with Bastien Inzaurralde
“I read these responses as showing the public has a fairly nuanced and sophisticated understanding of the risks we face,” said Lawrence Norden, an election security expert at the Brennan Center’s Democracy Program. “I think the majority of respondents have it right: The risks we face are risks, and we shouldn't overstate them. At the same time, the risks are real, and we should be taking measures that would reduce them, such as replacing paperless electronic systems with systems that read paper ballots.”
The poll, which interviewed 777 registered voters from Sept. 5-9, is among the first to gauge voters' attitudes on specific digital security questions as officials scramble to prevent a repeat of Moscow’s hacking and disinformation campaigns that rattled the 2016 presidential race. Congress has given states money to buy new voting equipment and pay for other upgrades to their election systems, but legislation that would incentivize states to switch to paper ballots has stalled in the Senate.
Yet the increased awareness of security threats also shows voter confidence in the democratic process is taking a hit: About a third said Russia or another adversary is likely to change vote results, even though there's no evidence of this happening. And more broadly, nearly 40 percent of voters said they don’t believe elections are fair, with sharp divisions along party and racial lines.
Here are a few key takeaways from the poll:
— Voters don't believe foreign interference in vote counts is so likely. The poll found 68 percent of registered voters do not believe it's likely that a foreign country would tamper with the votes cast during the midterms to change the outcome. That includes 96 percent of Republicans, 55 percent of Democrats and 66 percent of independents. The numbers are largely a bright spot for election officials, who have consistently fought to dispel claims that malicious actors could change people’s votes. Officials say there’s no evidence this happened in 2016. And experts say vote tampering would be prohibitively difficult to carry out on a significant scale.
— Registration databases are seen as a more likely target. The threat here is clear: National security officials say Russian hackers targeted online voter rolls in 21 states ahead of the 2016 election, breaching a database in Illinois. According to the poll, more than 40 percent of voters said it was likely that something akin to this would happen again — that a foreign country would “hack into voter lists to cause confusion about who can and cannot vote” in the midterms. Fifty-five percent said this wasn’t likely to happen. Many state officials say they've made it a priority to improve the security of their voter registration databases after Russian hackers stole hundreds of thousands of voter records from Illinois.
The fact that some poll respondents appeared to draw a distinction between vote manipulation and attacks on voter lists was a positive sign, said Adam Ambrogi, program director at the bipartisan Democracy Fund, which promotes election security. “To me, that does indicate that people are following in some ways where the current challenges have been,” he told me. “It shows that people are responding to the evidence that’s out there instead of getting the frame that everything is vulnerable and everything can be manipulated.”
— Paper ballots polled far better than electronic voting machines. Election officials, security experts and some lawmakers in Congress agree that the country should phase out its electronic touch screen voting machines in favor of paper ballot systems, which are easy to audit and can’t be hacked. The poll found 68 percent of voters — including strong majorities of Democrats, Republicans and independents — said paper ballots would make U.S. elections more safe from interference. On the other hand, just 35 percent of voters said touch screen machines would make elections more safe, while 55 percent said touch screen machines would make elections less safe.
— Voters believe more social media disinformation is coming. More than two-thirds of voters said it was likely that Russia would use social media to spread false information about candidates in the midterms, according to the poll. And they were pessimistic that social media companies were addressing it: majorities said Facebook and Twitter had done “not very much” or “nothing at all” to prevent election interference this year.
— But voters showed some confidence in federal agencies and state officials. More than 50 percent of voters said the FBI and state election officials had done “a great deal” or a “good amount” to combat interference, and nearly half said the same of the Department of Homeland Security. But they were unsatisfied with President Trump and Republicans and Democrats in Congress: majorities said they'd done not very much or nothing at all, according to the poll.
| You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news. | |
| Not a regular subscriber? | |
|
PINGED, PATCHED, PWNED
PINGED: Georgia won’t have to stop using electronic voting machines for the midterms. “A federal judge in Atlanta denied a motion Monday night to force the state of Georgia to switch from electronic touchscreen machines to paper ballots for the Nov. 6 midterm elections,” The Washington Post’s Ellen Nakashima reported. “But in doing so, U.S. District Judge Amy Totenberg warned state and county officials that ‘further delay is not tolerable’ in ‘confronting and tackling the challenges before the state’s election balloting system.’ And she indicated that in the future she would be prepared to rule that Americans have a right to cast a vote in a way that can’t be hacked.” Georgia is among five states that rely on entirely paperless electronic voting.
Totenberg wrote in a 46-page opinion that switching to paper ballots now could hamper the election process. “While [the] plaintiffs have shown the threat of real harms to their constitutional interests, the eleventh-hour timing of their motions and an instant grant of the paper ballot relief requested could just as readily jeopardize the upcoming elections, voter turnout, and the orderly administration of the election,” Totenberg wrote, as quoted by Ellen. Moreover, my colleague reported that even though “Totenberg denied the motion for a preliminary injunction for November, she has not yet ruled on the underlying claims, which seek to wean Georgia entirely off paperless touchscreen machines.”
PATCHED: Delaware state lawmakers on Monday approved a $13 million contract to upgrade the state's election systems with new voting machines and new systems to register voters, the Delaware News Journal's Scott Goss reported. Delaware is among five states that rely exclusively on paperless direct-recording electronic voting machines. “All of the new equipment will be supplied by Election Systems & Software, including roughly 1,500 of the Nebraska-based company’s new ExpressVote XL machines,” Goss wrote. “State officials say those systems will provide the first, verifiable paper trail of Delaware voters’ ballots in decades and allow for a full audit of election results — something not possible under the current system.”
The voting machines currently in use in Delaware were first rolled out in 1996, according to the News Journal. Here is how the new machines will work: “Starting with municipal and school board elections in 2019, voters will receive a blank paper ballot that they will load into one of the new voting machines,” Goss wrote. “Once inside the polling booth, voters will make their choices on an electronic screen before verifying their vote, which the machine will transfer to the paper ballot. Voters then will be able to examine the paper ballot for accuracy before the machine drops it into a locked box once they are finished.”
PWNED: Facebook is expanding its bug bounty to reward reports of vulnerabilities in third-party apps and services that connect to the accounts of the social network's users, Wired's Lily Hay Newman reported Monday. “The bounty expansion will specifically focus on third-party bugs that relate to exposure of ‘user access tokens,’ the credential that allows apps to interface with Facebook accounts, and that could be exploited to gain inappropriate types of access,” according to Wired. “For example, researchers have found things like personality quiz services, and JavaScript components in apps, that invasively track user data or pilfer information.”
Dan Gurfinkel, security engineering manager at Facebook, wrote in a post on Monday that the company will reward reports of vulnerabilities according to their “impact .” The minimum amount for rewards will be $500 per vulnerable app or website. “Facebook says it will only accept submissions in which a researcher discovered a bug by passively using a third-party service, and noticing it sending data improperly to or from their device,” Wired reported. “‘You are not permitted to manipulate any request sent to the app or website from your device,’ Gurfinkel writes. This means that certain common — and potentially severe — types of vulnerabilities, like authorization bypass and unvalidated redirect bugs that hackers can use to get around authentication requirements, are out of scope.”
PUBLIC KEY
— “The State Department recently suffered a breach of its unclassified email system, and the compromise exposed the personal information of a small number of employees, according to a notice sent to the agency’s workforce,” Politico's Eric Geller and Nahal Toosi reported Monday. “State described the incident as ‘activity of concern … affecting less than 1% of employee inboxes’ in a Sept. 7 alert that was shared with Politico and confirmed by two U.S. officials.”
The State Department confirmed the breach to Politico. “‘This is an ongoing investigation and we are working with partner agencies, as well as the private sector service provider, to conduct a full assessment,’ spokeswoman Nicole Thompson said in an email,” Geller and Toosi wrote. The Sept. 7 alert also indicated that the department has not found any breach in its classified email system.
— “The Education Department office that oversees student loan issues isn’t effectively monitoring cybersecurity vulnerabilities among the third parties it shares students’ personal information with, including collection agencies, according to a watchdog report released Monday,” Nextgov's Joseph Marks reported. “In general, the Federal Student Aid office is most closely monitoring the security of collection agencies and third-party servicers of federal student loans, according to the Government Accountability Office report. The office is exercising less oversight over private student loan providers, such as banks and credit unions, and guaranty agencies that insure student loan, the report found.”
— More cybersecurity news from the public sector:
PRIVATE KEY
SECURITY FAILS
THE NEW WILD WEST
— “U.S. Defense Secretary Jim Mattis accused Russia on Monday of attempting to influence the outcome of a referendum in Macedonia on changing the country’s name that would open the way for it to join NATO and the European Union,” Reuters's Idrees Ali reported. Mattis said that the United States and Macedonia “plan to expand our cybersecurity cooperation to thwart malicious cyber activity that threatens both our democracies.”
— More cybersecurity news from abroad:
FOR THE N00BS
ZERO DAYBOOK
Today
- Security of Things World USA conference in San Diego.
- CrowdStrike Cybersecurity Conference in Miami through tomorrow.
- Air Force Association’s Air, Space & Cyber Conference in National Harbor, Md., through tomorrow.
- Senate Armed Services subcommittee closed hearing on “interagency coordination in the protection of critical infrastructure.”
EASTER EGGS
Kavanaugh and his accuser offer to testify as allegation roils Washington:
In these N.C. beach towns, some residents stayed behind. Here’s what Florence left them:
Trucker uses school bus to evacuate 64 pets from Florence's path: