“We’ve done everything that we could think of doing — not to just assess what happened in 2016 but to fortify our defenses,” California Secretary of State Alex Padilla told me.
“Cybersecurity concerns are equally top-of-mind in the primary as they are in November,” he said. “We’re not considered a swing state, but we’re still California and from a security standpoint a high-value target, so we’re taking it very seriously, to protect our election process and the integrity of elections.”
Yet the states holding primaries on Tuesday run the gamut when it comes to election security. California and New Mexico, for instance, are widely considered ahead of the curve, having already adopted the paper ballot systems with easily verifiable results and post-election auditing recommended by experts. Several states have hired and trained new staff, upgraded computer networks or brought in technical experts to test their systems for weaknesses. But other states are further behind. Voters in New Jersey and Mississippi, for example, will be casting ballots Tuesday on aging electronic machines that experts widely agree should be scrapped because they’re hackable and their results can’t be audited.
Officials say they'll be watching closely for any indications of interference, such as voters showing up to the polls to find their registrations were altered or outages on websites that post election night results.
“My staff and all 33 New Mexico county clerks have worked hard to ensure that proper security protocols are in place so that Election Day goes smoothly,” New Mexico Secretary of State Maggie Toulouse Oliver told me in an email. “I’ll keep the lines of communication open with our county clerks, relevant federal agencies and other state election officials so there is a coordinated and effective response to any attempts to interfere in New Mexico’s elections.”
And there’s reason to be optimistic: Election officials who have worked on shoestring budgets for years are receiving local, state and federal money — including a $380 infusion from Congress — for cybersecurity improvements. And officials at all levels of government are partnering with private-sector researchers to share expertise and information about cyberthreats in ways they never have.
That’s all good news going into Tuesday, said David Becker, director of the Center for Election Innovation and Research, a nonprofit working to improve election administration. “It’s a test of all the work that has been done to date,” he said, “and fortunately that work is significant.”
Here's a rundown on what each state holding elections Tuesday is doing well — and how they might improve:
What it's doing well: California is one of several states that are emerging as models for election security nationwide. It uses paper ballots and machines that produce paper trails that can be audited — exactly what election security experts recommend. It’s also moving toward a vote-by-mail system, with millions of Californians mailing in ballots ahead of Election Day. Becker, of the Center for Election Innovation and Research, says this offers an important “early warning system” for voting irregularities: “Because so many voters vote by mail, if there were problems, we would likely see that and detect it well before Election Day,” he said. Additionally, the state’s online voter registration database is one of the newest in the country, so it doesn’t require the potentially costly security updates that others do.
What it could do better: A survey of election security in all 50 states released this year by the Center for American Progress recommended that the state expand its post-election auditing to include provisional ballots. It also recommended ending its practice of allowing electronic absentee voting from overseas, which experts warn poses privacy and security risks.
What it's doing well: New Jersey officials say they’ve taken extra precautions to secure their voting machines, which are entirely electronic, including outfitting them with tamper-evident seals and requiring criminal and security background checks for anyone who works on them. They’ve also held security training sessions for election workers, installed anti-virus software on election management computers and brought in Department of Homeland Security officials to conduct vulnerability tests. Additionally, the state has a government office devoted to sharing threat information with local governments and the private sector.
What it could do better: New Jersey is one of five states that votes solely on direct recording electronic voting machines, or DREs, which produce no paper trail and are vulnerable to hacking. This is a top concern for election security experts because the machines offer no way to verify the vote count beyond what the machines tally. A recent analysis by the Brennan Center, a nonpartisan think tank, found that it would cost more than $40 million to replace the machines. A full replacement could be years away.
What it's doing well: Alabama is in some ways ahead of the curve. The election between Democrat Doug Jones and Republican Roy Moore to fill Attorney General Jeff Sessions’s Senate seat drew international attention — and close intervention from the federal government. Christopher Krebs, DHS’s top cybersecurity official, visited the state to assist in election security ahead of the vote last November. Beyond that, Alabamians vote almost entirely on paper ballots, which experts widely agree are the safest voting method.
What it could do better: Alabama doesn’t require post-election audits to verify voting results. Alabama was also among the states whose systems were targeted in 2016, but as of early May it was one of just two that hadn’t requested a security review by DHS.
What it's doing well: In Iowa, people vote almost entirely on paper ballots. After the state had its election systems targeted in 2016, Iowa Secretary of State Paul Pate last month convened an election cybersecurity working group made up of officials from the Department of Homeland Security, U.S. Elections Assistance Commission, Iowa National Guard, county officials and IT professionals, among others. The group will advise Pate’s office on how to protect election systems. The state is also one of a handful of states that received a security checkup from DHS.
What it could do better: Iowa requires post-election audits, but not the kind favored by most experts. The state could improve, experts say, by using “risk-limiting audits,” in which a sample of ballots are counted by hand and compared to machine tallies. Experts widely agree that only these such audits are comprehensive enough to detect a cyberattack.
What it's doing well: New Mexico earns high marks among election experts because it uses paper ballots and because it’s one of just three states that use risk-limiting audits. The state has welcomed assistance from the federal government’s cybersecurity pros. And although it wasn’t among the states targeted in 2016, it has received a security check from DHS.
What it could do better: The Center for American Progress gave New Mexico an overall positive review, but said it should consider requiring backup paper voter registration lists at polling places and prohibit electronic absentee voting.
What it's doing well: Secretary of State Delbert Hosemann recently noted that his office uses two-factor authentication, encryption and firewalls to protect the state's election management computer system, all of which experts say is important. The state had also hired third-party companies to try to penetrate the state’s voter registration system, but none had succeeded, he told the Jackson Free Press last month.
What it could do better: Mississippi votes almost entirely on DREs that can’t be audited. Experts say those need to be replaced, and Hosemann has indicated that the state will use some of its $4.5 million in federal election assistance funding to do that. But the Brennan Center notes that it will cost at least $9.2 million to replace every machine statewide. It's not clear when a full replacement could come.
What it's doing well: Montana votes on paper ballots. And like California and other Western states, many Montanans vote by mail.
What it could do better: Montana requires some post-election auditing, but only in counties that use ballot tabulators, not statewide. The Center for American Progress said in its report that such audits aren’t a satisfactory way to verify the results and recommenders switching to risk-limiting audits.
What it's doing well: South Dakota is another paper ballot state. Votes are delivered by mail or in person and counted and logged on machines that aren’t connected to the Internet. Along with New Mexico, it’s also one of 17 states that bar electronic absentee voting.
What it could do better: South Dakota doesn’t require any post-election audits, which experts say are essential to ensure voter confidence, especially in the wake of 2016.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: Facebook has struck deals over the last decade with at least 60 device-makers -- including Apple, Samsung and Amazon -- to hand over extended access to users data, the New York Times's Gabriel J.X. Dance, Nicholas Confessore and Michael LaForgia reported yesterday. "Facebook allowed the device companies access to the data of users’ friends without their explicit consent, even after declaring that it would no longer share such information with outsiders," they write. "Some device makers could retrieve personal information even from users’ friends who believed they had barred any sharing, The New York Times found." (Amazon founder and chief executive Jeffrey P. Bezos is the owner of The Washington Post.)
Some device makers can access information that includes users' relationship status, religion and political leaning, Dance, Confessore and LaForgia write. Most of Facebook's partnerships with device makers are still effective but the social network started scaling them back in April, they write. Additionally, Facebook officials told the Times that they aren't aware of any situation where the data was misused.
"The New York Times has today written a long piece about our device-integrated APIs — software we launched 10 years ago to help get Facebook onto mobile devices," Ime Archibong, Facebook's vice president of product partnerships, said in a statement. "While we agreed with many of their past concerns about the controls over Facebook information shared with third-party app developers, we disagree with the issues they’ve raised about these APIs."
PATCHED: There appears to be a truce between Apple and Telegram. The Russian founder of the secure-messaging app thanked Apple chief executive Tim Cook on Friday for allowing Telegram to issue an updated version of its app on Apple's App Store. The acknowledgment came just a day after Pavel Durov blamed the U.S. tech giant for preventing updates since April, Reuters's Joseph Menn reports. “Apple has thus far resisted a Russian order that month to remove the application from the store entirely, and the update delay sparked concern that Apple was moving to appease authorities there.”
Durov previously said on his Telegram channel that Russian authorities banned the app in the country “because we refused to provide decryption keys for all our users’ communications to Russia’s security agencies.” He added that “unfortunately, Apple didn't side with us.”
“Without an update, not all Telegram features worked on the latest iPhone software, and Telegram also said it was running afoul of new European data privacy laws,” Menn writes. “If the ban had become permanent, Telegram would have grown unsafe over time as security flaws were discovered but unable to be patched through the normal update process.” Neither Apple nor Telegram have explained why the app wasn't allowed to update on the App Store in the first place and what prompted Apple's decision later to let Telegram do so, Menn reports.
PWNED: Google will drop a contract with the Pentagon to use artificial intelligence to analyze drone footage after the Project Maven program sparked discontent among employees and even resignations, The Post's Drew Harwell reports. A source told Harwell that Google will let the contract expire when it comes to an end in March next year.
“Project Maven was launched in April 2017 to find ways the military could use AI to update its national security and defense capabilities 'over increasingly capable adversaries and competitors,' a Defense Department memo stated,” Harwell writes. “In a pilot effort, AI was deployed to analyze hours of footage from Predator drones and other unmanned aircraft, pinpointing buildings and vehicles and processing video now tagged by human analysts.”
Thousands of employees had asked Google chief executive Sundar Pichai in a letter that the company end its involvement in the program, according to Harwell. Meredith Whittaker, an artificial intelligence researcher at New York University and founder of Google's Open Research group, celebrated the news that Google will stop working on Project Maven:
"Bob Work, the former deputy secretary of defense who launched Project Maven last year, called Google's decision not to renew the contract 'troubling' and expressed concern that it could discourage others in Silicon Valley from working with the military on autonomous technologies that could assist in foreign conflicts and national defense,” Harwell writes.
More cybersecurity news:
— Days before the 2016 election, Russian hackers sent emails impersonating the electronic voting vendor VR Systems to state election officials, but the use of a Gmail address and British spelling exposed the trickery, the Intercept's Sam Biddle reports. “An image of the malicious email, provided to The Intercept in response to a public records request in North Carolina, reveals precisely how hackers, who the NSA believed were working for Russian military intelligence, impersonated a Florida-based e-voting vendor and attempted to trick its customers into opening malware-packed Microsoft Word files,” Biddle writes.
VR Sytems issued a warning on Nov. 1, 2016, that included a copy of the malicious email and urged recipients not to open the attachment that came with it, according to Biddle. “Emails from VR Systems will never come from an '@gmail.com' email address,” the company said.
"[T]he attacker also appears to have slipped up and used the British spelling of 'modernized' in the email’s body,” Biddle writes. “But to a state election official reading quickly in the frantic period before a presidential election, without an eye open for the hallmarks of a phishing attack and accustomed to such emails from VR, the message could have had disastrous and completely unexpected consequences. North Carolina experienced a variety of widely-reported software glitches on Election Day in 2016.”
— The revelations about the United States's surveillance capacities from documents leaked by former National Security Agency contractor Edward Snowden started five years ago, and intelligence officials are still counting the disclosures of U.S. secrets, the Associated Press's Deb Riechmann writes. “That includes recent reporting on a mass surveillance program run by close U.S. ally Japan and on how the NSA targeted bitcoin users to gather intelligence to combat narcotics and money laundering,” Riechmann writes. “The Intercept, an investigative publication with access to Snowden documents, published stories on both subjects.”
“This past year, we had more international, Snowden-related documents and breaches than ever,” National Counterintelligence and Security Center Director William R. Evanina said recently, as quoted by Riechmann. “Since 2013, when Snowden left, there have been thousands of articles around the world with really sensitive stuff that’s been leaked.” Glenn Greenwald, who reported on the documents at the Guardian and is now at the Intercept, said intelligence officials have consistently inflated the risk that Snowden's leaks represent. “It’s been almost five years since newspapers around the world began reporting on the Snowden archive and the NSA has offered all kinds of shrill and reckless rhetoric about the 'damage' it has caused, but never any evidence of a single case of a life being endangered let alone harmed,” Greenwald said.
— North Korea will resort to cyber operations against the United states if the planned summit between President Trump and North Korean leader Kim Jong Un yields no results, said Eric Rosenbach, who served as chief of staff to then-Defense Secretary Ashton B. Carter in the Obama administration. Rosenbach was delivering a presentation last week at Recode's Code Conference in which he asked audience members to imagine the United States's response to a hypothetical cyberattack from North Korea.
“Personally, I really hope that there's a summit, the North Koreans give up their nukes and peace breaks out across the Korean Peninsula,” said Rosenbach, who also served as a senior cyber official at the Pentagon. “That would be a wonderful thing. I personally am super skeptical that any of those things will happen. Maybe there'll be a summit and my fear is that after that, because tensions will start to escalate like they always have, that the North Koreans will turn to cyber as they have in the past and hit us where we're most vulnerable, which is in the democracy and the systems that underpin our democracy.” (I wrote about how North Korea is even less likely to give up hacking than nukes last week.)
— More cybersecurity news about the public sector:
— “Many Google Groups leak emails that should probably not be public but are nevertheless searchable on Google, including personal information such as passwords and financial data, and in many cases comprehensive lists of company employee names, addresses and emails,” the computer security blog KrebsOnSecurity.com reported on Friday. The cybersecurity firm Kenna Security estimated that around 3,000 organizations are leaking some kind of sensitive email via Google Groups, according to Brian Krebs, the author of the blog and a former Post reporter.
“This information could be a potential gold mine for hackers seeking to conduct so-called 'spearphishing' attacks that single out specific employees at a targeted organization,” Krebs wrote. “Such information also would be useful for criminals who specialize in 'business email compromise' (BEC) or 'CEO fraud' schemes, in which thieves spoof emails from top executives to folks in finance asking for large sums of money to be wired to a third-party account in another country.”
— The Buffalo Wild Wings restaurant chain issued an apology for “the awful posts” that resulted from the hacking of its Twitter account. “A spokeswoman for the Minneapolis-based company says Buffalo Wild Wings is in touch with Twitter and 'will pursue the appropriate action against the individuals involved,'" the AP reported on Saturday.
- Apple Worldwide Developers Conference in San Jose today through June 8.
- Techno Security & Digital Forensics Conference in Myrtle Beach, S.C., continues through June 6.
- ACSC Campaign Cyber Defense Workshop in Boston.
- Cyber:Secured Forum in Denver today through June 6.
- Gartner Security & Risk Management Summit 2018 in National Harbor, Md., today through June 7.
- Cyber Security Summit: Boston tomorrow.
- Securing Federal Identity 2018 conference in Washington tomorrow through June 6.
- House Homeland Security Committee markup of H.R. 5733 on threats to industrial control systems and H.Res. 898 on cybersecurity threats from Chinese tech firm ZTE on June 6.
- House Science Subcommittee hearing on "the electric grid of the future" on June 7.
Can Trump pardon himself?
Did more than 4,000 people die in Puerto Rico as a result of Hurricane Maria? From the Fact Checker:
Hawaii volcanic eruption hits four-week mark: