Hundreds of U.S. military and National Guard hackers will gather in Columbia, Md., today to test their mettle attacking and protecting voting systems that will be used across the Mid-Atlantic on Election Day 2020.
The first-of-its-kind event is aimed at preparing troops who might respond to an Election Day cyberattack for all kinds of possible problems ranging from Russia or another adversary hacking voting machines to shutting off the power at polling stations.
It also marks a novel team-up between U.S. Cyber Command, which is sponsoring the AvengerCon conference today and tomorrow, and the ethical hacking community, which has sounded alarm bells about vulnerabilities in U.S. voting systems but gotten blowback from state and local election officials and voting machine companies saying they’re overhyping the threat.
“The idea is to bring up the skill level and the knowledge level of individuals that, if all hell breaks loose, are going to be responsible for defending or eradicating a potential impact [on Election Day]. You can't do that if you don't practice,” Armando Seay, director of Dreamport, a Cybercom offshoot running the conference, told me.
Cybercom launched Dreamport about 18 months ago with a mission of forging stronger relationships between the super-secret work being done by the military command’s offensive and defensive hackers and private-sector cybersecurity researchers.
And with the public anxious that Russia will try to repeat or one-up its 2016 election interference operation, protecting elections seemed like an obvious priority, Seay told me.
AvengerCon will bring together 500 military and government hackers and a select group of guests representing the Mid-Atlantic FEMA region, which includes Washington, Maryland, Virginia, Pennsylvania, Delaware and West Virginia.
It will pair them with voting machines that will be used in those states acquired by organizers of the Def Con cybersecurity conference’s Voting Village, where hackers discovered numerous dangerous bugs this summer.
But unlike the Voting Village, which gathers thousands of ethical hackers into casino conference centers in Las Vegas, AvengerCon will be invitation-only, allowing some of the military’s top hackers to make freer use of their specialized knowledge and to talk more openly about threats.
“This is a more curated environment where they get to talk amongst themselves,” Seay told me. “We bring in the exact type of people that we want to have them talk to, and anyone who shouldn't be in the room isn't in the room.”
In addition to election machines, AvengerCon will stock machines that simulate electric grids and other critical infrastructure adversaries might hack to disrupt election operations and reduce turnout or to raise questions about the legitimacy of election results, Seay told me.
This is the fourth year Cybercom has hosted AvengerCon, but it’s the first one to feature an election-hacking component. And it’s the first time the conference is being held outside Fort Meade, the military base housing Cybercom and the National Security Agency, making it easier for outsiders to attend.
For Voting Village organizers, the conference not only offers an opportunity to better prepare people on the front lines of securing elections but also to spread the word about voting machines they say are dangerously insecure.
“For us this is really a mission of getting more people informed and educated about the facts and realities of today’s voting machine infrastructure,” Harry Hursti, a Voting Village organizer and long-time voting machine security researcher, told me.
Hursti and fellow organizers have been warning for years that voting machines are riddled with bugs that hackers from Russia or elsewhere could use to change or erase votes, to remove legitimate voters from databases or merely to sow chaos on Election Day. But their message has been slow to get public attention.
After this year’s conference, Hursti and his partners launched a nonprofit organization called the Election Integrity Foundation that plans to use the Voting Village concept to demonstrate vulnerabilities at locations across the country.
One big part of that is housing a second set of voting machines in Northern Virginia where they can be more easily transported for demonstrations across the East Coast. Those machines will get their first demonstration at AvengerCon.
“We want more people who are credible and educated and who have observed these things firsthand,” Hursti, a founding partner of Nordic Innovation Labs, told me. “We want to get more people familiar with the technology and more people familiar with the facts.”
PINGED, PATCHED, PWNED
PINGED: Rep. Elijah Cummings (D-Md.), who died this morning, was a strong advocate for cybersecurity from his perch as top Democrat and later chairman of the powerful House Oversight and Government Reform Committee.
Cummings was a leading force behind the congressional investigations into the massive 2015 data breach at the Office of Personnel Management, which compromised highly sensitive information about more than 20 million current and former federal employees. That investigation helped push the Obama administration to surge efforts to protect the government’s sensitive data.
He was also co-author of a major 2014 bill that mandated upgraded cybersecurity protections at federal departments and agencies.
More recently, Cummings tried to boost public attention to the report on Russian election interference by former Special Counsel Robert S. Mueller III and investigated misuse of secretive texting apps by top Trump administration officials.
PATCHED: President Trump reupped a debunked conspiracy theory yesterday that claims the Democratic National Committee colluded with a cybersecurity company to fake its 2016 data breach and a server that proves the fact is somewhere in Ukraine. That is the same conspiracy Trump floated in an infamous phone call with the Ukrainian president that's at the center of House Democrats’ impeachment efforts.
“I still ask the FBI, ‘Where is the server?’ How come the FBI never got the server from the DNC? Where is the server? I want to see the server. Let’s see what’s on the server,” he told White House reporters.
The President had accused the cybersecurity firm CrowdStrike, which the DNC hired to investigate the breach, of colluding in faking the hack, which U.S. intelligence agencies unanimously attributed to Russia. He also falsely claimed CrowdStrike is owned by Ukrainians.
PWNED: The House Administration Committee forwarded to a floor vote legislation requiring campaigns to report offers of illegal foreign assistance to the FBI and Federal Election Commission. The bill comes after Trump told ABC News in a June interview he might not disclose such information and would want to "take a look at it" first. The measure will probably pass the House but stall in the Senate, where Senate Majority Leader Mitch McConnell (R-Ky.) continues to block election security legislation.
The “Stopping Harmful Interference in Elections for a Lasting Democracy Act,” or “SHIELD Act,” would also require social media companies to maintain and disclose who is buying online political ads. A similar bill sponsored by Sens. Mark R. Warner (D-Va.), Lindsey O. Graham (R-S.C.) and Amy Klobuchar (D-Minn.) to do that, known as the Honest Ads Act, is pending in the Senate.
“We should all be able to agree that we need to protect our democracy, and with a sense of urgency,” said Rep. Zoe Lofgren (D-Calif.), chair of the committee who is leading the legislation. “This is not a partisan opinion. Nothing less than our national security is at stake.”
A telecom association wants Congress to create better liability protections for companies that notify the government about products and companies that could pose national security risks, Mark Rockwell at Federal Computer Week reports. The request comes as the government is trying to develop a fast track to identify companies such as Russia’s Kaspersky Lab and China’s Huawei that it believes pose serious cybersecurity risks.
A 2015 law shields companies from liability when they disclose data about potential cyberattacks but not about suspected threats posed by particular companies. That could make lawyers reluctant to advise companies to come forward, Robert Mayer, senior vice president of cybersecurity at U.S. Telecom, told lawmakers on the House Homeland Security Committee.
The request got a boost from Bob Kolasky, a top Department of Homeland Security cybersecurity official, who said, “We want something in place to encourage private-sector firms to share information about things they may not have trust [in].”
Chairman Bennie G. Thompson (D-Miss.) expressed interest in updating the law, but doing so might be an uphill battle. The Cybersecurity Act of 2015, which shields companies that share cybersecurity threat data with the government, took years to become law and faced significant opposition from privacy advocates.
— More cybersecurity news from the public sector:
Congress, the White House and the Securities and Exchange Commission should all boost and standardize requirements for companies to disclose when they've been hit with cyberattacks seeking to steal intellectual property, Robert Knake at the Council on Foreign Relations argues in a new report.
- The House Administration Subcommittee on Elections will hold a hearing on Voting Rights and Election Administration in America at 10 a.m.
- The Senate Commerce Subcommittee on Security will convene a hearing titled “Improving Security at America’s Airports: Stakeholder Perspectives,” at 10:30 a.m.