Europe: Europe’s most hackable election | Politico

It could happen here. Three years after Russian disinformation campaigns disrupted the 2016 U.S. presidential election and possibly influenced the result of the Brexit vote, European officials are worried the European Parliament election in May is next. “In 2016 we stopped being naive,” said Liisa Past, a former chief research officer at the Estonian Information System Authority who coordinated security preparations across Europe last year. “Since then we have tested national systems for the security environment as we now know it. But the last European election was 2014 and that system hasn’t been tested in this new security environment.” The election — in which voters in 27 countries will install a new European Parliament and by extension a new crop of top EU officials — is uniquely vulnerable, officials say.

National: How the U.S. Government Shutdown Harms Security | Krebs on Security

The ongoing partial U.S. federal government shutdown is having a tangible, negative impact on cybercrime investigations, according to interviews with federal law enforcement investigators and a report issued this week by a group representing the interests of FBI agents. Even if lawmakers move forward on new proposals to reopen the government, sources say the standoff is likely to have serious repercussions for federal law enforcement agencies for years to come. One federal agent with more than 20 years on the job told KrebsOnSecurity the shutdown “is crushing our ability to take the fight to cyber criminals.” “The talent drain after this is finally resolved will cost us five years,” said the source, who asked to remain anonymous because he was not authorized to speak to the news media. “Literally everyone I know who is able to retire or can find work in the private sector is actively looking, and the smart private companies are aware and actively recruiting. As a nation, we are much less safe from a cyber security posture than we were a month ago.”

National: Unintended consequence: Federal cybersecurity workforce a potential casualty of the shutdown | The Hill

The partial shutdown of the US government may well end up damaging cybersecurity but perhaps not in the way most commonly thought. The most common and understandable concern is that the country’s current ability to respond to an emergency in the cyber domain is hampered. This line of thinking rests on the belief that the United States is not operating at full strength and, therefore, its present capacity to cope with an urgency is diminished. Admittedly, the challenge with multiple players down is not to be underestimated: It is far from ideal to take and defend the field with an incomplete roster. Moreover, bad actors may be plotting how to seize advantage during this self-inflicted window of vulnerability. Frankly, it is hard enough to ensure cybersecurity on a good day, when all hands are on deck. Having said that, there is some cause for confidence, despite prevailing circumstances. For example, from the standpoint of the Department of Homeland Security, over 80 percent of its flagship component responsible for cyber incidents — namely, the National Cybersecurity and Communications Integration Center, known as NCCIC — remains staffed. This should stand us in reasonably good (if imperfect) stead, should a crisis arise. For instance, US authorities engaged fully during the spate of DNS (domain name system) hijackings reported recently.

National: The Messy Truth About Infiltrating Computer Supply Chains | The Intercept

In October, Bloomberg Businessweek published an alarming story: Operatives working for China’s People’s Liberation Army had secretly implanted microchips into motherboards made in China and sold by U.S.-based Supermicro. This allegedly gave Chinese spies clandestine access to servers belonging to over 30 American companies, including Apple, Amazon, and various government suppliers, in an operation known as a “supply chain attack,” in which malicious hardware or software is inserted into products before they are shipped to surveillance targets. Bloomberg’s report, based on 17 anonymous sources, including “six current and former senior national security officials,” began to crumble soon after publication as key parties issued swift and unequivocal denials. Apple said that “there is no truth” to the claim that it discovered malicious chips in its servers. Amazon said the Bloomberg report had “so many inaccuracies … as it relates to Amazon that they’re hard to count.” Supermicro stated it never heard from customers about any malicious chips or found any, including in an audit it hired another company to conduct. Spokespeople for the Department of Homeland Security and the U.K.’s National Cyber Security Centre said they saw no reason to doubt the companies’ denials. Two named sources in the story have publicly stated that they’re skeptical of its conclusions.

National: America’s Election Security: How Vulnerable Are We Now? | Tom’s Guide

“Does new voting technology enable voting fraud, or does it prevent voting fraud?” rhetorically asked Blaze. “Yes.” He explained that the American election process has computers and software at every stage of the process, including voter registration and verification, the designing and distribution of ballots, the actual voting itself, and the tallying of votes and the communication of results. Machines at almost every step have been shown to be vulnerable to hacking, yet we can’t just go back to dropping envelopes in ballot boxes. “U.S. elections are the most complex in the world,” Blaze said. “You’re gonna need computers somewhere.” Fortunately, he said, policymakers and the general public are now aware of how vulnerable electronic voting systems are to tampering, and many states have taken at least initial steps to make them more secure. “Voting security is by far the hardest problem I have ever encountered,” said Blaze, who was recently a professor of computer and information services at the University of Pennsylvania but now holds the McDevitt Chair of Computer Science and Law at Georgetown University.

National: US intelligence warns of ‘ever more diverse’ threats | Associated Press

Russia’s efforts to expand its influence and China’s modernizing military are among the “ever more diverse” threats facing the U.S., according to a major intelligence report released Tuesday. The National Intelligence Strategy report, issued every four years, also singles out such potential threats as North Korea’s pursuit of nuclear weapons, the growing cyber capabilities of U.S. adversaries and global political instability. The report, which sets out the priorities for the various agencies that make up the U.S. intelligence community, notes that the United States “faces an increasingly complex and uncertain world in which threats are becoming ever more diverse and interconnected.” Director of National Intelligence Dan Coats said in a letter accompanying the report that the U.S. agencies must adapt to respond to what he calls a “turbulent and complex” environment.

India: Cyber expert claims India’s 2014 general election was ‘rigged’ | Times of India

An Indian cyber expert, seeking political asylum in the US, on Monday claimed that the 2014 general election was “rigged” through the Electronic Voting Machines (EVMs), which, he says, can be hacked. Addressing a press conference in London via Skype, the man, identified as Syed Suja, said he fled India in 2014 because he felt threatened in the country after the killing of some of his team members. He claimed the telecom giant Reliance Jio helped the BJP to get low frequency signals to hack the EVMs. Shuja said the BJP would have won Rajasthan, Chhattisgarh and Madhya Pradesh elections if his team hadn’t intercepted the BJP attempts to hack the transmissions in these states.

National: DNC targeted by Russian hackers beyond 2018 midterms, it claims | Naked Security

The Democratic National Committee (DNC) has filed a civil complaint accusing Russia of trying to hack its computers as recently as November 2018. In its court filing, the DNC argues that not only did the campaign and several Trump operatives collude with Russia to steal electronic information, but that Russia was still attempting to hack DNC systems in the run up to last year’s midterm elections. The filing describes an alleged Russian cyberattack campaign that began in July 2015 and which stole information after a hack in April 2016, when the Russians allegedly placed proprietary malware known as X-Agent on the DNC network. It claims that they monitored the malware in real time and collected data including key logs and screenshots. Using malware called X-Tunnel, the hackers exfiltrated several gigabytes of DNC data over the following days to a computer located in Illinois leased by agents of Russia’s GRU military unit, it says. Russian operatives then placed a version of X-Agent on a DNC server in June that year and hacked DNC virtual machines hosted on Amazon Web Services (AWS) in September to steal voter data, the filing also alleges.

National: America avoided election hacking in 2018. But are we ready for 2020? | ABC

Director of National Intelligence Dan Coats had cautioned that “the warning lights are blinking red again,” and experts warned that voting systems, in particular, could be at risk. Russia had likely targeted them in all 50 states in 2016 and had gained access to voter-registration files in Illinois and Arizona. But despite myriad concerns about vulnerabilities—from voting machines to tabulation systems to phishing attacks on campaigns—election hacking, by and large, did not factor in the 2018 elections. A recent report from Coats’ office to the White House confirmed as much: U.S. intelligence officials had no evidence that voting systems had been compromised, although social-media disinformation aimed at American voters had continued apace. “The Russians didn’t need to do much in 2018. They enjoy all the turmoil in the U.S. and probably take credit for 2016 outcomes,” said James Lewis, senior vice president and director of the Technology Policy Program at the Center for Strategic and International Studies. “Midterms are confusing and the Russians probably couldn’t figure out the pressure points to swing voters. If they have new tricks, they are saving them for 2020.”

National: Four cybersecurity priorities for Congress to confront active threats | The Hill

The 116th Congress may have difficulty finding common ground on most issues. But there is at least one area that presents the opportunity for bipartisan action: cybersecurity. Cyber threats do not discriminate based on party affiliation. There are four key issues within cybersecurity where this Congress has the potential to make progress with impactful legislation that would make all Americans — and our democracy — more secure. The Department of Homeland Security has made considerable progress on election security over the past 18 months. But, with 10,000 local jurisdictions responsible not just for administering elections but now for protecting our democracy against nation-state threat actors, more must be done. The answer does not lie in funding alone. Paper ballots paired with risk-limiting audits are critical; and Congress should take a hard look at the vendors who play an outsized role in our democracy. We also must share expertise and training across jurisdictions and ensure that jurisdictions are prepared to recover in the face of a cyberattack. The election security provisions in the House Democrats’ first bill are an excellent start and should not fall way to partisan rancor.

India: Electronic Voting Machines hacked in 2014, claims US-based Indian ‘cyber expert’; EC rejects allegations | Hindustan Times

A man claiming to be a cyber expert and a former employee of the Electronic Corporation of India Ltd on Monday made a series of unsubstantiated allegations about the vulnerability of electronic voting machines used in India, including in the 2014 general election. The man, named as Syed Shuja of Hyderabad origin, appeared at a news conference through Skype. He said he was based in the United States, where he got political asylum after fleeing India due to threats to his life and allegedly in a serious medical condition in 2014. According to Shuja, who said he also went by other names, 200 seats in the 2014 elections that would have been won by the Congress had been rigged in favour of the Bharatiya Janata Party by manipulating data transmission through what he called ‘military-grade modulators’ installed in various parts of the country.

Israel: With elections approaching, is Israel prepared for foreign cyber threat? | JNS

As Israeli elections approach, the country’s cyber-security watchdogs are warning about attempts by foreign actors to disrupt and manipulate this essential democratic process. The issue came to the fore earlier in January, when the head of the Shin Bet domestic intelligence agency, Nadav Argaman, reportedly told a closed-door conference that a “foreign state is planning to intervene in the elections. I don’t know at this stage in favor of whom or at whose detriment,” the intelligence chief said, adding, “I know what I’m talking about.” Thought Argaman did not mention it by name, Russia responded days later through a Kremlin spokesman, who stated that Moscow does not intervene in the elections of other countries and even advised others to refrain “from reading the Israeli media.”

National: The shutdown is breaking government websites, one by one | The Washington Post

As the government shutdown drags on, a rising number of federal websites are falling into disrepair — making it harder for Americans to access online services and needlessly undermining their faith in the Internet’s security, experts warn. In the past week, the number of outdated Web security certificates held by U.S. government agencies has exploded from about 80 to more than 130, according to Netcraft, an Internet security firm based in Britain. Various online pages run by the White House, the Federal Aviation Administration, the National Archives and the Department of Agriculture appear to be affected by the latest round of expirations, Netcraft said.

Minnesota: Bid to get federal election security money picks up early in session | Minneapolis Star Tribune

One of 21 states whose elections systems Russian hackers targeted in 2016, Minnesota is still the only one unable to use federal money awarded to improve election security across the country. But an early victory this week in the House has Secretary of State Steve Simon optimistic that he will soon be able to access that money to update the state’s voter registration system, among other upgrades, in what could be one of the first pieces of legislation to reach Gov. Tim Walz’s desk. Two House measures seeking to utilize $6.6 million in federal Help America Vote Act (HAVA) funds made available to the state last year won quick passage in House committee this week. The proposals died last year after being tied up in a broad spending package Gov. Mark Dayton vetoed as part of a feud with legislators.

National: The Shutdown Is Doing Lasting Damage to National Security | The Atlantic

As the longest government shutdown in American history drags on, it’s not just hurting the morale of America’s federal workforce and the broader American economy. It’s hurting our national security. Some of the damage is already plainly apparent—but in four crucial ways, its harms will persist long after the government reopens. We’re beginning to see indicators of short-term national- and homeland-security vulnerabilities. Airports are short on screeners; thousands of FBI agents, analysts, and staff are on furlough; and our government’s newest cybersecurity unit had barely launched before half of its staff was furloughed. Each of these lapses may cause specific problems: Dangerous weapons may slip through security, endangering the flying public; investigative leads may suffer from inattention, causing investigations of federal crimes to be delayed or go unfinished; and recent efforts to improve federal cybersecurity may be stopped before they ever really started. Moreover, given the importance this administration purports to place on immigration enforcement and border security, the irony of the Department of Homeland Security’s border agents and immigration officials not being compensated to perform their important work is hard to miss.

Editorials: Making Georgia, U.S. election systems more secure | Wenke Lee/Atlanta Journal Consitution

For the better part of the past year, I served as the cybersecurity expert to Georgia’s “Secure, Accessible, and Fair Elections (SAFE) Commission” – a group tasked with recommending new, more secure voting equipment and procedures in our state. The result of much discussion is that I (along with 24 other computer scientists at universities, labs, industry and the nonpartisan organization Verified Voting) advocated for a return to paper ballots. Now, as Congress examines the same, more states could move in this direction. I’d like to explain the irony behind why cybersecurity experts recommend voting on paper and new approaches we all must reconsider going forward.

Indiana: Governor asks for $10 million to improve election security | WSBT

Indiana’s governor is asking for $10 million to improve election security. Most of that would upgrade electronic touch screens with what’s called a voter verifiable ballot. That’s essentially a traditional paper ballot in case questions come up later. The $10 million request made by Governor Holcomb is part of a pilot program. It would initially pay for a few counties to use the new system. The hope is that the voter verifiable ballot would eventually be used by all Indiana counties. “This is much needed and is a start as we move towards that upgrade that is going to happen over the next several years,” said Chris Anderson, Elkhart county clerk.

Canada: Canada is a prime target for cybersecurity attacks in 2019 | IT World Canada

Get ready Canada.  The cybercriminals have you in their sights for 2019. Despite our smaller market size, Canada had the third most cyber incidents in the world last year, according to a recent study. This year’s federal election is likely to attract more “bad actors” who will try to use misinformation to influence public opinion, warns the Canadian Centre for Cyber Security in its latest threat assessment. Cybercrime against Canadian citizens and businesses, however, will be the biggest threat this year, the report says. “It is certain that Canadians will be affected by malicious online activity in the coming year,” said Scott Jones, head of the Cyber Security Centre.

National: ‘Abandoned’ .gov websites malfunction during US shutdown | E&T Magazine

Dozens of federal websites are malfunctioning due to their security certificates expiring during the weeks-long US government shutdown, Buzzfeed News has reported. In the US, a government shutdown occurs when Congress or the President does not approve appropriations or resolutions for funding federal operations and agencies. The current government shutdown has arisen out of the House of Representatives’ refusal to grant $5.7bn (£4.5bn) in federal funds to build a US-Mexico border wall and President Donald Trump’s refusal to accept any bill that does not provide the funds. Trump memorably claimed during his election campaign that “Mexico will pay” for the border wall; the Mexican government has declined to do so. The government shutdown is well into its third week, making it the longest-running government shutdown in the US history. During the shutdown, approximately 400,000 federal workers remain without pay until the government reopens, while many others are required to continue to perform essential work without pay.

Editorials: Cybersecurity must be top priority for 2020 presidential candidates | Jeff Kosseff/USA Today

As presidential hopefuls lay the groundwork for their 2020 campaigns, there’s plenty of speculation about their messages, their strategies and who they will snag to be their campaign managers, pollsters and state directors. One campaign position has received little attention, but it is the most important hire that a candidate can make: chief information security officer. This official is responsible for securing the campaign’s email accounts, confidential files and computer systems from hacking.

Idaho: State plans to hire a cybersecurity specialist for elections | StateScoop

Idaho Secretary of State Lawerence Denney said last week he would like to hire a cybersecurity specialist for his office to lead the state’s efforts to repel attempts to hack its election infrastructure. The new position would give Denney’s agency a full-time worker who can monitor and respond to threats against the state’s voter registration database and coordinate with clerks and other officials across Idaho’s 44 counties. Denney made the formal request to members of the Idaho state legislature last Friday, though plans for the new position have their origin in the $3.2 million grant the state received last year from the U.S. Elections Assistance Commission. According to a document Denney’s agency submitted to the EAC last July, Idaho would spend up to $220,000 in salary and benefits for a cybersecurity professional specializing in election issues.

Kenya: Cyberattacks Threaten Elections and Security, Kenyans Say | allAfrica

A majority of Kenyans are worried that cyberattacks will increase elections tampering and national security threats in future, according to a new survey. A study carried out by American-based Pew Research Centre showed 73 percent of Kenyans believe that sensitive national security information will be leaked from cyberattacks, while 72 percent said such attacks are a recipe for election interference. The research which was carried out in 26 countries globally, whose report was released over the weekend, also surveyed possibilities of cyberattacks on crucial public infrastructure such as power grids and telecommunication services.

Editorials: Congress ignored its election duties for years. That ends now. | Matthew Weil/Roll Call

House Democrats have waited eight years to regain the speakership, and now that they hold the gavel, they will clearly seek to move on pent-up priorities. For their first act out of the gate, they rolled several into one. The “For the People Act” — or H.R. 1 — runs just over 500 pages and includes proposals the Democrats have pursued during their time in the minority, such as ethics reforms, campaign finance changes, and a well-publicized section requiring presidential candidates to hand over their tax returns. But the bill also lays out a vision for election administration in 2020 and beyond, putting the voter at the center of the process instead of focusing on what is easier for government. Congress taking the lead could cause some heartburn at the state level.

Israel: Months before Shin Bet warning, Israeli cyber chief cautioned of election interferene | Haaretz

Israel’s National Cyber Directorate warned that cyber attacks could influence the outcome of the upcoming Israeli election last October, nearly three months prior to a similar statement made by the head of the Shin Bet security service. The threat is the stream of assaults on state facilities, Yigal Unna said at a conference on high tech at the Sha’arei Mishpat Academic Center of Law and Science in Hod Hasharon, which was also attended by Education Minister Naftali Bennett and Israel Defense Forces’ outgoing Chief of Staff Lt. Gen. Gadi Eisenkot.

National: Here are the big election security measures in the House Democrats’ massive new bill | CyberScoop

A giant bill House Democrats proposed on Friday includes a number of measures aimed at improving election security and voter confidence. The measures in H.R. 1 draw on provisions from several bills that were proposed but failed since the 2016 election, which experts and officials concluded was targeted by a Russian-led influence operation. Key features include a requirement that federal elections be conducted with paper ballots that can be counted by hand or optical scanners, new grants that states and municipalities can use to improve and upgrade equipment, an incident reporting requirement for election system vendors and a number of other measures meant to keep election systems’ security up-to-date. Election security experts have criticized paperless voting machines because of their vulnerability to tampering with little recourse, since they produce no auditable paper trail of each vote. Such machines were used to some extent in more than a dozen states in the recent midterm elections, according to Verified Voting. In South Carolina and Georgia, voters sued the government under the premise that their votes aren’t being properly counted with paperless machines. The bill, also called the “For the People Act,” would statutorily do away with these machines for federal elections by 2022.

National: Democrats are more concerned about election security than Republicans, survey finds | The Washington Post

Democrats are far more concerned than Republicans that a foreign power will tamper with U.S. elections and they’re more cynical about the government’s ability to respond to a major cyberattack, according to a Pew Research Center survey released Wednesday. That partisan divide on basic cybersecurity questions is a troubling signal that government’s handling of an issue officials have called a greater threat than terrorism will be hampered by the sort of partisan bickering that has bedeviled health care, immigration and other topics, experts said. A whopping 87 percent of Democrats believe a hostile power will tamper with U.S. elections compared with 66 percent of Republicans. And just 47 percent of Democrats believe the U.S. government is prepared to deal with a major cyberattack according to Pew, compared with 61 percent of Republicans.

Pennsylvania: Philadelphia officials look to make changes to county voting system | KYW

Philadelphia needs new voting machines, and they need them fast. But before officials settle on a new device, they are asking for the public’s input. Gov. Tom Wolf wants every county throughout the state to purchase a voting system with a verifiable paper trail, and officials in Philadelphia want their system to be in place by year’s end. “Security experts say that the best kind of machine is something that is air gapped from the Internet. They found that hand marked paper ballots are the best and that’s because there’s very little technology between the voter and the actual vote,” said Tim Brown, who joined a dozen other Philadelphians Thursday to give their suggestions on what they want from a new voting system at a Philadelphia City Commissioners’ comment session. 

Germany: Officials seek to bolster cyber defences ahead of European Parliament election | Reuters

German officials are racing to bolster cyber security after a far-reaching data breach carried out by a 20-year-old student laid bare the vulnerability of Europe’s largest economy ahead of a critical European Parliament election in May. Officials say they are anxious to close security gaps and raise awareness ahead of the upcoming election, where voters from across the European Union will choose lawmakers for the parliament, amid concerns that foreign powers or right-wing forces could seek to manipulate the election. “We have to think about preventive measures,” Interior Minister Horst Seehofer told Reuters.

Israel: Tel Aviv Spy Agency Claims Russia Trying To Interfere In Coming Israeli Elections | Eurasia Review

Despite Russia’s denial of any involvement in the upcoming Israeli elections, with a senior Moscow official saying that people should not read the Israeli media, intelligence sources in Tel Aviv announced there were several indications for such intervention, adding that Israel’s cyber army fended off several attacks. Director of the Shin Bet domestic security service Nadav Argaman discussed the issue, saying security forces were concerned about foreign interference that could affect the Knesset elections’ outcome. Speaking at a Friends of Tel Aviv University conference, Argaman said that a foreign country intended to launch cyber attacks in order to influence Israel’s general elections. The issue is considered an internal matter, however, several journalists attending the conference reported the news, which prompted the military censorship to issue an order banning the publication of Argaman’s statement. The military gag was later lifted when reporters threatened of filing a lawsuit, though the naming of the country in question is still prohibited.

National: Cybersecurity may suffer as shutdown persists | Roll Call

The partial government shutdown may be making some key federal departments and agencies running with skeletal staffs more vulnerable to cybersecurity breaches, experts said. Meanwhile, the House Homeland Security Committee, which oversees the Department of Homeland Security, said it remains in the dark about how the shutdown has affected the department’s mission to safeguard critical infrastructure from cyberattacks. “With so many cyber activities reliant on highly skilled contractors required to augment government personnel, government shutdowns significantly degrade the ability of the government function to meet all of their cyber mission requirements,” said Greg Touhill, president of Cyxtera Federal, a company that provides cybersecurity services to the federal government.