National: States using chunk of federal $380M to safeguard voting | Associated Press

Racing to shore up their election systems before November, states are using millions of dollars from the federal government to tighten cybersecurity, safeguard their voter registration rolls and improve communication between county and state election officers. The U.S. Election Assistance Commission released a report Tuesday showing how states plan to spend $380 million allocated by Congress last spring to strengthen voting systems amid ongoing threats from Russia and others. All but a fraction of the money has already been sent to the states, the District of Columbia and U.S. territories. The largest chunk — roughly 36 percent — is being spent to improve cybersecurity in 41 states and territories. More than a quarter of the money will be used to replace voting equipment in 33 states and territories, although the bulk of this is unlikely to happen until after the Nov. 6 midterm elections.

National: Majority of election security grants going toward cybersecurity, equipment upgrades | CyberScoop

About a third of federal funding meant to improve election technology will be spent on cybersecurity-related improvements, while another third will be used to upgrade old equipment, according to plans released Tuesday by states and the U.S. Election Assistance Commission. In March, Congress appropriated $380 million for states to use for upgrades to election infrastructure, under the Help America Vote Act. It’s the first time the federal government has distributed HAVA funding since 2010. “The 380 [million] is something new in terms of additional funding, but it’s in that same realm of ensuring that our voting process remain secure and that vote of confidence remains high,” Tom Hicks, chairman of the EAC, told CyberScoop.

National: New bill would require paper ballots to secure election results | CNET

The Russians can’t hack paper. On Tuesday, nine Senators introduced a bill that would require state and local governments to use paper ballots in an effort to secure elections from hackers. The bill would also require rigorous audits for all federal elections to ensure that results match the votes. “Leaving the fate of America’s democracy up to hackable election machines is like leaving your front door open, unlocked and putting up a sign that says ‘out of town,’” Sen. Ron Wyden, a Democrat from Oregon, said in a statement. “Any failure to secure our elections amounts to disenfranchising American voters.”

National: Kids at hacking conference show how easily US elections could be sabotaged | The Guardian

At the world’s largest hacking conference, there was good news and bad news for fans of free and fair elections. The good news is that hacking the US midterms – actually changing the recorded votes to steal the election for a particular candidate – may be harder than it seems, and most of the political actors who could pose a threat to the validity of an election are hesitant to escalate their attacks that far. The bad news is that it doesn’t really matter. While the actual risk of a hacker seizing thousands of voting machines and altering their records may be remote, the risk of a hacker casting the validity of an election into question through one of any number of other entry points is huge, and the actual difficulty of such an attack is child’s play. Literally.

Editorials: Time is running out to secure our elections | James Lankford and Amy Klobuchar/The Hill

In 2016, Russia attacked the United States. Not with bombs or guns, but with a sophisticated well-funded cyberattack and information warfare directed by President Vladimir Putin designed to undermine the values we hold most dear. Russian entities launched cyberattacks against at least 21 states and attacked U.S. voting system software companies. Every top U.S. intelligence official has warned us, including Director of National Intelligence Dan Coats, who recently described our digital election infrastructure as “literally under attack,” and sounded the alarm that “the warning lights are blinking red again.” Far from being chastened by these reports, our foreign adversaries have only become emboldened. Microsoft has already detected phishing attacks targeting at least three midterm campaigns this year.

Nevada: State targets $4.3M in US grants to safeguard voter rolls | Associated Press

The state of Nevada is spending nearly $4.3 million in federal grants to shore up its election systems, with the bulk of the money targeted for safeguarding voter registration rolls and lesser amounts to tighten cybersecurity and improve communication between county and state election officers. The money is included in a report the U.S. Election Assistance Commission released Tuesday showing how states plan to spend $380 million allocated by Congress last spring to strengthen voting systems amid ongoing threats from Russia and others under the Help America Vote Act. The largest chunk nationally — roughly 36 percent — is being spent to improve cybersecurity in 41 states and territories.

Australia: MP warns of cyber threat to Australian elections | Computerworld

The shadow assistant minister for cyber security, Gai Brodtmann, has called for the government to classify Australia’s election systems as a “critical infrastructure sector” under the Trusted Information Sharing Network in order to “overlay the appropriate scrutiny and assurance mechanisms to assure the Australian people of the cyber resilience of their democracy”. The Labor MP, who earlier this month announced she would not contest the next election, cited concerns over alleged attempts to influence the US and French elections as well as the denial of service attacks on the 2016 Census. The TISN is an initiative to boost information sharing and collaboration between critical infrastructure operators.

Nigeria: Social media bots cast dubious shadow over 2019 elections | Pulse.ng

In the run up to the 2015 presidential election, a public relations firm named Cambridge Analytica attempted to influence Nigerian voters by orchestrating a smear campaign against eventual winner, Muhammadu Buhari.
When Cambridge Analytica’s efforts to influence Nigeria’s elections were made public earlier this year, many were shocked as to the length the firm (formerly SCL Elections) went to ensure the re-election victory of then-president, Goodluck Jonathan. On the prompting of an unnamed Nigerian billionaire, the data mining firm hacked Facebook to harvest the profile of millions of users and target what was determined to be their worst fears. In a video the firm produced, people were filmed being dismembered, having their throats cut and bled to death, and also burned to death in a bid to portray Muslims as violent and Buhari as the man that will impose Sharia Law that’ll make that sort of violence commonplace in the country.

Editorials: I Just Hacked a State Election. I’m 17. And I’m Not Even a Very Good Hacker. | River O’Connor/Politico

It took me around 10 minutes to crash the upcoming midterm elections. Once I accessed the shockingly simple and vulnerable set of tables that make up the state election board’s database, I was able to shut down the website that would tally the votes, bringing the election to a screeching halt. The data were lost completely. And just like that, tens of thousands of votes vanished into thin air, throwing an entire election, and potentially control of the House or Senate—not to mention our already shaky confidence in the democratic process itself—into even more confusion, doubt, and finger-pointing. I’m 17. And I’m not even a very good hacker. I’ve attended the hacking convention DEF CON in Las Vegas for over five years now, since I was 11 years old. While I have a good conceptual understanding of how cyberspace and the internet work, I’ve taken only a single Python programming class in middle school. When I found out that the Democratic National Committee was hosting a security competition for kids and teens, however, my interest in politics fed into curiosity about how easy it might be to mess with a U.S. election. Despite that limited experience, I understood immediately when I got to Las Vegas this year why the professionals tend to refer to state election security as “child’s play.”

National: Russian hackers targeting more US political groups, Microsoft says | The Guardian

Microsoft says it has uncovered new Russian hacking attempts targeting US political groups before the midterm elections. The company said a group linked to the Russian government created fake internet domains that appeared to spoof two US conservative organisations: the Hudson Institute and the International Republican Institute. Three other fake domains were designed to look as if they belonged to the Senate. Microsoft did not offer any further description of the fake sites. The revelation came just weeks after a similar Microsoft discovery led the senator Claire McCaskill, a Missouri Democrat who is running for re-election, to reveal that Russian hackers tried unsuccessfully to infiltrate her Senate computer network.

Editorials: Election Security Bill Without Paper Records and Risk Limiting Audits? No Way. | Electronic Frontier Foundation

The Senate is working on a bill to secure election infrastructure against cybersecurity threats, but, unless amended, it will widely miss the mark. The current text of the Secure Elections Act omits the two most effective measures that could secure our elections: paper records and automatic risk limiting audits. Cybersecurity threats by their very nature can be stealthy and ambiguous. A skillful attack can tamper with voting machines and then delete itself, making it impossible to prove after the fact that an election suffered interference. Paper records ensure that it is possible to detect and quickly correct for such interference. Automatic audits ensure that such detection actually happens.

Indiana: New campaign to increase awareness of Indiana voting security launched | Wash Times Herald

If the Indiana election system were human, it would be the “healthiest 200-year-old you’ll ever find,” according to a radio ad released Monday by the office of Secretary of State Connie Lawson. The audio is part of a $500,000 campaign by Lawson’s office in partnership with an Indianapolis marketing firm to increase public awareness around cybersecurity, voting and the relationship between the two ahead of the Nov. 6 general election. “In Indiana, the security of our voting system is of the utmost importance. This public awareness campaign demonstrates to voters that proper precautions are in place to secure their vote,” Lawson said in the campaign announcement. “We take great care to prepare our election administrators for each cycle, and in partnership with counties, other states, and the federal government we are developing new answers to security concerns and election policy.”

Maryland: A Russian Oligarch Bought Maryland’s Election Vendor. Now These Senators Are Questioning the Rules | Roll Call

Maryland’s Democratic senators want a Senate committee to require disclosures of foreign investments in U.S. election systems, an alarm bell set off by a Russian oligarch’s connection to their state’s voter registration system. The request to the Rules and Administration Committee comes from Sen. Benjamin L. Cardin and Sen. Chris Van Hollen. Van Hollen is also the chairman of the Democratic Senatorial Campaign Committee. The Maryland senators have been alarmed by a Russian oligarch’s investment connection to ByteGrid LLC, which handles the Old Line State’s voter registration database and candidate management operations. “As the Rules Committee prepares to mark up the Secure Elections Act, we respectfully request that you sponsor an amendment requiring that an election infrastructure vendor submit a report to the Chair of the [Election Assistance Commission] and the Secretary of [the Department of Homeland Security] identifying any foreign national that directly or indirectly owns or controls the vendor, as well as any material change in ownership resulting in ownership or control by a foreign national,” Cardin and Van Hollen wrote Monday.

Australia: Want to hack the Western Australia government? Try ‘Password123’ | Computerworld

A staggering 60,000 out of 234,000 active accounts at a range of WA government agencies were potentially at risk of a dictionary attack due to their weak passwords, a review by the state’s auditor general has found. The state’s auditor general today upheld a venerable WA government information security tradition, slamming agencies for poor practices when it came to passwords and other protective measures. For the report, the WA Office of the Auditor General obtained encrypted password data from 23 Active Directory environments across 17 agencies. Using a selection of password dictionaries it found that tens of thousands of users had chosen weak passwords including “Password123” (1464 accounts), “password1” (813), “password” (184), “password2” (142) and “Password01” (118). “After repeatedly raising password risks with agencies, it is unacceptable that people are still using Password123 and abcd1234 to access critical agency systems and information,” said Western Australia’s auditor general, Caroline Spencer.

National: States add intrusion sensors to election systems to thwart hacking | CNN

A growing number of states are installing a cyber-intrusion sensor system supplied by the Department of Homeland Security in response to fears that election systems may be hacked by foreign adversaries during the 2018 midterm elections and beyond. To date, 36 states have installed the intrusion detection sensors, known as “Albert,” according to a DHS official. The monitoring system was developed by the Center for Internet Security, a nonprofit organization that is working with DHS on election security and coordination. Rather than block cyber threats outright, Albert alerts officials to potentially malign activity to be investigated by experts. In those states, 74 sensors in 38 counties have been installed so far, according to the official, up from 14 before the 2016 presidential election. The new numbers were first reported by Reuters.

National: How DHS is gearing up to protect the midterms from hackers | CNBC

With all the concern over cybersecurity heading into the midterm elections, it’s actually quite difficult for outsiders to directly manipulate votes. Unlike corporate networks and email systems, voting machines aren’t connected to the internet, making them hard to access. So as government officials prepare for the hotly contested congressional elections in November, their focus is more on protecting the integrity of the systems that support the pre- and post-voting periods than on the ballots themselves. “This is about more than just voting machines,” Jeanette Manfra, the top cybersecurity official at the Department of Homeland Security, told CNBC in an interview on Wednesday. “If an [attacker] was intent on sowing discord, how could they do that? It involves us looking at the broad elections administration process.”

National: In Congress, election security proposals aim at 2020 cycle | FCW

While most of the discussion around election security tends to focus on protecting the 2018 fall elections, much of the federal guidance and legislative proposals currently under consideration would likely have limited impact this year. Two bills in Congress – The Secure Elections Act and the PAVE Act – would implement a number of best-practice policies around cybersecurity and vote tabulation that are endorsed by most experts. Yet some of the most impactful provisions from those bills, such as grant funding to replace obsolete or out-of-support voting machines or require states to use paper ballots, would take years to implement before states realized results.

California: FBI probing cyber attack on congressional campaign in California – sources | Reuters

The U.S. Federal Bureau of Investigation is investigating a cyber attack on the congressional campaign of a Democratic candidate in California, according to three people close to the campaign. The hackers successfully infiltrated the election campaign computer of David Min, a Democratic candidate for the House of Representatives who was later defeated in the June primary for California’s 45th Congressional district. The incident, which has not been previously reported, follows an article in Rolling Stone earlier this week that the FBI has also been investigating a cyber attack against Hans Keirstead, a California Democrat. He was defeated in a primary in the 48th Congressional district, neighboring Min’s. Paige Hutchinson, Min’s former campaign manager, declined to comment. An FBI spokeswoman said the bureau cannot confirm or deny an investigation.

Florida: Election officials seek info as support builds for Nelson’s Russian-hack claim | McClatchy

Florida election officials said Saturday they are seeking more information to combat any possibility of ongoing hacking efforts on county voting systems, as support mounted over the weekend for Sen. Bill Nelson’s recent claims that Russian operatives have “penetrated” some county voter registration databases in Florida ahead of the 2018 elections. A U.S. government official familiar with the matter confirmed to McClatchy on Saturday an NBC news report that Nelson was right when he said Russian hackers had “penetrated” some of Florida’s county voting systems. The official spoke on the condition of anonymity because of the sensitivity of the matter. Leaders of the Senate Intelligence Committee told Nelson recently that operatives working for Russia penetrated some county voter registration databases in Florida. That appears to represent new information about fallout from a Russian hacking operation nearly two years ago and not evidence of a fresh attack, the government official familiar with the matter said. And on Saturday, Nelson defended himself against claims by Gov. Rick Scott, his likely opponent in a hotly contested U.S. Senate election, that he was careless with classified information.

Verified Voting in the News: West Virginia is testing a mobile voting app for the midterms. What could go wrong? | Vox

On November 6, West Virginians who are serving in the military or living overseas will be able to vote in a brand new way — via an app on their smartphone. But in a climate that’s rife with fear of US election hacking, this new method of voting is raising some questions. …  As mentioned earlier, Voatz relies on blockchain to record the votes. Blockchain, in brief, is a digital ledger that records data — in this case, your vote — but once it’s published, it can’t be canceled or altered. Voatz says its blockchain is “permissioned,” which means you need to be an authenticated user to access it, ostensibly making it more protected. But the problem, according to Philip Stark, a professor of statistics at the University of California Berkeley, is that blockchain does nothing to solve the really difficult problems of voting online. “The one-sentence summary is it’s a scam,” he said of Voatz. “They are not doing what they claim to be doing.”

National: More U.S. states deploy technology to track election hacking attempts | Reuters

A majority of U.S. states has adopted technology that allows the federal government to see inside state computer systems managing voter data or voting devices in order to root out hackers. Two years after Russian hackers breached voter registration databases in Illinois and Arizona, most states have begun using the government-approved equipment, according to three sources with knowledge of the deployment. Voter registration databases are used to verify the identity of voters when they visit polling stations. The rapid adoption of the so-called Albert sensors, a $5,000 piece of hardware developed by the Center for Internet Security (www.cisecurity.org), illustrates the broad concern shared by state government officials ahead of the 2018 midterm elections, government cybersecurity experts told Reuters.

National: Hacking an American Election Is Child’s Play, Just Ask These Kids | Roll Call

In March, Hawaii Democrat Rep. Tulsi Gabbard introduced the Securing America’s Elections Act to require the use of paper ballots as backup in case of alleged election hacking. Now voting advocates are suing Georgia to do the same thing. Some voting systems are so easy to hack a child can do it. Eleven-year-old Emmett Brewer hacked into a simulation of Florida’s state voting website in less than 10 minutes at the DefCon hacking conference last week in Las Vegas, according to Time. Of the approximately 50 children age 8 to 17 who took part in the Election Voting Hacking Village at DefCon, 30 were able to hack into imitation election websites within three hours, Time reported. The kids were able to rewrite vote tallies so that they totaled as much as 12 billion, and change the names of parties and candidates, according to the Guardian.

National: U.S. states demand better access to secrets about election cyber threats | Reuters

U.S. state election officials are demanding better access to sometimes classified federal government information about hacking threats to voting systems. With less than three months until the November midterm elections, 44 states, the District of Columbia, and numerous counties on Wednesday participated in a simulation that tested the ability of state and federal officials to work together to stop data breaches, disinformation and other voting-related security issues. They did not simulate a cyber attack, but rather played out various scenarios to learn how to react if there were one. The Department of Homeland Security, Office of the Director of National Intelligence, U.S. Cyber Command, Justice Department and the FBI participated.

Georgia: Counties respond to hacking, security threat | Atlanta Journal Constitution

As Georgians prepare to cast their ballots in a nationally watched gubernatorial race, the security and reliability of the state’s election system remains a point of concern for many voters and security experts. Polls show that a large percentage of Americans believe there’s a concerted effort underway by foreign entities to undermine American Democracy and promote discord, using everything from fake Facebook accounts to Russian Twitter bots. But perhaps nothing strikes fear in the hearts of voters in Georgia and across the country more than the notion that their ballots could be changed by hackers. In the metro area, elections officials in Fulton, DeKalb, Cobb, Gwinnett, Henry, Clayton and Fayette counties told The Atlanta Journal-Constitution they are working with the Secretary of State’s office to ensure every ballot cast in November is counted and reported accurately. They say their systems and processes are battle tested and secure. Still, there’s a growing clamor for more precautions. The state’s weaknesses have been well documented. Georgia uses electronic voting machines and is one of only five states that don’t have paper backups that can be used to audit results.

Ukraine: Scant resources leave 2019 votes vulnerable to hacking | Kyiv Post

At a glance, Valeriy Striganov seems like an unremarkable Ukrainian civil servant. But he has a monumental mission: as head of the Central Election Commission’s (CEC) IT Department, Striganov is tasked with protecting the upcoming March 2019 presidential elections from a cyber attack. “We find malware every day,” Striganov said with a laugh, peering out from behind a Republic of Gamers-branded laptop that he bought for his job. The question for Ukraine’s cyber security professionals is not so much whether an attack on the election will take place — that is almost completely assured. Rather, it’s how such an offensive will take place.

California: Documents Reveal Successful Cyberattack in California Congressional Race | Rolling Stone

FBI agents in California and Washington, D.C., have investigated a series of cyberattacks over the past year that targeted a Democratic opponent of Rep. Dana Rohrabacher (R-CA). Rohrabacher is a 15-term incumbent who is widely seen as the most pro-Russia and pro-Putin member of Congress and is a staunch supporter of President Trump. The hacking attempts and the FBI’s involvement are described in dozens of emails and forensic records obtained by Rolling Stone. The target of these attacks, Dr. Hans Keirstead, a stem-cell scientist and the CEO of a biomedical research company, finished third in California’s nonpartisan “top-two” primary on June 5th, falling 125 votes short of advancing to the general election in one of the narrowest margins of any congressional primary this year. He has since endorsed Harley Rouda, the Democrat who finished in second place and will face Rohrabacher in the November election.

National: Hackers are out to jeopardize your vote | MIT Technology Review

Russian hackers targeted US electoral systems during the 2016 presidential election. Much has been done since then to bolster those systems, but J. Alex Halderman, director of the University of Michigan’s Center for Computer Security and Society, says they are still worryingly vulnerable (see “Four big targets in the cyber battle over the US ballot box”). MIT Technology Review’s Martin Giles discussed election security with Halderman, who has testified about it before Congress and evaluated voting systems in the US, Estonia, India, and elsewhere.

Lots of things, from gerrymandering to voter ID disputes, could undermine the integrity of the US electoral process. How big an issue is hacking in comparison?

Things like gerrymandering are a question of political squabbling within the rules of the game for American democracy. When it comes to election hacking, we’re talking about attacks on the United States by hostile foreign governments. That’s not playing by the rules of American politics; that’s an attempt to subvert the foundations of our democracy.

National: DHS works to strengthen election security on heels of bipartisan legislation | BiometricUpdate

What one congressional observer called, “a day late and a dollar short,” the bipartisan Prevent Election Hacking Act of 2018 (HR 6188) was recently introduced and referred to the House Committee on House Administration. If passed, it would “direct the Secretary of [the Department of] Homeland Security [DHS] to establish a program to improve election system cybersecurity by facilitating and encouraging assessments by independent technical experts to identify and report election cybersecurity vulnerabilities, and for other purposes.” An industry cybersecurity official said on background to Biometric Update that, “HR 6188’s potentially ground breaking — sorry, overstated deliberately — concept of outsourcing cybersecurity execution to the private sector is something worth looking into.”

California: Legislature approves new Office of Elections Cybersecurity to repel attacks and combat disinformation | StateScoop

California is poised to officially create an Office of Elections Cybersecurity, a new bureau dedicated to combating cyberattacks directed at the state’s voting systems and correcting disinformation directed at voters. The new agency, which will be housed under the secretary of state’s office, was approved this week by both houses of the state legislature. The Office of Elections Cybersecurity will be responsible for disseminating information on cyberthreats against voting systems to county- and city-level elections officials. It is also designed to be a point of contact for federal officials to coordinate responses and to oversee cybersecurity training for local boards of elections, which are often less equipped than larger government agencies to fend off threats from foreign intelligence agencies. Federal officials have said that Russian hackers attempted to penetrate voter registration systems in at least 21 states — including California — during the 2016 presidential race, and have said this year that Kremlin-backed actors continue to target U.S. election infrastructure.

California: Voting Machines Aren’t the Only Vectors for Attack, California Election Officials Say | Government Technology

California election officials are guarding their voting machines and registration lists against Russian hackers — although no one has spotted any. “I operate under the assumption that hacking is actually happening and California is a target,” Secretary of State Alex Padilla says. “This year, there’s a big focus on several congressional races that could determine the House majority. The stakes in California have national implications.” But would the Russians actually try to change election outcomes? “I have no doubt that if they could, they would,” says Padilla, a Democrat who’s heavily favored to win reelection in November. Hacking into California’s voting system and altering votes, however, is considered by most experts to be practically impossible. That’s because voting machines aren’t hooked up to the internet. State law forbids it. A hacker might attack one machine but couldn’t reach into the entire vote-collecting system.