National: House Urging States to Secure Voting Infrastructures Before 2018 Elections | MeriTalk

With the midterm elections of 2018 fewer than 12 months away, Congress is showing heightened concern over the potential for disastrous cyber attacks on the nation’s electronic voting systems. “Like anything else in the digital age, electronic voting is vulnerable to hacking,” said Will Hurd, R-Texas, chairman of the House Subcommittee on Information Technology. “Our voting machines are no exception.” Hurd, in opening remarks at a Nov. 29 joint hearing with the House Subcommittee on Intergovernmental Affairs on the cybersecurity of voting machines, said subcommittee members wanted to explore what impact the Department of Homeland Security designation last January of U.S. election systems as “critical infrastructure” has had on states. “It is essential that states take appropriate steps to secure their voting infrastructure,” he said.

National: Experts: States need help to protect voting machines from Russians | USA Today

Congress needs to boost funding to states to help them buy secure voting machines to prevent Russia and other hostile nations from hacking U.S. elections, election experts told a House panel Wednesday. “This is a critical need, and must be addressed immediately (to have an impact on the 2018 election),” said Edgardo Cortés, commissioner of the Virginia Department of Elections, which held statewide elections earlier this month. Experts also recommended that states stop using touchscreen voting machines and replace them with paper-based systems such as optical scanners that tabulate paper ballots and provide tangible evidence of election results. “In many electronic voting systems in use today, a successful attack that exploits a software flaw might leave behind little or no forensic evidence,” warned Matthew Blaze, an associate professor of computer and information science at the University of Pennsylvania. “This can make it effectively impossible to determine the true outcome of an election or even that a compromise has occurred.”

National: Are states prepared to protect the next election from hackers? | GCN

A Nov. 29 House hearing on the cybersecurity of voting infrastructure highlighted warnings about some machines used to cast votes and the software used to tally them, but officials were positive about the progress being made and the low likelihood that an attack could actually switch any votes. Several experts who testified at the hearing, held by the House Oversight Committee’s subcommittees on information technology and intergovernmental affairs, recommended that states should begin switching — if they haven’t already — away from direct-recording electronic voting machines. Matt Blaze, a computer science professor at University of Pennsylvania, said the complexity of DRE machines makes them very hard to secure. The vote tallies stored in internal memory, ballot definition parameters displayed to voters and electronic log files used for post-election audit are all subject to alteration.

National: The time to hack-proof the 2018 election is expiring — and Congress is way behind | Politico

Lawmakers are scrambling to push something — anything — through Congress that would help secure the nation’s voting systems ahead of the 2018 elections. But it might already be too late for some critical targets. By this point during the 2016 election cycle, Russian hackers had already been in the Democratic National Committee’s networks for at least three months. Members of both parties insist they can get something done before Election Day 2018, but concede that the window is rapidly closing. Voters in Texas and Illinois will take to the polls in the country’s first primaries in just over three months — a narrow timeline for implementing software patches, let alone finding the funds to overhaul creaky IT systems, swap out aging voting machines or implement state-of-the-art digital audits. “Not a lot of time, no question,” Senate Intelligence Chairman Richard Burr (R-N.C.), who is leading an investigation of Russia’s election-year meddling, told POLITICO.

New York: In Internet age, elections officials try to keep pace with security threats | Times Union

The advent of new voting technology has brought election-security threats that state officials are seeking to shore up with additional resources. At an Assembly hearing in Manahttan Tuesday, state Board of Elections officials said they would be seeking $27 million for the upcoming fiscal year — nearly $15.5 million more than the current year — to help enhance security as well as update the state voter registration and campaign finance systems. Election officials said at a similar hearing last year that the state’s three-tiered election systems are unlikely to be hacked, but they remain wary of threats. “We know we’re defending, but we don’t know what we’re defending against or what exact part they’re going to go (after),” state BOE Co-Executive Director Todd Valentine said.

National: Senate GOP campaign arm stole donor data from House Republicans | Politico

Staffers for Senate Republicans’ campaign arm seized information on more than 200,000 donors from the House GOP campaign committee over several months this year by breaking into its computer system, three sources with knowledge of the breach told POLITICO. The unauthorized raid on the National Republican Congressional Committee’s data created a behind-the-scenes rift with the National Republican Senatorial Committee, according to the sources, who described NRCC officials as furious. It comes at a time when House Republicans are focused on preparing to defend their 24-seat majority in the 2018 midterm elections. And it has spotlighted Senate Republicans’ deep fundraising struggles this year, with the NRSC spending more than it raised for four months in a row. Multiple NRSC staffers, who previously worked for the NRCC, used old database login information to gain access to House Republicans’ donor lists this year.

National: DHS official says ‘trust’ with states prevents sharing cyber threats to election with Congress | InsideCyberSecurity

The Department of Homeland Security’s Christopher Krebs told House lawmakers that a “trust” relationship with state officials has prevented the department from sharing specific details about cyber threats to the 2016 presidential election with Congress. Krebs said “we don’t have statutory authority to compel” states to report cyber incidents to the federal government, while expressing concern that the level of trust needed to get states to share with DHS could be undermined by passing along that information to lawmakers. Krebs, who is the senior official performing the duties of the DHS under secretary for the National Protection and Programs Directorate, testified Wednesday at a joint hearing by the House Oversight and Government Reform information technology and intergovernmental affairs subcommittees on the “cybersecurity of voting machines.”

Editorials: Electronic voting infrastructure must become more resilient against attacks | Mark Peters/The Hill

Cybersecurity for elections has been in the news a lot lately. There have been proposals for new cybersecurity efforts for election systems. There have been demonstrations of hacking voting machines. However, we’ve been missing a crucial point: election equipment cannot be made completely secure. Given that well-defended systems in other fields still suffer cybersecurity breaches, we should assume that well-secured election infrastructure will sometimes be compromised by hackers. Therefore, it is imperative that we enhance the resiliency of our election systems and processes so that they provide accurate election results even if the equipment used for registration, voting, results reporting, or other parts of the election process have been successfully hacked.

Editorials: You can’t hack paper ballots | Paul Campbell/Buffalo Reflex

Recently in this column I wrote about the problems with a cashless society, and today I am talking about the hazards of a paperless voting system. I’m sure this looks to some like I am anti-technology, but I’m not. All technologies — from television sets to the Internet — have their downsides, and these should be explored as objectively as possible. Everyone should read an excellent article on this subject in the December issue of The Atlantic magazine. The story, by Jill Leovy, is about Barbara Simons, 76, who has been an ardent fan of paper ballots for the past two decades. Just about everybody, including the League of Women Voters and the ACLU, passed her off as a crackpot for years. In the aftermath of the alleged Russian interference with the 2016 presidential election, however, the guardians of our voting system are taking a second look at Simons’ ideas. It should be noted that Simons, now retired, was a computer engineer for decades.

New York: Lawmakers: Election Hacking Will Be Long-Term Challenge | Associated Press

Officials say New York managed to dodge Russian hacking attempts last year — and they’re aiming to keep it that way. Lawmakers at a hearing on election security Tuesday said the state must take steps to protect the democratic process because the risk of hacking is here to stay. Possibilities include statewide cybersecurity guidelines for county election boards and more aggressive auditing of ballots after an election to look for discrepancies. “We know now the cyberattacks were part of a comprehensive effort by Putin’s Russia,” said Assemblyman Charles Lavine, a Democrat from Long Island and the chairman of the Committee on Election Law. “These attacks were not aberrations. Only the most naive and/or the most corrupt would believe they will not continue into the future.”

National: Russian hacking: FBI failed to tell US officials their email was targeted | The Guardian

The FBI failed to notify scores of US officials that Russian hackers were trying to break into their personal Gmail accounts despite having evidence for at least a year, an investigation found. The Associated Press dedicated two months and a small team of reporters to go through a hit list of targets of Fancy Bear, a Russian government-aligned cyberespionage group, that was provided by the cybersecurity firm Secureworks. Previous investigations based on the list had shown how Fancy Bear worked in close alignment with the Kremlin’s interests to steal tens of thousands of emails from the Democratic party. The hacking campaign disrupted the 2016 US election and cast a shadow over the presidency of Donald Trump, whom US intelligence agencies say the hackers were trying to help. The Russian government has denied interfering in the American election. The special counsel Robert Mueller is leading an investigation into alleged collusion between Trump aides and Russia. Indictments have been made.

National: FBI gave heads-up to fraction of Russian hackers’ US targets |Associated Press

The FBI failed to notify scores of U.S. officials that Russian hackers were trying to break into their personal Gmail accounts despite having evidence for at least a year that the targets were in the Kremlin’s crosshairs, The Associated Press has found. Nearly 80 interviews with Americans targeted by Fancy Bear, a Russian government-aligned cyberespionage group, turned up only two cases in which the FBI had provided a heads-up. Even senior policymakers discovered they were targets only when the AP told them, a situation some described as bizarre and dispiriting. “It’s utterly confounding,” said Philip Reiner, a former senior director at the National Security Council, who was notified by the AP that he was targeted in 2015. “You’ve got to tell your people. You’ve got to protect your people.”

National: What are voting machine companies doing about cyber? | FCW

In October 2017, Sen. Ron Wyden (D-Ore.) sent letters to five of the top voting machine companies in America asking how their organizations were structured and what steps they have taken to ensure their machines are protected from cyber threats. “As our election systems have come under unprecedented scrutiny, public faith in the security of our electoral process at every level is more important than ever before,” Wyden said. “Ensuring that Americans can trust that election systems and infrastructure are secure is necessary to protecting confidence in our electoral process and democratic government.” The questions touched on a wide range of topics related to cybersecurity, such as whether the companies had experienced a recent data breach, whether they employ a chief information security officer and how frequently their products have been audited by third-party evaluators.

National: Democrats call for states to get $400M election security upgrades | The Hill

Two House Democrats are pressing their colleagues to allot $400 million for states to upgrade outdated voting equipment and secure their election systems. Democratic Reps. Bennie Thompson (Miss.) and Robert Brady (Pa.) made the appeal in a letter to leaders of the House Appropriations Committee released on Monday. “We know that Russia launched an unprecedented assault on our elections in 2016, targeting 21 states’ voting systems, and we believe this money is necessary to protect our elections from future attack,” wrote the lawmakers.  “When a sovereign nation attempts to meddle in our elections, it is an attack on our country,” they wrote. “We cannot leave states to defend against the sophisticated cyber tactics of state actors like Russia on their own.”

National: Bipartisan Harvard project issues election hacking recommendations | The Hill

A panel led by former Hillary Clinton and Mitt Romney campaign officials has released a slate of recommendations for future election operations to guard themselves against cyberattacks. The final report from Harvard’s Defending Digital Democracy project comes roughly a year after the 2016 November presidential election, ahead of which the Democratic National Committee and Clinton campaign chairman John Podesta were successfully targeted by cyberattacks. The U.S. intelligence community has tied the hacks to a broader campaign by Russia to interfere in the election. Robby Mook and Matt Rhoades, former campaign managers to Clinton and Romney, respectively, positioned the project as an effort to help future campaign operations be more secure against cyber threats, regardless of their party affiliation. 

Editorials: Texas needs to be prepared for more election hack attempts | San Antonio Express-News

The reasons remain unclear, but Russian-linked hackers targeted two Texas agencies during the 2016 presidential election. The hackers never accessed networks for the Department of Public Safety and the Texas Library and State Archives Commission, but the search for vulnerabilities by a foreign government is deeply disturbing. The Department of Homeland Security has included Texas in a group of 21 states that Russian hackers targeted during the run-up to the election. Just why DPS or the state’s library archive would be election targets is unclear. Although a Homeland Security official told Express-News reporter Allie Morris that in general terms, the hackers may have been looking for network vulnerabilities that could later be exploited in election systems. In other words, this might have been something akin to a practice run.

National: Bipartisan Harvard Panel Recommends Hacking Safeguards for Elections | Associated Press

A bipartisan Harvard University project aimed at protecting elections from hacking and propaganda will release its first set of recommendations today on how U.S. elections can be defended from hacking attacks. The 27-page guidebook shown to Reuters ahead of publication calls for campaign leaders to emphasize security from the start and insist on practices such as two-factor authentication for access to email and documents and fully encrypted messaging via services including Signal and Wickr. The guidelines are intended to reduce risks in low-budget local races as well as the high-stakes Congressional midterm contests next year. Though most of the suggestions cost little or nothing to implement and will strike security professionals as common sense, notorious attacks including the leak of the emails of Hillary Clinton’s campaign chair, John Podesta, have succeeded because basic security practices were not followed.

Florida: State may counter “growing threat” to election security | Associated Press

Saying there is a “growing threat” to Florida’s election systems, the state may spend nearly $2.4 million in the coming year on cybersecurity efforts designed to protect election-related software and systems from outside hackers. Gov. Rick Scott included the request, which initially came from state election officials, in budget recommendations he gave to the Florida Legislature last week. Scott asked for the money even though state officials have provided limited details behind efforts to infiltrate Florida’s election systems ahead of the 2016 elections. The Florida Legislature has also not held any hearings on what happened.

Wisconsin: Elections head says reduced staff poses risks | Associated Press

The head of Wisconsin elections wants the Legislature to approve hiring three additional staff, with two focused on bolstering security following news that the state’s voting systems were targeted by Russian hackers. A 28 percent reduction in staff since 2015 weakened the ability of elections workers to address voter safety and eroded fulfilling all other state and federal law requirements, Wisconsin Elections Commission Administrator Michael Haas said in a memo released Friday. “The agency for an extended period of time has been operating with less than optimal staffing,” Haas said in an interview. “We are falling behind with just our regular day-to-day responsibilities so we can be prepared for the 2018 election.”

Canada: Head of NATO tells Canada to gear itself up for Russian cyber threats in 2019 federal election | CBC News

Canada and other NATO countries must do more to counter Russia’s growing and ever-evolving cyber threats, says the head of the North Atlantic Treaty Organization. ​”This is a constantly evolving threat, and we have to constantly adapt,” NATO’s Jens Stoltenberg told CBC Radio’s The House at the Halifax International Security Forum. Stoltenberg says the digital threats come in many forms, and can target anybody. “In some ways, every country is a neighbour of Russia because [a] cyber [threat] recognizes no borders, so you might also say that Canada is a neighbour of Russia,” Estonia’s Defence Minister Jüri Luik told The House in Halifax. That digital proximity, Luik argued, means Canada should not be surprised if Russia attempts to interfere in the 2019 federal election.

National: A Year After Trump’s Victory, Our Elections Aren’t Much More Secure | Buzzfeed

The halfway point between the election of President Donald Trump and the 2018 midterms has come and gone, and it still isn’t fully clear what Russian hackers did to America’s state and county voter registration systems. Or what has been done to make sure a future hacking effort won’t succeed. US officials, obsessed for now with evidence that Russia’s intelligence services exploited social media to sway US voters, have taken solace in the idea that the integrity of the country’s voting is protected by the system’s acknowledged clunkiness. With its decentralized assortment of different machines, procedures, and contractors, who could possibly hack into all those many systems to change vote totals? … Most states’ elections officials still don’t have the security clearances necessary to have a thorough discussion with federal officials about what’s known about Russian, or others’, efforts to hack into their systems.

Malaysia: Election Commission website not secure, tech blogger warns voters | The Malaysian Insight

The Election Commission (EC) website where voters can check their voting constituency and polling station by entering their MyKad number is not secure, tech blogger Keith Rozario said. The creator of sayakenahack.com, aimed at helping victims of a massive data breach to find out if they were affected, said in a blog post that the EC site was marked as “insecure by Google Chrome because it doesn’t even have TLS”. TLS or Transport Layer Security is meant to ensure privacy and data integrity between two communicating computer applications. In the case of a voter checking their status on the EC website, TLS would ensure that data travelling between the voter’s browser and the EC on a WiFi or data connection used would be encrypted. Without TLS, he said that someone searching for their voting information on the EC website could have their data “transferred in clear across the internet for anyone in the middle to see”.

Georgia: Kennesaw State Embroiled in Controversy over Security of Election Data | Higher Education

Judging strictly by how the Center for Election Systems at Kennesaw State University is described on its official website, everything is peachy when it comes to the fact that the center is charged by the Secretary of State with ensuring the integrity voting systems throughout Georgia. “The Center maintains an arms-length working relationship with the Secretary of State and the vendor, ensuring both independence and objectivity in its work,” the center states on its website. But if you ask Marilyn R. Marks, executive director of the Coalition for Good Governance, a university has no business playing such a critical role in the oversight of a state’s election infrastructure. It’s an argument that Marks says is underscored by the fact that voter data in Georgia was exposed on the Internet for a significant period of time leading up to key elections in Georgia — a fact uncovered by a cybersecurity expert named Logan Lamb, who reported it to the center. KSU only took action when a second cybersecurity expert — Chris Grayson — found the same security gaps and reported them to Andrew Green, a colleague and KSU faculty member who lectures on information security and assurance, according to lawsuit filed by Marks’ coalition.

National: State election boards’ hands are sometimes tied when it comes to voting machine security. | Slate

Voting in the United States is highly decentralized—and in many ways that’s a good thing when it comes to security. Having different regions operate their own elections and count their own votes makes it harder for someone to forge, compromise, or change a large number of votes all at once. But that decentralization also means that individual states, counties, or districts are also often free to make bad decisions about what kind of voting technology to use—and it’s surprisingly hard to stop them. Earlier this week, North Carolina’s state elections board made a last-ditch attempt to convince a judge to prohibit counties in the state from using voting software manufactured by VR Systems on the grounds that the board hadn’t officially certified the software since 2009. On Monday—the day before Election Day—that attempt failed when Superior Court Judge Paul Ridgeway declined to intervene.

National: Election officials race to combat cyberattacks | The Hill

A year before the midterm elections, state election administrators are racing to plug vulnerabilities and update software ahead of an expected wave of cyberattacks from foreign actors. In interviews, state officials and elections experts said they are working to bolster internal security at both the state and local levels. At the same time, many said they hope Congress will act to update federal election law, in part to provide them with the resources they need to secure the democratic process. “No matter what steps we take today, cybersecurity and the cyber risk evolves and changes daily, and we just have to be vigilant and diligent going forward,” said Vermont Secretary of State Jim Condos (D). “Anybody that thinks, ‘today I’ve got it covered,’ and washes their hands of it is fooling themselves.”

National: Where hackers haven’t directly influenced polls, they’ve undermined our faith in democracy | The Register

What a difference a year makes. This time last year, Twitter pooh-poohed any suggestion that Russian agents ran accounts on its platform for purposes of subverting the US election. A month ago, it was forced to eat its words, owning up to maybe just a few paltry 201. Last week, in the course of a Congressional grilling, that estimate ticked upward a magnitude to more than 2,700. Facebook, too, upped the ante, admitting that Russian-backed content may have reached not 10 million users, as previously claimed, but 126 million. Some of this, as analysis of the @TEN_GOP Twitter account suggests, was influential. But did it influence the election? That is the $64,000 question. Or, given how much Donald Trump appears to be profiting from his election as US president, perhaps the $64m question. Not to be outdone, the UK may, finally, be asking some of the same questions. A petition politely asking the UK government to “investigate covert foreign interference in the EU referendum” was cancelled earlier this year when the general election was called. Now it is back and has hit 10,000 signatures, an official (written) response is required. 100,000 signatures means the petition will be considered for debate in Parliament.

Virginia: DHS pick worried about voting machine security during Virginia election | The Hill

President Trump’s choice to lead the Department of Homeland Security (DHS) said Wednesday that she pressed her polling place on voting machine security when she voted in Virginia this week. Kirstjen Nielsen, the nominee for Homeland Security secretary, made the comments during her confirmation hearing Wednesday morning when asked about the department’s role in protecting election infrastructure from cyberattacks. “When I went to vote this week in the Virginia election, I was quite concerned with the scanning machine and started asking a variety of questions on what the security was on the scanning machine for the ballot. I think we all have to be very aware and work with the state and locals,” Nielsen said. 

National: DHS has eye on cybersecurity issues Tuesday | CNN

As voters head to the polls on Tuesday, state and local officials are working with the federal government to monitor any potential cybersecurity issues on the first major Election Day since the 2016 election. While experts do not believe any interference with actual voting occurred last year, Russian efforts to meddle in the election — in part through hacking emails and some probing of election-related systems at the state level — have fueled a national conversation about the cybersecurity of elections. The Department of Homeland Security has taken the lead for the federal government in helping shore up election systems, which are managed at the state and local level. “We are working closely with officials in Virginia and New Jersey and other states and will have cybersecurity advisers embedded with state officials and with direct lines to DHS’ National Cybersecurity Communications Integration Center throughout the day today,” spokesman Scott McConnell told CNN in an email. “We continue to offer state and local governments our cybersecurity services, including cyber hygiene scans of Internet-facing systems and onsite risk and vulnerability assessments.”