Now that voters know that nation-states such as Russia want to disrupt U.S. elections, it’s going to take a continuous effort from DHS and other government agencies at all levels to make sure they keep turning out at the polls, Masterson told me in a recent interview in his office in Arlington, Va. And that won’t go away come November.
“Security is not an end goal,” he said. “You don’t reach a point where you say, okay, now we’re secure. It’s an evolving process.”
This is DHS’s new reality. Russia's interference in the 2016 election set off a sea change at the agency, which previously played little to no role in election security but now offers state election systems the same protections it provides power plants and emergency services.
Masterson says DHS has embraced its new responsibilities, working with state election officials to share cyberthreat information and offering technical services to bolster election security. But there is always more to do.
“Threats and risks evolve constantly,” Masterson said. “And so I think all of us at all levels need to do better in ensuring that election officials have a constant supply of resources — money, information services, whatever the case may be — so they can continue to evolve and improve with the threat.”
Few if any government officials have the sweeping view of election security in the United States that Masterson does. In his position at DHS, which he assumed in March, Masterson works with the federal election security task force assembled last year to muster the sprawling agency’s election security expertise and help states improve their election infrastructure. Before that, he spent more than three years on the bipartisan U.S. Election Assistance Commission, where he served as a Republican commissioner and later chair. He has also held senior positions in the Ohio secretary of state’s office. In those roles, he said, he has checked out more state election systems and met with more election officials than he can count off the top of his head.
I spoke with Masterson last week about how to secure the vote going into November and beyond. Here are some highlights from our conversation:
1. There's been no sign yet of Russian hackers targeting state election systems like they did in 2016.
There have been a lot of warnings from intelligence officials about how Russia is seeking to disrupt the midterms with the same types of influence operations that sowed discord two years ago. And just yesterday, special counsel Robert S. Mueller III said in court filings that “uncharged individuals and entities” in his investigation of Russian interference continue to try to influence U.S. politics and elections.
Yet on the tactical level, Masterson said he hasn’t seen any evidence of actual attempted hacking or successful breaches of state election systems so far. “There’s no specific Russian targeting of election systems that I’m aware of this year to report,” he said. In the run-up to the 2016 election, Russian hackers targeted election systems in 21 states and breached a statewide voter database in Illinois.
Masterson added that he had not detected any other targeted attacks or tampering from other actors besides Russia. “But honestly, whether it’s Russian nation-state actors or others, I don’t need specifics to continue to go out and talk about elections being targeted and that the threat is real,” Masterson said.
“And I don’t think it took a nation-state targeting our election systems. Elections in general are a target,” he added. “They’re critical to our nation’s infrastructure, to our operation as a democracy. That makes them naturally a target regardless of whatever activity happened in 2016.”
2. Not all states want the help that DHS is offering. But they have other options.
So far, 17 states have requested DHS risk and vulnerability assessments, intensive two-week, on-site checks of their election systems. Ten have been completed, one is in progress and another six will be completed by November, Masterson said.
Why wouldn’t every state ask for this? “Ours is just one of many services that they can take advantage of,” Masterson said. He pointed to other options, including projects by Google and Cloudflare to prevent election cyberattacks and ongoing work by the National Guard to help states protect their election systems. He also noted that 48 out of 50 states had signed up to use a new forum DHS created this year to share election cyber threats.
“Whether or not you’re working with DHS on those services or another isn’t indicative of how secure or how serious you’re taking the threat,” he said.
Masterson declined to say whether he worried some states were lagging behind others on election security. “All of the states I’ve been to are taking the steps and are taking it seriously. I wouldn’t grade one state versus another in part because I don’t know their systems, their approach well enough. I’m not living their life in that way.”
“Our level of engagement with election officials across the country is far greater than it was in 2016,” he added. “Election officials are taking this seriously.”
3. States need more resources to defend against election cyberattacks ...
Congress in March sent $380 million to all 50 states to buy new voting equipment and take other steps to beef up their election systems.
It was a good start, Masterson said, but that windfall alone isn't enough.
“That money was a really important step from Congress. I was really pleased to see that because it’s an infusion to help the states get started with many of the things that need to be done,” he said. “But in the end it’s going to take an ongoing commitment from all levels. States and locals run elections, so that means state and local funders — county commissioners, legislators — need to be committed to funding elections because there’s always going to be this need to resource elections in order to keep them secure and maintain a resilient process.”
“We have the ability to reach all 50 states when we need to, and they know that the services are available to them. But that needs to be ongoing,” Masterson said. “This isn’t something we’re going to do and then have it go away.”
4. ... but states are still "miles ahead" of where they were in 2016.
“That’s not my experience,” he said. “As I’ve been out traveling, talking with those state and local officials, they are absolutely improving the overall resilience of the process and taking it seriously. And quite frankly we’re in an environment now where more resources and more information is available to them than has ever been.”
If the 2020 presidential election were held today, he said, the country would be ready.
“Whether it’s 2018 or 2020,” Masterson said, “you prepare like everyone’s going to show up all the time.”
“November is an important milestone. It’s obviously a chance for all of us to assess where we’re at,” he said. “But elections — and election officials will tell you this — it’s a little bit like painting the Golden Gate Bridge. They finish an election and they start all over again.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: Foreign adversaries could seek to interfere in this year's midterm elections through a broad range of tools. Adam S. Hickey, deputy assistant attorney general, gave a broad outline in written testimony to the Senate Judiciary Committee on Tuesday. (Masterson testified alongside him in the same hearing).
Hackers could direct cyberattacks at election systems “to undermine the integrity or availability of election-related data,” Hickey said in his prepared remarks. “Operations aimed at removing otherwise eligible voters from the rolls or attempting to manipulate the results of an election (or even just disinformation suggesting that such manipulation has occurred) could undermine the integrity and legitimacy of elections, as well as public confidence in election results,” according to Hickey's statement.
Hackers could hack political campaigns, steal information and weaponize it “to discredit or embarrass candidates” or public officials, he said. Foreign actors could also illegally influence campaigns, for example via financial assistance or by seeking to influence candidates' policy proposals. Additionally, those seeking to influence elections could conduct online disinformation campaigns to discourage people from voting, push voters to choose third-party candidates or make them question the validity of election results. Finally, foreign powers could use state-owned media outlets or other organizations as propaganda machines.
PATCHED: A group of Democratic senators on Tuesday introduced a bill that aims to strengthen election security by requiring the use of paper ballots and risk-limiting audits in all federal elections. “One of the most painful lessons of the 2016 election is that our country was dangerously unprepared to block a foreign attack on our voting systems,” Sen. Kirsten Gillibrand (D-N.Y.), one of the bill's sponsors, said in a statement. “We cannot let this happen again. Congress has a responsibility to protect our voting systems from being attacked, and this important legislation would help achieve that goal.”
Democratic Sens. Ron Wyden (Ore.), Edward J. Markey (Mass.), Jeff Merkley (Ore.), Patty Murray (Wash.) and Elizabeth Warren (Mass.) also back the Protecting American Votes and Elections Act of 2018. Paper ballots provide an “easily auditable, tamper proof, and simple way” to conduct elections while risk-limiting audits would “ensure that Americans have confidence in their election results, without the cost of a full recount of every ballot in the country,” according to the text of the bill. “With known vulnerabilities and a clear history of foreign interference, it is critical we take meaningful steps to protect the integrity of our elections and ensure the public’s faith in our voting system,” Murray said in a statement.
PWNED: Two dams that the U.S. government considers part of the nation's critical infrastructure are safe from outside cyberattacks but are at high risk from insider threats, according to a report from the Interior Department's inspector general released Monday. The U.S. Bureau of Reclamation, which operates the dams, errs in the way it manages the industrial control systems, or ICS, that control generators, gates and outlet valves, according to the report.
The agency “failed to limit the number of ICS users with system administrator access and had an extensive number of group accounts,” it did not abide by password guidelines and “failed to remove inactive system administrator accounts,” the report says. “A large number of shared accounts increases the likelihood that unauthorized individuals may access account due to inadvertent disclosure,” according to the report. Additionally, the bureau did not follow recommendations that staff with privileged access to the dams' industrial control systems undergo more thorough background checks. The report urged the U.S. Bureau of Reclamation to improve its security, arguing that cyberattacks on dams could potentially threaten national security.
— The Senate on Tuesday confirmed Christopher Krebs to serve as undersecretary for National Protection and Programs Directorate at the Department of Homeland Security.
— More than 2,300 people suspected of online child sex offenses were arrested in a nationwide enforcement operation called “Broken Heart” from March through May, the Justice Department announced in a statement on Tuesday. “No child should ever have to endure sexual abuse,” Attorney General Jeff Sessions said in a statement. “And yet, in recent years, certain forms of modern technology have facilitated the spread of child pornography and created greater incentives for its production.” Authorities investigated more than 25,200 child abuse complaints over the course of the operation.
— More cybersecurity news from the public sector:
— A lawsuit claims that an artificial intelligence company involved in a Pentagon program called Project Maven learned in November that it had been hacked but executives did not immediately report the breach to the Defense Department, Wired's Tom Simonite reports. "A lawsuit filed by former employee Amy Liu this month alleges that Clarifai’s computer systems were compromised by one or more people in Russia, potentially exposing technology used by the US military to an adversary," Simonite writes. Google recently announced that it would not renew its contract in Project Maven when it expires in March next year after thousands of employees raised concerns about the company's participation in the program.
— Apple has updated the rules of its App Store to prevent app developers from building databases of information collected from iPhone users' contact books, Bloomberg News's Sarah Frier and Mark Gurman report. Apple also banned sharing and selling such databases to third parties, according to Bloomberg. “IPhone contact lists contain phone numbers, email addresses and profile photos of family, friends, colleagues and other acquaintances,” Frier and Gurman write. “When users install apps and then consent, developers get dozens of potential data points on people’s friends. That’s a trove of information that developers have been able to use, beyond Apple’s control.”
— Britain's Information Commissioner's Office on Tuesday handed Yahoo a fine of 250,000 pounds, or more than $330,000, for a massive security breach in 2014 that exposed the data of millions of users. The investigation found that Yahoo failed to protect the accounts of more than 515,000 users in Britain, the ICO said. “Cyber-attacks will happen, that’s just a fact, and we fully accept that they are a criminal act,” James Dipple-Johnstone, ICO's deputy commissioner of operations, said in a statement. “But as the intruders become more sophisticated and more determined, organisations need to make it as difficult as possible for them to get in. But they must also remember that it’s no good locking the door if you leave the key under the mat.”
— A researcher said security software for Mac devices could be tricked into taking malware for legitimate Apple code, Motherboard's Lorenzo Franceschi-Bicchierai reports. “This is not a flaw in MacOS but an issue in how third-party security tools implemented Apple’s APIs,” Franceschi-Bicchierai writes. Josh Pitts, a security researcher at Okta who discovered the vulnerabilities, told Motherboard that he “can take malicious code and make it look like it’s signed by Apple.”
- The Senate Homeland Security and Governmental Affairs Committee examines the Cyber SAFETY Act of 2018.
- Senate Commerce Committee hearing on the National Telecommunications and Information Administration
- 2018 Cybersecurity Leadership Forum in Washington.
- Missouri Digital Government Summit in Jefferson City, Mo.
- Last day Colloquium for Information Systems Security Education in New Orleans through tomorrow.
- Cisco Live conference in Orlando through tomorrow.
- House Energy Subcommittee hearing on the Chemical Facility Anti-Terrorism Standards program tomorrow.
- The Brookings Institution holds a discussion on cybersecurity in Asia tomorrow.
- Interface Phoenix conference on June 15.
- BSides San Antonio conference on June 16.
- Senate Judiciary Committee hearing on the Justice Department inspector general’s first report on the department and FBI’s actions before the 2016 election on June 18.
- House Judiciary Committee and House Oversight Committee joint hearing on the Justice Department and the FBI’s actions before the 2016 election on June 19.
Watch the video shown before the Trump-Kim news conference:
Caps fans flood D.C. streets for Stanley Cup parade:
This skyscraper-scaling raccoon has become an Internet sensation: