THE KEY

A major voting machine vendor reversed course Friday and urged Congress to pass legislation mandating paper trails for all votes as an anti-hacking protection.

The company, Election Systems & Software, also pledged to no longer sell paperless voting machines as the primary voting device in an election jurisdiction and urged Congress to mandate security testing of voting equipment by outside researchers. That promise was made in an op-ed from chief executive Tom Burt published in Roll Call.

Burt called such a move “essential to the future of America” and vital for restoring “the general public’s faith in the process of casting a ballot” after the 2016 election was marred by Russian attempts to hack into election systems.

The call marks a major about-face for ES&S, which, as recently as September, lashed out at researchers who publicly tested its voting machines for hackable vulnerabilities at the annual Def Con hackers conference.

The move also comes, however, as chances look extremely slim for any election security legislation to make it out of Congress this year because of fierce opposition from Senate Majority Leader Mitch McConnell (Ky.).

Even a popular bipartisan bill — The Secure Elections Act — that’s being prepared by Sens. James Lankford (R-Okla.) and Amy Klobuchar (D-Minn.) among others, has almost no chance of getting an up-or-down vote at this point, Sen. Roy Blunt (R-Mo.), who chairs the Senate Rules and Administration Committee, which oversees most election security legislation, told the New York Times on Friday.

“No, I don’t think there is any likelihood that we are going to move a bill that federalizes more of the election process,” Blunt told the Times. “Our focus will be on being sure that we are supporting the state and local governments that have run and will be the best people to run elections.”

The ES&S declaration is the latest in a string of voluntary actions taken by states, localities and election technology vendors in the absence of congressional action.

States and jurisdictions that have paperless voting machines are generally moving to systems with paper trails -- which security professionals say are essential to ensuring the security of elections, both so voters can verify their own votes were correctly recorded and so officials can audit that paper trail later.

And between 2016 and 2018 the Department of Homeland Security tested the cybersecurity of voting systems in numerous states and localities.

ES&S also submitted some of its voting technology for security testing by Idaho National Laboratory in April, and the company told Cyberscoop that it’s working with some congressional staffers on an industry-wide program to allow independent researchers to alert them to hackable vulnerabilities in their systems.

But those voluntary actions won’t be sufficient to ensure the highest security against hackers from Russia and elsewhere, according to election security experts and Democratic politicians.

Sen. Mark R. Warner (Va.) hammered Republicans for failing to support election security legislation in Democrats’ weekly address on Friday.

“The truth is [if] the Secure Elections Act that was introduced last session were brought to the floor today for a vote, it would pass overwhelmingly. But the White House and Senate Republican leaders have been blocking a vote,” Warner said, calling it “part of a pattern with a White House and a president that has shown no interest in tackling this problem.”

And because ES&S’s commitment to third-party testing is entirely voluntary, it also gets to say who those third-party testers are, Georgetown University cybersecurity professor Matt Blaze pointed out on Twitter.

Blaze was a co-author of the 2018 Def Con report, which found numerous hackable bugs in voting systems — including one that was more than a decade old. As the researchers prepared to test the company’s systems, ES&S asserted they were breaking the law by using the company’s software without a license and later told lawmakers that the Def Con work could provide a dangerous roadmap for Russian hackers looking to penetrate their systems.

“I see this op-ed as a positive first step. I think the voting system vendor community, which has long automatically denied even the most glaring security weaknesses, is starting to see the handwriting on the wall on demand for more secure voting system architecture,” Blaze wrote. “But if you're serious about wanting security testing, please stop threatening security experts who examine and comment on your products.”

PINGED, PATCHED, PWNED

PINGED: The Trump administration might be willing to loosen restrictions on U.S. companies selling software and other components to the Chinese telecom giant Huawei as part of a new trade deal, Treasury Secretary Steven Mnuchin said Sunday, Reuters’s Kanishka Singh reported.

The move would mark a major reversal for the administration, which has accused Huawei of spying on U.S. companies for the Chinese government. The Commerce Department's blacklisting of Huawei had been delayed for months before trade negotiations between the two countries broke down.

“I think what the president is saying is, if we move forward on trade, that perhaps he’ll be willing to do certain things on Huawei if he gets comfort from China on that and certain guarantees,” Mnuchin told Reuters. “But these are national security issues.”

Huawei might also get a temporary reprieve from legislation banning government contractors and federal grant recipients from using its technology. Acting White House budget chief Russell Vought is pushing for a delay in implementing the legislation Congress passed in 2018, the Wall Street Journal’s Dan Strumpf reports.

The request cites a potentially "dramatic reduction" in the number of U.S. companies able to service the government when the ban goes into effect. It also cites an outsize impact on federal grant recipients in rural areas that rely more heavily on Huawei tools.

Vought wants the ban on contractors and grant recipients to go into effect four years after the law’s passage rather than two, the Journal reports. Huawei is suing the government in a federal court in Texas to reverse that ban.

China, meanwhile, is working on a system to restrict other nations from using some of its technology, the Associated Press's Ken Moritsugu reports, citing Chinese state media.

“China ... will never allow certain countries to use China’s technology to contain China’s development and suppress Chinese enterprises,” the People's Daily newspaper reported.

PATCHED: The hackers who have locked up Baltimore’s computer systems with malicious software for nearly a month didn’t use a leaked National Security Agency hacking tool — but another hacking group in the same networks did, the Wall Street Journal’s Scott Calvert and Jon Kamp reported.

The report -- if correct -- would seem to explain a longstanding mystery about the ransomware attack. The New York Times reported last month that the Baltimore hackers used that powerful tool — called EternalBlue — to move swiftly through Baltimore’s networks, but the NSA has told Maryland lawmakers the hackers didn't use EternalBlue. The tool was leaked in 2017 by a group called the Shadow Brokers, which the NSA still hasn’t identified.

The dispute has sparked a broader debate about whether the NSA’s stockpiling of dangerous hacking tools is making U.S. companies and individuals less safe in cyberspace rather than safer.

The cost of the Baltimore ransomware attack will be at least $18 million, Ars Technica earlier reported.

PWNED: Microsoft is trying to incentivize more security researchers to find hackable vulnerabilities in its cloud computing platform Azure, Dina Bass reports for Bloomberg News.

The company has a long history of inviting ethical hackers to test its products for vulnerabilities — sometimes offering cash prizes called bug bounties. But not enough of those researchers are working on the company’s cloud-based products, Azure Chief Technology Officer Mark Russinovich told Bass. And that’s a big problem because the unethical variety of hackers is increasingly targeting cloud-based systems.

"The level of sophistication of the attackers and the interest in [attacking] the cloud just continues to grow as the cloud continues to grow,” Russinovich said.

The new Azure program will introduce something ethical hackers have long been asking Microsoft for: a "safe harbor" statement that explicitly protects them from prosecution under anti-hacking laws. That kind of protection is already offered by Mozilla, Dropbox, Tesla and GitHub, which is owned by Microsoft.

Microsoft introduced its first bug bounty program in 2013 and paid out over $2 million in 2018. Unlike many other bounty programs, Microsoft offers an additional reward to hackers who can offer a fix for the bugs they've identified.

PUBLIC KEY

Cybersecurity news from the public sector:

President Trump says it's "case closed." But Democrats are just getting started with Robert Mueller. (National)
A military judge refused to dismiss the case against a decorated Navy SEAL charged with killing a wounded Islamic State prisoner in Iraq in 2017. (AP)
An anti-fraud measure under a 2018 banking law requires the Social Security Administration to build an electronic verification system, but first industry has to help pay for it. (FCW)
A Defense Department inspector general audit says JRSS isn’t working like it is supposed to. (Nextgov)

PRIVATE KEY

Cybersecurity news from the private sector:

Fourteen Russia-backed YouTube channels spreading disinformation have been generating billions of views and millions of dollars in advertising revenue, according to researchers, and had not been labeled as state-sponsored, contrary to the world’s most popular streaming service’s policy. (Reuters)
Hacking groups like Magecart are carrying out more efficient attacks to walk off with online shoppers’ data, according to multiple security companies. (Cyberscoop)
Dangerous spam campaign targets European users with backdoor trojan. (ZDNet)

THE NEW WILD WEST

Cybersecurity news from abroad:

Outgoing Dutch member of European Parliament Marietje Schaake tells us why spyware is as dangerous as an AK-47, but regulated less. (Motherboard)
It was China Telecom, again. The same ISP accused last year of "hijacking the vital internet backbone of western countries." (ZDNet)