National: Assessing the Bipartisan Secure Elections Act | Lawfare

On Dec. 21, all eyes were on the Republican bill to cut taxes. Yet a bipartisan group of six senators also had their eyes on the far less sexy (but still important!) topic of election hacking. They quietly introduced a bill called the Secure Elections Act that, if passed, would be a good down payment on improving the confidence we can have in the integrity of our elections. This short, stocking-stuffer size review will: review some of the core questions around election security, assess the bill’s provisions to improve information sharing, its grant program, and its bug bounty, and conclude with some tough realism about additional work that needs to be undertaken to protect our elections.

National: Election Assistance Commission announces meeting next week on securing mid-terms | InsideCyberSecurity

The U.S. Election Assistance Commission has announced that it will be holding a public meeting on Jan. 10 to review steps for securing the nation’s election system in advance of mid-term voting this fall. “Ahead of the 2018 midterm elections, the U.S. Election Assistance Commission will host an all day summit to highlight a spectrum of issues that state and local election officials will face as they work to administer a secure, accessible and efficient 2018 Election,” according to a Federal Register notice issued today. The congressionally mandated commission will hear from witness on “topics such as election security, voting accessibility, and how to use election data to improve the voter experience,” according to the announcement.

Oklahoma: Lankford Prioritizing Cybersecurity Ahead of 2018 Elections | Public Radio Tulsa

Another round of federal elections is just months away, and Oklahoma Sen. James Lankford has a bill to guard them against foreign interference. Provisions of the Secure Elections Act would help push out paperless voting systems and encourage all states to audit their elections after they’re finished. Lankford told CNN states will still be running their elections. “But where states are not keeping up their equipment, we need to be able to encourage those states and help provide some grants to those states to say, ‘Go take care of your equipment,'” Lankford said. “We don’t want to have at the end of the next election a guess that the election had fraud in it, that they got into an election system.”

National: Pressure builds to improve election cybersecurity | The Hill

Congressional efforts to secure election systems from cyberattacks are picking up steam with lawmakers under pressure to prevent hacks in the 2018 midterms. After the revelation that Russia tried to probe election systems in 21 states in the 2016 election, security experts, state officials and others demanded federal action to help states upgrade outdated voting machines and bolster security around voter registration databases. Last week, a bipartisan coalition of six senators introduced the Secure Elections Act, which includes a measure authorizing grants for states to upgrade outdated voting technology and shore up their digital security. “It is imperative that we strengthen our election systems and give the states the tools they need to protect themselves and the integrity of voters against the possibility of foreign interference,” Sen. James Lankford (R-Okla.), a Senate Intelligence Committee member, said when unveiling the bill.

National: The latest 2018 election-hacking threat: A 9-month wait for government help | Politico

States rushing to guard their 2018 elections against hackers may be on a waiting list for up to nine months for the Department of Homeland Security’s most exhaustive security screening, according to government officials familiar with the situation. That means some states might not get the service until weeks before the November midterms and may remain unaware of flaws that could allow homegrown cyber vandals or foreign intelligence agencies to target voter registration databases and election offices’ computer networks, the officials said. Russian hackers targeted election systems in at least 21 states in 2016, according to DHS. The scanning, known as a “risk and vulnerability assessment,” is the crème de la crème of security exams: DHS personnel come in person to do an intensive, multiweek probing of the entire system required to run an election. But department officials acknowledge that it’s of limited use if it doesn’t come soon enough for states to correct their flaws before voters go to the polls. The nine-month wait is “not a good metric” for states hoping to boost their security, admitted Christopher Krebs, one of the DHS officials leading election security efforts. ”We are working to prioritize.”

National: American Elections Remain Unprotected | The Atlantic

Two weeks before the inauguration of President Donald Trump, the U.S. intelligence community released a declassified version of its report on Russia’s interference in the 2016 election. It detailed the activities of  a network of hackers who infiltrated voting systems and stole documents from the Democratic National Committee and Hillary Clinton’s presidential campaign. It also issued a stark warning: “Moscow will apply lessons learned from its Putin-ordered campaign aimed at the U.S. presidential election to future influence efforts worldwide, including against U.S. allies and their election processes.” Since then, current and former officials, including former Pentagon official Michael Vickers and former CIA deputy director Michael Morell have said that the Russians will interfere in U.S. elections again, in potentially new and sophisticated ways.

National: Why the 2018 Midterms Are So Vulnerable to Hackers | The New Yorker

The first primary of the 2018 midterm elections, in Texas, is barely eight weeks away. It’s time to ask: Will the Russian government deploy “active measures” of the kind it used in 2016? Is it possible that a wave of disinformation on Facebook and Twitter could nudge the results of a tight congressional race in, say, Virginia or Nevada? Will hackers infiltrate low-budget campaigns in Pennsylvania and Nebraska, and leak their e-mails to the public? Will the news media and voters take the bait? By most accounts, the answer is likely to be yes—and, for several reasons, the election may prove to be as vulnerable, or more so, than the 2016 race that brought Donald Trump to the White House. Part of the explanation is political: the 2018 midterms are shaping up to be extraordinarily competitive. Consider the spectacle currently unfolding in Virginia. Before the most recent election, on November 7th, Republicans controlled Virginia’s House of Delegates by a comfortable sixteen-seat majority. In a wave of Democratic wins, propelled by the state’s highest turnout in twenty years, the Republican majority nearly evaporated. Final control of the House now rests on the results of the 94th District, which is deadlocked at 11,608 votes apiece. The Virginia Board of Elections planned to draw the name of a winner out of a pitcher, a tactic unused in Virginia in more than four decades, but, on December 26th, the state postponed the plan, because of pending court challenges. If the Republican incumbent David Yancey loses to the Democrat Shelly Simonds, the House will be tied fifty-fifty, and the two parties will share power.

Editorials: Election Security in our Hackable World | John Odum/HuffPost

I wear a lot of hats as the Montpelier, Vermont City Clerk, and in my capacity as election administrator for the state Capital for six years now, it should come as no surprise that a frequent topic of conversation has been the security of our elections systems. In an attempt to respond to concerns expressed by my constituents, I decided to brush off my IT credentials (I have served as a network and database administrator for political parties and non-profits in the past ) to get a first-hand sense of the threats rather than just tacking to the winds of either the doomsayers or the nothing-to-see-here crowds. Now a CEH (Certified Ethical Hacker) and looking at security for the first time from the outside in, I can respond with a smidge more authority on the question “should we be worried?” The answer is yes and no.

National: Bipartisan Senate bill would boost election security aid to states | FCW

A new bipartisan Senate bill seeks to boost the level of federal support to state local officials in order to protect the nation’s election infrastructure from foreign cyber interference. The Secure Elections Act would authorize block grants for states to upgrade their voting machines, direct the Department of Homeland Security to “promptly” share election cybersecurity threat information with state and local governments and empower state and local election officials with the necessary security clearances to review classified threat information. The bill is sponsored by Sens. James Lankford (R-Okla.), Amy Klobuchar (D-Minn.), Kamala Harris (D-Calif.), Susan Collins (R-Maine) and Lindsay Graham (R-S.C.).

National: Jailed Russian says Russia’s FSB ordered him to hack DNC in 2016 | The Kansas City Star

A jailed Russian who says he hacked into the Democratic National Committee computers on the Kremlin’s orders to steal emails released during the 2016 U.S. presidential election campaign now claims he left behind a data signature to prove his assertion. In an interview with Russia’s RAIN television channel made public Wednesday, Konstantin Kozlovsky provided further details about what he said was a hacking operation led by the Russian intelligence agency known by its initials FSB. Among them, Kozlovsky said he worked with the FSB to develop computer viruses that were first tested on large, unsuspecting Russian companies, such as the oil giant Rosneft, later turning them loose on multinational corporations.

National: Bipartisan group of lawmakers backs new election security bill | The Hill

A bipartisan coalition of Senate lawmakers introduced legislation on Thursday meant to strengthen U.S. election cybersecurity following Russian election interference. The bill would authorize block grants for states to upgrade outdated voting technology. It would also create a program for an independent panel of experts to develop cybersecurity guidelines for election systems that states can implement if they choose, and offer states resources to implement the recommendations. In addition, the legislation aims to expedite the process by which state officials receive security clearances necessary to review sensitive threat information and instructs the Department of Homeland Security (DHS) and other federal entities to more quickly share this information with relevant state officials. The “Secure Elections Act” was introduced Thursday morning by Sens. James Lankford (R-Okla.), Susan Collins (R-Maine), Lindsey Graham (R-S.C.), Amy Klobuchar (D-Minn.), Kamala Harris (D-Calif.), and Martin Heinrich (D-N.M.).

New York: Cuomo Introduces Comprehensive Election Reform Proposal | Spectrum News

Gov. Andrew Cuomo, D-NY, is introducing a comprehensive election reform package as part of his 2018 State of the State agenda. The “Democracy Agenda” calls for significant changes regarding transparency for online political advertising as well as measures the governor said will eliminate unnecessary voting barriers. The first proposal would add paid internet and digital advertisements to the state’s definition of political communication, which currently encompasses television, print and radio. The updated definition would require all online advertisers to include disclosures about who is responsible for the communication.

National: Senators ready to introduce bipartisan bill funding election cybersecurity efforts | InsideCyberSecurity

A bipartisan group of senators is set to introduce a bill this week that would increase assistance to states for cybersecurity during U.S. elections, in response to attempted interference by foreign state actors during the 2016 election. The bill is sponsored by Sens. Amy Klobuchar (D-MN), Lindsey Graham (R-SC), James Lankford (R-OK) and Kamala Harris (D-CA). Rep. Mark Meadows (R-NC) will offer a companion bill in the House, though this will not see action before the end of the year. “You can’t get more bipartisan than that,” Klobuchar said, noting the broad ideological diversity of the sponsors. “When you look at the fact that 21 states were hacked into, attempts were made to steal information, voters’ information, we can’t wait, and so that’s why we are working very hard to get it done at the end of the year,” Klobuchar told Inside Cybersecurity.

National: Democrats push for Homeland Security, FBI briefing on Russian attacks on voting systems | The Hill

A group of nearly two-dozen Democratic lawmakers wants the Department of Homeland Security (DHS) and FBI to brief the entire Congress on Russia’s efforts to target state voter systems ahead of the 2016 election. The Democratic lawmakers asked House Speaker Paul Ryan (R-Wis.) to arrange such a briefing in a letter sent Tuesday, labeling Moscow’s efforts to target election-related systems an “attack.” The letter was signed by House Democrats representing 18 of the 21 states identified by Homeland Security earlier this year as Russian targets before the 2016 election.

North Carolina: Elections website was hacked, but it wasn’t as damaging as it could have been | News & Observer

As the fear of election equipment being hacked grows, the State Board of Elections and Ethics Enforcement wants to get ahead of any potential threats by having additional staff members to address cybersecurity. In a presentation to the Joint Legislative Election Oversight Committee on Friday, Kim Strach, executive director of the state board, said election security is something everyone needs to be concerned about. Strach said there are two types of hacks that the state board has to keep an eye out for – internal and external.

South Carolina: South Carolina election agency can withhold cybersecurity documents, attorney general’s office says | Post and Courier

Amid intensified focus on election cybersecurity, South Carolina’s top government lawyers have advised the state’s election agency that it does not need to publicly release documents about how it is protecting voting systems. Citing a “significant increase” in open records requests about cybersecurity, State Election Commission Director Marci Andino requested an opinion from Attorney General Alan Wilson’s office about whether cybersecurity matters fall under an exception to the law that excludes information relating to “security plans and devices.” Assistant Attorney General Matthew Houck responded in an opinion that a court likely would find that the security plans exemption would apply to cybersecurity infrastructure, allowing the agency to withhold documents about the state’s protection systems.

National: Senators to introduce bipartisan bill to prevent foreign cyber interference in elections | CBS

A bipartisan group of senators are introducing a bill early next week to improve and streamline information about cyber threats between state and federal entities, in the wake of Russia’s believed interference during the 2016 election, according to a top aide to one of the senators involved. The bill, spearheaded by Sen. James Lankford, R-Oklahoma, and also sponsored by Sen. Lindsey Graham, R-South Carolina, Sen. Amy Klobuchar, and Sen. Kamala Harris, D-California, is intended to better the communication between the Department of Homeland Security, the intelligence community and state election offices, in efforts to thwart future interference in U.S. elections by foreign actors. The bill, which will include resources for states, is also intended to help states identify and prepare against cyber attacks.

National: Homeland Security, private sector launch election security group | The Hill

The Department of Homeland Security (DHS), the Election Assistance Commission and a bevy of voting equipment industry and nonprofit groups met to launch an election security Sector Coordinating Council (SCC) on Thursday. The meeting further solidifies their decision last year to treat elections as critical infrastructure. The SCC will represent the private sector as Homeland Security deliberates strategies and policies to protect critical infrastructure. “No one entity — whether private or public — can manage the risk to our critical election infrastructure on its own,” said David Wulf, acting deputy assistant secretary for the DHS Office of Infrastructure Protection in a statement announcing the election SCC.

National: ACLU Adds Data Security Concerns To Lawsuit Challenging Kobach Fraud Commission | KMUW

A federal lawsuit filed by the American Civil Liberties Union questions the security of a multistate voter registration database championed by Kansas Secretary of State Kris Kobach. The ACLU this week added concerns about personal privacy and data security to its list of complaints against President Donald Trump’s voter fraud commission. The national organization also claims that the commission violated sunshine laws on public meetings and public documents. Kobach is vice chairman of the commission, which has sought individual-level voter registration records from all 50 states, though some states refused to hand them over. The ACLU lawsuit cites concerns that the data-gathering effort would become a target for hackers, and by way of example points to indications that Kansas’ multistate Crosscheck voter registration system may not be secure.

California: Millions of California voter records exposed in unprotected MongoDB | SC Magazine

California officials are investigating a report that an unprotected MongoDB database has been discovered possibly containing the names of every California voter. Kromtech Security’s Bob Diachenko that earlier this month Kromtech came across an database named cool_db containing 19.2 million voter records gathered in two collections that was fully unprotected and thus open for anyone to view. One batch contained voter registration data for a local district and the other the millions of records. “Kromtech researchers were unable to identify the owner of the database or conduct a detailed analysis due to the fact that the database has been deleted by cyber criminals and there is a ransom note demanding 0.2 bitcoin ($2,325.01 at the time of discovery),” he said. 

National: Senator presses White House to improve election cyber protections | FCW

On the day that a special election in Alabama captured national attention, Sen. Ron Wyden (D-Ore.) sent a letter urging National Security Advisor H.R. McMaster to take additional steps to secure the nation’s election infrastructure and provide support to state and local governments ahead of next year’s mid-term elections. Specifically, Wyden asked McMaster to designate a senior White House election security czar to brief Congress of executive branch election security efforts, direct the National Institute for Standards and Technology and the Department of Homeland Security to grade states on their election infrastructure and designate political campaigns as critical infrastructure. Wyden, who has been one of Congress’ most vocal advocates of increased election security, also is asking that the U.S. Secret Service expand its presidential candidate security detail to include cybersecurity. In the Dec. 12 letter, Wyden noted that 14 states still use direct-recording electronic, or DRE, voting machines that don’t allow for paper-based election audits and rely on outdated operating systems with known vulnerabilities.

California: Hackers demand ransom for California voter database | The Hill

Hackers have deleted a database of potential California voters with more than 19 million entries, demanding around $3,500 to restore it. Researchers at the security firm MacKeeper’s Kromtech research group first noticed the issue, but have not been able to identify the database’s owner to notify them. “We decided to go public to let everyone who was affected know,” said Bob Diachenko, head of communications for Kromtech. Kromtech primarily searches for misconfigured databases on cloud storage accounts that accidentally reveal private information to the public. In early December, they found a misconfigured database on an Amazon cloud account containing what appeared to be information on 19 million Californian citizens, including contact and mailing information as well as voting precinct information. But while the company was investigating the misconfigured files, they noticed the files were suddenly removed and replaced with a ransom note demanding 0.2 bitcoin, or about $3,500. 

National: US Officials, Lawmakers Warn More Cyberattacks Coming | VoA News

The United States is bracing for another wave of cyberattacks focused on disrupting or undermining the 2018 midterm elections, with some officials warning this is just the beginning of a much deeper and broader threat. Intelligence and security officials, as well as policymakers and other experts talking both on the record and on background say what began with a Russian effort to influence the 2016 presidential election has evolved. They expect the next round of Russian efforts to be more sophisticated and more widespread, likely to include a combination of disinformation campaigns on social media along with the potential hacking of vulnerable targets.

National: Russian hacker claims he hacked the DNC during the 2016 election ‘under the orders’ of the FSB | IBT

A Russian hacker has reportedly confessed that Russia’s state intelligence agency ordered him to hack the Democratic National Committee’s servers during the 2016 US presidential election. The hacker, Konstantin Kozlovsky, reportedly testified in court to carrying out the attacks at the request of Russia’s Federal Security Service (FSB), considered to be the successor of the Soviet security agency the KGB. During the election campaign, hackers stole thousands of private DNC emails that were later steadily leaked by WikiLeaks in the months leading up to the November election, drawing heavy scrutiny and media attention. US intelligence agencies concluded earlier this year that Russian President Vladimir Putin ordered a complex influence campaign to help sway the election in Donald Trump’s favour using leaks, cyberattacks, a disinformation campaign and more. Putin has vehemently denied any involvement in the DNC hack or influencing the electoral process of another nation.

Georgia: FBI mum on Georgia’s wiped election server | GCN

Georgia is currently facing a lawsuit in federal court by voters and advocacy groups that claim a June 2017 special election may have been compromised because of insufficient security practices by Georgia officials and the organization that oversaw election infrastructure, Kennesaw State University (KSU). The special election was to fill the seat vacated by Tom Price, who resigned from the House of Representatives to serve as Secretary of Health and Human Services before resigning from that post. The plaintiffs in the lawsuit allege that Georgia’s voter registration data was hosted on the same server as the vote tabulation databases, the software used to program ballots and the passwords for both voting machines and election supervisors. Further, all of this data was connected to a public-facing website that was accessible for at least 10 months to anyone with an internet connection and technical expertise.

Editorials: Ohio must take steps to secure elections | Kathleen Clyde/The Toledo Blade

Computer hacks and cybersecurity threats have been in the news a lot lately. Millions of Americans’ data were breached in the Equifax hack and a huge number of accounts were compromised at Yahoo. Worse than those reports, it was recently confirmed that Ohio was one of the 21 states reported on over the summer whose systems hackers attempted to breach in the lead up to the 2016 election. Foreign interference with our elections and the electronic machinery they run on is one of the biggest cyber threats we face because it’s a matter of national security. Our enemies want to create chaos at best and change outcomes of our elections at worst. It’s a direct attack on our society, the American way of life, and our ability to self-govern.

National: Senate Intel chair doesn’t plan legislative push on election cyber | FCW

Sen. Richard Burr (R-N.C.) hinted that the Senate Intelligence Committee’s report on Russian interference in the 2016 election will be light on legislative proposals for Congress and focus more on recommendations to state and local governments about how best to protect the integrity of their election systems. “The determination of how states run their elections: states. It’s their responsibility, and we don’t want to do anything to change that,” Burr said during a Dec. 6 Council on Foreign Relations event on hacked elections and online influence operations. While Burr did not give a timeline on when — or if — the final report will be released to the public, he said he expects the committee will make the section on election security available to states before the 2018 election primary season kicks off in earnest. However, he downplayed expectations that the end product would contain recommendations for Congress. “These are not necessarily initiatives that involve federal legislation,” Burr said.

Georgia: Is the FBI investigating Georgia’s wiped election server? | FCW

At a Dec. 7 House hearing, FBI Director Christopher Wray declined to answer questions about whether the bureau retained data on a Georgia election server before it was wiped clean by state election officials, then declined to answer whether the FBI was investigating the matter. Rep. Hank Johnson (D-Ga.) raised the specter of an investigation into a server containing voting data from a recent special election to fill the seat vacated by Tom Price, who resigned from the House of Representatives to serve as Secretary of Health and Human Services before resigning from that post. … Joe Kiniry, CEO of Free and Fair, a company that tests election systems for cybersecurity vulnerabilities, praised Johnson’s line of questioning. He said the combination of Georgia’s reliance on paperless voting, outsourcing of election operations to a third-party and “really bad security processes” by KSU created a perfect storm that inevitably led to lawsuits but also opportunity. “I believe that the positive outcome of all of this will be that, eventually, Georgia will replace its election system with machines that have paper ballot records, Kiniry said.

National: States raise security concerns about Crosscheck voter database during call with Kobach’s office | Lawrence Journal World

Officials from Kansas Secretary of State Kris Kobach’s office conducted a conference call Thursday with election officials from several other states to discuss concerns about the Crosscheck program, a multistate database of voter registration information that Kansas manages and that some critics have said is not secure. Bryan Caskey, director of elections in the secretary of state’s office, confirmed Thursday that the conference call took place, but he said the issue of security concerns only came up “at a very high level.” “I would describe it as more of a kickoff conference call that we do at the start of every election year,” Caskey said. The Crosscheck database was originally launched in the early 2000s when Ron Thornburgh served as secretary of state.

Illinois: Cook County says it can fix election hacking, if it just had the money | USA Today

Illinois’ most populous county has a plan to keep hackers out, after the state’s voter registration list was breached during last year’s presidential race. There’s one big sticking point: the money. The director of elections for Illinois’ Cook County and a group including Ambassador Douglas Lute will present a strategy to bolster U.S. election systems’ defenses against foreign intruders on Thursday. That roadmap comes with a request for the federal government to fund their plan, underlining a hurdle for many municipalities as they head into the 2018 midterm and 2020 presidential elections. While last year’s general election made clear the voting system was vulnerable to hackers, and the federal government has instructed the nation’s 9,000 election officials to make their voting rolls safer, many municipalities lack funding to make these changes.