Editorials: Can Washington Protect America’s Electoral Process from the next Cyber Attack? | John Allen and Michael O’Hanlon/The National Interest

When one of us, after a four-decade career in the Marine Corps including nineteen months in command in Afghanistan, had the chance to address the National Association of Counties earlier this year, this was the key message:

We in the military have always been the ones on the front lines in defense of this country and its democracy. Now, it is you as well—those who are manning the voting centers, maintaining the voter registries, tabulating the tallies. As Congress gets fully back to work this fall, the issue of how the federal government can help local and state election authorities secure the United States against an attack needs to be front and center on their agenda—because it has become a national-security issue of very high order. In particular, Congress needs to approve and appropriate funds for an initiative like that proposed by Sen. Amy Klobuchar and Sen. Lindsey Graham, and provide several hundred million dollars to make the country’s voting more secure. Last year, a hostile power reached straight past the most sophisticated military and intelligence services on the planet, across vast seas and over towering mountain ranges, and sought to affect the fundamental outcome of the American 2016 presidential election through a strategic-influence campaign, which included cyber intrusions into the heart of the American voting system. In essence, the Russians, apparently on the direct orders of Vladimir Putin, took direct aim at America’s ability to choose its own government and thus, ultimately, its own way of life—arguably with some success.

Alaska: Glitch Leaves Alaskan Voters Out in the Cold, SEC Reveals Breach | The VAR Guy

Oops!… They did it again. For what seems like the billionth time, U.S. voter records have been exposed, this time targeting Alaska. A cache of voter records containing the personal information of nearly 600,000 voters in Alaska was inadvertently exposed online. The culprit? An unsecured CouchDB database. And just, you know, a giant oversight. The cause of the hack was discovered by researchers at the Kromtech Security Research Center, who determined that the database of about 593,000 voters (that’s every registered voter in the state of Alaska) was accidentally configured for public access. That means it was just out there, floating in the breeze without any sort of password protection or security wall, making it accessible to anyone who knew where to look. No logging in, no verification, nada.

Germany: Germany on guard against election hacks, fake news | phys.org

As the clock ticks down to elections Sunday, Germany’s cyber defense nervously hopes it’ll be third time lucky after Russia was accused of meddling in the US and French votes. But even if Berlin avoids a last-minute bombshell of leaks or online sabotage, it sees Moscow’s hand in fanning fears of Muslim migrants that are driving the rise of the hard-right.
Forecasters say Chancellor Angela Merkel is almost certain to win. But she will also face, for the first time in German post-war history, a right-wing populist and anti-immigration party that will have its own group on the opposition benches. The Alternative for Germany (AfD)—which calls Merkel a “traitor” for her 2015 welcome to refugees—has been promoted especially in internet echo chambers by far-right trolls and ultra-nationalists.

Europe: EU agency to fight election hacking | EU Observer

A more robust EU cyber agency could help member states defend their elections against “hybrid attacks”, the European Commission has said. Speaking at the launch of new cybersecurity proposals in Brussels on Tuesday (19 September), Julian King, the Commission’s security chief, said some hacker attacks had “political objectives”. “They can target our democratic institutions and can be used with other tools, such as propaganda and fake news, in hybrid attacks,” he said. “We need to be as serious about security online as we are offline,” he said. He also hailed Finland’s new “centre of excellence” on hybrid warfare, which is designed to help EU countries fight novel assaults. King did not name Russia, but Russian hackers and media recently attacked the French and US elections.

Germany: Could hackers derail one of the most important elections in Europe? | The Daily Dot

There’s one shadowy figure that will likely linger in the minds of Germans on Sunday as they head to the voting booths to elect the country’s government: the hacker. Chancellor Angela Merkel and her Christian Democratic Union (CDU) party are expected to retain their position in government with a coalition of other parties. It’s the third high-profile election on mainland Europe in 2017, following the Netherlands and France. Both staved off far-right contenders to bring some stability to the European Union, which is contending with Brexit negotiations and relations with U.S. President Donald Trump. After last November’s U.S. presidential election and talk of Russian interference, German officials have repeatedly issued warnings about maintaining the election’s security. As election day approaches, the specter of hacking threats still looms.

National: Paper ballots are back in vogue thanks to Russian hacking fears | USA Today

Once about as newsworthy as water meters, the voting machines and computers used to record and tally the nation’s ballots are suddenly a hot button issue due to mounting evidence Russia tried to interfere in the 2016 U.S. presidential elections. According to the FBI, as many as 39 states had their election systems scanned or targeted by Russia. There’s no evidence of votes changed. But given the stakes, some state agencies that run elections are trying to curb any further interference prior to mid-term elections in November. Their tool of choice: Ensuring systems can’t be hacked, and if they are, making those breaches immediately obvious. To do this, some are taking the unusual move of rewinding the technological dial, debating measures that would add paper ballots — similar to how many Americans voted before electronic voting started to become widespread in the 1980s. 

Germany: The Cyber Threat To Germany’s Elections Is Very Real | The Atlantic

One afternoon in early September, a small group of journalists, policy makers, and visitors in Berlin gathered for a lunch panel discussion, titled “Who’s hacking the election—how do we stop the attackers?” Hans-Georg Maassen, the head of the Federal Office for the Protection of the Constitution (BfV), Germany’s domestic-security agency, was the guest of honor. In his remarks, he warned of the dangers of what’s known as “white propaganda”: information illegally collected and disseminated by hackers with the intent of manipulating public opinion against the German government and disrupting its upcoming parliamentary elections. “We and our partners are of the opinion that the background [of the hack on the Democratic National Committee] in the U.S. was Russian,” he said. Russian military intelligence, his office alleged, was very likely responsible for hacking and leaking top DNC officials’ emails during the 2016 campaign season, exposing sensitive internal-party communications that drove a wedge through the party. Maassen warned that a cyber attack on the German government now, so close to the country’s vote on September 24th, remained a possibility.

National: Senators propose 9/11-style commission on Russian interference | The Hill

A bipartisan pair of senators is moving to create a 9/11-style commission to examine the cyberattacks that took place during the 2016 presidential election campaign. Sens. Kirsten Gillibrand (D-N.Y.) and Lindsey Graham (R-S.C.) announced legislation on Friday to establish the National Commission on Cybersecurity of U.S. Election Systems to study the election-related cyberattacks — which the intelligence community has attributed to Russia — and make recommendations on how to guard against such activity going forward. The commission would be modeled after the 9/11 Commission tasked with investigating the Sept. 11, 2001, terrorist attacks against the United States.

Editorials: So You Want Digital Voting? Hackers Want It Even More | Kathleen Fisher/Big Think

One of the reasons why computer security is so hard is because you have to get absolutely everything right in order to have a secure system. And there’s lots of different kinds of things you can get wrong. Everything from your software was buggy, your passwords were too weak, you published your passwords accidentally, your hardware was insecure, the user made a mistake and fell victim to a phishing attack and gave their credentials to a foreign agent or a bad guy. All of those things have to be done correctly in order to have a secure system. It might seem tempting to think, you know, everybody has a cell phone so you could just use your cell phone to do voting like we do for American Idol or similar TV shows. It works for American Idol because nobody cares all that much who wins or doesn’t win. 

Alaska: Voter Database Exposed Online | HackRead

IT security researchers at Kromtech Security Center discovered an unprotected database exposed online due to misconfiguration of CouchDB containing nearly 600,000 records belonging to Alaskan voters. “The exposed data is a larger voter file called Voterbase compiled by TargetSmart, a leader in national voting databases that contains the contact and voting information of more than 191 million voters and 58 million unregistered, voting age consumers,” said researchers. The database with 593,328 records was available to the public for anyone to download without any security or login credentials. Each record contained names, date of birth, addresses, voting preferences, marital status, income details, children’s age, gun ownership related data and points which might help decide what issue the voter might be appealed to. TargetSmart CEO Tom Bonier blamed a third-party firm for the incident and told ZDNet that “We’ve learned that Equals3, an AI software company based in Minnesota, appears to have failed to secure some of their data and some data they license from TargetSmart and that a database of approximately 593,000 Alaska voters appears to have been inadvertently exposed.”

National: Voting machines can be hacked without evidence, commission is told | Washington Times

The country’s voting machines are susceptible to hacking, which could be done in a way so that it leaves no fingerprints, making it impossible to know whether the outcome was changed, computer experts told President Trump’s voter integrity commission Tuesday. The testimony marked a departure for the commission, which was formed to look into fraud and barriers to voting, but which heard that a potentially greater threat to confidence in American elections is the chance for enemy actors to meddle. “There’s no perfect security; there’s only degrees of insecurity,” said Ronald Rivest, a professor at the Massachusetts Institute of Technology. He said hackers have myriad ways of attacking voting machines. “You don’t want to rest the election of the president on, ‘Maybe the Wi-Fi was turned on when it shouldn’t have been.’” He and two other computer security experts said bar codes on ballots and smartphones in voting locations could give hackers a chance to rewrite results in ways that couldn’t be traceable, short of sampling of ballots or hand recounts — and those work only in cases where there’s a paper trail.

Mississippi: State has halted use of Russian software in election systems, Hosemann says | Jackson Clarion-Ledger

U.S. Rep. Bennie Thompson on Friday urged Secretary of State Delbert Hosemann to remove any Kaspersky Lab software from Mississippi’s elections systems over fears of Russian hacking. But Hosemann said he made that call about a month ago, after he first heard concerns over the company’s possible ties to the Russian government. He said the Kaspersky antivirus software, sold throughout the U.S., was being used in three Mississippi counties, Adams, Franklin and Wilkinson. One has already switched to another brand and two others are in the process, Hosemann said. “On Aug. 18, we notified all our circuit clerks of potential vulnerabilities of Kaspersky software and at that time determined three of them were using it,” Hosemann said. “All have responded. One I know has already changed and two are in the process.”

Estonia: Conservative Party challenges electoral committee’s decision to allow e-voting | ERR

The Conservative People’s Party of Estonia (EKRE) has submitted an appeal to Estonia’s National Electoral Committee challenging the committee’s decision to allow e-voting in the local elections this October despite a detected security risk that could affect 750,000 ID cards.
According to EKRE parliamentary group chairman Martin Helme, the party finds that the Sept. 6 decision of the National Electoral Committee to still allow e-voting in the upcoming elections opens them up to vote manipulation and the influencing of election results, party spokespeople said. The party is seeking to have e-voting called off and the elections to be held with paper ballots exclusively.

National: Top state officials join bipartisan fight against election hacking | Politico

Two months after the campaign managers for Hillary Clinton and Mitt Romney helped launch an effort to assist campaigns in preventing future cyberattacks, four secretaries of state have signed on to work on their project. Republicans Mac Warner of West Virginia and Tom Schedler of Louisiana, and Democrats Denise Merrill of Connecticut and Nellie Gorbea of Rhode Island, are now participating in the effort to create a non-partisan playbook for campaigns. The project is in part fueled by the presidential campaign experiences of Robby Mook and Matt Rhoades, both of whom managed campaigns that fell victim to hacking by foreign entities. Mook and Rhoades have been in touch with a number of campaigns this year but won’t identify them because of the sensitivity of the issue.

Maryland: Legislators Consider Improving Election Security after Hearing with State Voting Board | Southern Maryland News

Maryland legislators learned last week the state’s electronic balloting system may need better security measures to protect voters’ information and that the lawmakers must be the ones to add those protections. The state’s electoral board told lawmakers Sept. 6 that they are powerless to make those changes, and that any security changes must directly come from the legislative body. Last year, the state’s Board of Elections voted 4-1 to certify a new system for online ballots, even though experts in cybersecurity and computer science publicly objected. While nearly all states have a system in place for signature verification, the General Assembly did not vote last year on the topic so there was no verification system in place, leaving Maryland as the only state in the nation without one, according to a report last year by Capital News Service.

West Virginia: Secretary of State Warner calls for election cyber vigilance | Martinsburg Journal

West Virginia Secretary of State Mac Warner says officials need to take a proactive role to ensure the integrity of our political elections. Speaking before the Berkeley County Council on Thursday, Warner said relentless media coverage reporting Russian hacking of recent American elections may have eroded citizen confidence, and consequently affect voter turnout. “If you keep one person away from registering to vote because they don’t want their information captured somewhere, or if they keep one person from voting, because they think somehow my vote isn’t going to matter, then they’ve eroded that confidence and they’re attacking the very fundamental foundations of our democracy — which is our electoral process,” Warner said.

National: After 2016 Election Hacks, Some States Return to Paper Ballots | Governing

Citing security concerns, the Virginia Board of Elections announced last Friday that it will stop using electronic voting machines in the state. The board’s action is the latest sign that state and local election agencies are trying to address growing concerns that the nation’s election infrastructure is vulnerable to hacking. During the 2016 presidential election, Russia targeted voting systems in 21 states, according to U.S. officials. Though U.S. security officials say the cyberbreach did not impact vote-counting, they have warned of future, and more intrusive, attacks. Some states — including Virginia and Georgia, which recently announced a pilot program to use paper ballots — hope eliminating the use of electronic ballots will reduce the threat of cyberattacks.

Norway: Votes to be counted manually in fear of election hacking | The Independent Barents Observer

People go to the polls for Parliament elections on Monday, but results are likely not ready before Tuesday. Computer counting alone is not enough. The Norwegian National Security Authority (NSM) and the Police Security Service (PST) have together with the Directorate of Elections made risk and vulnerability assessments. The government says there are no indications that anyone has attempted to affect the conduct of the elections in any way. However, the government says in a statement, «there are increasing activity and attention, both domestically and internationally, around some of the technical solutions in place. This is in and of itself a source of elevated risk.»

National: Stronger election security with less technology | GCN

With the wide variety of voting systems technology and uneven security requirements in local jurisdictions across the country, the best defense against election hacking may involve less technology, experts said. “I don’t have a lot of confidence” in the security of election equipment, said Alex Halderman, who is director of the University of Michigan’s Center for Computer Security and Society and researches voting machine security. “The machines have vulnerabilities that could allow someone to hack in and alter the software that’s running on them,” he said at a Sept. 8 Brookings Institution discussion. “You don’t even need physical access to the machines.”

National: Data breaches like Equifax could make it cheap, easy to alter voter registrations | Philadelphia Inquirer

How convenient for voters: Pennsylvania and New Jersey allow them to change registration information online, including address and party affiliation. How convenient for wannabe attackers, too: With more personal information available online, it could be cheap and easy to falsely submit thousands of changes online to voter registrations, making some legitimate voters ineligible to cast ballots. A new study found that it would have cost as little as $1,934 last year to falsely submit online changes to 10 percent of registrations in Pennsylvania, a political battleground state that was pivotal to the 2016 presidential election. A similar attack on 10 percent of New Jersey voters’ registrations would have cost just $1,069, the researchers found. “It’s clear that impostors can definitely launch these attacks, and it’s not particularly expensive to launch these attacks against these websites,” said Latanya Sweeney, a government professor at Harvard University and one of the study’s authors.

Germany: Elections vulnerable to hacking: ‘cyber-warfare’ say security pros | SC Magazine

On Thursday last week hackers from the Germany-based Chaos Computer Club warned that software being used to tabulate and transmit vote totals in Germany’s upcoming parliamentary elections contains major vulnerabilities that could threaten the integrity of the outcome and undermine voter confidence. In an organisational blog post and technical report it said that the software, PC-Wahl version 10, is susceptible to various external attacks, including those that could secretly modify vote totals before they are reported to electoral officials. To further back up its assertions, the group also published proof-of-concept attack tools on GitHub, including source code. In its release, the CCC said its findings amount to a “total loss” for PC-Wahl, as the software allegedly does not even adhere to basic principles of IT security. SC Media contacted PC-Wahl’s via email for a response, and also reached out to the offices of Dieter Sarreither, Germany’s Federal Returning Officer, who is responsible for overseeing federal elections (known in local terms as Bundestagswahl), including September 24’s parliamentary elections.

Virginia: State moves to eliminate voting machines considered top hacking target | Politico

Virginia’s election office on Friday urged the state’s election supervisors to prohibit touch-screen voting machines before November’s elections, saying the devices posed unacceptable digital risks. If approved, the move would represent one of the most dramatic actions taken to help secure elections since a 2016 presidential race rife with concerns about digital meddling and vote tampering. Election security experts have long warned that such machines are a top target for hackers. The decision would force Virginia counties to swiftly replace any touch-screen devices with machines that produce a paper trail, ensuring the state could audit its closely watched gubernatorial race this November between Democrat Ralph Northam and Republican Ed Gillespie. The state election board will vote Friday afternoon on the recommendation.

National: Is low-tech the answer to election security? | FCW

Some experts say that given uneven IT security requirements for voting systems, the best protection against election hacking may be less technology. “Based on my experience, I don’t have a lot of confidence” in the security of election equipment, said Alex Halderman, director of the University of Michigan’s Center for Computer Security and Society, at a Sept. 8 Brookings Institution discussion. “Our election systems are known to be vulnerable,” he said, adding that even if they were not manipulated by a foreign government in 2016, “I think it’s a matter of time… [attacks] will only be more sophisticated going forward.” Halderman’s research includes information security testing on the exact machines used by states during federal elections.

Germany: Software to capture votes in upcoming national election is insecure | CCC

The Chaos Computer Club is publishing an analysis of software used for tabulating the German parliamentary elections (Bundestagswahl). The analysis shows a host of problems and security holes, to an extent where public trust in the correct tabulation of votes is at stake. Proof-of-concept attack tools against this software are published with source code. Hackers of the Chaos Computer Club (CCC) have studied a software package used in many German states to capture, aggregate and tabulate the votes during elections, to see if this software was secure against external attack. The analysis showed a number of security problems and multiple practicable attack scenarios. Some of these scenarios allow for the changing of vote totals across electoral district and state boundaries. „PC-Wahl“, the software in question, has been used to record, analyse and present election data in national, state and municipal elections for multiple decades. The result of this analysis is somewhat of a „total loss“ for the software product. The CCC is publishing its findings in a report of more than twenty pages. The technical details and the software used to exploit the weaknesses are published in a repository

National: Cash-strapped states brace for Russian hacking fight | Politico

The U.S. needs hundreds of millions of dollars to protect future elections from hackers — but neither the states nor Congress is rushing to fill the gap. Instead, a nation still squabbling over the role Russian cyberattacks played in the 2016 presidential campaign is fractured about how to pay for the steps needed to prevent repeats in 2018 and 2020, according to interviews with dozens of state election officials, federal lawmakers, current and former Department of Homeland Security staffers and leading election security experts. These people agree that digital meddlers threaten the public’s confidence in America’s democratic process. And nearly everyone believes that the danger calls for collective action — from replacing the voting equipment at tens of thousands of polling places to strengthening state voter databases, training election workers and systematically conducting post-election audits. But those steps would require major spending, and only a handful of states’ legislatures are boosting their election security budgets, according to a POLITICO survey of state election agencies. And leaders in Congress are showing no eagerness to help them out.

National: Study points to potential vulnerability in online voter registration systems | Harvard Gazette

For as little as a few thousand dollars, online attackers can purchase enough personal information to perhaps alter voter registration information in as many as 35 states and the District of Columbia, according to a new Harvard study. Dubbed “voter identity theft” by study authors Latanya Sweeney, professor of government and technology in residence, research analyst Ji Su Yoo, and graduate student Jinyan Zang, the vulnerability could be exploited by internet attackers attempting to disenfranchise many voters where registration information can be changed online. Armed with personal information obtained through legitimate or illegitimate sources, hackers could learn enough to impersonate voters and change key information using the online registration systems. One tactic, researchers said, would be to simply change voters’ addresses, making it appear — to poll workers at least — as though they were voting at the wrong locations. Those voters might be forced to cast provisional ballots, which in many circumstances are not counted. The study is described in a Sept. 6 paper published in the Journal of Technology Science.

Editorials: Congress Can Help Prevent Election Hacking | Michael Chertoff/Wall Street Journal

American voters received yet another rude awakening last month. Chicago’s Board of Elections reported that names, addresses, birth dates and other sensitive information about the city’s 1.8 million registered voters had been exposed on an Amazon cloud server for an unknown period. Worse, it appears hackers might have gained access to employees’ personal accounts at Election Systems & Software, a major election technology vendor—info that could be used to hack a future U.S. election. Earlier, the Department of Homeland Security reported that foreign agents targeted voting systems in 21 states in the 2016 election, and Bloomberg News reported that hackers had successfully compromised various election-technology companies.

Estonia: Red faces in Estonia over ID card security flaw | Financial Times

Estonia suffered an embarrassing blow to its much-vaunted ID cards that underpin everything from electronic voting to online banking, just days before hosting a big EU exercise on cyber warfare. International scientists have informed Estonian officials that they have found a security risk that affects almost 750,000 ID cards and that would enable a hacker to steal a person’s identity. The Baltic country of just 1.3m people stressed there was no evidence of a hack of what it has proclaimed to be the world’s most advanced IT card system. The cards are used to access a wide range of digital services from signing documents to submitting tax returns and checking medical records, as well as by foreigners who are e-residents in the country. 

Germany: White-Hat Hackers Expose Security Gaps in German Voting Software | Bloomberg

Hackers could tamper with Germany’s election results because the country is relying on poorly protected software, according to German tech watchdog Chaos Computer Club. While Germans hand in paper ballots that are hand-counted, the results are collected and disseminated electronically, including with a software called PC-Wahl that can be manipulated, CCC said in a report released Thursday. CCC found passwords online and easily figured out others — one was “test.” The group said the software isn’t secure because it uses an older encryption method with a single secret key, rather than newer and more-secure “asymmetrical” combinations. Hackers could “influence the transmitted voting result data on a nationwide level,” CCC wrote in the report. It urged the German government to modernize its software to protect the Sept. 24 election.

Voting Blogs: New Senate Amendment Would Provide Resources To States For Election Cybersecurity | Election Academy

Senators Amy Klobuchar (DFL-MN) and Lindsey Graham (R-SC) have proposed an amendment (SA656) to the defense authorization bill that would provide states with federal dollars to upgrade their election cybersecurity. The bill, which borrows in large part from Klobuchar’s HACK Act introduced earlier this year, would require the federal government to establish best practices for cybersecurity and set up “election technology improvement grants” to help states fund improvements to meet those best practices based on a state plan laying out those proposed improvements. … You’d think that an amendment like SA656 – which both addresses the issue of cybersecurity AND makes (scarce) money available to states – would be an easy win, but there is apparently resistance because of concerns of federal intrusion into state and local control over election administration.