National: Here’s how hackers could cause chaos in this year’s US midterm election | MIT Technology Review

On November 6, Americans will head to the polls to vote in the congressional midterm election. In the months before the contest, hordes of foreign hackers will head to their keyboards in a bid to influence its outcome. Their efforts will include trying to get inside the digital infrastructure that supports the electoral process. There’s a worrying precedent here. Last year, the Department of Homeland Security notified 21 states that Russian actors had targeted their election systems in the months leading up to the 2016 US presidential election. DHS officials said the Russians were mainly scanning computers and networks for security holes rather than taking advantage of any flaws that were discovered. Still, that’s no cause for complacency. Intelligence officials are already warning that Russia is intent on meddling in this year’s election too, and hackers from other countries hostile to the US could join in. This week, both DHS and the Federal Bureau of Investigation said Russia is laying the groundwork for broad cyberattacks against critical US infrastructure. Last year, the DHS designated voting technology as part of that vital framework.

National: DHS chief issues stern warning to Russia, others on election meddling, cyberattacks | The Hill

Homeland Security Secretary Kirstjen Nielsen issued a stern warning to Russia and other countries looking to meddle in future U.S. elections, saying that the U.S. government will consider all options “seen and unseen” for responding to malicious attacks in cyberspace. “The United States, as you know, possesses a spectrum of response options both seen and unseen, and we will use them to call out malign behavior, punish it and deter future cyber hostility,” Nielsen said in keynote remarks at the RSA cybersecurity conference in San Francisco on Tuesday. “Our cyber defenses help guard our very democracy and all we hold dear. To those who would try to attack our democracy to affect our elections, to affect the elections of our allies, to undermine our national sovereignty, I have a simple word of warning: Don’t,” Nielsen said.

National: DHS Secretary Kirstjen Nielsen Talks Russia Hacks, Upcoming Elections | Fortune

Homeland Security Secretary Kirstjen Nielsen promised that the federal government would do all it could to prevent Russians from hacking future elections, but stopped short of guaranteeing that those measures would be effective. “I feel secure that we are and will continue to do everything we can to help state and locals secure their election infrastructure,” Nielsen said on Tuesday, avoiding answering a question about whether the U.S. voting system is hacker proof. The DHS secretary’s comments at the annual RSA cybersecurity conference in San Francisco come after members of the U.S. Senate Intelligence Committee urged Nielsen and the DHS to speed up efforts to secure the nation’s elections, according to the New York Times. In September, the DHS notified 21 U.S. states that Russia had attempted to hack their voting systems prior to the last presidential election.

National: US and UK Warn of Cybersecurity Threat From Russia | The New York Times

The United States and Britain on Monday issued a first-of-its-kind joint warning about Russian cyberattacks against government and private organizations as well as individual homes and offices in both countries, a milestone in the escalating use of cyberweaponry between major powers. Although Washington and London have known for decades that the Kremlin was trying to penetrate their computer networks, the joint warning appeared to represent an effort to deter future attacks by calling attention to existing vulnerabilities, prodding individuals to mitigate them and threatening retaliation against Moscow if damage was done. “When we see malicious cyberattacks, whether from the Kremlin or other nation-state actors, we are going to push back,” Rob Joyce, a special assistant to the president and the cybersecurity coordinator for the National Security Council, said in joint conference call with journalists by senior officials in Washington and London. That would include “all elements of U.S. power available to push back against these kinds of intrusions,” he added, including “our capabilities in the physical world.”

National: Senators, state officials to meet on election cybersecurity bill | The Hill

Two senators sponsoring legislation to secure digital election systems from cyberattacks are meeting Monday with state officials on the details of their proposal. Sens. James Lankford (R-Okla.) and Amy Klobuchar (D-Minn.) are scheduled to meet with secretaries of state to discuss the Secure Elections Act, a spokesman for Lankford confirmed. The bipartisan bill, originally introduced last December, is designed to help and incentivize state officials to make cybersecurity upgrades to their election infrastructure following Russian interference in the 2016 presidential election. The senators rolled out a revised version of the proposal in March, after some state officials, who are responsible for administering federal elections, expressed concerns with the effort. 

Connecticut: Election cybersecurity task force prepares for 2018 voting | New Canaan News

Secretary of the State Denise Merrill gathered federal, state and local officials for a meeting Monday to work on strengthening Connecticut’s election cybersecurity before ballots are cast in November. “2018 will be one of the most closely watched elections in our nation’s history,” said Merrill. “We are going to ensure through this task force the people in Connecticut know every vote will be counted, every voice will be heard.” Representatives from Department of Homeland Security, the National Guard, several state agencies, legislators and local election officials discussed how to block hackers and improve communications across the 169 towns running Connecticut’s elections.

Maryland: State pounces on federal funding for election cybersecurity | CyberScoop

All nine members of U.S. Congress representing Maryland requested this month that Republican Gov. Larry Hogan bolster the state’s election security and infrastructure before the 2018 midterms. Gov. Hogan agreed. In a letter to the governor, lawmakers wrote, “With the 2018 midterm elections fast approaching, we hope you will work quickly and collaboratively with the Maryland State Board of Elections to ensure Maryland has access to this critical federal funding.” Maryland is one of 21 states that was notified by the Department of Homeland Security (DHS) last year that Russia attempted to hack their election system. Though the tallying of votes was not thought to have been affected, and many states were only scanned by Russian actors, legislators hope that this new election security funding will prevent future hacks.

Colorado: Department of Homeland Security Testing Colorado’s Election Systems With Operation Cyber Storm | Westword

Colorado’s election systems have been under attack by cyber intruders. Networks are being poked and prodded in an attempt to bypass security measures, access control systems and manipulate or extract data. Don’t worry, though: The attacks are not real. Rather, they are simulations part of “Cyber Storm,” the nation’s largest cybersecurity exercise, overseen by the Department of Homeland Security. Colorado is one of seven states participating in the exercise, along with nearly 1,000 other “players” across the nation that range from law enforcement agencies to transportation and manufacturing networks. According to DHS, the exercises are the sixth iteration of Operation Cyber Storm, and the simulated cyber attacks are meant to expose cyber vulnerabilities and test network administrators’ preparedness, security measures and responses.

Vermont: Fear of election hacking? Not in Vermont | The Bennington Banner

When Sharon Draper first became clerk of the lakeside town of Elmore, there were about 250 registered voters. That has grown over the years to approximately 700. But for many elections, the number of voters is still not robust enough to justify the expense of using a tabulator, so the paper ballots are counted by hand. As to fraud concerns, Draper says she doesn’t worry. She knows most of the people in town. “There just are not any security issues, I feel, in a little town like Elmore,” Draper said. Since revelations that 21 states’ systems were targeted by Russian hackers in the 2016 election, security of the democratic process has been a major concern across the country. Election security has been the subject of congressional reports and hearings. Lawmakers approved an expenditure of $380 million earlier this year to help jurisdictions buttress their systems.

National: DHS security unit makes another big hire from elsewhere in government | CyberScoop

The federal agency charged with protecting U.S. infrastructure — including its computer networks — has hired Daniel Kroese, the chief of staff for Republican Rep. John Ratcliffe, as a senior adviser. The National Protection and Programs Directorate (NPPD), part of the Department of Homeland Security, brings on Kroese as the Trump administration and Congress are seeking to harden U.S. cybersecurity, including its elections systems. Kroese, who announced the hire in an email to colleagues, will arrive at NPPD with close contacts throughout Congress. The move follows NPPD’s addition of Matthew Masterson, the former chairman of the Election Assistance Commission (EAC), as another senior adviser. Masterson’s role is focused on election security. It’s not clear yet what Kroese will specialize in at NPPD.

National: Air gapping voting machines isn’t enough, says election security expert Alex Halderman | Cyberscoop

The safeguards that election officials say protect voting machines from being hacked are not as effective as advertised, a leading election security expert says. U.S. elections, including national ones, are run by state and local offices. While that decentralization could serve an argument that elections are difficult to hack, University of Michigan Professor J. Alex Halderman says that it’s more like a double-edged sword. Speaking to an audience of students and faculty at the University of Maryland’s engineering school on Monday, Halderman said that the U.S. is unique in how elections are localized. States and counties choose the technology used to run federal elections. “Each state state running its own independent election system in many cases does provide a kind of defense. And that defense is that there is no single point nationally that you can try to attack or hack into in order to change the national results,” Halderman said. But since national elections often hinge on swing states like, Virginia, Ohio or Pennsylvania, attackers can look for vulnerabilities where they would count. “An adversary could probe the election systems in all the close states, look for the ones that have the biggest weaknesses and strike there, and thereby flip a few of those swing states,” Halderman said.

National: Democrats make direct appeal to Speaker Ryan on election hacking | CNN

The top Democrats on six of the House’s key committees are appealing directly to Speaker Paul Ryan to help them obtain documents from the Trump administration related to election hacking during the 2016 contest. In a letter sent to the speaker Tuesday morning, the highest-ranking Democrats on the House Oversight, Judiciary, Homeland Security, Foreign Affairs, Intelligence and House Administration committees implored Ryan to intervene in their ongoing efforts to get the Department of Homeland Security to turn over documents related to the targeting of state election-related systems by Russian hackers. The Democrats asked the department in October to provide copies of the notifications it sent to the 21 states it identified as the target of Russian government-linked attempts to hack voting-related systems and other related documents.

National: What We Know And Don’t Know About Election Hacking | FiveThirtyEight

When talk of Russian interference in U.S. elections comes up, much of the focus has been on state-sponsored trolls on Facebook and Twitter — special counsel Robert Mueller recently indicted a number of these actors, and Congress has taken Silicon Valley to task for allowing such accounts to flourish. But there’s another side of Russian meddling in American democracy: attacks on our election systems themselves. We know that Russian hackers in 2016 worked to compromise state voting systems and the companies that provide voting software and machines to states. That could blossom into more concrete attacks this year. As I wrote earlier this week, the worst-case scenario is that on Election Day 2018, votes are altered or fabricated and Americans are disenfranchised.

Arizona: State hires cybersecurity firm to manage risk across state government | StateScoop

Arizona announced Monday that it will use a single cybersecurity firm to monitor and manage the risks to computer systems in all 133 state agencies. The company, RiskSense, is based in neighboring New Mexico and was chosen over other potential vendors in part because of its software that rates a network’s vulnerability to cyberattacks with a proprietary scoring metric modeled on personal-credit ratings. “I can have productive business conversations with people who know little about IT and security,” Mike Lettman, Arizona’s chief information security officer, said in a press release.

Florida: Warning of Russians, Florida Democrats push state to fortify election systems | Tampa Bay Times

Democrats here are pressing Florida Secretary of State Ken Detzner to seek federal funding to fortify election equipment and systems databases. “While most state systems were not breached, the U.S. Intelligence Community has repeatedly warned that Russia will try to disrupt midterm elections in November 2018,” reads a letter sent from Florida House members. “In fact, Director of National Intelligence Dan Coats told the Senate Intelligence Committee: “There should be no doubt that Russia perceived that its past efforts as successful and views the 2018 U.S. midterm election as a potential target for Russian midterm operations.”

National: Election security means much more than just new voting machines | The Conversation

In late March, Congress passed a significant spending bill that included US$380 million in state grants to improve election infrastructure. As the U.S. ramps up for the 2018 midterm elections, that may seem like a huge amount of money, but it’s really only a start at securing the country’s voting systems. A 2015 report by the Brennan Center law and policy institute at New York University estimates overhauling the nation’s voting system could cost more than $1 billion – though the price could be partially offset by more efficient contracting. Most voting equipment hasn’t been updated since the early 2000s. At times, election officials must buy voting machine hardware on eBay, because the companies that made them are no longer in business. Even when working properly, those machines are not secure: At the 2017 DEF CON hacker conference, attackers took control of several voting machines in a matter of minutes. Securing electoral systems across the U.S. is a big problem with high stakes. This federal money being provided to states now may not be the last of its kind, but it’s what’s available right away, and it must be used as efficiently as possible.

National: The Moscow Midterms | FiveThirtyEight

The first Americans to line up to vote on Nov. 6, 2018, will be the East Coast’s earliest risers. As early as 5 a.m. EST, rubbing the sleep from their eyes and clutching travel thermoses of coffee, they will start the procession of perhaps 90 million Americans to vote that day. The last to cast ballots will be Hawaiians, who will do so until 11 p.m. East Coast time. When all is said and done, the federal election will unfold something like an 18-hour-long ballet of democracy: 50 states, dozens of different kinds of voting machines and an expectation that everything should be counted up in time for TV networks to broadcast the results before Americans head to bed. Election Day 2018 is expected to unfold no differently than it has in years past. Except it might.

Arizona: Election database targeted in 2016 by criminals, not Russia: source | Reuters

A hack on an Arizona election database during the 2016 U.S. presidential campaign was carried out by suspected criminal actors and not the Russian government, a senior Trump administration official told Reuters on Sunday. The official was responding to a report on CBS News’ “60 Minutes” citing an internal government document that Russian hackers successfully infiltrated computer systems associated with at least four U.S. states, including Arizona, leading up to the 2016 election. Hackers working for the Kremlin breached systems in Illinois, a county database in Arizona, a Tennessee state website and an information technology vendor in Florida, according to the previously undisclosed Oct. 28, 2016, assessment from the Department of Homeland Security, according to the program. 

Maryland: With session over, attention turns to election security | Frederick News Post

With the close of the legislative session on Monday, all eyes are turning to the 2018 elections — and election security. On the final day of the legislative session, lawmakers passed House Bill 1331, which requires the state administrator of elections to report security breaches and significant attempted violations within a week of their discovery to the State Board of Elections, governor, legislative leaders and attorney general. Delegate Alonzo T. Washington (D-Prince George’s County) sponsored the legislation after it came to light that Russian hackers tried to penetrate Maryland’s online voter registration system in August 2016. The U.S. Department of Homeland Security (DHS) reported that voter registration databases or election agency public websites in 21 states were probed by Russian hackers during the 2016 election. At a hearing on Washington’s bill last week, Nikki Charlson, Maryland’s deputy elections administrator, said the state’s registration system was “probed,” but not “breached.”

National: “Don’t Mess With Our Elections”: Vigilante Hackers Strike Russia, Iran | Motherboard

On Friday, a group of hackers targeted computer infrastructure in Russia and Iran, impacting internet service providers, data centres, and in turn some websites. In addition to disabling the equipment, the hackers left a note on affected machines, according to screenshots and photographs shared on social media: “Don’t mess with our elections,” along with an image of an American flag. Now, the hackers behind the attack have said why they did it. “We were tired of attacks from government-backed hackers on the United States and other countries,” someone in control of an email address left in the note told Motherboard Saturday.

National: When Russian hackers targeted the U.S. election infrastructure | 60 Minutes/CBS News

The U.S. intelligence community has concluded there is no doubt the Russians meddled in the 2016 U.S. presidential election, leaking stolen e-mails and inflaming tensions on social media. While Congress and special counsel Robert Mueller investigate Russian interference, including whether the campaign of Donald Trump colluded with Russia, we have been looking into another vector of the attack on American democracy: a sweeping cyber assault on state voting systems that U.S. intelligence tied to the Russian government. Tonight, you’ll find out what happened from the frontline soldiers of a cyberwar that was fought largely out of public view, on digital battlegrounds in states throughout the country. The threat Russia posed to our democratic process was deemed so great, the Obama Administration took the unprecedented step of using the cyber hotline – the cybersecurity equivalent of the nuclear hotline – to warn the Kremlin to stop its assault on state election systems. Russian operatives had launched a widespread cyberattack against state voting systems around the country.

National: The Challenge of Machines in the 21st Century | Fair Observer

Information technology and the internet are changing the way democracy works. Recent revelations of the use of personal data to manipulate elections tell us that we live in a very different place we thought we did just weeks ago. Marketing companies, like the now infamous Cambridge Analytica, may deploy data profiling to influence human targets on social media. This involves the enveloping of the subjects within an artificial world; Christopher Wylie, the whistleblower at the center of this scandal, referred to these worlds as “cultures.” In each of these artificial cultures, political candidates would appear to each target from a different aspect, but always as a perfect candidate tailored to the psychographic profile of that particular voter. This approach, Cambridge Analytica claims, would increment the candidate’s electoral margins. There is currently no information if the use of personal data had a deciding effect on the US presidential elections. However, the process is revealing of the power online companies hold today to, in principle, manipulate its customers.

Voting Blogs: Two new cybersecurity tools for elections officials | electionlineWeekly

While states and localities are awaiting their share of the $380 million allotted by Congress to upgrade elections cybersecurity, there are two, totally free ways that they can start beefing up their security now. The Center for Internet Security (CIS), a nonprofit that harnesses the power of the global IT community to safeguard private and public organizations against cyber threats recently released A Handbook for Elections Infrastructure Security and also launched the Elections Infrastructure Sharing and Analysis Center (EI-ISAC).

Illinois: Russian ‘hack’ of 2016 voter rolls leaves Galesburg, Illinois, reeling | WFLD

Galesburg, Ill., appears to be a typical small town, nestled in the farmlands of the Midwest. But the unassuming slice of the American heartland, which was the site of an Abraham Lincoln-Stephen Douglas debate in 1858, was invaded by the Russians during the 2016 presidential election through a cyberattack on the state’s voter registration rolls. “The greatest concern that I have is that a foreign entity gets in and doesn’t change a vote, but they just create instability that enough of the American people can’t trust the vote,” Sen. James Lankford, R-Okla., told Fox News.

National: 14 states’ voting machines are highly vulnerable. How’d that happen? | McClatchy

Texas counties have doled out millions of dollars in recent months to replace thousands of old touch-screen voting machines that lack a paper record – a weakness security experts warn could allow Russians or other hackers to rig U.S. elections without detection. The problem is, many of the new machines have the same vulnerability. So do similar machines in more than a dozen states across the country. Vicki Shelly, the election administrator in San Jacinto County, Tex., north of Houston, said she received no alert from Washington or state officials before the county spent $383,000 on its new paperless touch-screen voting system made by Hart InterCivic. “Whoever’s doing all the research, it seems like we should have been in on it a little sooner,” said Shelly, one of hundreds of election officials that make up the first line of defense against attempts to tamper with U.S. election results. “Honestly, it’s very disturbing.”

National: Voting machine vendor firewall config, passwords posted on public support forum | CSO

A sysadmin at a leading voting machine vendor posted a firewall configuration file, including passwords, into a public Cisco support forum in 2011, opening the company up to possible attack. The config files expose a wealth of information useful to an attacker, including domain name, hostname, and ASA version number. While there is no evidence that the voting machine vendor was compromised, this accidental leakage of information is “juicy intelligence,” Dan Tentler, founder and CEO of Phobos Group, an attack simulation security company, tells CSO. “If you have a crack team of cat burglar types and they’re all going to break into a building, this firewall configuration file is the equivalent of finding the floor plan of the building they are planning to break into,” Tentler says.

National: Want to hack a voting machine? Hack the voting machine vendor first | CSO

Thousands of voting machine vendor employees’ work emails and plaintext passwords appear in freely available third-party data breach dumps reviewed by CSO, raising questions about the security of voting machines and the integrity of past election results. While breached sites, like LinkedIn after the 2012 breach, force users to change their passwords, a significant number of people reuse passwords on other platforms, making third-party data breaches a gold mine for criminals and spies. For many years voting machine vendors have claimed that voting machines were air gapped — not connected to the internet — and were thus unhackable. Kim Zetter debunked that idea in The New York Times in February. An attacker who managed to break into a voting machine vendor employee’s work email, because the employee used the same password as on a breached site, could leverage that to gain access to the voting machines themselves. And if voting machine vendors install remote access software on voting machines, factory backdoors that vendor employees use to remotely access the machines for maintenance, troubleshooting or election setup purposes, this turns voting machine vendor employees into targets. Hack the vendor, hack the voting machine.

National: So Your State Has Come Into Some Election Security Money. Now What? | Route Fifty

Most states won’t have risk-limiting audits in place by the November midterms, which makes how they spend the $380 million in federal funding for election security, due out within 39 days, that much more important. Congress included the money in the omnibus spending bill, at the Senate Intelligence Committee’s recommendation, to be disbursed to states under the Help America Vote Act and spent on verifiable paper balloting, post-election audits of votes and cyber defenses. The appropriation is a good first step in shoring up voting systems against Russian-connected hacking, according to election security experts, but it doesn’t come close to replacing vulnerable polling place equipment in most at-risk states. “I wouldn’t say it’s a drop in the bucket—a glass of water in the bucket,” Joe Kiniry, Free & Fair CEO and chief scientist, told Route Fifty by phone. “A big corporation spends this much money on cybersecurity in a year.”

National: Higher cyber security services demand around elections, says McAfee boss | Press Association

The chief executive of McAfee believes cyber security firms will see higher demand for election protection as authorities in countries such as the US and UK try to safeguard “integrity” at the ballot box. Chris Young said there was a growing trend of attacks targeting “major events” like the most recent Winter Olympics, with the next big focus likely to be  the highly-anticipated US midterm elections in November. “We’re now at a point where you could almost be certain than any notable event will have a corresponding set of cyber attacks with it,” he told the Press Association, adding that “election protection is going to be … bigger.”