The Voting News for 08/12/2019
In early June, the Allegheny County Board of Elections held a special meeting in downtown Pittsburgh, inviting a trio of election security experts to offer advice as the county selects new voting equipment. Marian Schneider, a former Pennsylvania state elections official and the current president of Verified Voting, an election security watchdog group, gave an opening statement framing the day’s conversation in stark terms. “Twenty sixteen demonstrated what many of us have long believed…the threat to our computerized voting system was not merely theoretical, but real and persistent,” she warned, reiterating that another nation had “conducted a well-orchestrated attack on American democracy.” The members of the board solemnly listened, took copious notes, and thanked the panel for their expertise as they assessed bids offering new and more secure equipment. After the meeting, Candice Hoke, a longtime election administration and security expert who’d also been invited to speak, described the gathering as an unusual bright spot, contrasting the attention Allegheny County had devoted to the issue to many places around the country where the state of election security lags. Efforts by federal agencies to work with states and jurisdictions to improve election security are helping, Hoke says, but the bureaucrats overseeing the country’s more than 10,000 election jurisdictions are still routinely outmatched. Read More
A spike in cyberattacks in recent months has left state and local governments reeling. Baltimore faces more than $18 million in losses following a May ransomware attack. Several Florida cities were hit in June. And Los Angeles police data was hacked in late July. A 2018 report from the National Association of State Chief Information Officers (NASCIO) found one unidentified state undergoing 300 million attacks a day -- up from 150 million two years before. Cybersecurity and risk management is at the top of CIOs' list of 10 priorities for 2019, according to an annual NASCIO survey. Rhode Island was making it the biggest priority. In 2017, it became one of only two states with a cabinet-level cybersecurity position. (The other is Idaho, according to Meredith Ward, NASCIO's director of policy and research.) But this pioneering approach wasn’t long-lived in Rhode Island. Last month, the position was removed from the state’s 2020 budget. High-level officials in the state, including its CIO, are confident that cybersecurity will continue to be a priority, but others worry it will receive less attention. Read More
In the aftermath of the 2016 US presidential election, lawmakers have seen little change in security for voters. But if voting machine security standards don't change by the 2020 presidential election, Sen. Ron Wyden warns, the consequences could be far worse than the cyberattacks of 2016. The Democrat from Oregon, who is a member of the Senate Intelligence committee, told the Defcon hacking conference that US voting infrastructure is failing to keep elections secure from potential cyberattacks. He made the comments in a Friday speech at the Voting Village, a special section of the Las Vegas conference dedicated to election security. "If nothing happens, the kind of interference we will see form hostile foreign actors will make 2016 look like child's play," Wyden said. "We're just not prepared, not even close, to stop it." Election security has been a major concern for lawmakers since the 2016 election, which saw unprecedented interference by the Russians. Though no votes are believed to have been changed, the Russians targeted election systems in all 50 states, according to the Senate Intelligence Committee. Legislation to protect elections has been trudged along in Congress. Multiple members of Congress were at Defcon to discuss the issue, as well as to learn about cybersecurity policy. Read More
For the majority of Defcon, hackers couldn't crack the $10 million secure voting machine prototypes that DARPA had set up at the Voting Village. But it wasn't because of the machine's security features that the team had been working on for four months. The reason: technical difficulties during the machines' setup. Eager hackers couldn't find vulnerabilities in the DARPA-funded project during the security conference in Las Vegas because a bug in the machines didn't allow hackers to access their systems over the first two days. (DARPA is the Defense Advanced Research Projects Agency.) Galois brought five machines, and each one had difficulties during the setup, said Joe Kiniry, a principal research scientist at the government contractor. "They seemed to have had a myriad of different kinds of problems," the Voting Village's co-founder Harri Hursti said. "Unfortunately, when you're pushing the envelope on technology, these kinds of things happen." It wasn't until the Voting Village opened on Sunday morning that hackers could finally get a chance to look for vulnerabilities on the machine. Kiniry said his team was able to solve the problem on three of them and was working to fix the last two before Defcon ended. Read More
Public tests of blockchain-based mobile voting are growing.
Even as there’s been an uptick in pilot projects, security experts warn that blockchain-based mobile voting technology is innately insecure and potentially a danger to democracy through “wholesale fraud” or “manipulation tactics.”
The topic of election security has been in the spotlight recently after Congress held classified briefings on U.S. cyber infrastructure to identify and defend against threats to the election system, especially after Russian interference was uncovered in the 2016 Presidential election.
Thirty-two states permit various kinds of online voting – such as via email – for some subset of voters. In the 2016 general election, more 100,000 ballots were cast online, according to data collected by the U.S. Election Assistance Commission. The actual number is likely much higher, according to some experts.
One method of enabling online voting has been to use applications based on blockchain, the peer-to-peer technology that employs encryption and a write-once, append-many electronic ledger to allow private and secure registration information and ballots to be transmitted over the internet. Over the past two years, West Virginia, Denver and Utah County, Utah have all used blockchain-based mobile apps to allow military members and their families living overseas to cast absentee ballots using an iPhone.
Mike Queen, deputy chief of staff for West Virginia Secretary of State Mac Warner, said that while the state currently has no plans to expand the use of the mobile voting beyond military absentee voters, his office did “a ton of due diligence” on the technology before and after using it.
“Not only does blockchain make it secure, but [the blockchain-based mobile app] has a really unique biometric safeguard system in place as well as facial recognition and thumb prints,” Queen said via email after 2018 General Election.
Security experts disagree. The issues around online voting include server penetration attacks, client-device malware, denial-of-service (DoS) attacks and other disruptions, all associated with infecting voters’ computers with malware or infecting the computers in the elections office that handle and count ballots.
“If I were running for office and they decided to use blockchain for that election, I’d be scared,” said Jeremy Epstein, vice chairman of the Association for Computing Machinery’s U.S. Technology Policy Committee.
Epstein co-authored an election security report with Common Cause, the National Election Defense Council, and the R Street Institute, “Email and Internet Voting: The Overlooked Threat to Election Security.” In it, he criticized blockchain and internet voting as a ready target for online attacks by foreign intelligence and said transmission of ballots over the internet, including by email, fax and blockchain systems, are seriously vulnerable.
“Military voters undoubtedly face greater obstacles in casting their ballots. Read More Read More
Hacker summer camp is here again! You know what that means: WIRED is back in Las Vegas for the annual Black Hat and Defcon security conferences, where we’re digging into the latest and greatest hacks on display. First, let’s talk about iPhones. A researcher found it’s possible to break into one just by sending a text message. To help uncover similar vulnerabilities in the future, Apple is handing out new, hacker-friendly iPhones to its favorite security researchers, and paying up to $1.5 million in bug bounties. Moving on to planes. Boeing’s 787 jets might not be very secure, it turns out—Andy Greenberg talked to a security researcher who found multiple serious flaws in the code for one of the plane’s components. (The 787 is distinct from the 737 MAX plane grounded earlier this year, although a recent test flight of that jet had its ups and downs, as WIRED’s transportation desk reports.) That’s not all that’s happening in Vegas. Safecrackers can unlock an ATM in minutes without leaving a trace. Apple pay buttons can make websites less safe. Have you heard of DDOS attacks? Kindly meet their cousin, the DOS attack. Lily Hay Newman also looked at two very old bugs that have continued to persist, one in desk phones and another in a ubiquitous encryption algorithm. Lastly, check out this very cool fake hospital, where real medical devices get hacked on purpose. Read More
The top cybersecurity official at the Department of Homeland Security said Friday that backup paper ballots would be a necessary part of 2020 election security. "Ultimately when I look at 2020, the top priority for me is engaging as far and wide as possible, touching as many stakeholders as possible, and making sure we have auditability in the system," Chris Krebs, DHS' top cyber official, said at a DEFCON cyber conference Friday when discussing election security. "IT, key tenant, can't audit the system, can't look at the logs, you don't know what happened," he added. "Gotta get auditability, I'll say it, gotta have a paper ballot backup." Krebs said that he doesn't "have all the answers" on election security, adding that "a lot of these policy suggestions are not my job to answer -- Congress has a role here." The cyber head also called for state legislatures to pick up the slack along with federal lawmakers in addressing a lack of much needed funds to update different states' election systems. "I don't know where, for instance, the state of New Jersey is going to get their money to update their systems," Krebs said. "I don't know where some of these other states that have (paperless machines) without a paper trail associated with it — I don't know where they're going to get the money, but they need it." Read More
One of the scarier notions in the world today is the prospect of American voting machines being compromised at scale: voters thrown off rolls, votes disregarded, vote tallies edited, entire elections hacked. That’s why the nation’s lawmakers and civil servants flocked (relatively speaking) to Def Con in Las Vegas this week, where hackers at its Voting Village do their best to prove the potential vulnerabilities — including, in some cases, remote command and control — of voting systems. There are several ways to help secure voting. One, thankfully, is already in place; the decentralization of systems such that every state and county maintains its own, providing a bewildering panoply of varying targets, rather than a single tantalizing point of failure. A second, as security guru Bruce Schneier points out, is to eschew electronic voting machines altogether and stick with good old-fashioned paper ballots. Read More
Secretary of State Brad Raffensperger certified that Georgia’s new voting system is reliable and accurate Friday as state officials finalized a $107 million contract with Dominion Voting Systems. The certification of the new voting system, which combines touchscreens and paper ballots, was required before it could be used in Georgia elections. The state had announced last week that Dominion won the state’s voting contract, before certification testing had been completed.Raffensperger found that the Dominion system “has been thoroughly examined and tested,” according to his certification, filed in federal court Friday.His office didn’t release the results of certification testing Friday, which was conducted by a Huntsville, Ala.-based company called Pro V&V. But state rules give the secretary of state broad discretion to certify the voting system. Read More
Georgia’s secretary of state certified new touchscreen voting machines as election-safe in court documents Friday, bidding to put behind the acrimonious 2018 electoral season marred by reports of malfunctioning voting equipment, hourslong wait times and criticism that the state’s outdated machines were vulnerable to hacking. Republican Brad Raffensperger’s office formally awarded a $106 million contract to a Denver-based company, Dominion Voting Systems, for machines it said met state law for election security after neither losing vendor challenged Dominion’s winning bid. The developments came in court documents filed by attorneys defending state election officials against a lawsuit challenging Georgia’s current voting system and seeking statewide use of hand-marked paper ballots. Read More
The person in charge of safeguarding Macon County’s electoral system from Russian hacker attacks or other nefarious onslaughts said he’s confident local ballots are secure. Macon County Clerk Josh Tanner, recently returned from a cybersecurity conference, said much has been done to beef up system firewalls and protections in the three years since Russian hackers infiltrated the Illinois voter registration database. Tanner said state grant money — he’s not allowed to reveal how much, but it's into the thousands — paid for consultants who tested the county’s voting system earlier this year by trying to hack into it. They weren’t successful, but Tanner said the exercise produced a detailed report highlighting areas that needed beefing up. He said county clerks like himself have to be aware of defending against other threats. “There are other ways of causing mischief than just to penetrate the voting system,” said Tanner, a Republican elected in November. “There are denial of service attacks where they don’t actually penetrate your system but they can bombard it with traffic, slowing it down. The consultants help us focus on how to tie-down the system and protect it.” Read More
Before the 2016 election, the state bought voting machines equipped with Verizon modems that transmit preliminary election results to the state Board of Elections — speeding the state's ability to declare winners on election night, but also exposing the system to potential meddling. The Providence Journal delivers accurate, timely news about the moments that matter most. To receive stories like this one in your inbox, sign up here. Election hacking fears rekindled by the federal Russia probe have prompted Rhode Island election officials to take a closer look into whether the state's voting systems are vulnerable to attack. The new concerns relate to the state's decision to buy voting machines before the 2016 election equipped with their own Verizon modems that transmit preliminary election results to the state Board of Elections after the polls close. The modems have helped shorten the time it takes the state to declare winners on election night. But because any internet connection exposes a system to potential cyberattack, the federal government never certified the modem-equipped machines for states to use. And this summer the U.S. Senate committee investigating Russian efforts to breach the 2016 election urged states to tighten their election security, use only federally approved voting machines and "remove (or render inert) any wireless networking capability" such as a modem. Read More
Wisconsin elections officials are considering spending more than $800,000 to replace outdated equipment, update software and further address computer security as the state prepares for the 2020 presidential election. Among the proposals in a Wisconsin Elections Commission plan is to establish a program that would lend new computers to municipalities with outdated operating systems. More than 500 state elections system users are on computer systems that have reached the end of their life or will do so in the next six months, according to a commission memo. Some of these users have plans to update their systems, but the commission is proposing lending 250 devices to municipalities unable to replace them. The loans will be free and distributed on a first-come, first-served basis. The equipment is expected to cost up to $300,000. The commission staff knows "that at least a handful" of clerks are logging into the WisVote voter registration and election management system with operating systems that are no longer receiving security updates, according to the memo. It also notes that hundreds of clerks are using Microsoft Windows 7, which will stop providing free updates in January. Read More
Hundreds of local clerks are using outdated computer systems or aren’t installing security patches, leaving Wisconsin’s election system vulnerable to potentially devastating cyberattacks, state elections officials fear. Election officials across the country have stepped up efforts to block hackers from wreaking havoc during the 2020 contests after Russians interfered with the 2016 presidential election. Congress has been warned that there could be more foreign interference next year, when Wisconsin is expected to be a presidential swing state again. But Wisconsin Elections Commission Election Security Lead Tony Bridges said in a memo to commissioners released Friday that some local clerks are still logging into the state election system using Windows XP or Windows 7. Microsoft stopped supporting Windows XP in 2014 and said it will stop providing free security updates for Windows 7 starting in January. Bridges wrote that it’s safe to assume a large percentage of clerks won’t upgrade before the deadline or pay for updates. Even clerks with current operating systems often fail to install security patches, he said. The failure to maintain current operating systems exposes state elections to tremendous risk, Bridges wrote. He pointed to an incident in March in which a ransomware variant called Ryuk shut down vital systems in Jackson County, Georgia, including computers supporting emergency dispatch. Ransomware is software designed to shut down computer systems or data until a ransom is paid. Read More