National: Can US Elections Be Hacked? Security Experts Call For More Protections Against Election Hacking | International Business Times

More than one hundred security researchers and experts signed on to a letter sent to member of the United States Congress to warn of their belief that not enough has been done to protect against potential threats to state and federal elections. The letter, published Wednesday as a Senate Intelligence Committee hearing on Russian interference during the 2016 U.S. presidential election, argues many states are unprepared to respond to cybersecurity risks that may arise during upcoming election.The signatories laid out three primary suggestions for securing the electoral process and prevent against any potential tampering that may occur. First, the experts called on election officials to establish voter-verified paper ballots as the “official record of voter intent.” Doing so would require phasing out paperless voting machines that offer no way to verify if a vote tallied by the system corresponds to the vote intended to be cast by the voter.

National: Election Hackers Altered Voter Rolls, Stole Private Data, Officials Say | Time

The hacking of state and local election databases in 2016 was more extensive than previously reported, including at least one successful attempt to alter voter information, and the theft of thousands of voter records that contain private information like partial Social Security numbers, current and former officials tell TIME. In one case, investigators found there had been a manipulation of voter data in a county database but the alterations were discovered and rectified, two sources familiar with the matter tell TIME. Investigators have not identified whether the hackers in that case were Russian agents. The fact that private data was stolen from states is separately providing investigators a previously unreported line of inquiry in the probes into Russian attempts to influence the election. In Illinois, more than 90% of the nearly 90,000 records stolen by Russian state actors contained drivers license numbers, and a quarter contained the last four digits of voters’ Social Security numbers, according to Ken Menzel, the General Counsel of the State Board of Elections.

National: Keeping Russia Out of the Voting Booth | The American Prospect

Of all the disturbing questions raised by Russia’s interference in last year’s election, the most alarming may be how a foreign power might hack into the nation’s voting infrastructure. So far there’s no evidence that Russian cyberattacks altered U.S. vote totals in any way. But recent disclosures make clear that Russian intelligence intrusions were much broader and deeper than initially known. And the U.S. election system, while it has strengths, remains vulnerable on several fronts. Aging voting machines, the absence of a paper trail in some states, and spotty audits are all weaknesses that could be exploited in 2018 and 2020. … While most states—36 all told—use machines that produce a paper record, that still leaves 14 states that still operate machines with no voter verifiable paper trail. The absence of paper makes it virtually impossible to cross-check and confirm results after the fact.

National: Computer expert: Some voting machines can be directly hacked | Washington Examiner

A computer science professor told the Senate Intelligence Committee Wednesday that voting machines that create an electronic record of the voters’ decisions are open to fraud and computer hacking, vulnerabilities that are big enough to potentially change the outcome of some elections. J. Alex Halderman, professor of computer science at Michigan University, said he and his team began studying “direct-recording electronic” (DRE) voting machines 10 years ago and found that “we could reprogram the machine to invisibly cause any candidate to win. We also created malicious software — vote-stealing code — that could spread from machine-to-machine like a computer virus, and silently change the election outcome.” … As a computer science professor, Halderman has not only run academic trials on hacking voting machines, he has also run real-time examples.

National: Intelligence Panel Learns How to Hack Air-Gapped Voting Systems | GovInfo Security

Hackers can breach air-gapped voting machines and vote tallying systems – those not connected to internet – in an attempt to alter ballots to sway the outcome of an election, the Senate Select Committee on Intelligence has learned. “Our election infrastructure is not as distant from the internet as it may seem,” Alex Halderman, a University of Michigan computer science professor, testified Wednesday before the Senate Select Committee on Intelligence The Senate panel, as well as its House counterpart, held simultaneous hearings focused on the impact of Russian hacking on America’s election process (see Election Systems’ Hacks Far Greater Than First Realized ). At both sessions, lawmakers heard witnesses agree that Russian hackers did not alter votes in the 2016 presidential election.

National: Obama White House Knew of Russian Election Hacking, but Delayed Telling | The New York Times

The Obama administration feared that acknowledging Russian meddling in the 2016 election would reveal too much about intelligence gathering and be interpreted as “taking sides” in the race, the former secretary of homeland security said Wednesday. “One of the candidates, as you recall, was predicting that the election was going to be ‘rigged’ in some way,” said Jeh Johnson, the former secretary, referring to President Trump’s unsubstantiated accusation before Election Day. “We were concerned that by making the statement we might, in and of itself, be challenging the integrity of the election process itself.” Mr. Johnson’s testimony, before the House Intelligence Committee, provided a fresh insight into how the Obama administration tried to balance politically explosive information with the public’s need to know. That question also vexed federal law enforcement officials investigating Hillary Clinton’s use of a private email server.

New York: Cuomo: State stepping in to protect electoral system from hacking | Brooklyn Daily Eagle

The federal government is failing to coordinate a response to evidence of Russian hacking of U.S. elections, so New York state is taking action on its own, Gov. Andrew Cuomo said on Tuesday. Cuomo said in a release that he has directed the state Cyber Security Advisory Board to work with agencies and Boards of Election to assess the threats to the cyber security of New York’s elections and recommend solutions. This directive comes amidst confirmation by the intelligence community of Russian interference in the U.S. 2016 election.

National: U.S. Elections Systems Vulnerable, Lawmakers Told In Dueling Hearings | NPR

If two nearly simultaneous hearings Wednesday by the House and Senate Intelligence Committees into Russia’s meddling in last year’s presidential election revealed anything, it’s that U.S. officials saw what was going on but were all but powerless to stop it. In his prepared remarks, former Homeland Security Secretary Jeh Johnson said the Russian government, “at the direction of Vladimir Putin himself, orchestrated cyberattacks on our Nation for the purpose of influencing our election — plain and simple.” But in response to a question from the committee’s ranking member, Rep. Adam Schiff, D-Calif., Johnson said he was concerned he would be criticized “for perhaps taking sides” in an ongoing election if he publicly spoke out about the Russian meddling that he knew was going on.

National: We just learned the government knows Russia will sabotage the next election. Now what? | The Washington Post

The Senate Intelligence Committee held a hearing this morning on Russian efforts to interfere in the 2016 election, and on what the government knows about Russian intentions to meddle in future contests. The Committee heard from three federal officials, two from the Department of Homeland Security, and one from the FBI. Together, those officials made clear that not only did Russians peddle in propaganda and fake news in an effort boost the fortunes of Donald Trump over Hillary Clinton in 2016; they also penetrated election systems via cyber warfare. But they also hinted at another important truth, which a forward looking one. Here it is: The very core of our democracy is at extraordinary risk if we are not prepared to prevent Russian interference in our next election, which is less than 18 months away.

National: Congress urged to increase voting system security | CNN

More than 100 cybersecurity and voting experts are urging the government to make the U.S. voting system more secure. The experts — which come from various industries, from business and academia to technology non-profits — signed a letter addressed to Congress on Wednesday suggesting how three major objectives need to take place to protect the integrity of the system and restore voter confidence. The letter comes as Jeanette Manfra, acting deputy undersecretary for cybersecurity and communications at DHS, told the Senate Intelligence Committee hackers targeted election-related systems in 21 states last year. The letter alleges many jurisdictions are unprepared to handle an increase in cybersecurity risks. To start, the experts believe all jurisdictions should create voter-verified paper ballots and phase out electronic voting machines.

National: Security experts warn lawmakers of election hacking risks | ZDNet

More than a hundred security researchers and computer science experts have warned in a letter to lawmakers that not enough is being done to ensure the integrity of state and federal elections. The letter, published Wednesday, argues many US states are “inadequately prepared” to respond to cybersecurity risks with upcoming elections. The hundred-plus co-signatories, including cryptographer Matthew Blaze, security expert Bruce Schneier, and PGP creator Phil Zimmermann, say the US “needs prompt action to ensure prudent elections security standards.” The experts also outlined several recommendations that would “form the basis of robust, enforceable, sensible federal standards that can restore needed confidence in American elections,” including ensuring that any electronic election machines produce a voter-verified paper ballot to establish the “official record of voter intent.”

National: Federal officials say they’re stepping up efforts to protect election systems | USA Today

State election chiefs said Wednesday that federal homeland security officials haven’t shared enough intelligence information about Russian attempts to access last year’s election — possibly hampering efforts to better protect their systems. “We need this information to defend state elections,” Indiana Secretary of State Connie Lawson, president-elect of the National Association of Secretaries of State, told members of the Senate Intelligence Committee. The committee held a hearing on Russia’s interference in last year’s elections as part of its ongoing investigation. “We were woefully unprepared to defend and respond (to Russian meddling) and I am hopeful that we will not be caught flat-footed again,” said Sen. Richard Burr, R-N.C., the committee’s chairman. “I am deeply concerned that, if we do not work in lock step with the states to secure our elections, we could be here in two or four years talking about a much worse crisis.”

National: The Microsoft security hole at the heart of Russian election hacking | Computerworld

Russian hacking of the 2016 election went deeper than breaking into the Democratic National Committee and the Clinton campaign — the Russians also hacked their way into getting information about election-related hardware and software shortly before voting began. The Intercept published a top-secret National Security Agency document that shows exactly how the Russians did their dirty work in targeting election hardware and software. At the heart of the hack is a giant Microsoft security hole that has been around since before 2000 and still hasn’t been closed. And likely never will. Before we get to the security hole, here’s a little background about how the Russian scheme worked, spelled out in detail by the secret NSA document. Allegedly, Russia’s military intelligence agency, the GRU, launched a spearphishing campaign against a U.S. company that develops U.S. election systems. (The Intercept notes that the company was likely “VR Systems, a Florida-based vendor of electronic voting services and equipment whose products are used in eight states.”) Fake Google Alert emails were sent from noreplyautomaticservice@gmail.com to seven of the company’s employees. The employees were told they needed to immediately log into a Google website. The site was fake; when at least one employee logged in, his credentials were stolen.

National: DHS Never Ran Audit to See if Votes Were Hacked | Daily Beast

Despite assurances from the U.S. intelligence community that Russian hacking only influenced the 2016 U.S. election—and didn’t change vote tallies—there was never actually a formal federal audit of those systems, the Department of Homeland Security said. And while DHS offered free security scans to any state that wanted them, many states—even ones that took up the DHS offer, like Michigan and Maine—either use audit procedures that are considered inadequate or don’t audit their election results at all. “I think there’s a presumption amongst both the general public and lawmakers that DHS did some sort of investigation,” said Susan Greenhalgh, who serves as Elections Specialist at Verified Voting, a nonprofit devoted to U.S. election integrity. “It didn’t happen. That doesn’t mean that something happened, but it also means it wasn’t investigated.”

National: Despite NSA Claim, Elections Vendor Denies System Was Compromised In Hack Attempt | NPR

The Florida elections vendor that was targeted in Russian cyberattacks last year has denied a recent report based on a leaked National Security Agency document that the company’s computer system was compromised. The hackers tried to break into employee email accounts last August but were unsuccessful, said Ben Martin, the chief operating officer of VR Systems, in an interview with NPR. Martin said the hackers appeared to be trying to steal employee credentials in order to launch a spear-phishing campaign aimed at the company’s customers. VR Systems, based in Tallahassee, Fla., provides voter registration software and hardware to elections offices in eight states. “Some emails came into our email account that we did not open. Even though NSA says it’s likely that we opened them, we did not,” Martin says. “We know for a fact they were never opened. They did not get into our domain.”

National: ‘The mother lode of all leaks’: A massive data breach exposed ‘information that can be used to steal an election | Business Insider

A data analytics firm hired by the Republican National Committee last year to gather political information about US voters accidentally leaked the sensitive personal details of roughly 198 million US citizens earlier this month, as its database was left exposed on the open web for nearly two weeks. Deep Root Analytics, a conservative data firm contracted by the RNC as part of a push to ramp up its voter analytics operation in the wake of Mitt Romney’s defeat in the 2012 presidential election, stored details about approximately 61% of the US population on an Amazon cloud server without password protection for those two weeks.

National: Why the G.O.P. Voter Data Leak Is Scarier than It Seems | Vanity Fair

Facebook and Google aren’t the only companies hoovering up every kilobyte of our digital lives—our late-night shopping habits, social-media posts, travel plans, and celebrity obsessions—and turning that personal data into dollar signs. As the recent leak of nearly 200 million voter profiles shows, political analytics companies are major players in the Big Data space, too—and their methods, if not their security protocols, are getting ever more sophisticated. The terabyte of data that Gizmodo reports Deep Root Analytics left on a cloud server, without password protection, included “home addresses, birth dates, and phone numbers,” along with “advanced-sentiment analyses used by political groups to predict where individual voters fall on hot-button issues such as gun ownership, stem-cell research, and the right to abortion, as well as suspected religious affiliation and ethnicity.” Even more worrying, some of the firm’s voter-registration data was cross-referenced against Reddit users’ profiles, suggesting a wide-ranging, multi-platform effort to build psychological profiles of American citizens. None of this is illegal, nor is it clear whether such information is particularly useful. Gizmodo reports show that the Republican National Committee paid Deep Root $983,000 last year, and that other conservative groups paid millions more. But as The New York Times revealed last year, preference-prediction software peddled by companies like Cambridge Analytica is still an imperfect science.

National: US Election Officials, Cybersecurity Experts to Testify on Russian Hacking | VoA News

Just how extensively Russia penetrated state election systems across America last year and how to prevent a repeat will be the focus of an extensive public hearing by the Senate Intelligence Committee on Wednesday. “We’re trying to focus on all aspects — the aggressive nature of Russia’s attempt to hack all the way down to the state level,” the committee’s chairman, Republican Richard Burr of North Carolina, told VOA. The panel will hear from cybersecurity and counterintelligence officials at the FBI and the Department of Homeland Security, as well as state election officials and a representative of America’s secretaries of state for all 50 states — officials who are tasked with certifying elections.

Florida: Security threats on voting system loom as Florida’s elections officials gather in Polk County | Tampa Bay Times

Voting experts in Florida, the national epicenter of electoral suspense, have one concern above all others as they prepare for the 2018 election. Click. Cybersecurity. Efforts by Russian hackers to attack computers in Florida last fall failed, but shed light on potential vulnerabilities of an election system managed locally and in mostly small counties with limited technological resources. “It’s the main topic of conversation,” Pinellas County Supervisor of Elections Deborah Clark said at a conference of election supervisors. “I just don’t think you can have too many people looking at this stuff.” As Clark and dozens of her colleagues mingled at the Omni Champions Gate near Walt Disney World on Tuesday, they said they are more security-conscious than ever. On Thursday, officials will attend a seminar titled “Election Integrity in the Current Political and Media Environment.”

New York: Governor directs review of voting infrastructure cybersecurity | The Hill

New York Gov. Andrew Cuomo (D) on Tuesday asked for a review of the cybersecurity of the state’s voting infrastructure amid growing concern over the extent of Russia’s efforts to interfere in the 2016 election. Cuomo announced that he has directed the state’s cybersecurity advisory board to work with state agencies as well as the state and county boards of election to evaluate cyber threats to New York’s election infrastructure and make any recommendations for additional security measures. The governor’s announcement noted, however, that there have yet to be any “credible reports” about disruptions of election infrastructure in the state.

National: A Republican contractor’s database of nearly every voter was left exposed on the Internet for 12 days, researcher says | The Washington Post

A Republican analytics firm’s database of nearly every registered American voter was left vulnerable to theft on a public server for 12 days this month, according to a cybersecurity researcher who found and downloaded the trove of data. The lapse in security was striking for putting at risk the identities, voting histories and views of voters across the political spectrum, with data drawn from a wide range of sources including social media, public government records and proprietary polling by political groups. Chris Vickery, a risk analyst at cybersecurity firm UpGuard, said he found a spreadsheet of nearly 200 million Americans on a server run by Amazon’s cloud hosting business that was left without a password or any other protection. Anyone with Internet access who found the server could also have downloaded the entire file.

New York: Cuomo to order review of New York voting cyber security | New York Daily News

Responding to reports of Russian interference in the 2016 presidential elections, Gov. Cuomo Monday ordered a review of the state’s election-related cyber security efforts, the Daily News has learned. “The integrity of the electoral system is essential to a functioning democracy,” Cuomo said. The state Cyber Security Advisory Board will work with two state agencies and the state and county boards of election to assess potential risks and develop recommendations for new security measures within 90 days.

Canada: Cyber threats against Canadian democratic processes will increase, warns spy agency | IT World Canada

Canada’s electronic spy agency has warned the country’s political parties, candidates and news media that it is “highly probable” the increasing cyber threat activity against democratic processes around the world will be seen here. In a report issued Friday the Communications Security Establishment (CSE), which looks after protecting federal networks, said specifically it expects “that multiple hacktivist groups” will very likely deploy cyber capabilities in an attempt to influence the democratic process — including disrupting political parties, candidates and the media — during the 2019 Canadian federal election. “We anticipate that much of this activity will be low-sophistication, though we expect that some influence activities will be well-planned and target more than one aspect of the democratic process.” For example, it notes that in 2015 the hactivist group Anonymous leaked reports about the redevelopment of Canada’s key diplomatic centres in Britain.

National: There’s No Way to Know How Compromised U.S. Elections Are | The Atlantic

It’s not really all that hard to hack American democracy. That fact should be driven home by a recent article from The Intercept detailing the contents of a highly classified NSA report that found evidence of a massive Russian cyberattack on voting software and against over 100 election officials. While the NSA concluded the attack was carried out by the most sophisticated of hackers—the Russian military—their entry methods were relatively vanilla. They gained access to the credentials and documents of a voting system vendor via a spear-phishing attack, and then used those credentials and documents to launch a second spear-phishing attack on local elections officials, which if successful could have compromised election officials’ systems and whatever voter data they possessed.

Editorials: Mr. Trump’s Dangerous Indifference to Russia | The New York Times

A rival foreign power launched an aggressive cyberattack on the United States, interfering with the 2016 presidential election and leaving every indication that it’s coming back for more — but President Trump doesn’t seem to care. The unprecedented nature of Russia’s attack is getting lost in the swirling chaos of recent weeks, but it shouldn’t be. American intelligence agencies have concluded that Russia took direct aim at the integrity of American democracy, and yet after almost five months in office, the commander in chief appears unconcerned with that threat to our national security. The only aspect of the Russia story that attracts his attention is the threat it poses to the perceived legitimacy of his electoral win. If not for the continuing investigation into possible collusion between the Trump campaign and the Russians — and whether Mr. Trump himself has obstructed that investigation — the president’s indifference would be front-page news. So let’s take a moment to recall the sheer scope and audacity of the Russian efforts.

Editorials: It’s now clear US voting is hackable. Here are 6 things we must do to prevent chaos. | Suzanne Mello-Stark/Vox

There’s never a good time, politically speaking, to raise questions about our voting system’s vulnerability to hackers. But we can no longer avoid the issue. Bloomberg News reported this week that the US government determined that Russian hackers penetrated the voting systems in 39 states in the weeks leading up to the November 2016 election. The hacks did not involve changing votes — typically they were forays into voter registration databases — but in at least one case, in Illinois, the hackers tried to delete voter data, Bloomberg reported. US officials complained to the Russians, who denied involvement, but President Obama decided not to alert the public, because he didn’t want people to lose faith in the system. To this day, President Trump’s aides suggest that Democrats who call for an investigation into Russian hacking are sore losers. But the evidence that Russia attempted to influence our 2016 election has become unignorable. In January 2017, the CIA, FBI, and NSA jointly released an assessment that Russia used cyber tools to influence American public opinion (specifically, to “denigrate Secretary Clinton”).

Voting Blogs: It is Time For Members of Congress to Step Up and Protect Our Election | Lawrence Norden/Brennan Center for Justice

On Monday night, the Intercept published a leaked National Security Agency report that recounts a Russian military intelligence cyberattack against a voter registration software company. According to the report, Russian government hackers appear to have used “data obtained from that operation to … launch a voter registration–themed spear-phishing campaign targeting U.S. local government organizations.” On one level, this story was not particularly surprising. Even before the Intercept article, we knew—based upon previous news reports, as well as a January report from American intelligence agencies—that hackers working on behalf of the Russian government were targeting state and local voter registration databases. And there is nothing in the NSA report or the Intercept piece that supports the idea that Russian hacks against election offices and registration system prevented anyone from voting or changed vote totals in any way. (It always bears repeating that the voter registration system and vote tallying systems are different. An attack against the registration system will not change vote totals on a voting machine.)

California: Secretary of state expresses ‘serious concern’ with NSA after hacking document leaked | Times Standard

After a leaked National Security Agency document alleged Russian operatives attempted to hack into a Florida voter polling software company used by Humboldt County in the 2016 presidential election, California Secretary of State Alex Padilla sent a letter to the federal agency Thursday questioning why the state was not notified earlier. “As the chief elections officer in the most populous state in the nation, I am seriously concerned about the NSA’s failure to provide timely and critical information to America’s elections officials,” Padilla wrote to NSA Director Admiral Michael Rogers. “… We must be prepared and remain vigilant. Proper preparation requires clear and consistent collaboration among federal, state, and local officials. The NSA cannot afford to sit on critical information that could be used to defend against cyber-attacks.”

Florida: Hackers attacked 4 Florida school districts, allegedly hoped to hack voting systems | Network World

We’ve heard a lot about Russians attackers attempting to hack the US election, but another hacking group also allegedly wanted to interfere with the election; they attempted to pivot from compromised school districts to state voting systems. The Miami Herald reported that MoRo, a group of hackers based in Morocco, penetrated “at least four Florida school district networks” and purportedly searched for a way “to slip into other sensitive government systems, including state voting systems.” According to United Data Technologies (UDT), the firm which investigated the breaches “incidents,” the hackers successfully phished people working in the school districts, tricking them into clicking on an image in email which allowed malware into the system. The article does note that the hackers also targeted an unnamed Florida city network with a similar attack.

Canada: Cyberthreat to Canadian elections increasing amid lingering concerns about Russia, spy agency warns | National Post

Canada’s electronic spy agency says the threat of cyberattacks on the country’s electoral process is increasing and steps must be taken to counter it. The warning is contained in a new report released Friday by the Communications Security Establishment amid lingering questions and concerns about the role Russia may have played in the last U.S. presidential election. The agency says so-called “hacktivists” and cybercriminals did launch low-level attacks during Canada’s last election in 2015, but those attacks had no discernible impact. At the same time, there were no indications that foreign countries tried to influence the election through cyberattacks or other online methods.