National: Obama cybersecurity czar: Russian hackers likely scanned election systems in all 50 states | USA Today

Russian hackers likely scanned the election systems of all 50 states for vulnerabilities in 2016 — not just the 21 states confirmed as targets by homeland security officials last year, the cybersecurity czar for former President Barack Obama told a Senate panel Wednesday. “I think it is highly likely,” Michael Daniel replied in answer to a question from Sen. Susan Collins, R-Maine, about whether Russian cyber actors at least scanned the election systems of every state. “It is more likely that we hadn’t detected it than that it didn’t occur.” States have been scrambling to improve their cyber security after Homeland Security officials revealed last year that Russian hackers tried to breach election systems in at least 21 states in 2016. Although no actual votes were changed, hackers broke into Illinois’ voter registration database.

National: State Election Officials Didn’t Know About Russian Hacking Threat Until They Read It in the News, Emails Show | HuffPost

Voters across the country were shocked to learn last year, through the disclosure of a top-secret NSA document, details of an intricate plot by Russian military hackers to infiltrate American electoral systems. New emails obtained by The Intercept through public records requests illustrate the disturbing extent to which potential targets of the attack were caught unaware, having apparently remained in the dark alongside the voting public. On June 5, 2017, The Intercept published a top-secret National Security Agency assessment that detailed and diagramed a Russian governmental plot to breach VR Systems, an e-voting vendor that makes poll book software used by several pivotal electoral battleground states, such as North Carolina and Virginia. The report attributed the scheme to the Russian General Staff Main Intelligence Directorate, or GRU. GRU’s plan, the NSA claimed, was to roll any success with VR Systems into a subsequent email attack against state voting officials across the country.

Editorials: Jay Ashcroft claims voter fraud a bigger threat than hacking | The Kansas City Star

When Missouri Secretary of State Jay Ashcroft testified Wednesday in Washington about the security of America’s election systems, he made an astonishing and troubling statement. “The evidence indicates,” he said, “that voter fraud is an exponentially greater threat than hacking of election equipment.” What? Attempts to hack into America’s election systems are well-documented. The fact that they haven’t broadly succeeded, as far as we know, doesn’t mean they aren’t an imminent threat. “It’s disappointing to see this discredited fiction repeated by an election official,” said Lawrence Norden, deputy director of the Democracy Program at the Brennan Center in New York. Minnesota Secretary of State Steve Simon, testifying at the same hearing, was clear. “Election security in general, and cybersecurity in particular, is the most significant threat to the integrity of our election system,” he said. He’s right.

National: Bill to help states secure election absent from defense spending package | StateScoop

The sponsors of a bill designed to help state election officials be briefed on threat information failed to insert any of their provisions in a defense spending package approved Monday by the U.S. Senate. Sens. James Lankford, a Republican from Oklahoma, and Amy Klobuchar, a Democrat from Minnesota, had pushed to get parts of their bill, the Secure Elections Act, included in the National Defense Authorization Act. Brought on by concerns from the intelligence community that the Russian government will repeat its 2016 efforts to influence U.S. voters ahead of this November’s midterm elections, the Secure Elections Act was designed to make it easier for state elections officials to get the security clearances necessary to be briefed on threats. It would also direct the Department of Homeland Security to share threat information with state elections officials.

National: New Government Reports Shows Federal Agencies Facing Significant Cyber Security Risks | CPO Magazine

With all the talk about cyber security risks in the news, you would think that the U.S. federal government would be doing a better job of protecting its data from cyber attacks, including the very real threat of state-sponsored hackers. Yet, as a new Office of the Management and Budget (OMB) report points out, nearly 75 percent of federal agencies are still woefully unprepared to handle cyber security risks of any kind. This all comes on the heels of the United States government eliminating the position of federal cybersecurity czar earlier this year. While the report, which was prepared in collaboration of the Department of Homeland Security (DHS), did not specifically call out which agencies were failing to respond to global cyber threats, it did suggest that the failures, gaps and inadequacies were relatively evenly distributed across the entire federal government. In fact, 71 of the 96 federal agencies reviewed were deemed to be “at risk” or “at high risk” of a cyber attack. The report defined “at risk” to mean that there were significant gaps in security preparedness, while “at high risk” means that fundamental processes were not even in place to deal with cyber security risks.

National: Senate defense bill pushes Trump to get tougher on Russian hacking | The Washington Post

The Senate wants to turn up the pressure on President Trump and his military chiefs to strike back against Russian hacking. The massive defense policy bill the Senate approved Monday night calls on Trump to curb Russian aggression in cyberspace. It gives Trump the green light to direct U.S. Cyber Command to “disrupt, defeat and deter” cyberattacks by the Russian government, conduct surveillance on Kremlin-backed hackers and partner with social media organizations to crack down on disinformation campaigns such as the ones that disrupted the 2016 election. It would also require the administration to send quarterly reports to Congress about the progress of its efforts.

Editorials: Erecting early cyber-defenses key to protecting the vote | The Palm Beach Post

Thank goodness Palm Beach County elections officials haven’t waited for the state of Florida for help in hardening our voting system from cyberattacks. First, the Legislature failed to approve money for a cyber-security unit in the state elections office, so Gov. Rick Scott is resorting to a federal grant to contract for five consultants to assist elections officials. Then the Scott administration let months go by without bothering to seek $19.2 million in federal money for cyber security that’s been available since President Trump signed the most recent spending bill, in March.

Mexico: Russian bots are accused of meddling in Mexico’s election | Business Insider

Shortly after Mexican presidential candidate Ricardo Anaya held up a placard announcing his campaign’s newest website, Debate2018.mx, during a debate on June 12, the site was overwhelmed by an influx of traffic. Anaya’s campaign said the site — which was to offer evidence of wrongdoing by campaign frontrunner Andres Manuel Lopez Obrador — likely experienced a distributed denial of service attack and that most of the traffic had come from Russia and China. But experts have cast doubt on that version of events and said homegrown cyber activity will likely play a bigger role in Mexico’s election.

National: U.S. Cyber Policy, Beyond Ones and Zeros | International Policy Digest

Critics have derided the White House’s decision this past May to scrap its Cyber Coordinator post—created by the Obama administration to consolidate policy courses of action on cybersecurity issues—as short-sighted and tone-deaf, particularly at the height of concern over Russia’s nefarious activity toward U.S. political processes. However, the move creates an opportunity to examine whether the overall U.S. approach to cybersecurity has been overly narrow relative to the Russian threat—which itself has demonstrated the need for Washington to forge partnerships with industry and to expand beyond the network-centric aspects of information warfare.

National: Politicians wary that hackers could swipe emails, upend their campaigns | The Sacramento Bee

A new reality has set in to political campaigns: Candidates must expect that their private email accounts will be hacked, and the contents splashed onto the internet, possibly squandering their chances of victory or exposing personal secrets. Email hacking is now an entrenched tactic for practitioners of political sabotage. “I think it’s here to stay. I don’t see it changing,” said Richard Ford, chief scientist at Forcepoint, an Austin, Texas, cybersecurity company. Whether politicians are swapping tales of town halls, dishing on their opponents or sharing intimacies with spouses — or others — they now know that a private conversation can explode on to the internet.

National: Voter confidence is the biggest election security challenge, DHS cybersecurity official says | The Washington Post

A top cybersecurity official at the Department of Homeland Security says the biggest election security challenge going into the midterms isn’t a technical one. It’s convincing voters that their ballots are secure. “To me the No. 1 threat is around public confidence in the process,” said Matt Masterson, who coordinates a range of DHS election security efforts as senior cybersecurity adviser within the department’s National Protection and Programs Directorate. “How are we talking about this? How are we educating the public so they have confidence in the process and will show up and vote? Because the best response to any attempts to undermine confidence in the process is to vote.” Now that voters know that nation-states such as Russia want to disrupt U.S. elections, it’s going to take a continuous effort from DHS and other government agencies at all levels to make sure they keep turning out at the polls, Masterson told me in a recent interview in his office in Arlington, Va. And that won’t go away come November. 

National: National labs will probe election tech for vulnerabilities under planned DHS program | CyberScoop

The government is currently planning a cybersecurity program that would allow federally funded national scientific laboratories to privately probe and then document security flaws existing in U.S. election technology, most of which is developed and sold by private companies, according to a senior U.S. official. Rob Karas, director of the National Cybersecurity Assessments and Technical Service team at the Homeland Security Department, said that multiple election technology vendors had already shown an interest in engaging on the effort. Karas declined to name the firms, but said the initiative will begin later this summer. The outreach process is still ongoing.

Mexico: Cyber attack on Mexico campaign site triggers election nerves | Reuters

The website of a Mexican political opposition party was hit by a cyber attack during Tuesday’s final television debate between presidential candidates ahead of the July 1 vote, after the site had published documents critical of the leading candidate. The National Action Party (PAN) said that its website, targeting front-runner Andres Manuel Lopez Obrador, likely suffered a distributed denial of service (DDoS) cyber attack with the bulk of traffic to the site nominally coming from Russia and China. Lopez Obrador’s Morena party said it had nothing to do with the outage. The Chinese and Russian embassies in Mexico did not immediately respond to requests for comment. Reuters could not confirm the PAN’s account of the attack.

National: Here’s How That $380 Million in Election Security Funding Is Being Spent | Nextgov

Homeland Security Department inspectors aren’t turning up anything shocking when they assess state and local election systems for cybersecurity vulnerabilities in advance of the 2018 midterms, an official said Tuesday. Most of what Homeland Security is turning up in the risk and vulnerability assessments are the same issues you’d see in any information technology environment, Matthew Masterson, a senior cybersecurity adviser, told members of the Senate Judiciary Committee. That includes unpatched software, outdated equipment and misconfigured systems. Homeland Security has conducted risk and vulnerability assessments of 17 states and 10 localities so far, Masterson said.

National: Democrats unveil push to secure state voting systems | The Hill

A group of Democratic senators is introducing a bill aimed at securing U.S. elections from hacking efforts, the latest response to attempted Russian interference in the 2016 presidential vote. The bill introduced Tuesday is specifically designed to ensure the integrity of and bolster confidence in the federal vote count. It would require state and local governments to take two steps to ensure that votes are counted correctly. Under the legislation, states would have to use voting systems that use voter-verified paper ballots that could be audited in the event a result is called into question. State and local officials would also be required to implement what are known as “risk-limiting audits” — a method that verifies election outcomes by comparing a random sample of paper ballots with their corresponding digital versions — for all federal elections.

National: Congress struggles with ‘more than 30 proposals’ to combat foreign election meddling | Washington Times

Congress is wrestling with more than 30 proposals “to combat different angles of the foreign election meddling issue,” according to Senate Judiciary chairman Chuck Grassley. The logjam of legislation — much of it pushed by House and Senate bipartisan efforts — comes as the 2018 midterm election season accelerates toward its November finale that will determine the balance of power in Congress and in statehouses across the nation. “There have been no fewer than 18 pieces of legislation proposed to combat different angles of the foreign election meddling issue in the Senate alone,” Mr. Grassley, Iowa Republican, said Tuesday during a Senate Judiciary Committee hearing exploring election safety and foreign influence.

National: DHS steps up security assistance for states’ election systems | GCN

State and local elections officials  preparing for the 2018 elections are strapped for time and resources, but the Department of Homeland Security’s National Protection and Programs Directorate is stepping in to help. Two weeks ago, at the request of the Elections Government Coordinating Council, NPPD released guidance on what states and localities should do with their share of the $382 million from 2018 Help America Vote Act Security Fund, said Matt Masterson, NPPD senior cybersecurity advisor, during a June 12 Senate Judiciary Committee hearing. NPPD provided insights on where the money should be used to address risks in the election process. “We focused first on common IT vulnerabilities that exist across elections — things like patching, training for phishing campaigns as well as manpower,” Masterson said.

Pennsylvania: After 2016 Russian hack attempts on voter data, registration system to be audited | Philadelphia Inquirer

Pennsylvania Auditor General Eugene DePasquale said Monday that his office will evaluate the security of the state’s voter-registration system, a target of Russian hackers before the 2016 presidential election. Pennsylvania was one of 21 states whose election data were sought by Russian hackers, the U.S. Department of Homeland Security said last year. Though there was no evidence of a breach, DePasquale said, the revelation prompted him and others to test the system’s security. “This is something that has been talked about both locally and nationally for quite some time,” DePasquale said. “I believe it is the right time to make sure we are doing everything we can to make sure our voting system in Pennsylvania is secure.”

Editorials: South Carolina must act to make voting more secure | The Times and Democrat

The General Assembly turned down a request from the State Election Commission and Gov. Henry McMaster to expedite the replacement of the state’s aging voting machines, providing only $4 million of a $20 million request to get going on a project expected to cost about $50 million over two years. With heightened concerns over election tampering, lawmakers should reconsider their decision as soon as possible. Even if all of the funding was provided next year, the earliest South Carolina voters would have access to the new machines that produce a paper trail of their votes would be the November 2020 general election. The state is unlikely to have the new machines in time for the 2020 presidential primaries or other contests held before that time.

Virginia: On primary day in Virginia, officials say they’re preparing for more cyberthreats against elections | StateScoop

As five more states hold primary elections Tuesday, one of the biggest concerns in this year’s voting cycle continues to be how secure ballot systems are. But the lead elections official in Arlington County, Virginia, is confident votes there will be counted without issue. “We have a practical, low-key approach,” said Linda Lindberg, Arlington’s director of elections. Arlington is a bit of a model citizen for how jurisdictions conduct elections. Lindberg’s “practical” hews closely to what many ballot-security advocates call for: recording votes on paper ballots, which are then counted by optical scanners. Lindberg said her office also conducts routine tests of its equipment and scans its voter-registration system for vulnerabilities.

Belgium: Intelligence watchdog warns of Russian election meddling | Politico

Belgium’s chief regulator of intelligence services warned that Russia would seek to meddle in local elections coming up in October, he told Belgian magazine Knack and newspaper Le Soir in an interview published Wednesday. Guy Rapaille, who oversees the watchdog for intelligence services in Belgium, Comité R, urged intelligence services to pay close attention to Russian meddling in Belgium’s upcoming local elections in October, as well as regional, federal and European elections in May 2019. He pointed to revelations that the Russian state had contacts with far-right parties. “In France there were sometimes troubling relations with the [far-right party of Marine Le Pen] National Front, one could imagine the same in Belgium too,” he said.

Canada: Federal government unveils plan to boost Canada’s defences against online attacks, crime | The Globe and Mail

The federal government unveiled its plan to bolster Canada’s defences against nefarious online attacks and crime Tuesday, even as it acknowledged a shortage of skilled cyberwarriors to meet the country’s needs. Backstopped by more than $500-million in new funding over the next five years, Ottawa’s newly released cybersecurity strategy lays out a range of initiatives to help Canadians, business and the government better protect against cyberthreats. The strategy was the result of nearly two years of consultations with industry, academics and other experts, and updates the first such plan released by the Harper Conservatives in 2010.

National: Senators introduce election security amendment to defense bill | The Hill

Senators are trying to pass legislation aimed at securing U.S. election systems from cyberattacks by inserting the measure into annual defense policy legislation. Sens. James Lankford (R-Okla.) and Amy Klobuchar (D-Minn.) have introduced a new version of the Secure Elections Act as an amendment to the National Defense Authorization Act (NDAA), which the upper chamber is poised to take up next week. The lawmakers, backed by a bipartisan group of co-sponsors, originally introduced the legislation last December amid rising fears over threats to voter registration databases and other digital systems as a result of Russian interference in the 2016 presidential election.

Pennsylvania: Voter registration system will be audited over hacking concerns | WITF

The state Auditor General is launching a review of Pennsylvania’s voting and registration process, following up on concerns Russians attempted to interfere in the 2016 elections. Auditor General Eugene DePasquale said the review will focus on the security of the Statewide Uniform Registry of Electors–or SURE–system, which tracks registration data on the state and county level. He noted, there’s no evidence foreign hackers successfully breached Pennsylvania’s voting and registration systems. However, he said, “there is zero question that Russians tried to hack it and to interfere in the 2016 election process in Pennsylvania, and at least 20 other states” according to the US Department of Homeland Security.

National: Industry Report Cites Mounting Threats to Election Infrastructure | Bloomberg

U.S. election systems are increasingly at risk for cyberattacks ahead of the November midterms as Russia continues information operations to sow political division, according to cybersecurity firm FireEye Inc. State and local election infrastructure is becoming a more popular target for hackers, particularly state-sponsored cyberespionage actors, the Milpitas, California-based company said in a recent report, outlining risks to voter registration, polling places and ballot submission systems. Although the U.S. primary season is well underway, FireEye said it hasn’t observed attacks against election infrastructure as of March. But following Russian meddling in the 2016 elections, “malicious actors and nation states likely already have an understanding of the flaws in the U.S. elections infrastructure and will seek to exploit opportunities where they can,” the report said.

National: Voters’ distrust of election security is just as powerful as an actual hack, officials worry | The Washington Post

As millions of people across the country vote in eight different primaries today, state officials are working hard to secure the elections from hackers. But officials say there’s a more pressing, albeit abstract, challenge: Keeping voters confident that their vote is safe. The U.S. intelligence community has concluded that a major goal of Russia’s campaign to interfere in the 2016 presidential election through cyberattacks on 21 states and national political organizations was to undermine public faith in the U.S. democratic process. By that count, election officials say, they’re already succeeding in this cycle — without breaching a single system. Just the fear of digital sabotage — and the perception that voting machines are hackable — is enough to scare voters into a lack of confidence in the democratic process, election officials lament.

National: DHS official: States will probably know first if malicious cyber-activity hits primaries | CyberScoop

The Department of Homeland Security is on standby to alert state officials about any malicious cyber-activity during Tuesday’s primary elections, but the states themselves will likely know first if something is amiss, Matthew Masterson, a senior cybersecurity adviser at DHS, told CyberScoop. With voters going to the polls in eight states, Tuesday’s primaries are a chance for DHS to test the communication protocols it has sought to ingrain in election personnel across the country. State officials, who generally have the best views of their networks, will flag potentially malicious activity for DHS, which can in turn alert other states, according to Masterson. “If we see or have information to suggest something is going on, we have the ability to immediately share it with the states,” he said in an interview. Ahead of the midterm elections, DHS has looked to “ramp up” its cyberthreat reports to state officials to get them information that is easily understood and not overly technical, Masterson added.

National: Election Assistance Commission says 26 states have received cybersecurity funding ahead of midterms | The Hill

The Election Assistance Commission (EAC) on Tuesday released a list of 26 states that have requested and received cybersecurity funding, money that aims to ensure state’s voting systems are properly secured ahead of the 2018 midterm elections. An EAC press release broke down which states have requested the cyber funds as well as how much they received. To date, these states have requested nearly $210 million in newly available funds, or about 55 percent of the total amount available. The funds were distributed under the Consolidated Appropriations Act of 2018, a bill passed by Congress that allocated $380 million in funds to the Help America Vote Act (HAVA).

National: Synack offers free penetration testing for election systems ahead of 2018 midterms | CyberScoop

One of the largest bug bounty firms in the business has launched an initiative that will allow states’ election officials to test the security of election systems ahead of the 2018 midterm elections. Redwood City, California-based Synack announced Tuesday its offering free crowdsourced remote penetration testing services to state and local governments until November. Synack co-founder Jay Kaplan told CyberScoop the idea came together after a series of meetings with government officials, including top executives at the Department of Homeland Security, that discussed how the private sector could be doing more to ward off digital meddling. After Synack’s services are completed, states and localities can harden their systems based on the test’s results.

National: In seconds, we faked our way into a political campaign, got unsecured voter data | Ars Technica

On Tuesday, polls will be open to voters in eight states, including California, which holds gubernatorial primaries among many other national, state, and local elections. Under California law (Section 2194 of the Election Code), voter data (name, address, phone, age, party affiliation) is supposed to be “confidential and shall not appear on any computer terminal… or other medium routinely available to the public.” However, there’s a big exception to that law: this data can be made available to political campaigns, including companies that provide digital analysis services to campaigns. In other words, candidates and their contractors can get voter data, but there’s little definition in the law about how those parties are required to be custodians of that data and how that data ought to be secured.