting system when it launched a public penetration test and bug bounty program to test the resiliency of the system to attack. But after source code for the software and technical documentation describing its architecture were leaked online last week, critics are already expressing concern about the system’s design and about the transparency around the public test. Cryptography experts who spent just a few hours examining the leaked code say the system is a poorly constructed and convoluted maze that makes it difficult to follow what’s going on and effectively evaluate whether the cryptography and other security measures deployed in the system are done properly. “Most of the system is split across hundreds of different files, each configured at various levels,” Sarah Jamie Lewis, a former security engineer for Amazon as well as a former computer scientist for England’s GCHQ intelligence agency, told Motherboard. “I’m used to dealing with Java code that runs across different packages and different teams, and this code somewhat defeats even my understanding.”

Ukraine: Security service ready to take on Russian election hackers | AFP

At the headquarters of Ukraine’s SBU more than a dozen local and Western security experts watch a simulated foreign cyber attack on several big screens ahead of this month’s presidential vote. During the joint EU-Ukraine cyber security drills the Westerners pretend to be hackers attacking the country’s central election commission, while the Ukrainians seek to neutralise them. The exercises held in Kiev last week involved around a hundred experts and were part of efforts to prevent arch-foe Russia from interfering in the crucial March 31 election. Ukrainian security officials said they had registered a growing number of distributed denial-of-service attacks and phishing attempts to gain access to computers of the country’s ministries and other state structures in recent months.

National: ‘We’re doubling down.’ DHS insists it’s not reducing election security efforts | The Washington Post

The Homeland Security Department is actually surging its efforts to protect elections against foreign hackers during the two years leading up to the 2020 elections — not winding them down, the agency’s top cybersecurity official insists. Chris Krebs, who leads DHS’s Cybersecurity and Infrastructure Security Agency, was punching back Thursday against a Daily Beast report citing anonymous staffers who said the department was reducing its election security efforts following the midterms to invest more in border security and other Trump administration priorities. “The department’s election security and countering foreign influence security-related efforts are not going anywhere,” Krebs said. “In fact, we’re doubling down.” The article made waves in the security community because even a perception that the government isn’t serious about securing elections against Russian hackers could damage trust in the result in the 2020 election. Federal officials — including Krebs himself — have warned Russia may have viewed the midterms as merely a “warm-up” for 2020 when more Americans will be looking for signs of foreign influence. The stakes for officials such as Krebs are especially high because President Trump has wavered on whether he believes Russia was responsible for its hacking and disinformation campaign to influence the 2016 presidential contest.

National: CISA says it’s ramping up election security efforts for 2020 | FCW

The head of the Department of Homeland Security’s cybersecurity wing is pushing back on a media report that the agency has scaled back personnel and resources from its combatting foreign election interference. Cybersecurity and Infrastructure Security Agency Director Chris Krebs hosted a conference call with reporters less than 24 hours after The Daily Beast published a story that quoted multiple anonymous DHS officials who said two CISA task forces focused on coordinating the department’s response to foreign influence in U.S. elections were significantly downsized shortly after the mid-terms. Krebs didn’t deny that personnel levels for the task forces were reduced. He characterized the task forces as temporary vehicles to address an emerging threat while CISA worked to hire staff and build more permanent institutional capacity to tackle the issue.

National: DHS Guts Task Forces Protecting Elections From Foreign Meddling | The Daily Beast

Two teams of federal officials assembled to fight foreign election interference are being dramatically downsized, according to three current and former Department of Homeland Security officials. And now, those sources say they fear the department won’t prepare adequately for election threats in 2020. “The clear assessment from the intelligence community is that 2020 is going to be the perfect storm,” said a DHS official familiar with the teams. “We know Russia is going to be engaged. Other state actors have seen the success of Russia and realize the value of disinformation operations. So it’s very curious why the task forces were demoted in the bureaucracy and the leadership has not committed resources to prepare for the 2020 election.”

National: This key House Republican is open to mandates on states for election security | The Washington Post

As the House Homeland Security Committee meets for the first election security hearing of 2019 today, Congress is still far away from a grand bargain to help protect state election systems from foreign hackers. But the goalposts may be changing with Democrats in charge of the House. The new top Republican on the committee, Rep. Mike Rogers (Ala.), tells me he’s ready to impose requirements on states to secure their election systems against hackers. He called for a baseline of security states must meet before receiving money from the government to upgrade outdated and vulnerable voting machines and secure other election infrastructure. “We want to get some minimum standards that have to be adhered to,” Rogers tells me. And he says he’s willing to work with Democrats to get it done.

National: House Democrats, Republicans cross swords over election security bill | Politico

Democrats and Republicans have clashed before over H.R. 1, the House Dems’ sweeping package of democracy and governance proposals, but today the fight goes directly to the election security provisions of the bill. The House Homeland Security panel holds a hearing today on the measure with testimony from DHS’s top cyber official, Cybersecurity and Infrastructure Security Agency Director Chris Krebs, Election Assistance Commission Chairman Thomas Hicks and others. A CISA official told MC: “Director Krebs will confirm election security remains a priority for CISA in the run up to 2020, laying out the Agency’s plan to work with State and local election officials on broader engagement, better defining risk to election systems, and understanding the resources to manage that risk.” At least one witness — Jake Braun, a former Obama administration official who now works as executive director of the University of Chicago’s Cyber Policy Initiative and an organizer of DEF CON’s Voting Village — endorses the bill’s election security ideas in his prepared testimony. He praises the provisions mandating auditable paper trails and authorizing voting infrastructure research and development funds.

National: State and Local Elections Experts Weigh-In on Security Concerns | MeriTalk

With the 2020 national election cycle on the horizon, House Homeland Security Committee Chairman Bennie Thompson, D-Miss., convened a hearing Wednesday to examine how the United States was working to secure its elections. The hearing, broken into two panels, heard from senior Federal election officials, as well as state and local election officials. During the first half of the hearing Christopher Krebs, director of the newly minted Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS), stressed that election cybersecurity is on the upswing. However, the second half of the hearing held a slightly different tone, with California Secretary of State Alex Padilla declaring that “our democracy is under attack.”

National: Cyber chief pushes audits as key to election security | FCW

The nation’s top cybersecurity official told Congress that the ability to audit voting machines after elections is critical for ballot security. “The area that I think we need to invest the most in the nation is ensuring auditability across infrastructure,” Christopher Krebs, head of the Cybersecurity and Infrastructure Security Agency said at a Feb. 13 hearing of the House Homeland Security Committee. “If you don’t know what’s happening and you can’t check back at what’s happening in the system — you don’t have security.” While 34 states and the District of Columbia have some laws mandating post-election audits, according to the National Conference of State Legislatures, Congress has been unable to agree on how hard or soft to make such language in legislation. Krebs and Election Assistance Commission (EAC) Chair Thomas Hicks endorsed the need for greater auditability, though both deferred to states on the question of whether it should be done digitally or by hand.

Ukraine: Official: Hacking intensifies as election nears | Associated Press

Russian hackers are redoubling their efforts in the run-up to presidential elections in Ukraine, according to the head of Ukraine’s cyber-police. Serhii Demediuk said in an interview with The Associated Press that Russian-controlled digital saboteurs are stepping up attacks on the Central Elections Commission and its employees, trying to penetrate electronic systems in order to manipulate information about the March 31 election. “On the eve of the election and during the counting of votes there will be cyberattacks on certain objects of critical infrastructure. This applies to the work of the polling stations themselves, districts, and the CEC,” he said. “From what we are seeing, it will be manipulation aimed at distorting information about the results of elections, and calling the elections null or void,” Demediuk said.

National: Senate committee leaders worry no one’s in charge on cybersecurity | The Washington Post

Responsibility for the nation’s cybersecurity is spread piecemeal throughout the government without a single person or agency in charge. That creates dangerous gaps that U.S. adversaries could exploit to hack the government or critical infrastructure, two prominent Senate Republicans told me. Homeland Security Chairman Ron Johnson (Wis.) and Mike Rounds (S.D.), chair of the Armed Services Committee’s cyber panel, are mulling how they might create a centralized government authority for cybersecurity issues. The goal would be an office that could make sure the Homeland Security, Defense and Justice departments are effectively sharing information and working toward common goals, the senators said. For example, the Defense Department, which is authorized to conduct clandestine military activities in cyberspace, might not be as clued in as DHS is to how some of those activities could prompt retaliation against U.S. businesses. Rounds also noted that some parts of the government were concerned for several years that Chinese telecom giant Huawei could use its position inside global telecommunications infrastructure to spy on behalf of the Chinese government — but the U.S. did not act until recently.

Minnesota: Federal election security funding due for Minnesota hits snag in Legislature | Star Tribune

Minnesota Secretary of State Steve Simon is increasing pressure on legislators to help his office claim $6.6 million in federal dollars to increase election security. Minnesota was one of 21 states whose election systems were targeted by Russian hackers in 2016, but it is the only state to still not access federal Help America Vote Act (HAVA) funding approved by Congress last year. After Capitol leaders initially pointed to the measure as a slam-dunk for early passage, it has yet to reach the desk of Democratic Gov. Tim Walz. A proposal in the GOP-controlled Senate would release just a fraction of the money right away, leaving most of the money subject to late-session budget debate. “This is cause for concern and something I think should inspire all of us to act quickly,” Simon told the Senate’s elections committee. Simon’s plea comes fresh off a recent visit to the U.S. Department of Homeland Security this month. “We need the full authorization immediately,” he said.

Virginia: Applicants of Virginia election security post had personal info exposed | WTOP

Virginia elections’ next chief information officer likely had their personal information exposed, after a job posting for the position included a username and password that could be used to view applicants’ resume and personal details. The Department of Elections told WTOP Tuesday afternoon it is “taking action” to address the issue, which allowed a reporter to see names, resumes, salary information, references, education history, home addresses, emails and phone numbers of 96 people who had applied to be head IT security for Virginia elections. By 5 p.m. Tuesday, the login credentials had been deactivated. The personal information of the applicants appeared to have been exposed since the application window ended more than a week ago, although it is unclear how many people may have accessed the data. Those who applied between Jan. 17 and Feb. 3 live and work across Virginia and the country. Several have military experience or have worked as government contractors, according to the resumes, cover letters and other information they provided on the state Department of Human Resource Management’s Recruitment Management System.

Europe: EU elections 2019: How vulnerable are we to cyber meddling? | 150sec

“The online anarchy of election rules must end”: Věra Jourová, EU Commissioner for Justice, has good reasons to be nervous. From 23rd to 26th of May, all eyes will turn to Brussels as the next European elections will decide on the future trajectory of almost half a billion EU citizens. But after the string of cyber attacks on elections from the USA to CEE countries Poland, Bulgaria, Latvia and the Czech Republic, it would be naive to assume that the EU elections would not be targeted. But is Brussels prepared? “With anti-Europeans on their way to winning more than one-third of seats in the next European Parliament, the stakes in the May 2019 election are unusually high”, warns a new report of the European Council of Foreign Relations published this month. The EU increasingly resembles a battleship drifting through a continent in crisis: Brexit looms over Europe, extreme right-wing and eurosceptic parties are mushrooming and political divisions seem to be digging its trenches deeper every week.

Israel: Elections exposed to cyber manipulations | Al-Monitor

In June 2017, the Knesset Science and Technology Committee devoted a hearing to the cyber threat against Israel’s elections. Experts assured lawmakers that ballots are not under threat because the Central Elections Committee has an independent, closed-circuit system that cannot be hacked. “We decided not to go over to computerized voting, mostly because of what happened in the US presidential election,” an Israeli source close to the elections committee told Al-Monitor. “We would rather count the votes [by hand] at a slower pace, and ascertain that there is no possible infiltration of a computerized system by external elements.”

Russia: What Happens If Russia Cuts Itself Off From the Internet | WIRED

The world’s internet infrastructure has no central authority. To keep it working, everyone needs to rely on everyone else. As a result, the global patchwork of undersea cables, satellites, and other technologies that connect the world often ignores the national borders on a map. To stay online, many countries must rely on equipment outside their own confines and control. Nation-states periodically attempt to exert greater authority over their own portions of the internet, which can lead to shutdowns. Last month, for example, the government of the Democratic Republic of Congo turned off its internet during a highly contested presidential election. Now Russia, too, wants to test whether it can disconnect itself from the rest of the world, local media reported last week. But Russia is much larger than the DRC, and it has significantly more sophisticated infrastructure. Cutting itself off would be an onerous task that could have myriad unintended consequences. If anything, the whole project illustrates just how entangled—and strong—the global internet has become. “What we have seen so far is that it tends to be much harder to turn off the internet, once you built a resilient internet infrastructure, than you’d think,” says Andrew Sullivan, CEO of Internet Society, a nonprofit that promotes the open development of the internet.

Bulgaria: Deputy PM: Bulgaria must be ready for malicious cyber attacks in elections | IBNA

Bulgaria must be ready for malicious cyber attacks, Deputy Prime Minister Tomislav Donchev said on February 11, warning that there was no election process exempt from attempts to “hit” it. Election processes are within Donchev’s portfolio as deputy head of government. Bulgaria is scheduled to go to the polls twice in 2019, in European Parliament elections in May and mayoral and municipal elections in the autumn. Donchev’s comment came a day after Tsvetan Tsvetanov, parliamentary leader of Prime Minister Boiko Borissov’s centre-right GERB party, said that he was sure that Russia would try to interfere in Bulgaria’s elections this year.

Russia: Russia to disconnect from the internet as part of a planned test | ZDNet

Russian authorities and major internet providers are planning to disconnect the country from the internet as part of a planned experiment, Russian news agency RosBiznesKonsalting (RBK) reported last week. The reason for the experiment is to gather insight and provide feedback and modifications to a proposed law introduced in the Russian Parliament in December 2018. A first draft of the law mandated that Russian internet providers should ensure the independence of the Russian internet space (Runet) in the case of foreign aggression to disconnect the country from the rest of the internet.

Editorials: There’s No Good Reason to Trust Blockchain Technology | Bruce Schneier/WIRED

In his 2008 white paper that first proposed bitcoin, the anonymous Satoshi Nakamoto concluded with: “We have proposed a system for electronic transactions without relying on trust.” He was referring to blockchain, the system behind bitcoin cryptocurrency. The circumvention of trust is a great promise, but it’s just not true. Yes, bitcoin eliminates certain trusted intermediaries that are inherent in other payment systems like credit cards. But you still have to trust bitcoin—and everything about it. Much has been written about blockchains and how they displace, reshape, or eliminate trust. But when you analyze both blockchain and trust, you quickly realize that there is much more hype than value. Blockchain solutions are often much worse than what they replace. First, a caveat. By blockchain, I mean something very specific: the data structures and protocols that make up a public blockchain. These have three essential elements. The first is a distributed (as in multiple copies) but centralized (as in there’s only one) ledger, which is a way of recording what happened and in what order. This ledger is public, meaning that anyone can read it, and immutable, meaning that no one can change what happened in the past.

National: Security Experts Uneasy as US Barrels Into 2020 Election | Courthouse News

Cautious about the government’s efforts to safeguard the 2020 presidential race, election-security experts worry that the job is too formidable to finish in the time that remains. One issue at stake is outdated voting machines and technology, but Maurice Turner, a senior technologist with the Center for Democracy and Technology, warned that equipment updates require legislatures to make funding appropriations. With the first 2020 primaries scheduled for February, the process of issuing, receiving and evaluating proposals alone can take months. After that comes testing and configuration, another months-long process, before the machines can be delivered on a large scale. “No election official wants to be rolling out new equipment 30 or 60 days before the general election,” Turner said in a phone interview, “so they’re going to need to identify other races, other contests they can test this equipment on.”

Europe: Europe hopes to fend off election hackers with ‘cyber sanctions’ | Politico

A regime for “cyber sanctions” is taking shape — and it could already hit mischievous election hackers in May. The European Union is closing in on a procedure that would allow it to sanction foreign hacker groups when they target the upcoming EU election. A plan drafted by the EU’s diplomatic service has been presented to national cyber experts and will be forwarded to foreign affairs attachés later this month, three officials briefed on the plan told POLITICO, asking not to be named because of the sensitivity of the ongoing talks. The measures would not only allow EU countries to slap sanctions on hacker groups that succeed in intruding into IT systems, but also those attempting to get in, like the suspected Russian intelligence officers who allegedly plotted but failed to hack into the Hague-based Organisation for the Prohibition of Chemical Weapons last year, the officials said.

Estonia: A Russian Neighbor Has Cybersecurity Lessons for the Rest of Us | Bloomberg

Estonia is the first member state in the European Union that might be called Extremely Online. Over the past decade, the Baltic republic of 1.3 million people fully digitized its government services and medical data. More than 30 percent of Estonians voted online in the last elections, and most critical databases don’t have paper backups. To sleep a little better at night, the country has recruited volunteer hackers to respond to the kinds of electronic attacks that have flummoxed the U.S. and other countries in recent years. While many are civilians, these men and women, numbering in the low hundreds, have security clearances and the training to handle such attacks. Their sturdy, bearded commander, Andrus Padar, previously a military reservist and policeman, says the threat is taken as a given: “We have a neighbor that guarantees we will not have a boring life.”

Indonesia: Cyber Challenge in Focus with Looming 2019 Elections | The Diplomat

Late last week, Indonesia’s military chief issued a call to the country’s security forces to upgrade their digital skills to confront a range of challenges. His comments were just the latest in a long string of similar statements issued by Indonesian officials highlighting the country’s cyber challenges as it prepares to head into presidential elections in April. As I have noted before in these pages, along with other Asian states, Indonesia has been taking steps to confront some of the cyber challenges it has long faced. Indonesia is one of the world’s most vulnerable countries to cyber attacks, and the challenge has grown at an alarming rate over the past few years including under President Joko “Jokowi” Widodo, with the full spectrum of challenges including not just national security or e-commerce, but also in the distribution of so-called fake news and even issues related to e-voting.

Switzerland: Government offers reward for hacking its electronic vote system | AFP

The Swiss government has issued a 150,000 Swiss franc (US$149,790) challenge to online hackers: break into our new generation electronic voting system and we’ll reward you. The federal chancellery announced a dummy run election will be held from February 25 to March 24 and invited anyone who wants to display their online piracy talents to sign up at https://onlinevote-pit.ch. They can then “try to manipulate the vote count, to read the votes cast, to violate voting secrecy or to bypass security systems,” it said in a statement. The amount of the reward paid out will depend upon the level of intrusion achieved by each hacker.

National: The U.S. military is quietly launching efforts to deter Russian meddling | The Washington Post

With little public fanfare, U.S. Cyber Command, the military’s new center for combating electronic attacks against the United States, has launched operations to deter and disrupt Russians who have been interfering with the U.S. political system. Like other U.S. cyberwar activities, the disruption effort against Russia is cloaked in secrecy. But it appears to involve, in part, a warning to suspected Russian hackers that echoes a menacing phrase that’s a staple of many fictional crime and spy thrillers: “We know where you live.” Beginning last fall, before the midterm elections, Cyber Command began directly contacting Russians who were linked to operations, such as the Internet Research Agency, that allegedly helped coordinate Moscow’s campaign to subvert the 2016 presidential election. The apparent aim was to put people on notice that their covers had been blown, and that their ability to work and travel freely might be affected.

Australia: Parliament Reports Cyberattack on Its Computer Network | The New York Times

The Australian Parliament said on Friday that hackers had tried to break into its computer network, which includes lawmakers’ email archives, but that so far there were no indications that data had been stolen. “Following a security incident on the parliamentary computing network, a number of measures have been implemented to protect the network and its users,” Parliament’s presiding officers, Tony Smith and Scott Ryan, said in a joint statement. “All users have been required to change their passwords. This has occurred overnight and this morning.” “There is no evidence that any data has been accessed or taken at this time, however this will remain subject to ongoing investigation,” the statement read. Australian news outlets reported that security agencies were investigating the possibility that a foreign government was behind the attack, possibly China’s.