THE KEY

Now there's proof: The voting machines used in the 2020 contest are still incredibly insecure. 

That's the message from ethical hackers visiting the Capitol yesterday.

They tested an array of voting machines and election systems that states plan to use in the next election -- and were able to crack into every machine they got their hands on.

Lawmakers seeking to get more election security funding embraced their findings -- and promised to spread the results of their work to scare every sitting member about the political risks of weak security.  

“The best way we can make the case is by scaring the living bejesus out of every member of Congress that the system can be fixed against them,” said Rep. Jackie Speier (D-Calif.). 

The ethical hackers' tests, which took place this summer at the Def Con cybersecurity conference's "Voting Village," could easily be replicated by voters, poll workers, or anyone else with access to the machines, said Matt Blaze, a co-founder of the election testing project and a Georgetown University cryptography professor. And in some cases, he said, hackers could probably compromise the machines even if they weren’t anywhere near them — especially if poll workers made mistakes setting them up or took shortcuts. 

All it took was a few days of tinkering on machines they mostly bought on eBay. “The resources of…eBay are well within that of our foreign adversaries,” Blaze warned.

Sen. Ron Wyden (D-Ore.), a major booster for election security funding, said the tests prove “it is basically a piece of cake for a relatively savvy hacker to compromise an election and alter votes." 

But the wide variety of serious flaws these hackers found, ranging from weak default passwords to shoddy encryption, underscores just how little time states have to make fixes by 2020. And Senate Majority Leader Mitch McConnell (R-Ky.) is blocking bills that would mandate key election security fixes recommended by Blaze and other security experts in exchange for cash. 

“As of today, my view is that hostile foreign powers — and I’m not talking just about the Russians — are going to interfere in the 2020 election in a way that’s going to make what happened in 2016 look like small potatoes,” Wyden said.

Intelligence officials are also warning that Russian hackers who probed voting machines and hacked into voter databases in 2016 could do far worse next time, and other nations may be eager to follow suit. During a hearing yesterday focused on the  landmark whistleblower complaint against President Trump, acting director of national intelligence Joseph Maguire warned that cyberattacks and election interference are the “greatest challenge” the intelligence community faces, declaring "this is cyberwar." 

Blaze and his co-founder Harri Hursti, founding partner of Nordic Innovation Labs, are urging Congress to require states to use paper ballots whenever possible and to conduct post-election security audits.

McConnell recently endorsed delivering an additional $250 million in federal money to state election officials but that's far lower than the $600 million Democrats in the Senate and House are pressing for -- and it doesn't include any mandates about how states must spend the money.

PINGED, PATCHED, PWNED

PINGED: The computer system where officials stored the rough transcript of a conversation between President Trump and the leader of Ukraine is considered the White House's most secure lockbox. That's why it's highly unusual that a conversation containing no apparent highly classified information got stored there, several former officials from both the Obama and Trump administrations tell the Wall Street Journal's Warren P. Strobel and Andrew Restuccia. The “code word” computer system described in the whistleblower complaint is typically reserved for documents about U.S. covert actions and counterintelligence probes to root out moles and even most top White House national-security aides don't have access to it, the Journal reports

The high level of security would be extreme for a presidential phone call and suggests that the White House was concerned about political damage rather than national security, former National Security Council advisers told Jason Koebler and Joseph Cox at Motherboard.

“You don't have hundreds of people getting access to presidential calls. They're tightly controlled, so … to take the added step of telling the White House lawyers to put this on that system is beyond bizarre to me,” Kelly Magsamen, who served in the National Security Council for two administrations, told Motherboard. “It suggests they know it was extremely damaging.”

PATCHED: The Navy has appointed a new head cybersecurity official following a damning internal audit that found the branch had been hit with repeated national security-threatening compromises that jeopardized state secretsGordon Lubold and Dustin Volz at the Wall Street Journal report. Aaron Weis, a former cybersecurity adviser to the Pentagon, will lead the Navy's efforts to improve its cybersecurity standards and to create a stronger defense against increasingly aggressive Chinese hackers, Gordon and Dustin report.

One key focus for Weis will be tightening cybersecurity standards for defense contractors, a major target of foreign hackers. Navy officials expect to roll out a plan for more changes later this year, the Journal reported. The officials declined to discuss specific breaches with the Journal, but in one instance last year Chinese hackers reportedly managed to access plans for a supersonic missile after targeting a small contractor.

PWNED: An "unauthorized third party" breached the personal data of nearly 5 million DoorDash consumers, contractors, and merchants in May, the company revealed in a blog post yesterday.

The breach included the victims' names, addresses and phone numbers and also captured the driver's license numbers for 100,000 contractors. The incident, which comes just a year after DoorDash denied reports of a separate breach, could trigger fines under certain state data breach laws.

The company said it only noticed the “unusual activity" which invovled a third-party service provider earlier this month and immediately blocked the user. Since then, DoorDash has added additional security protections and brought in an outside expert to assess its systems, the company said.

The breach affected only users who joined DoorDash before April 5, 2018, according to the company. The breach also exposed the last four digits of payment cards for consumers and the last four digits of bank account numbers for contractors and merchants. 

PUBLIC KEY

— Cybersecurity news from the public sector:

The top Republican lawmaker on an influential House committee wants the Federal Reserve to be more open about its cybersecurity preparations.
Wall Street Journal
In a previously-secret fight with the U. S. government, Microsoft has been told to hand over emails belonging to one of its unnamed enterprise customers.
Forbes
Major automakers are moving full steam ahead with their plans to put self-driving cars on the road, even as lawmakers and regulators in Washington fall behind on creating a cybersecurity framework for those vehicles.
The Hill
PRIVATE KEY

New York's attorney general is suing doughnut company Dunkin' Brands for “glazing over” the fact that a 2015 hack compromised the accounts of nearly 20,000 customers, resulting in the theft of tens of thousands of dollars stored on users' store cards, the office said in a press release

The company also failed to investigate the attacks to determine if additional accounts were compromised, the lawsuit claims. The company's failure to address cybersecurity concerns resulted in a second breach of more than 300,000 customers in 2018, which also compromised users' emails and card value, the suit claims. Dunkin' disclosed the 2018 attack to customers, but didn't reveal that hackers had actually accessed those customer accounts, the lawsuit claims.

 “Dunkin’ failed to protect the security of its customers,” said Attorney General Letitia James. “And instead of notifying the tens of thousands impacted by these cybersecurity breaches, Dunkin’ sat idly by, putting customers at risk “ The lawsuit is seeking full restitution for the customers, civil penalties and changes to the company's business practices.

— More cybersecurity news from the private sector:

Another major cyberattack with Chinese state hackers as the prime suspects.
Forbes
AB5 is going to impact the way bug bounty companies deal with freelance hackers once the law goes into effect on Jan. 1, 2020.
CyberScoop
Chinese tech giant Huawei is willing to exclusively license its 5G technology to one American firm to create a level playing field for competitors, CEO Ren Zhengfei said on Thursday.
CNBC
THE NEW WILD WEST

— Cybersecurity news from abroad:

Iran has launched an inspection of security at its key Gulf oil and gas facilities, including preparedness for cyber attacks, the Oil Ministry news agency SHANA said, following media reports of Washington weighing possible cyber attacks on Tehran.
Reuters
Norway does not plan to block China’s Huawei Technologies[HWT.UL] from building the country’s 5G telecoms network, cabinet minister Nikolai Astrup told Reuters, a decision that puts it at odds with NATO ally the United States.
Reuters
ZERO DAYBOOK

— Today:

  • The House Energy and Commerce Committee will host a hearing to discuss securing America's wireless future and the deployment of 5G communications on Friday at 9:30 am.
  • The House Judiciary Committee will host a hearing on securing America's elections at 9 a.m. on Friday.