Maryland may be getting a dry run in how to respond to an election cyberattack.
State officials say a computer glitch prevented the Board of Elections from updating voter registration data for as many as 80,000 voters. As a result, droves of people will have to cast provisional ballots if they want to vote in Maryland’s primary today.
No, it wasn't the work of hackers. But the technical error simulated what a hack on a state’s voter registration database might look like — and how election administrators might handle it.
“Almost everything that a malicious actor might try to do can also happen by accident,” said Lawrence Norden, deputy director of the Brennan Center for Justice’s Democracy Program, which promotes voting rights.
The discovery of the flaw offers a valuable lesson for election officials as they work to improve the security of their election systems ahead of the November midterms, which U.S. intelligence chiefs warn are already being targeted by Russian hackers. And the response shows that election administrators are ready to move quickly if something goes awry.
“This is an example of how officials are prepared to deal with voter registration problems,” Norden told me. “Election officials are generally very good at thinking about what can go wrong and how to prevent such problems from keeping people from voting or having those votes count.”
The practical effect of the situation in Maryland mirrors some worst-case scenarios election security experts say could arise if hackers were to tamper with statewide voter registration databases. “The concern about tampering with voter registration databases is legitimate,” Norden said. “Moreover, registration databases have been successfully targeted in other countries.”
And it isn't far-fetched here. In the run-up to the 2016 presidential election, Russian hackers scanned election systems in 21 states and actually penetrated Illinois's voter database, though there’s no evidence they actually changed anything. Altering thousands of voters’ registration details could cause chaos at the polls, as some experts have warned.
The problem in Maryland stemmed from faulty voter registration software installed on the Motor Vehicle Administration website and kiosks, as the Baltimore Sun reports. When voters logged on to change their address or party affiliation, the system failed to send the updates to the Maryland Board of Elections.
Election officials discovered the flaw Friday, when an election worker who submitted a change of address didn't receive a new registration card, according to the Sun. By then, it was too late to update poll books ahead of today’s primary. Now, officials say they're notifying all the affected voters that they'll have to cast provisional ballots that won't be counted until July 5 at the earliest. Provisional ballots, which are identical to the actual ballots cast on Election Day, are typically used when there are questions about a voter's eligibility at the polls -- for instance, if a voter's name is misspelled.
Officials can learn from this to form a road map for how to respond if there's a digital intrusion, rather than a technical issue, that causes errors in voter registrations. “The impact could be very similar to what an intentional attack could be,” said David Becker, director of the Center for Election Innovation and Research, a nonprofit organization working to improve election administration.
Becker said that if a state were to get hit with such a hack, election officials would almost certainly catch any major anomalies before Election Day, which is what happened in Maryland. Early warning signs — including voters not receiving registration cards on time or data analytics showing unusual upticks in registration changes — could tip off officials in time for them to fix voter rolls ahead of time.
If voter rolls couldn't be corrected by Election Day, as in this case, provisional ballots offer a sound solution to make sure every vote is counted. “It's not Plan A,” Becker said, “but they are an incredibly effective way to make sure that the election itself isn’t disrupted and no voter is disenfranchised.”
What’s especially important about provisional ballots is that they come with a guarantee, according to Tammy Patrick, senior adviser at the bipartisan advocacy group Democracy Fund. Everyone who votes with them gets a receipt, and federal law requires election officials to tell each provisional ballot voter whether their vote was counted, and if not, provide an explanation why.
“If a voter who is otherwise eligible doesn’t have their name on voter rolls, it doesn’t matter — that voter still has a right to cast a provisional ballot,” Patrick told me.
A scenario similar to Maryland's played out in Los Angeles County during California’s primary earlier this month when a printing error left more than 100,000 names off of voting rosters. Officials responded by having them cast provisional ballots.
But the effect of a hack — or even a technical mishap — could sap voter confidence in a way that's far harder to remedy. Provisional ballots could take weeks to count, leaving voters in the dark about whether their votes were tallied. In that sense, what's happening in Maryland may serve as a call to action going into November.
“The biggest challenges are going to be responding to problems that are only discovered on Election Day, when there is less time to make sure that contingency plans are implemented quickly and successfully,” Norden said. “And because voter confidence is likely to be more of an issue in this election, we are going to need to learn to do an even better job of communicating both what the problem is and how we’re dealing with it.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: Facebook last month held a meeting at its headquarters in Menlo Park, Calif., with top tech companies and FBI and Department of Homeland Security officials tasked with preventing foreign interference in U.S. elections as the 2018 midterms approach, The Washington Post's Elizabeth Dwoskin and Ellen Nakashima report. Among the companies that attended the meeting were Google, Twitter, Apple, Microsoft, Snap and Oath. “An invitation for the 'election-protection' meeting from Facebook Chief Security Officer Alex Stamos said that it would focus on 'practical ways' that the companies could most effectively collaborate with law enforcement, including identifying appropriate points of contact and creating clear communication channels, according to a copy reviewed by the Washington Post,” Dwoskin and Nakashima write. “Tech companies say that they need help from law enforcement because the private sector is not always aware of threats picked up on by intelligence agencies.”
During the meeting, FBI officials provided information on the bureau's efforts to counter interference by foreign actors like Russia. DHS officials spoke about the agency's work with state and local officials to help secure election infrastructure. Facebook explained how it endeavors to combat interference in elections in the United States and abroad. “No intelligence and no classified material was shared at the meeting, according to a person familiar with the discussions,” my colleagues report. “The participants agreed that there were several key areas of concern that merited further discussion, including attacks on individuals, and any U.S. government discovery of foreign groups or campaigns attempting to influence democracy or elections.”
Christopher C. Krebs, the undersecretary of DHS’s National Protection and Programs Directorate who attended the meeting, told The Post that interference does not seem as widespread as it was during the 2016 presidential campaign. “We haven’t seen any real activities along the lines of what Russia did in 2016, but I don’t need to see that to do something,” Krebs said. “We’re full speed ahead. And the good news is the state and local election officials take this very seriously. They’re very much engaged.”
PATCHED: The city of Orlando announced Monday that it stopped using Amazon.com's facial-recognition technology but did not rule out resuming the pilot program later. “The City’s pilot with Amazon regarding the potential viability of their Rekognition technology ended last week,” according to a joint statement from the city of Orlando and the Orlando Police Department. “Staff continues to discuss and evaluate whether to recommend continuation of the pilot at a further date. At this time that process is still ongoing and the contract with Amazon remains expired.” The American Civil Liberties Union of Northern California last month said documents showed Amazon was selling Rekognition to law enforcement agencies in Orlando and Oregon for a handful of dollars. The revelation prompted concerns from civil rights groups, House lawmakers and a group of Amazon employees. (Amazon founder and chief executive Jeffrey P. Bezos is also the owner of The Washington Post.)
“The City of Orlando is always looking for new solutions to further our ability to keep our residents and visitors safe,” the statement from Orlando's city and police department said. “Partnering with innovative companies to test new technology — while also ensuring we uphold privacy laws and in no way violate the rights of others — is critical to us as we work to further keep our community safe.” The ACLU said in a tweet that Orlando made “the right move.”
After extensive public pressure, the city of Orlando just said that it’s no longer using @Amazon’s facial recognition software. That’s the right move — now Amazon should take the hint and stop selling it to governments everywhere. https://t.co/f1fvBlPyxz — ACLU (@ACLU) June 25, 2018
PWNED: Critical parts of the National Security Agency's massive surveillance apparatus are hiding in plain sight — in giant, windowless skyscrapers owned by AT&T in cities across the United States, the Intercept reports.
"Atlanta, Chicago, Dallas, Los Angeles, New York City, San Francisco, Seattle, and Washington, D.C. In each of these cities, The Intercept has identified an AT&T facility containing networking equipment that transports large quantities of internet traffic across the United States and the world," write Ryan Gallagher and Henrik Moltke. "A body of evidence – including classified NSA documents, public records, and interviews with several former AT&T employees – indicates that the buildings are central to an NSA spying initiative that has for years monitored billions of emails, phone calls, and online chats passing across U.S. territory."
“It’s eye-opening and ominous the extent to which this is happening right here on American soil,” Elizabeth Goitein, co-director of the Liberty and National Security Program at the Brennan Center for Justice, told the Intercept. “It puts a face on surveillance that we could never think of before in terms of actual buildings and actual facilities in our own cities, in our own backyards.”
— A Russian company accused by special counsel Robert S. Mueller III of spreading disinformation during the 2016 campaign claims that Mueller shouldn't even be investigating the matter. “Deputy Attorney General Rod Rosenstein improperly appointed Mueller and he lacked authorization of the U.S. Congress to investigate Russian meddling in the 2016 election, Concord Management and Consulting LLP argued Monday in court papers,” Bloomberg News's David Voreacos reports. “The deputy attorney general and the special counsel are attempting to exercise authority neither the Constitution nor Congress has conferred, and the court should dismiss the indictment to restore the checks and balances the constitution demands,” wrote Concord attorneys Eric Dubelier and Katherine Seikaly, as quoted by Voreacos.
— Mueller is also examining the communications of Erik Prince, the founder of the private security company Blackwater, ABC News's James Gordon Meek reports. A representative for Prince told Meek in a statement that Prince gave Mueller “total access to his phone and computer.” The Post reported last year that Prince took part in a secret meeting in the Seychelles with a Russian close to Russian President Vladimir Putin. “As Mr. Prince told the Daily Beast he has spoken voluntarily with Congress and also cooperated completely with the Special Counsel’s investigation, including by providing them total access to his phones and computer,” the Prince representative said in a statement, as quoted by Meek.
— The House on Monday approved a bill by Rep. Don Bacon (R-Neb.) that aims to help protect industrial control systems from hacking. The Department of Homeland Security “provides critical support to operators of industrial control systems (ICS), and my bill clarifies this responsibility so the Department can continue to identify and address threats to ICS in critical infrastructure,” Bacon said in a statement. “Any disruption or damage to critical infrastructure has the potential to cause catastrophic consequences to our nation’s public health and safety, economic security, and national security.”
— The cybersecurity company FireEye denies that it retaliated against Chinese hackers with hacks of its own. The firm released a statement Monday that disputed reporting by the New York Times's David E. Sanger in his new book, “The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age,” that FireEye subsidiary Mandiant hacked into cameras that the Chinese hacking group APT1 was using, the Hill's Morgan Chalfant reports. “Mr. Sanger's description of how Mandiant obtained some of the evidence underlying APT1 has resulted in a serious mischaracterization of our investigative efforts,” FireEye said in a statement. “Specifically, Mr. Sanger suggests our '… investigators reached back through the network to activate the cameras on the hackers' own laptops.' We did not do this, nor have we ever done this. To state this unequivocally, Mandiant did not employ 'hack back' techniques as part of our investigation of APT1, does not 'hack back' in our incident response practice, and does not endorse the practice of 'hacking back.' ”
FireEye also said Sanger may have misinterpreted videos that the company used in its report on Chinese hackers. “FireEye suggested Monday that Sanger may have mistakenly concluded that the company breached the hackers’ computers while viewing videos the company compiled showing hackers interacting with malware command and control servers,” Chalfant writes. Sanger told CyberScoop's Chris Bing in an email that “Mandiant now says that all those images came from 'consensual monitoring'.” “While that wasn’t my understanding at the time, passive monitoring is a reasonable explanation of how the company came to link the hacks to specific individuals, several of whom have since been indicted by the United States,” Sanger added.
— Law enforcement officials are considering whether to break into iPhones without a warrant to beat a security feature announced this month by the tech giant, Motherboard's Joseph Cox reports. With this security upgrade, called USB Restricted Mode, an iPhone's Lightning port will serve merely to charge the device if the phone has not been unlocked within the past hour. (I recently wrote about this new security feature and the debate that ensued.)
“That ticking clock is causing law enforcement officials to at least explore the possibility of using warrantless unlocks to more quickly download data from a device, although they may then obtain a warrant to examine the data itself, according to a document obtained by Motherboard,” Cox writes. “By leveraging a legal exemption known as exigent circumstances — used in emergencies to avoid the deletion of evidence, or to prevent imminent danger to life — police officers may argue they can unlock and siphon data from an iPhone without first obtaining a warrant.” Law enforcement officials may not necessarily seek to resort to the concept of exigent circumstances to access data from an iPhone, according to Cox. Motherboard previously reported that the company Grayshift may have found a way to bypass Apple's new security mode.
— Cybersecurity experts worry that hackers may set their sights on Mexico’s upcoming presidential election, according to Bloomberg News’s Eric Martin. Mexicans will vote with paper ballots but computer systems will transmit election results. Ron Bushar, Mandiant’s vice president of government solutions, told Martin that “the outcome of an election almost doesn’t matter” to those who carry out cyberattacks. Hackers are looking at “calling into question the legitimacy (of the process) or creating a lot of tension between the political parties,” Bushar said. Martin notes that then-national security adviser H.R. McMaster said in December that there was evidence that Russia was interfering in the Mexican campaign. Additionally, recent hacking of financial institutions has heightened the fear of cyberattacks ahead of the election. “The state-owned export promotion bank Bancomext suffered an attempted cyber theft of $110 million in January,” Martin writes. “In April and May, hackers succeeded in infiltrating five financial institutions including Grupo Financiero Banorte SAB and stole at least $15 million from lenders.”
— Romanian Defense Minister Mihai Fifor said on Monday that Russia is carrying out cyberattacks against his country and interferes in Romania’s political affairs, the Associated Press’s Alison Mutler reports. “Fifor, 48, who was previously economy minister, said Romania was facing ‘interference in the political zone, interference with minorities... and economic war,’ that included opposition to the building of a pipeline that will lessen dependence on Russian gas,” Mutler writes.
- Karen S. Evans, Trump’s nominee for assistant secretary of energy for cybersecurity, energy security and emergency response at the Energy Department, appears before the Senate Energy Committee for her confirmation hearing.
- Senate Judiciary subcommittee hearing on protecting elections.
- Two House Science subcommittees hold a hearing on artificial intelligence.
- The Council on Foreign Relations holds a discussion on the future of data privacy.
- Tennessee Digital Government Summit in Nashville.
- The New York City Bar Association organizes a panel discussion on the legal challenges from the Internet of Things in New York.
- House Science subcommittee hearing on IMSI catchers tomorrow.
- The Information Technology and Innovation Foundation holds a panel on encryption in Washington on June 28.
- SIA GovSummit in Washington tomorrow through June 28.
- Cyber Security Summit: DC Metro in McLean, Va., on June 28.
- National Homeland Security Conference in New York on July 9 through July 12.
- National Association of Secretaries of State 2018 Summer Conference on July 13 through July 16 in Philadelphia.