Not long ago, lawmakers might have been wary about showcasing the work of hackers who specialize in penetrating voting equipment. But on Thursday, organizers from the Def Con Voting Village — a collection of security researchers who hack election systems in hopes of making them more secure — received a warm welcome on Capitol Hill.
The organizers were in town to unveil a new report identifying vulnerabilities in several widely used voting machines they tested during the Def Con hacking conference in Las Vegas over the summer, including a flaw in a vote tabulator that could allow a malicious actor to hack it remotely. They presented their findings in a meeting hosted by Rep. Jackie Speier (D-Calif.) and attended by staffers from the offices of Sen. Amy Klobuchar (D-Minn.), who is sponsoring an election security bill, and several other Democrats.
The event highlights how the cybersecurity experts behind the Voting Village, which is only in its second year, are reaching beyond the niche and often apolitical community of Def Con in hopes of influencing the debate over how to secure the country’s election systems. The issue has received a wave of new attention since the 2016 election, when Russian hackers probed election administration systems in 21 states.
“What we’ve come to realize in the last two years is that, where there used to be a separation between cybersecurity and policy -- there isn’t anymore,” Voting Village co-organizer Jake Braun told me. “Washington’s political space is becoming one of those centers of gravity for cyber. We have to engage on all fronts, or else we lose.”
A “staggering” number of vulnerabilities exist in the country's voting systems, the Voting Village report warns. One machine used to count votes in 26 states, for example, contained a decade-old flaw that could allow malicious actors to infect it with malware, according to the report. The same machine could be hacked without requiring the attacker to have physical access, the report found. Another machine used in at least 15 states could be hacked with a pen in two minutes — a third of the time the average voter spends casting a ballot.
The organizers said the findings underscored the need for Congress to create basic cybersecurity standards for election equipment and send more money for states to upgrade their election infrastructure. “This is not an election administration issue, this is a national security issue,” Braun said at the meeting. “This body needs to act and fund a dramatic overhaul.”
The report is part of a broader effort by Voting Village organizers to convince officials to take action. Over the summer, they hosted more than a dozen staffers from the Senate Homeland, Rules and Intelligence committees at this year’s Def Con conference, Braun told me. They also spent nearly $25,000 as part of a push to get election officials from around the country to attend the conference. In Washington, experts from the Voting Village meet regularly with lawmakers and staff to advise on election security issues. And their communications team has worked overtime to get the word out about their findings.
Voting machine vendors and some state election officials have criticized the Voting Village's work, saying the simulated hacks on election systems don't reflect what could actually happen on Election Day.
But some lawmakers are listening. Reps. Bennie Thompson (D-Miss.) and Robert A. Brady (D-Pa.), co-chairs of the Congressional Task Force on Election Security, thanked the Voting Village for its work in a statement Thursday, saying it “once again ably demonstrated that our voting systems are at grave risk.” So did Speier, who said in the meeting that the Voting Village’s report should “put pressure on Congress as a whole” to set cybersecurity standards for election equipment.
President Trump’s former White House cybersecurity coordinator, Rob Joyce, has also gone to bat for the Voting Village. He lauded its work in the Cipher Brief Thursday. “They’ve made incredible contributions, and are offering advancements for federal, state, and local election programs, as well as insights for the manufacturers of voting technology,” he wrote.
Joyce, now a top cybersecurity official at the National Security Agency, also offered some words of advice: “While Def Con continues to foster a venue to investigate election infrastructure in the Voting Village, the focus cannot simply be about calling out the state of security in our current technology. Rather the result needs to be developing tangible actions that lead to collaborations that will make us more secure.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: Karen Evans, a top cybersecurity official at the Energy Department, told a House Energy and Commerce subcommittee that America's energy infrastructure is a “primary target” for cyberattacks from state-sponsored actors and private groups. “The frequency, scale, and sophistication of cyber threats have increased and attacks can be much easier to launch,” Evans, the assistant secretary for the Office of Cybersecurity, Energy Security, and Emergency Response (CESER) at the Energy Department, told lawmakers in her opening remarks at the hearing. “Cyber incidents have the potential to interrupt energy services, damage highly specialized equipment and threaten human health and safety.”
Energy Secretary Rick Perry announced the creation of CESER in February to increase efforts to protect U.S. energy infrastructure. “The creation of CESER elevates the department’s focus on the energy infrastructure protection and will enable a more coordinated preparedness and response to cyber and physical threats and natural disasters with the private sector as well as federal, state and local government partners,” Evans told lawmakers. She also said that “energy cybersecurity and resilience” is among the United States’ “most important security challenges.” Asked by Rep. Jerry McNerney (D-Calif.) whether she was confident that U.S. utilities are sufficiently protected from Russian and North Korean cyberattacks, Evans replied: “So, since you asked me: ‘Do I feel confident?’ The answer would be no.”
PATCHED: A bipartisan group of senators wants the federal government to embrace artificial intelligence. Sens. Kamala D. Harris (D-Calif.), Cory Gardner (R-Colo.), Brian Schatz (D-Hawaii) and Rob Portman (R-Ohio) introduced a bill to help formalize how the federal government researches and uses artificial intelligence. The bill, titled Artificial Intelligence (AI) in Government Act, would enable the General Services Administration to carry out research on federal AI policy and would create a panel to advise executive agencies about it, according to a news release from Schatz's office. The bill would also direct the Office of Management and Budget to draw up a strategy for investing in AI.
“Our bill will bring agencies, industry, and others to the table to discuss government adoption of artificial intelligence and emerging technologies,” Gardner said in a statement. “We need a better understanding of the opportunities and challenges these technologies present for federal government use and this legislation would put us on the path to achieve that goal.” In a statement, Harris said that the “bill will help develop the policies to ensure that society reaps the benefits of these emerging technologies, while protecting people from potential risks, such as biases in AI.”
PWNED: “The U.S. Secret Service is warning financial institutions about a recent uptick in a form of ATM skimming that involves cutting cupcake-sized holes in a cash machine and then using a combination of magnets and medical devices to siphon customer account data directly from the card reader inside the ATM,” Brian Krebs, the author of the computer security website KrebsOnSecurity.com, reported on Thursday. “According to a non-public alert distributed to banks this week and shared with KrebsOnSecurity by a financial industry source, the Secret Service has received multiple reports about a complex form of skimming that often takes thieves days to implement.”
There are ways for people to protect themselves from those attacks, which are also known as ATM wiretapping or eavesdropping. “Overall, it’s getting tougher to spot ATM skimming devices, many of which are designed to be embedded inside various ATM components (e.g., insert skimmers),” according to Krebs, who is a former Washington Post reporter. “It’s best to focus instead on protecting your own physical security while at the cash machine. If you visit an ATM that looks strange, tampered with, or out of place, try to find another machine. Use only ATMs in public, well-lit areas, and avoid those in secluded spots.” Krebs also urged readers to cover the ATM’s keypad with their free hand as they enter their PINs.
— Rep. Adam B. Schiff (D-Calif.), the ranking Democrat on the House Intelligence Committee, said the panel's Democratic members have asked for a briefing about Trump's claims that China is seeking to interfere in the U.S. midterm elections, the Hill's Morgan Chalfant reported on Thursday. “We have requested to be briefed on what he was referring to,” Schiff told Chalfant. “We expect that we will, before we recess, have the opportunity to ask just what he is talking about.”
— “The House Judiciary Committee issued a subpoena Thursday for former FBI deputy director Andrew McCabe’s memos as well as the supporting documents the FBI used in its application to conduct surveillance on former Trump campaign adviser Carter Page,” The Post's Karoun Demirjian reported. My colleague wrote that the subpoena demands “that the Justice Department furnish ‘all documents supporting’ claims the FBI made in its application to conduct surveillance on Page, as well as documents from the department’s probe of Russian interference during the 2016 elections that were previously shared with the ‘Gang of Eight’ — a bipartisan group of congressional and intelligence committee leaders who receive the highest-level classified intelligence briefings in Congress.”
— More cybersecurity news from the public sector:
— “Estonian police are seeking to recover 152 million euros ($178 mln) in a lawsuit filed on Thursday against digital security firm Gemalto, following a recall last year when security flaws were found in citizen ID cards produced by the firm,” Reuters reported. “The vulnerabilities to hacker attacks found in government-issued ID cards supplied by the Franco-Dutch company marked an embarrassing setback for Estonia, which has billed itself as the world’s most digitalised ‘e-government.’”
- Washington Post Live Cybersecurity Summit 2018 on Tuesday.
- U.S. Election Assistance Commission Election Readiness Summit on Wednesday.