The Washington Post

The Cybersecurity 202: Stanford group calls for major overhaul on election security. Here are their recommendations

with Tonya Riley


A plan released this week by a Stanford University group that includes former top government and tech industry officials aims to be the equivalent of the 9/11 Commission report for election security.

Like the 9/11 report, which fundamentally reorganized the nation’s homeland security and intelligence structure after the Sept. 11, 2001, terrorist attacks, “Securing American Elections” aims big. It argues Russia's 2016 election interference operation was an attack on fundamental American values, and should provoke the government and private sector to step up "defenses against efforts to erode confidence in democracy.” 

The report’s 108 pages include 45 recommendations ranging from securing voting systems and combating online disinformation campaigns to negotiating major election security norms with allies and punishing adversaries who violate them.

Like the 9/11 commission leaders who spent years pushing the government to fully implement their reforms amid partisan bickering, this group is preparing for a fierce lobbying campaign to turn its recommendations into reality, said Nate Persily, a report author and director of Stanford’s Cyber Policy Center.

That will be an uphill climb. “We’re not naive. We recognize that the topic of Russian intervention in the 2016 election provokes a partisan reaction and there’s a partisan allergy to some types of recommendations,” Persily told me. “But we believe Democrats and Republicans can unite around what are some common-sense reforms.”

Persily, who was the senior research director on a bipartisan commission that recommended election administration reforms after the 2012 election, will be in Washington next week to urge lawmakers from both parties to turn the report’s recommendations into law.

The report authors, who include Michael McFaul, U.S. ambassador to Russia during the Barack Obama administration, and former Facebook chief security officer Alex Stamos, also plan to lobby many of their election-security recommendations to state and local officials, Persily said. They will urge them to voluntarily adopt protections that congressional Republicans are wary of forcing on them.

Those recommendations include having paper trails for all ballots, conducting post-election audits and inviting ethical hackers to probe their voting systems for vulnerabilities.

They also will be urging Democratic and Republican party officials to include many recommendations in their party platforms in 2020.

Some other key election-security recommendations include ensuring significant and regular funding for securing election infrastructure and allowing political parties to provide cybersecurity assistance for state parties and political candidates. That last measure mirrors a bill Sen. Ron Wyden (D-Ore.) introduced in March. 

Other broader recommendations are aimed at improving cooperation across Internet companies to combat disinformation and sending signals to Russia and other adversaries that they will face serious consequences for disrupting future elections.

The authors hope to push through significant changes before the 2020 election, Persily told me, though they realize many of the recommendations will be tough sells because of partisan discord.

Congress has not passed any major election reforms since the attacks, and Republicans are highly wary of imposing any election security requirements out of concern about impinging on states' authority to run elections.

And unlike the 9/11 Commission, which was appointed by President George W. Bush and Congress in 2002, the Stanford team lacks official government backing. That backing is what gave such impact to the recommendations the commission published in its final report in 2004 after more than a year of investigation.

Still, the Stanford group plans to keep lobbying for their recommendations even after 2020, Persily told me, with the expectation that many of the ideas might become less partisan over time.

He echoed several Republican lawmakers such as Sen. Marco Rubio (Fla.) in warning that, while Russia’s efforts in 2016 were aimed at damaging Democratic candidate Hillary Clinton, future interventions could be aimed at hurting Republicans.

“It would be a shame if we need to have election interventions by foreign countries that damage both parties before we have bipartisan reforms,” Persily told me. “I’m hopeful that before the next disaster, we’ll have reforms.”


PINGED: The Department of Homeland Security will conduct a forensic analysis of laptops used by Durham County, N.C., in the 2016 election, amid concerns they might have been penetrated by Russian hackers, my colleague Neena Satija reports.

The move comes 18 months after state officials first requested the investigation based on the suspicion that problems with electronic tools used to check in the city’s voters were tied to an August 2016 hacking attempt against its vendor, VR Systems.

And it comes six weeks after the report from special counsel Robert S. Mueller III first revealed that Russian government hackers “installed malware on the company network” of an unnamed voter registration technology vendor. VR told Neena that it believes it’s the company referenced in the report but denied its technology was compromised.

New revelations about the company's cybersecurity practices have raised serious concerns. Kim Zetter reported for Politico that for several hours on the day before the election, the company used remote-access software to repair issues with Durham's polling books and download the state's voter list. Election Systems and Software, a vendor used by several other states, has come under lawmaker scrutiny for similar practices.

“If poll books are compromised, this can selectively disenfranchise voters, create long lines at polling places and cast doubt on the legitimacy of election results," Matt Blaze, a cryptography professor at Georgetown University, told Zetter.

On Election Day, Durham County poll workers dealt with seeming technology glitches that marked some voters as having already voted and prompted unnecessary ID checks for others.

Sen. Ron Wyden (D-Ore.) slammed the Department of Homeland Security's long delay in investigating the Durham laptops.

Wyden introduced a bill last month that would mandate states to use hand-marked paper ballots alongside other election-security measures he said would have prevented the situation.


PATCHED: Sen. Ron Wyden (D-Ore.) wants to know if the Justice Department has ever had any of its secret hacking tools stolen, according to a letter he sent Wednesday to Attorney General William Barr that was shared with The Cybersecurity 202.

The letter also asks how many hacking tools used by Justice divisions, including the FBI and Drug Enforcement Administration, were purchased from foreign companies and if the agencies have audited them to ensure they’re not beaconing information back to their creators.

The CIA and NSA have both lost control of dangerous hacking tools in recent years -- including NSA’s powerful EternalBlue tool, which has been used in numerous hacking operations, including North Korea’s 2017 WannaCry attack, which compromised computers in more than 150 countries and cost billions of dollars.

Though it doesn’t hoard as many hacking tools as intelligence agencies, Justice Department agencies also control powerful malicious software that could be dangerous if it fell into hackers’ hands. Most notably, the FBI purchased a secret tool that bypasses the passcode lock on some iPhones after it was unable to crack into the phone used by San Bernardino shooter Syed Farook in 2015.

PWNED: It’s going to cost Baltimore at least $18 million to recover from the malware attack that’s frozen many city services for nearly a month now, Ars Technica’s Sean Gallagher reported.

That includes $10 million for the cleanup operation plus another $8 million in revenue lost when the city couldn’t process payments, according to a press briefing from Mayor Bernard “Jack” Young and his Cabinet, Gallagher reported.

Put another way, that’s more than 25 times the $700,000 ransom the hackers reportedly requested.

As is common practice, the FBI discouraged Baltimore from paying the ransom, said the mayor's deputy chief of staff for operations, Sheryl Goldstein.

“The recovery remains in its early stages, with less than a third of city employees issued new log-in credentials thus far and many city business functions restricted to paper-based workarounds,” Gallagher reported.


-- A new study sheds light on the complex tactics and extensive Twitter footprint of Russia's main Internet troll group, which wreaked havoc on the 2016 election and has continued to attempt to influence U.S. politics.

The Internet Research Agency created Twitter accounts nearly half a year before using them in its online disinformation operation aimed at undermining the 2016 presidential election, an analysis released Wednesday by Symantec found. It created its first accounts for the effort in 2014 and most remained active for just 429 days, the report said. Reports presented to the U.S. Senate have traced IRA activity about U.S. politics to as early as 2013.

Like other analyses of IRA accounts conducted since 2016, the Symantec report found that accounts represented views across the political divide, with some accounts tweeting seemingly apolitical news. The most active account, which posed as an unofficial representative of the Tennessee Republicans, was retweeted more than 6 million times.

However, the report found that the majority of accounts in the pool were created to amplify a core group of just 123 accounts that all had at least 10,000 followers.

The company had to retract a claim that a small number of the Russian bot accounts earned over $1 million by using monetized URL shorteners.

More cybersecurity news from the public sector:

Growing Hack of Health-Care Data Gets Scrutiny From Congress (Bloomberg News)

Freshman Democrats call on McConnell to hold vote on election reform bill (The Hill)

U.S. military risks falling victim to China’s effort to gain technology edge, report warns (Paul Sonne)

The Race to Save Encryption (Wall Street Journal)

Watchdog: Current pipeline security plans weak on cybersecurity, coordination (FCW)

DoD cyberops are changing, and so is oversight (Fifth Domain)


Cybersecurity news from the private sector:

The Clever Cryptography Behind Apple's 'Find My' Feature (Wired)

Company Advertised American, Canadian, Indian Phone Location Data for Sale (Vice)


Cybersecurity news from abroad:

The E.U.’s Embassy In Russia Was Hacked But The E.U. Kept It A Secret (BuzzFeed News)

In race for 5G, European companies hope to profit from security doubts over Chinese giant Huawei (Yahoo News)

West Africa's Scattered Canary gang shows how cybercriminals supersize email scams (CyberScoop)