As local officials across the country scramble to hack-proof their voting systems ahead of the midterm elections, there’s one state that is paving the way as a leader in election security.
Colorado has done virtually everything election experts recommend states do to stave off a repeat of 2016, when Russian hackers targeted 21 states as part of the Russian government’s massive election interference campaign.
The state records every vote on a paper ballot. It conducts rigorous post-election audits favored by voting researchers. Nearly every county is equipped with up-to-date voting machines. Election officials take part in security trainings and IT workers test computer networks for weaknesses.
Secretary of State Wayne Williams told me the state benefited from having some of those measures in place before 2016. Once the extent of Russia’s digital campaign in the presidential election became clear, he made it a priority to invest more in them, he said.
“If people perceive a risk, they're less likely to participate in voting,” Williams said. “We want to protect people from that threat, and we want to people to perceive that they are protected from that threat.”
Although there’s no evidence that votes were altered in 2016, the stakes are high.
The Senate Intelligence Committee, which is investigating Russia’s interference, released a report this week affirming that states should be the main entities running elections. But lawmakers said they’re still concerned about potential vulnerabilities in election infrastructure.
For instance, the committee found, voting systems across the United States are outdated. Thirteen states use machines that don’t have paper records of votes as backup counting systems, and five of those states use paperless machines exclusively. What’s more, lawmakers fear the vendors of election equipment and software may be “an enticing target for malicious cyber actors” – and authorities at all levels have little insight into their security practices.
Despite these concerns, there is near consensus on how states should secure their election systems.
The recommendations from experts and the federal government boil down to three main steps:
- Switch to paper ballots or voting machines that produce a paper trail. This creates a physical record of the vote and, unlike electronic voting machines or machines connected to the Internet, hand-marked ballots can’t be hacked.
- Check the results using a “risk-limiting audit,” which counts a sample of ballots by hand and compares them to machine tallies and is especially effective in close races. While a majority of states require post-election audits, experts widely agree that only risk-limiting audits are comprehensive enough to detect a cyberattack.
- Conduct frequent and rigorous risk assessments — and make sure election workers are well trained to identify it when something goes wrong.
Nationwide, states are taking a variety of measures to bolster their election systems ahead of November, from replacing old equipment to conducting vulnerability tests to hiring new staff. But few, if any, have gone as far as Colorado has — indeed, many states don’t have the funding to make the upgrades.
Although more than half of all states require post-election auditing, only Colorado, Rhode Island and New Mexico use risk-limiting audits. Delaware, Georgia, Louisiana, New Jersey and South Carolina all rely exclusively on electronic voting machines without a paper audit trail. Pennsylvania is struggling to replace its outdated, hackable equipment.
“Colorado is certainly hitting all the high points that we’ve been arguing others should,” said Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology and an expert on voting systems. “It’s hard to compare states apples-to-apples because they’re so different, but Colorado has really been a leader.”
Williams said Colorado's voting process helped put it ahead of the curve: The state allows citizen initiatives and tax debt decisions to be included on ballots, so he says that paper ballots are just more practical given the long list of items people are asked to vote on.
The state has been proactive in other ways, too. Its county clerks, for example, use two-factor authentication to access voter registration databases, which Russian hackers targeted in 2016. And in 2017 it became the first state in the country to complete a statewide risk-limiting audit.
“In Colorado, even if something happens, I don’t have to worry about it because there’s a process in place,” said Marian Schneider, president of the nonprofit organization Verified Voting. “It’s almost like a disaster recovery plan for elections — that if a disaster were to befall the vote count, we could recover from it.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: John Bolton, President Trump's national security adviser, and his aides are considering ending the position of White House cybersecurity coordinator, Politico's Eric Geller reported yesterday.
Rob Joyce, who currently holds the position, heads to the National Security Agency on Friday. “Bolton’s deputy, Mira Ricardel, supports the idea of eliminating the coordinator role, according to two of the sources,” Geller writes. “ 'She’s thinking about whether to simply pick up the [cyber] function on her own,' said [a former U.S. official], who added that the odds were '60-40' that the White House would eliminate the job.”
.@RobJoyce45's last day as WH cyber coordinator is Friday.— Eric Geller (@ericgeller) May 9, 2018
Bolton and his deputy, Mira Ricardel, are discussing the idea of her taking over supervision of the National Security Council's cyber team.
Bolton, per one sources, is not very interested in the nuances of cyber policy.
— A few more juicy details from the story:
- The decision to eliminate the post may not be a done deal. Christopher Krebs, a top DHS cyber official, was apparently seeking suggestions for a new coordinator at the RSA Conference in San Francisco.
- Yet others said White House staffers were told not to offer their own replacement ideas. One former official said the aides in charge of cybersecurity issues on the National Security Council were “a little on pins and needles when they heard that.”
Chris Painter, who served as State Department cyber coordinator during the Obama administration, said terminating the position “would be a huge step backwards:”
This would be a huge step backwards. The time is right to prioritize, not demote, these issues & focused WH coordination & leadership is vital. Sending any signal that we are not prepared to lead makes a difference to our allies & adversaries alike. https://t.co/1AyhSlWVEU— Chris Painter (@C_Painter) May 9, 2018
PATCHED: The House Foreign Affairs Committee yesterday passed a bill aiming to encourage ethical hackers to explore the State Department's online systems in search of weaknesses or bugs, Nextgov's Joseph Marks writes.
The legislation, titled Hack Your State Department Act, would direct the secretary of state to "design and establish a Vulnerability Disclosure Program (VDP) to improve Department of State cybersecurity and a bug bounty program to identify and report vulnerabilities of internet-facing information technology," according to the text of the bill.
While large private tech companies frequently use bug bounties to find vulnerabilities, the federal government has lagged behind, according to Marks.
"The bill also requires the State Department to report to Congress on how many digital bugs participants find and how long it takes the department to patch them," Marks writes.
From Rep. Ted Lieu (D-Calif.), one of the authors of the bill:
Pleased the House Foreign Affairs Committee today (1) passed my bill with @RepTedYoho to establish a bug bounty program similar to the Pentagon's program, HR 5433, and (2) passed the bill I am partnering with @RepSchneider on to strengthen the Global Engagement Center, HR 5681.— Ted Lieu (@tedlieu) May 9, 2018
PWNED: Security researcher Alec Muffett discovered that notifications from messages received via the Signal desktop app on a Mac remain in the operating system's notification bar even if the messages were set to disappear, Motherboard's Lorenzo Franceschi-Bicchierai writes.
#HEADSUP: #Security Issue in #Signal. If you are using the @signalapp desktop app for Mac, check your notifications bar; messages get copied there and they seem to persist — even if they are "disappearing" messages which have been deleted/expunged from the app. pic.twitter.com/CVVi7rfLoY— Alec Muffett (@AlecMuffett) May 8, 2018
"To be clear, this is not a major threat for most people — someone would still need to hack or otherwise get their hands on your Mac computer to read the messages,” Franceschi-Bicchierai writes. “But if you’re an at-risk user such as a humanitarian worker, a political aide, or journalist and are worried about those scenarios, you should be aware of the issue.”
And hey, there's a fix. Franceschi-Bicchierai's report explains how to adjust the settings of the Signal desktop app to mask the name and content of the messages that appear in the notifications bar.
— Atlanta Mayor Keisha Lance Bottoms (D) on Wednesday said the ransomware attack that her city suffered in March underscored the public's lack of awareness about cybersecurity. Few constituents cared, she said, until a digital attack prevented people from paying bills online, StateScoop's Benjamin Freed reports.
“My 70-year-old constituent might not understand it, unless she can’t pay her water bill,” Bottoms told the Smart Cities New York conference, as quoted by Freed. “Or a 21-year-old can’t pay his parking ticket to get his license back.”
The SamSam ransomware virus that struck Atlanta crippled online municipal services such as city employees' emails and court scheduling, Freed writes. The hackers demanded the payment in bitcoin of the equivalent of about $51,000. The city did not pay the ransom.
“Atlanta has gradually been able to restore its systems, but the recovery has been costly,” Freed writes. “Over the past seven weeks, Bottoms' government has spent more than $5 million on emergency tech contracts, giving the still-new mayor something of a crash course on cybersecurity.”
.@KeishaBottoms: "Over the course of our campaign, we had had at least 100 forums, and we had talked about every single thing I thought there was to talk about, and cybersecurity was not a topic of conversation.” #SCNY18— Benjamin Freed (@brfreed) May 9, 2018
— Online activists and several tech companies started a public push to restore the net neutrality rules the Federal Communications Commission voted to end last year, The Washington Post's Brian Fung reports. The campaign comes as Democratic senators, with the support of Sen. Susan Collins (R-Maine), moved to force a procedural vote to undo the FCC's decision.
“The senators are putting forward the resolution on Wednesday under what's known as the Congressional Review Act, a law that permits Congress to review — and reject — administrative decisions by federal agencies,” Fung writes. “In this case, the resolution (or CRA, for short) would overturn the FCC's repeal vote, effectively bringing back the net neutrality rules and making it harder for the agency to attempt to repeal them again.”
“Today, we enter this historic final stretch here in the Senate in the battle to save net neutrality,” Sen. Edward J. Markey (D-Mass.) said. “This is a fight for the most powerful platform for commerce and communications in the history of the planet: the Internet.”
Tumblr was among those supporting the move to restore net neutrality rules and tweeted that the survival of “free and open internet as we know it” is at stake:
🚨 This is a Red Alert for #NetNeutrality. We only need one more vote in the Senate to save free and open internet as we know it. Learn more here: https://t.co/LUNA5STTWV @battleforthenet pic.twitter.com/fiVrSbuzAK— Tumblr (@tumblr) May 9, 2018
More government cybersecurity news:
— Chinese tech company ZTE announced yesterday that it has terminated “major operating activities” following sanctions from the Trump administration, the New York Times's Raymond Zhong writes.
“One of China’s most internationally successful technology suppliers, with about $17 billion in annual revenue, ZTE is facing a death sentence,” Zhong writes. “The Commerce Department has blocked its access to American-made components until 2025, saying the company failed to punish employees who violated trade controls against Iran and North Korea.”
More in cybersecurity news from the private sector:
— Iran may respond to Trump’s decision to pull out of the nuclear deal with cyberoperations against Western banks, governments, and energy providers, threat intelligence company Recorded Future said in a report released Wednesday. (I explored this issue in yesterday's Cybersecurity 202.)
Our research team, Insikt Group, conducted interviews with a former Iranian hacker with first-hand knowledge of Iran’s offensive cyber efforts. Read the #analysis here: https://t.co/3R5k65m1R5 #ThreatIntelligence #Cybersecurity— Recorded Future (@RecordedFuture) May 9, 2018
Here are some of the report’s assessments:
- “The Islamic Republic has abandoned its typically deliberate and methodical approach to cyber operations on only two known occasions, in 2012 and in 2014, when a quick reactionary response was required. We assess that when Iranian cyber operators respond to the U.S. withdrawal from the JCPOA [Joint Comprehensive Plan of Action] that the operations will be staffed and executed by capable, but less trusted contractors.”
- “Further, we assess that staffing these operations with less trusted contractors could result in a scenario where the Islamic Republic has difficulty controlling the scope and scale of the destructive cyberattacks once they have begun.”
- “Based on our source’s conversations with other hackers in Iran, there are over 50 estimated contractors vying for Iranian government-sponsored offensive cyber projects. Only the best individuals or teams succeed, are paid, and remain in business.”
— And BuzzFeed's Kevin Collier has a good read on another kind of confrontation in cyberspace: “Two rival Persian Gulf nations have for the past year been conducting a tit-for-tat battle of leaked emails in US news outlets that appears, at least in part, to have been an effort to influence Trump administration policy toward Iran,” Collier writes. "The unfolding battle alarms transparency advocates who fear it will usher in an era in which computer hacking and the dissemination of hacked emails will become the norm in international foreign policy disputes."
— After Copenhagen's electric bike-sharing system was hacked last week, the company that maintains the bikes sent employees to manually restore its approximately 2,000 bikes around the Danish capital, Motherboard's Samantha Cole reports.
“In a Facebook post, Bycyklen wrote that its entire database was deleted in a 'primitive' hacking scheme that seemed to be carried out by someone with intimate knowledge about the system’s structure,” Cole writes.
- Senate Appropriations Subcommittee hearing about the Commerce Department’s budget request for fiscal year 2019.
- Gigamon Federal Cybersecurity Summit in Washington.
- secureCISO event in Chicago.
Gina Haspel, Trump's nominee for CIA director, said she would not restore the agency's enhanced interrogation program for suspected terrorists:
Trump keeps doing things that rile Europe:
This man says his neighborhood was wrecked by fiery lava but says Hawaii is “still beautiful”: