Massachusetts: Hackers in Boston gamed out an election day nightmare – and won | Fifth Domain

The hackers leaned back in their chairs and scanned through options to disrupt election day as if they were reading from a menu of chaos. Fake bomb threats. Orchestrated traffic jams. A botnet of faux Twitter accounts to spread discord. In a simulated exercise put on by the Boston-based cybersecurity firm Cybereason Sept. 20, a team of seven hackers tried to outwit a group of current and former law enforcement officials from the Massachusetts area. In the end, the hackers did not need to be selective about their options. They decided to combine all of their ideas into a concoction of havoc to pick apart the simulated voting day.

National: How Vulnerable Are Electronic Voting Machines? | WBUR

A federal judge ruled this week that Georgia does not have to replace its electronic voting machines with machines that create paper records before the election in November. In her ruling, though, the judge noted she’s “gravely concerned” about Georgia’s slow pace in addressing electronic voting vulnerabilities. Here & Now’s Jeremy Hobson talks with Marian Schneider, president of Verified Voting, a nonpartisan nonprofit that advocates for accurate and verifiable elections, about those vulnerabilities and how secure electronic voting machines are.

On her opinion of the judge’s ruling in Georgia: “I do think that it’s a significant decision, but I think that the judge was concerned about the amount of time before the election, that there wasn’t enough time to smoothly implement paper ballots. “There’s only seven weeks between now and the election, and the early voting would start soon, too. So I think that was a greater concern for the court, but I think the judge made a lot of very significant findings about the vulnerabilities that are present in paperless computer systems that count our votes.”

National: State Elections Agencies Focus on Voting Security Ahead of Midterms | StateTech

During the last election, Russian cyberattackers looking for vulnerabilities scanned 21 state election systems, including those in Illinois, over the 2016 campaigns. While the Department of Homeland Security says the scanning activity did not necessarily breach systems, some individual states have reported compromised data. This year, for instance, the Illinois State Board of Elections reported a 2016 breach of its voter registration system, detailing a SQL injection attack of unknown origin that exposed records in the state’s voter registration database. Since the attack, the Illinois board has worked with state IT experts as well as DHS cybersecurity professionals to keep the database of 18 million records and the servers on which it resides safe from attackers, says Matt Emmons, the agency’s IT director. And there are plenty of hackers out there.

National: DOD’s new cyber strategy stresses election security | FCW

The Defense Department’s newly released cyber strategy draws attention to election meddling, infrastructure protection and greater reliance on commercial technology to get ahead of the curve. A summary of the DOD’s cyber strategy released Sept. 18 boasted an assertive stance on election meddling and attribution, calling out cyber “challenges to [U.S.] democratic processes” as a means for Russia, China, North Korea and Iran to inflict damage without engaging in armed conflict. However, the Pentagon remained firm in its infrastructure protection role. DOD will partner with the private sector and other agencies on improved information sharing “to reduce the risk that malicious cyber activity targeting U.S. critical infrastructure could have catastrophic or cascading consequences,”  the document indicated.

National: Cleanup time for tech firms as midterm elections approach | AlphaStreet

Investigations carried out by federal agencies showed that hackers exploited seemingly minor flaws in the electronic voting system to manipulate the vote tally in the last presidential election. The findings might not surprise Americans as much as it would have done a few years ago, because now we know a bigger threat is hanging over the election process. Skeletons of the illegal online campaign launched by Russian agencies a couple of years ago to rig the presidential election are still tumbling out of the closets of technology companies like Facebook (FB) and Google (GOOG). With the midterm polls around the corner, the security agencies are busy plugging all the loopholes in the system to ensure a free and fair election. That the attackers managed to hack important government websites and breached huge volumes of voter data show the severity of the campaign, and that justifies the extra alert this time. Reports show that hackers, with possible Russia connections, are already doing the groundwork to interfere in the November election.

National: Could white hat hackers boost security of voting machines? | Fifth Domain

Government officials and cybersecurity experts are arguing that companies need to embrace vulnerability disclosure programs to guard against hacking amid pushback from the largest voting machine company in the United States, which has portrayed efforts to test their systems as a tactic of foreign spy-craft. Vulnerability disclosure programs that invite hackers to test computer systems are a show of strength, participants in a Sept. 18 event at the Atlantic Council argued. “Not having a vulnerability disclosure program amounts to cybersecurity negligence,” said Marten Mickos, the head of Hacker One. It’s a myth that companies can test their systems on their own, said Chris Nims, chief information security officer at Oath, a cybersecurity company. Even large companies who perform penetration testing on their own products cannot catch all vulnerabilities, he argued. “The reality is that is simply not true.”

National: Wyden: Senators need protection from ongoing Russian hacking campaign | Politico

Russian hackers behind the 2016 Democratic National Committee hack appear to be targeting the personal email of senators and their staffers, according to Sen. Ron Wyden. In a letter today to Senate leaders, the Oregon Democrat urged support for legislation that would allow the Sergeant at Arms to protect those email systems. The letter from Wyden follows reports in January that the Russian hacking group Fancy Bear — which the U.S. intelligence community identified as one group that penetrated the DNC in the lead-up to the 2016 election — was going after Senate offices.

Wisconsin: Adams County clerk resigns following investigation into unauthorized computer access | WKOW

A meeting to hear charges against Cindy Phillippi was scheduled for Wednesday morning. But the hearing was canceled after Phillippi, through her attorney, submitted a 5-page resignation agreement to the Adams County Board during a closed door session Tuesday night. The resignation is effective Wednesday. The agreement does not include an admission of liability. Phillippi will be on paid leave through the end of the year. Board Chair John West said she will continue to provide consultation during the transition period.

Sweden: IT sector advises Swedish government on elections and voting system | Computer Weekly

Swedish IT sector is helping the government make election systems more secure and reduce external influence. The security measures assembled and implemented around the 2018 election in Sweden were devised in consultation with leading actors within Sweden’s private IT sector. The primary role of the IT suppliers was to advise government panels, which included the national security service (Säpo), the National Police Board (Rikspolisstyrelsen), the National Civil Contingencies Agency and the National Election Authority. Säpo was at the head of a government-commissioned election taskforce that organised an IT-based protective shield around the voting process and implemented measures to minimise hostile external inference.

National: The Cyberthreats That Most Worry Election Officials | Wall Street Journal

As Election Day gets closer, one issue looms large for voters and election officials alike: cybersecurity. Hoping to quell fears about foreign hackers and repel potential threats, many states and counties are beefing up their plans to deal with cyberattacks. They’re shoring up systems to protect their voter databases and hiring security experts to assess the strength of their defenses. They’re coordinating with social-media organizations to stamp out deliberately fraudulent messages that could mislead voters about how to cast a ballot. And they’re banding together to share information and simulating how to respond to potential emergencies. One simulation-based exercise, held by the Department of Homeland Security in mid-August, gathered officials from 44 states, the District of Columbia and multiple federal agencies, the DHS says. “There absolutely is more emphasis on contingency planning” since 2016, says J. Alex Halderman, a professor of computer science at the University of Michigan. 

National: Symantec takes on election hacking by fighting copycat websites | CNET

Symantec is offering a free tool for US campaigns and election officials to fight fraudulent websites, the company announced Tuesday. The feature could help take away an important weapon in the election hacking arsenal: the spoof website. Lookalike websites could imitate official government sites and report false information about candidates or voting. What’s more, they’ve already been used to imitate a login page to trick campaign workers to enter their valuable usernames and passwords.  That approach, called phishing, was key to letting hackers gain access to the emails and internal documents of important Democratic Party organizations and key figures in Hillary Clinton’s 2016 presidential campaign, according to an indictment of the Russian hackers alleged to have stolen and leaked emails from the groups.

Georgia: This Judge Just Cast More Doubt on Elections Security Right Before Midterms | InsideSources

Right before midterms, a United States District Court judge found that Georgia’s electronic voting machines are extremely vulnerable to hacking and foreign meddling — including from Russia — but ruled against changing the state’s elections systems to avoid voter confusion and chaos. But by simply highlighting the vulnerability of Georgia’s electronic voting machines, the judge may have already undermined voter confidence just weeks before the midterms. The new ruling from Judge Amy Totenberg in Curling v. Kemp found that Georgia’s electronic voting machines are so easily hacked that it is irresponsible for a locality or state to use them without a paper audit trail. Georgia’s machines do not have paper audit trails. Totenberg admonished the state of Georgia for not properly addressing election security issues in time for the 2018 midterm elections, reminding them that “2020 elections are around the corner” and that “if a new balloting system is to be launched in Georgia in an effective manner, it should address democracy’s critical need for transparent, fair, accurate, and verifiable election processes that guarantee each citizen’s fundamental right to cast an accountable vote.”

Wisconsin: Elections Commission hires new staff aimed at increasing elections security | WISC

With less than two months until the November election, the Wisconsin Elections Commission has hired several new staff members to help with election security. The federal government awarded the commission nearly $7 million in grants for election security. “We’re using a significant amount of that money on hiring new people, as well as for system enhancements for security,” said Reid Magney, public information officer for the Wisconsin Elections Commission. The elections commission will hold a meeting on Aug. 25 to ask clerks and members of the public how they should spend the rest of the grant money.

National: Voting Machines: A Weak Link | EE Times

In my community, we vote by filling in circles on a paper sheet that goes into a scanner — we have a paper trail. Can such a process still be hacked? Yes, though paperless voting machines can more easily be hacked. Professors Ronald Rivest of MIT and J. Alex Halderman of the University of Michigan explained on Sept. 13 in a session at EmTech MIT on how hackers can alter elections. According to Rivest, about 80% of voting jurisdictions in the U.S. have some sort of paper trail in the event of voting-machine hacks. If, however, you vote in Delaware, Georgia, Louisiana, New Jersey, South Carolina, or Nevada, there is no way to hand-count the votes should the need arise; votes are electronically recorded. The map below reveals that many other states use a mixture of paper and paperless voting systems. 

National: The Latest Casualty of States’ Rights: Your Vote | WhoWhatWhy

From racial segregation to environmental destruction to voter suppression, the concepts of “federalism” and “states’ rights” have a long-running association with some of the worst outcomes of American conservatism. And we may soon add “endangering American democracy” to that list. These political philosophies are being invoked to sink a key election-security bill — at a time when midterm elections are being actively probed and prodded for weaknesses by potentially hostile nation-states. The Secure Elections Act (SEA), which seemed poised to become a rare bipartisan slam-dunk, may not even make it to a vote now that the bill has been pulled from committee, reportedly under order of the Trump White House.

National: 5 states will vote without paper ballots; experts want that to change | ABC

When voters go to the polls in five states, a verified paper trail will not follow them. At a time of heightened concerns over election interference, election-security experts have called for that to change, suggesting paper results – visually confirmed by voters – would help state officials recover in the event of meddling or simple mistakes. “That presents a greater risk because there’s no way to detect if things have gone wrong,” said Marian Schneider, former deputy secretary of voting and administration in Pennsylvania and the president of the group Verified Voting. Paper ballots – or, at least, auditable paper trails, in which voters can see their choices recorded on a printed roll of paper – have been recommended by experts from Homeland Security Secretary Kirstjen Nielsen to the Brennan Center for Justice’s Democracy Program to the Defending Digital Democracy Project at Harvard’s Belfer Center. A large swath of Americans, however, will vote without them.

Wisconsin: How Hackers Could Attack Wisconsin’s Elections And What State Officials Are Doing About It | Wisconsin Public Radio

A private vendor inadvertently introduces malware into voting machines he is servicing. A hacker hijacks the cellular modem used to transmit unofficial Election Day results. An email address is compromised, giving bad actors the same access to voting software as a local elections official. These are some of the potential vulnerabilities of Wisconsin’s election system described by cybersecurity experts. State officials insist they are on top of the problem and that Wisconsin’s elections infrastructure is secure because, among other safeguards, voting machines are not connected to the internet and each vote is backed by a paper ballot to verify results. In July, the Wisconsin Center for Investigative Journalism reported that Russian hackers have targeted websites of the Democratic Party of Wisconsin, the state Department of Workforce Development and municipalities including Ashland, Bayfield and Washburn. Elections in this swing state are administered by 1,853 municipal clerks, 72 county clerks and the Wisconsin Elections Commission.

Wisconsin: State tries to avoid voter data breach that happened in Illinois | Milwaukee Journal Sentinal

Wisconsin officials say they have taken multiple steps in recent months to guard against the type of attack that Russian hackers unleashed on Illinois when they allegedly stole data from hundreds of thousands of Illinois voters before the 2016 election. But the August rollout of vote tallying through the WisVote system — in which clerks inadvertently reported duplicate votes in nine counties — shows more work needs to be done. In 2016, cyber actors gained access to 200,000 voter records in Illinois, according to an April report from FireEye, a California-based cybersecurity firm.

Illinois: Not all WCIL counties on board with election cyber security upgrades | Herald-Whig

The state of Illinois is working to beef up voter security through its Cyber Navigator Program, a program that will require at least half of the $13.9 million in federal funding the state received for election upgrades. The program, which is still being finalized, will provide training and grants to local election officials. The state will conduct risk assessments of each participating county to ensure that clerks are using best practices, and the program will also put all participating counties on a centralized, more secure internet network. The program is a reaction to Russian hacking in the 2016 election, which gave hackers access to 76,000 active Illinois voter registrations. As the state works to coordinate the logistics, some West Central Illinois counties are split on its value.

Wisconsin: Stolen Votes: Understanding the real cybersecurity threats to Wisconsin elections | The Milwaukee Independent

A private vendor inadvertently introduces malware into voting machines he is servicing. A hacker hijacks the cellular modem used to transmit unofficial Election Day results. An email address is compromised, giving bad actors the same access to voting software as a local elections official. These are some of the potential vulnerabilities of Wisconsin’s election system described by cybersecurity experts. State officials insist they are on top of the problem and that Wisconsin’s elections infrastructure is secure because, among other safeguards, voting machines are not connected to the internet and each vote is backed by a paper ballot to verify results. In July, the Wisconsin Center for Investigative Journalism reported that Russian hackers have targeted websites of the Democratic Party of Wisconsin, the state Department of Workforce Development and municipalities including Ashland, Bayfield and Washburn. Elections in this swing state are administered by 1,853 municipal clerks, 72 county clerks and the Wisconsin Elections Commission.

Wyoming: FBI partners with Wyoming, Cheyenne officials to prevent election hacking | Wyoming Tribune Eagle

Election officials and candidates from across the state came to Cheyenne on Friday to get an intensive course in cybersecurity from the FBI. The event was a chance for the FBI to partner with the Wyoming Secretary of State’s Office to help educate county clerks and candidates for elected office. Experts from both government agencies spent Friday covering types of threats the group could face, how to keep their organizations secure and what steps they should take if they become the target of a suspected hack. “I call it Cyber 101. We want to educate them regarding potential cyber threats, but also the tools available to them to potentially mitigate the threats,” said FBI Denver Special Agent in Charge Calvin Shivers. “We wanted to take a proactive posture and educate our elected officials, our candidates, our clerks of court regarding potential threats.

National: How to hack an election—and what states should do to prevent fake votes | MIT Technology Review

Donald Trump won the 2016 presidential election thanks to the votes of just 107,000 people in three states. The intricacies of the Electoral College help create situations where a relatively small number of US citizens can decide who wins the presidency. How susceptible could these votes be to tampering? The answer: a lot more than you might realize. In a live demonstration at MIT Technology Review’s EmTech conference today, J. Alex Halderman, professor of computer science and engineering at the University of Michigan, showed just how easy it would be to meddle with vote tallies to directly change election outcomes. Halderman brought an AccuVote TSX machine to the stage in a live demonstration of the dangers. He had three volunteers use the machine to vote in a mock election between George Washington and Benedict Arnold. Cameras pointing at the screen and projected above the stage showed the three voters casting their ballots for Washington. Yet when Halderman printed the returns from the machine, the reported result was a two-to-one victory for Arnold. 

National: The Overlooked Weak Link in Election Security | ProPublica

More than one-third of counties that are overseeing elections in some of the most contested congressional races this November run email systems that could make it easy for hackers to log in and steal potentially sensitive information. A ProPublica survey found that official email accounts used by 11 county election offices, which are in charge of tallying votes in 12 key U.S. House of Representatives races from California to Ohio, could be breached with only a user name and password – potentially allowing hackers to vacuum up confidential communications or impersonate election administrators. Cybersecurity experts recommend having a second means of verifying a user’s identity, such as typing in an additional code from a smartphone or card, to thwart intruders who have gained someone’s login credentials through trickery or theft. This system, known as two-factor verification, is available on many commercial email services. “Humans are horrific at creating passwords, which is why ‘password’ is the most commonly used password,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., who has pushed for security fixes in the voting process. This means increasingly we need something other than passwords to secure access to our accounts, especially email, which tends to undergird all our other accounts.”

National: Feds brief House Oversight on election security for 2018 midterm elections | Washington Examiner

The House Oversight Committee held a classified briefing on election security and foreign influence on Thursday, with less than two months until the midterm elections. “As we near midterm elections, we must take every step possible to safeguard our electoral process and ensure our fellow citizens have confidence in the security of elections,” said committee Chairman Trey Gowdy, R-S.C., in a statement.

Voting Blogs: Creating a culture of proactive security: Colorado’s EPIC TTX prepares for almost any scenario | electionlineWeekly

There was a fire, a tornado, and the heating system went down in the ballot-tabulation room. There was fake news on social media and real news media in the room. Polls opened late and stayed open late. The state voter registration database went down. Tabulation machines failed to tabulate. There were concerned citizens and advocates demanding to know what was happening. And then there was Olga from Sputnik News who seemed overly curious about everything. Those were just some of the scenarios and situations faced by Colorado county elections officials and staff participating in the secretary of state’s EPIC table top exercise last week in Englewood.

Ohio: Cybersecurity Reserve Could Soon Respond to Network Emergencies | Government Technology

Armed with keyboards and processors, Ohio’s newest security force may one day deploy not to deal with natural disasters, but rather network disasters. Maj. Gen. Mark E. Bartman, Ohio’s adjutant general, said that under the direction of Gov. John Kasich, he started the Ohio Cyber Collaboration Committee to determine what Ohio needs to do to improve cybersecurity and training. Part of those efforts, he said, is to create an Ohio Cyber Reserve Force, a team of civilian information-technology experts that could be activated by the governor, working for the Ohio National Guard, to respond to major cyberattacks against state or local infrastructures. “If there is a major incident within the state then the governor could call them out and put them on state active duty, just like we do with the National Guard,” Bartman said.

Virginia: State spends none of $9 million grant on midterm election security | WUSA

Days after officials in Washington disclosed none of a $3 million grant is securing the District’s midterm election infrastructure, the same story played out across the Potomac – on a scale triple the size. Virginia received a $9 million grant from the federal government – a new investment designed to improve election security in the face of undiminished hacking threats. But the critical swing state with several competitive House races will spend none of the $9 million to prepare for the midterm elections, according to interviews and record requests reviewed by WUSA9.

National: What election security funding means for state and local CIOs | GCN

For years, cybersecurity was considered an issue for IT teams and was often not prioritized when creating and executing policy. However, recent events have demonstrated the many ways that cyberattacks can impact a country’s critical infrastructure, bringing essential operations to a halt and even endangering citizens. These attacks have come in the form of ransomware at schools and hospitals, data breaches at major financial institutions and large-scale distributed denial-of-service attacks that have knocked organizations of all types offline. As a result, politicians and government bodies have come to recognize the critical importance of cybersecurity in protecting national infrastructure. As digital transformation increases technology use across public infrastructure, the attack surface continues to grow. Government CIOs and IT teams are working to deploy security measures that enable transformation, rather than slow it down. For instance, Fortinet’s latest Global Threat Landscape Report found that government agencies use, on average, 255 different applications a day on their networks.

National: Better cooperation between states and U.S. can help safeguard midterm elections, officials say | St. Louis Post-Dispatch

U.S. Homeland Security Secretary Kirstjen Nielsen during a visit to the St. Louis area on Monday pledged the government’s assistance to states battling threats to election security, calling interference with elections one of the “principal national security threats.” Nielsen was a guest speaker at a two-day seminar on election security that began Monday at the headquarters of World Wide Technology in West Port Plaza. The event, hosted by Missouri Secretary of State Jay Ashcroft, was also attended by 10 other secretaries of state on Monday, and more were expected Tuesday. Nielsen has recently spoken about a growing need for cybersecurity in elections, reversing the course of an administration that has been criticized for not doing enough.

National: This fall you may be voting with obsolete voting machines and ancient software | NBC

The state of Illinois has improved its cyber defenses since hackers broke into its voter database in 2016 — but the actual machines that will record votes in this fall’s midterms are another story. Most of the state’s voting machines need to be replaced, says Steve Sandvoss, executive director of the Illinois State Board of Elections. How many? “It depends on which counties you ask,” said Sandvoss, “but I would say 80, maybe 90 percent. That’s the figure I’m hearing.” Illinois is not alone. Despite compromises of election systems in seven states in 2016, NBC News has interviewed a wide variety of experts in the two years since that election who say a majority of both the nation’s voting machines and the PCs that tally the votes are just not reliable. Most of the nation’s voting machines, for example, are close to 15 years old.