A plan released this week by a Stanford University group that includes former top government and tech industry officials aims to be the equivalent of the 9/11 Commission report for election security.
Like the 9/11 report, which fundamentally reorganized the nation’s homeland security and intelligence structure after the Sept. 11, 2001, terrorist attacks, “Securing American Elections” aims big. It argues Russia’s 2016 election interference operation was an attack on fundamental American values, and should provoke the government and private sector to step up “defenses against efforts to erode confidence in democracy.”
The report’s 108 pages include 45 recommendations ranging from securing voting systems and combating online disinformation campaigns to negotiating major election security norms with allies and punishing adversaries who violate them.
Like the 9/11 commission leaders who spent years pushing the government to fully implement their reforms amid partisan bickering, this group is preparing for a fierce lobbying campaign to turn its recommendations into reality, said Nate Persily, a report author and director of Stanford’s Cyber Policy Center.
That will be an uphill climb. “We’re not naive. We recognize that the topic of Russian intervention in the 2016 election provokes a partisan reaction and there’s a partisan allergy to some types of recommendations,” Persily told me. “But we believe Democrats and Republicans can unite around what are some common-sense reforms.”
Persily, who was the senior research director on a bipartisan commission that recommended election administration reforms after the 2012 election, will be in Washington next week to urge lawmakers from both parties to turn the report’s recommendations into law.
The report authors, who include Michael McFaul, U.S. ambassador to Russia during the Barack Obama administration, and former Facebook chief security officer Alex Stamos, also plan to lobby state and local officials on many of their election-security recommendations, Persily said. They will urge them to voluntarily adopt protections that congressional Republicans are wary of forcing on them.
Those recommendations include having paper trails for all ballots, conducting post-election audits and inviting ethical hackers to probe their voting systems for vulnerabilities.
They also will be urging Democratic and Republican party officials to include many recommendations in their party platforms in 2020.
Some other key election-security recommendations include ensuring significant and regular funding for securing election infrastructure and allowing political parties to provide cybersecurity assistance for state parties and political candidates. That last measure mirrors a bill Sen. Ron Wyden (D-Ore.) introduced in March.
Other broader recommendations are aimed at improving cooperation across Internet companies to combat disinformation and sending signals to Russia and other adversaries that they will face serious consequences for disrupting future elections.
The authors hope to push through significant changes before the 2020 election, Persily told me, though they realize many of the recommendations will be tough sells because of partisan discord.
Congress has not passed any major election reforms since the attacks, and Republicans are highly wary of imposing any election security requirements out of concerns about impinging on states' authority to run elections.
And unlike the 9/11 Commission, which was appointed by President George W. Bush and Congress in 2002, the Stanford team also lacks official government backing. That backing is what gave such impact to the recommendations the commission published in its final report in 2004 after more than a year of investigation.
Still, the Stanford group plans to keep lobbying for its recommendations even after 2020, Persily told me, with the expectation that many of the ideas might become less partisan over time.
He echoed several Republican lawmakers such as Sen. Marco Rubio (Fla.) in warning that, while Russia’s efforts in 2016 were aimed at damaging Democratic candidate Hillary Clinton, future interventions could be aimed at hurting Republicans.
“It would be a shame if we need to have election interventions by foreign countries that damage both parties before we have bipartisan reforms,” Persily told me. “I’m hopeful that before the next disaster, we’ll have reforms.”
PINGED: The Department of Homeland Security will conduct a forensic analysis of laptops used by Durham County, N.C., in the 2016 election, amid concerns they might have been penetrated by Russian hackers, my colleague Neena Satija reports.
The move comes 18 months after state officials first requested the investigation based on the suspicion that problems with electronic tools used to check in the city’s voters were tied to an August 2016 hacking attempt against its vendor, VR Systems.
And it comes six weeks after the report from special counsel Robert S. Mueller III first revealed that Russian government hackers “installed malware on the company network” of an unnamed voter registration technology vendor. VR told Neena that it believes it’s the company referenced in the report but denied its technology was compromised.
New revelations about the company's cybersecurity practices have raised serious concerns. Kim Zetter reported for Politico that for several hours on the day before the election, the company used remote-access software to repair issues with Durham's polling books and download the state's voter list. Election Systems and Software, a vendor used by several other states, has come under lawmaker scrutiny for similar practices.
“If poll books are compromised, this can selectively disenfranchise voters, create long lines at polling places and cast doubt on the legitimacy of election results,” Matt Blaze, a cryptography professor at Georgetown University, told Zetter.
On Election Day, Durham County poll workers dealt with seeming technology glitches that marked some voters as having already voted and prompted unnecessary ID checks for others.
Here are details from Zetter:
The remote-access in Durham wasn't an isolated incident, as my story notes. It was common practice for VR Systems to do this if a customer needed troubleshooting and VR couldn't send someone in person. VR Systems software is used in 8 states, including 64 of Florida's 67 counties — Kim Zetter (@KimZetter) June 5, 2019
Sen. Ron Wyden (D-Ore.) slammed the Department of Homeland Security's long delay in investigating the Durham laptops.
When foreign government hackers probe your election systems, it shouldn’t take THREE YEARS to examine the evidence to ensure it never happens again. We need mandatory cybersecurity standards to secure our elections before it’s too late. https://t.co/EeejHnJQCi — Ron Wyden (@RonWyden) June 5, 2019
Wyden introduced a bill last month that would mandate states to use hand-marked paper ballots alongside other election-security measures he said would have prevented the situation.
PATCHED: Sen. Ron Wyden (D-Ore.) wants to know if the Justice Department has ever had any of its secret hacking tools stolen, according to a letter he sent Wednesday to Attorney General William Barr that was shared with The Cybersecurity 202.
The letter also asks how many hacking tools used by Justice divisions, including the FBI and Drug Enforcement Administration, were purchased from foreign companies and if the agencies have audited them to ensure they’re not beaconing information back to their creators.
The CIA and NSA have both lost control of dangerous hacking tools in recent years, including NSA’s powerful EternalBlue tool, which has been used in numerous hacking operations, including North Korea’s 2017 WannaCry attack, which compromised computers in more than 150 countries and cost billions of dollars.
Though it doesn’t hoard as many hacking tools as intelligence agencies, Justice Department agencies also control powerful malicious software that could be dangerous if it fell into hackers’ hands. Most notably, the FBI purchased a secret tool that bypasses the passcode lock on some iPhones after it was unable to crack into the phone used by San Bernardino shooter Syed Farook in 2015.
PWNED: It’s going to cost Baltimore at least $18 million to recover from the malware attack that’s frozen many city services for nearly a month now, Ars Technica’s Sean Gallagher reported.
That includes $10 million for the cleanup operation plus another $8 million in revenue lost when the city couldn’t process payments, according to a press briefing from Mayor Bernard “Jack” Young and his Cabinet, Gallagher reported.
Put another way, that’s more than 25 times the $700,000 ransom the hackers reportedly requested.
As is common practice, the FBI discouraged Baltimore from paying the ransom, said the mayor's deputy chief of staff for operations, Sheryl Goldstein.
“The recovery remains in its early stages, with less than a third of city employees issued new log-in credentials thus far and many city business functions restricted to paper-based workarounds,” Gallagher reported.
A new study sheds light on the complex tactics and extensive Twitter footprint of Russia's main Internet troll group, which wreaked havoc on the 2016 election and has continued to attempt to influence U.S. politics.
The Internet Research Agency created Twitter accounts nearly half a year before using them in its online disinformation operation aimed at undermining the 2016 presidential election, an analysis released Wednesday by Symantec found. It created its first accounts for the effort in 2014 and most remained active for just 429 days, the report said. Reports presented to the U.S. Senate have traced IRA activity about U.S. politics to as early as 2013.
Like other analyses of IRA accounts conducted since 2016, the Symantec report found that accounts represented views across the political divide, with some accounts tweeting seemingly apolitical news. The most active account, which posed as an unofficial representative of the Tennessee Republicans, was retweeted more than 6 million times.
However, the report found that the majority of accounts in the pool were created to amplify a core group of just 123 accounts that all had at least 10,000 followers.
The company had to retract a claim that a small number of the Russian bot accounts earned over $1 million by using monetized URL shorteners.
UPDATE: Symantec says it has removed the section with ad revenue estimates from its report. Good! I hope the company also notifies reporters who cited the $1m figure so they can remove this info from their stories and notify readers as well. https://t.co/kQloSOR22n — Craig Silverman (@CraigSilverman) June 5, 2019