The midterm elections are less than six months away, but an overwhelming 95 percent of digital security experts surveyed by The Cybersecurity 202 say state election systems are not sufficiently protected against cyberthreats.
We brought together a panel of more than 100 cybersecurity leaders from across government, the private sector, academia and the research community for a new feature called The Network — an ongoing, informal survey in which experts will weigh in on some of the most pressing issues of the field. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.) Our first survey revealed deep concerns that states aren’t prepared to defend themselves against the types of cyberattacks that disrupted the 2016 presidential election, when Russian hackers targeted election systems in 21 states.
“We are going to need more money and more guidance on how to effectively defend against the sophisticated adversaries we are facing to get our risk down to acceptable levels,” said one of the experts, Rep. Jim Langevin (D-R.I.), who co-chairs the Congressional Cybersecurity Caucus.
Congress in March approved $380 million for all 50 states and five territories to secure their election systems, but Langevin says he wants more. He introduced legislation with Rep. Mark Meadows (R-N.C.) that would provide election security funding to states if they adhere to new federal guidelines for identifying weaknesses in their systems and auditing election results. “I hope Congress continues to work to address this vital national security issue,” Langevin said.
Each state is responsible for running its own elections, and many state officials view attempts by the federal government to intervene with skepticism — if not outright opposition. But some experts said the magnitude of the threats from state-sponsored adversaries is too great for states to deal with alone.
“Given the gravity of the nation-state threats we face, much more needs to be done at every level — including a strong declarative policy that this activity is unacceptable and will trigger a strong response,” said Chris Painter, who served as the State Department’s top cyber diplomat during the Obama and Trump administrations.
Dave Aitel, chief executive of Immunity Inc. and a former National Security Agency security scientist, went further: “Protecting systems from cyberthreats from nation-states can really only be done on a national level. It's insane we have state-level control of these systems.”
Experts generally agreed that most states are more secure than they were in 2016. Officials have undertaken a variety of measures to improve security — including conducting vulnerability tests of computer networks and voting machines and hiring new IT staff.
But securing this kind of technology isn't easy. “ ‘Election systems’ are massive, distributed IT systems with thousands of endpoints and back-end systems that hold and process large volumes of highly sensitive data,” said Jeff Greene, senior director of global government affairs and policy at Symantec. “Protecting such systems is no small feat, and election systems are no different. While [the Department of Homeland Security] and the state and local governments have in recent years dialed up their efforts, there are no easy fixes.”
Several experts said that state voter registration databases are particularly vulnerable — and make an appealing target for attackers who want to sow confusion and undermine confidence in the voting process.
“The voting machines themselves are only part of the story,” said Matt Blaze, a cryptographer and computer science professor at the University of Pennsylvania. “The ‘back end’ systems, used by states and counties for voter registration and counting ballots, are equally critical to election security, and these systems are often connected, directly or indirectly, to the Internet.”
There’s no evidence that Russian hackers actually changed any votes in 2016, but they did probe online voter rolls and even breached the statewide voter database in Illinois. “Few if any state and local IT departments are equipped to protect this infrastructure against the full force of a hostile intelligence service, and these systems are very attractive targets for disruption,” Blaze said.
“The level of expertise is quite uneven” across the states, added Daniel Weitzner, founding director of the MIT Internet Policy Research Initiative who was U.S. deputy chief technology officer for Internet policy during the Obama administration. “Of particular concern is the voter registration systems. Imagine how much fear, uncertainty and doubt [that] Russia or any other malicious actor could sow if they raise questions about the accuracy of the voting rolls. That's every bit as bad as actually changing votes, and much easier to do.”
Jay Kaplan, co-founder of the cybersecurity firm Synack, notes a bright spot: The Election Assistance Commission has a national voting system certification program to independently verify that a voting system meets security requirements.
“However, testing for this certification is completely optional,” said Kaplan, who held previous roles in the Defense Department and at the National Security Agency. “States can set their own standards for voting systems…. As such, some states are significantly more buttoned up than others. The reality is states are understaffed, underfunded, and are too heavily reliant on election-system vendors securing their own systems.”
On top of that, millions of Americans will vote this year on old, hack-prone digital machines that produce no paper trail. Without a paper record, it's nearly impossible to audit the final vote tally. Federal officials and experts recommend scrapping such machines in favor of paper ballots.
Too many states “have taken a less than strategic approach and once again waited too long to start addressing vulnerabilities within their processes and technology,” said Mark Weatherford, a former deputy undersecretary for cybersecurity at the Department of Homeland Security in the Obama administration and chief information security officer in both California and Colorado.
“Additionally, because of significant investments in electronic voting technology, it's difficult for non-technologists to acknowledge economic sunk costs and re-prioritize current funding to address these … problems,” said Weatherford, a senior vice president and chief cybersecurity strategist at vArmour.
Nico Sell, co-founder of the software maker Wickr, put the problem into perspective: “We will teach the kids how to hack the election system this summer at r00tz at Def Con,” she said. (r00tz is an ethical hacking program for children between 8 and 16 years old held in Las Vegas alongside the Def Con security conference.)
Many experts are worried that states lack the resources to build their defenses in time for the midterms, even with more federal assistance. “What isn’t clear is where our defenses and resiliency have improved if at all,” said Jessy Irwin, head of security at Tendermint. “This is a difficult problem to solve, and it takes something we don't have enough of to get 50 states and a few territories flying in formation: time.”
Less than five percent of experts who responded to the survey said they were confident that state election systems were well protected.
Cris Thomas, who goes by the name Space Rogue and works for IBM X-Force Red, said that while registration databases, websites and other systems may still be vulnerable, “the election systems themselves are sufficiently protected.”
And the patchwork nature of U.S. elections is actually a bonus when it comes to deterring would-be attackers, said one expert who spoke on the condition of anonymity.
“State balloting systems are diverse and decentralized. They’re administered by some 3,000 counties, making it difficult for malicious actors to uniformly attack voting infrastructure on a vast scale,” the expert said.
That expert was satisfied with the efforts by state and federal officials to secure the vote. “Public and private authorities are taking steps to defend against nation-state attacks. The recent omnibus spending bill provides monies to states for election security; threat data are being shared between states and federal agencies (albeit probably slowly and tentatively); and election officials are utilizing best practices, such as conducting post-election audits and not connecting voting machines to the Internet,” the expert said.
“But bolstering our cyberdefenses, however fundamental, will only take us so far,” the expert added. “The White House needs to authorize agencies to disrupt cyberattacks and information operations at their sources and up the ante for prospective attackers as part of America’s broader deterrence posture.”
As another expert who participated in the survey put it: “The high level of interest has led to more eyes on the process, which itself helps deter would-be hackers.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
— More reactions from The Network's group of cybersecurity experts about the threats that election systems face:
- “Experts have long warned about the numerous vulnerabilities in election hardware and software which should continue to be evaluated, tested and updated. Moreover, we need to be investing long-term in media literacy and education in order to prepare individuals for future disinformation campaigns.” — Amie Stepanovich, U.S. policy manager at Access Now
- “We know that state election voter registration systems were targeted in the 2016 presidential elections. This was not an anomaly. This is part of a strategy of foreign nation-states with Russia being the most aggressive. This will continue unless or until nation-states are held accountable for their actions. States move slowly and do not have sufficient resources (budget for purchasing IT and people) allocated to sufficiently protect election systems. So in short, states will be ill prepared for attacks this election season." — Anup Ghosh, founder of Invincea Inc.
- “Given that elections are decentralized, an adversary can look for a weakness across all of the local authorities and exploit the weakest ones. Furthermore, systems beyond exact vote counting such as registration systems can be targeting, thus creating a large attack surface.” — Steve Grobman, chief technology officer for McAfee
- “While Russia will undoubtedly persist in pursuing cyber active measures and disinformation campaigns; others will surely pull a page from their playbook as well — which provides all the more reason for state and federal officials in this country, and their private sector partners, to focus on inoculating the United States from cyberattacks, cyberthreats and disinformation.” — Frank Cilluffo, director, Center for Cyber and Homeland Security at George Washington University
- “The machines themselves are vulnerable to attack, but far more importantly Facebook and Twitter (and the like) have done virtually nothing to protect the public from bad actors. Nor has government spending been granted to counter the threat of state actors and astroturfing. To withhold spending on protecting against social interference of state and local campaigns is tantamount to saying that the government simply doesn't care who is in control of our nation. Tampering at the ballot booth is a problem, but nowhere near as dangerous as social interference.” — Robert Hansen, chief technology officer of Bit Discovery
- “Although voting systems without auditable paper trails present an unreasonable risk of potentially depriving citizens of their votes, such machines are sometimes still in use in some jurisdictions. Every state attorney general, secretary of state and citizen should ensure that no voting systems without paper trails are in use in their state. Paper ballots offer a preferable alternative to voting systems without auditable paper trails.” — Andrea Matwyshyn, co-director, Center for Law, Innovation and Creativity at Northeastern University School of Law
- “There is little to no consistency in operations from state to state. In order to protect our voting systems from hacking there should be high-level technical requirements provided by the federal government. Something as simple as requiring paper trails for all votes could go a long way to securing our democracy. Until such requirements exist our democracy will remain at risk." — Respondent who asked to remain anonymous
PINGED: Fake Facebook accounts impersonating the suspect in the Santa Fe High School shooting emerged on the social network in the hours following the attack that left 10 people dead on Friday, The Washington Post's Drew Harwell reports. The accounts featured a doctored photograph of the suspect wearing a hat reading “Hillary 2016.”
Chris Sampson, a disinformation analyst, told Harwell that the first fake Facebook account bearing the suspect's name that he saw came less than 20 minutes after police identified him. “It seemed this time like they were more ready for this,” Sampson told Harwell. “Like someone just couldn't wait to do it.”
"The fakes again reveal a core vulnerability for the world's most popular websites, whose popularity as social platforms is routinely weaponized by hoaxers exploiting the fog of breaking news,” Harwell writes. Misinformation about the shooting also spread on other platforms, including Twitter and Instagram.
PATCHED: Atlanta's ransomware ordeal looks like it may end soon. Richard Cox, the city's chief operating officer, said Atlanta has almost recovered from a cyberattack that took aim at the city's computer network in March, the Atlanta Journal-Constitution's Stephen Deere reports. The only computers that haven't been brought back online yet are the municipal court's, Cox said.
“Cox said the total cost of the attack has yet to be calculated,” Deere writes. “But emergency contracts posted on the city’s procurement website have a combined not-to-exceed amount of about $5 million.”
As recommended by federal agents, the city didn't pay the ransom — the equivalent of about $51,000 in bitcoin — that hackers demanded, Deere writes.
PWNED: The Federal Communications Commission said on Friday that it is opening an investigation into reports that a demonstration service by the company LocationSmart exposed the location of cellphones from major U.S. carriers without customers' consent, Reuters's David Shepardson reports.
“LocationSmart spokeswoman Brenda Schafer said on Friday the vulnerability 'has been resolved and the demo has been disabled,'" Shepardson writes.
Sen. Ron Wyden (D-Ore.) said in a statement that he was “pleased” with the FCC's decision to investigate LocationSmart's flaw after asking for a probe on the matter the same day.
A hacker could have used this site to know when you were in your house so they would know when to rob it. A predator could have tracked your child’s cell phone to know when they were alone.— Ron Wyden (@RonWyden) May 18, 2018
— More cybersecurity news:
— Some lawmakers hope President Trump's scheduled meeting with North Korean leader Kim Jong Un next month will be an opportunity to address the regime's use of cyberattacks, Politico's Martin Matishak and Eric Geller report.
"I hope it’s not just a summit to turn a blind eye to other malign activities of North Korea," Sen. Cory Gardner (R-Colo.) told Politico. "I think you’ve got an opportunity to do some good things here."
But other cybersecurity experts said a negotiation on nuclear weapons between Trump and Kim would be complicated enough without including this in the discussion, Matishak and Geller write. Jason Healey, a cyberconflict scholar at Columbia University, said that unlike nuclear threats, cyber issues can be addressed through a variety of options. "We’re talking about nuclear weapons here, and someone wants Trump to talk about Sony or [the Bangladesh bank hack]?" Healey told Matishak and Geller. "Please, those are issues we can manage with so many other tools at our disposal, whereas dealing with nuclear issues has pretty much either negotiation or death, perhaps of millions."
— Authorities in France have charged a suspect in a terror plot, "citing messages sent with the secure-messaging Telegram app,” Defense One's Patrick Tucker reports. But France's interior minister hasn't said how police found the messages.
“Perhaps they found some technical flaw in the way Telegram encrypts data, or, less exotically, intercepted login requests but not actual conversations — or maybe one of the alleged conspirators simply informed on his accomplice,” Tucker writes. “Police did find material related to poisoning and bomb-making in the suspect’s residence, but it’s unclear whether they expected to find them there.”
— Apps that allow users to monitor their children or track a lost phone can also allow people who want to spy on their intimate partners ways to do so without their consent, the New York Times's Jennifer Valentino-DeVries reports. “More than 200 apps and services offer would-be stalkers a variety of capabilities, from basic location tracking to harvesting texts and even secretly recording video, according to a new academic study,” Valentino-DeVries writes.
The study, titled The Spyware Used in Intimate Partner Violence, found that legitimate apps can be abused to spy on a partner. “While we find dozens of overt spyware tools, the majority are 'dual-use' apps — they have a legitimate purpose (e.g., child safety or anti-theft), but are easily and effectively repurposed for spying on a partner,” the study says. “We document that a wealth of online resources are available to educate abusers about exploiting apps for [intimate partner surveillance].”
A number of services are presented as tools to surveil partners. “More than two dozen services were promoted as surveillance tools for spying on romantic partners, according to the researchers and reporting by The New York Times,” Valentino-DeVries writes. “Most of the spying services required access to victims' phones or knowledge of their passwords — both common in domestic relationships.”
More news on cybersecurity in the private sector:
— Matt Hancock, Britain's secretary of state for digital, culture, media and sport, announced yesterday that the British government will consider new legislation to combat “the Wild West elements of the Internet” such as bullying and child sexual exploitation online, Reuters reports.
“Digital technology is overwhelmingly a force for good across the world and we must always champion innovation and change for the better,” Hancock said in a news release. “At the same time I have been clear that we have to address the Wild West elements of the Internet through legislation, in a way that supports innovation.”
— Content moderators working at a Facebook deletion center in Berlin spend hours reviewing posts and decide what's protected by free speech and what fails to abide by the company's rules or by a new German online hate speech law, the New York Times's Katrin Bennhold reports.
“The deletion center predates the legislation, but its efforts have taken on new urgency,” Bennhold writes. “Every day content moderators in Berlin, hired by a third-party firm and working exclusively on Facebook, pore over thousands of posts flagged by users as upsetting or potentially illegal and make a judgment: Ignore, delete or, in particularly tricky cases, 'escalate' to a global team of Facebook lawyers with expertise in German regulation.”
More international cybersecurity news:
- IEEE Symposium on Security and Privacy in San Francisco today through May 23.
- Ignite '18 Cybersecurity Conference in Anaheim, Calif., today through May 24.
- Enfuse 2018 conference in Las Vegas today through May 24.
- House Energy Committee hearing on Internet of Things legislation tomorrow.
- Senate Armed Services subcommittee on cybersecurity closed markup of the National Defense Authorization Act for fiscal 2019 tomorrow.
- Security Through Innovation Summit in Washington tomorrow.
- GMU-AFCEA Symposium 2018 in Fairfax tomorrow through May 23.
- Air Force Cyber Strategy Conference at Maxwell Air Force Base, Ala., tomorrow through May 23.
- Senate Banking Committee hearing on cybersecurity risks to the financial services industry on May 24.
- The European Union's General Data Protection Regulation goes into effect on May 25.
Expanding lava flow from Hawaii's Kilauea volcano injures man:
Meet Bishop Michael Curry, the man who stole the show at the royal wedding:
SNL’s "The Sopranos" cold opening, annotated: