The federal government should start vetting companies that sell election systems as seriously as it does defense contractors and energy firms, a top election security group argues in a proposal out this morning.
Under the proposal from New York University’s Brennan Center for Justice, government auditors would verify election companies and their suppliers are following a raft of cybersecurity best practices. They would also have to run background checks to ensure employees aren’t likely to sabotage machines to help Russia or other U.S. adversaries.
The suggestion comes as Congress continues to fight over whether to tighten election security as candidates ramp up for the 2020 election. Senate Republicans, especially, have stalled further security measures, even as observers warn that the next election is ripe for hacking by foreign adversaries such as Russia, which interfered in the 2016 contest.
Vendors of voting machines, however, have traditionally been exempt from close review by federal regulators.
“These vendors are a critical part of securing our elections, but we haven’t really focused on them at all,” Lawrence Norden, director of Brennan’s election reform program and one of the authors, told me. “We need to understand that they’re critically important but also represent a vulnerability that there needs to be oversight for.”
The program would be voluntary but states and localities that buy voting machines would likely place a high premium on the federal stamp of approval.
Election companies currently submit voting machines for rigorous state-by-state security tests but don’t open up any of their other products or operations for review. The only current rules are voluntary guidelines that states use in their certification processes. But the threat of Russia or another adversary upending U.S. elections in 2020 or later necessitates big and bold changes, the report authors say.
There's also evidence some election system vendors aren’t as secure as they should be.
In 2018, for example, the FBI alerted Maryland officials after learning the software vendor managing its statewide voter registration and election night reporting systems was financed by an organization with ties to a Russian oligarch. A federal judge in Georgia also found the state consistently ignored warnings about vulnerabilities in its voting machines.
"Someone needs to be checking in and confirming vendors are doing everything possible to give people confidence in the outcome of elections," Norden said.
The proposal is unlikely to get much traction in Congress before the 2020 election. It goes far beyond most election security plans contemplated by lawmakers, which primarily focus on mandating that states upgrade voting machines and delivering money to help them do so.
But it could be an important marker after 2020 if lawmakers begin to consider longer-term election security fixes.
Lawmakers have hinted at imposing some stricter requirements, such as the Election Systems Integrity Act, sponsored by Senate Democrats, which would require election companies to disclose any foreign ownership. The House-passed Securing America's Federal Elections Act, or SAFE Act, would also impose strict cybersecurity requirements on vendors but doesn’t create a system to ensure they’re meeting those requirements.
Election vendors, meanwhile, have launched several voluntary programs to demonstrate they’re taking cybersecurity seriously, including submitting new voting machines to federal labs for testing and contemplating allowing independent ethical hackers to review their systems.
PINGED, PATCHED, PWNED
PINGED: China's government is “confident” that Brazil will choose Huawei to build out its next-generation 5G telecommunications network, despite warnings from the United States, Bloomberg News's Samy Adghirni reports.
That could create tension between Brazilian President Jair Bolsonaro, a right-wing populist, and President Trump who has threatened to “downgrade security cooperation” with Brazil if it chooses Huawei, Samy reports. Chinese President Xi Jinping is scheduled to meet with Bolsonaro this week and Brazil will open its auction for 5G bids next year.
U.S. officials have urged allies to ban Huawei equipment from 5G networks, citing concerns the company could aid Chinese espionage.
PATCHED: Google is harvesting and analyzing the personal health information of tens of millions of patients without their knowledge — and it's probably legal, Rob Copeland at the Wall Street Journal reports. Google appears to be using the data partnership with the nation's second-largest health-care system at least in part to design new artificial intelligence-driven software to suggest changes in patient care.
At least 150 employees have access to data obtained by the code-named “Project Nightingale,” which includes a complete health history, patient names and dates of birth, according to people familiar with the matter and internal documents. Privacy law generally allows hospitals to share such information with business partners “only to help the covered entity carry out its health-care functions,” Rob reports.
Some employees of St. Louis-based Ascension, the health system partnering with Google, have raised concerns about how the data is being shared and collected, Rob reports.
The project is fully compliant with federal health law and includes robust protections for patient data, Google told the Journal. An Ascension spokesman had no immediate comment.
PWNED: Progressive groups are redoubling their efforts to get Congress to pass funding for election security measures before the clock runs out on a deadline to keep the government open. The anti-Trump progressive group Stand Up America, which is leading the effort, is demanding the Senate pass at least $600 million in election security funding before the Nov. 21 deadline, according to a letter to Senate leadership shared first with The Cybersecurity 202.
“We’re running out of time to protect the 2020 election — if we wait for Congress to agree on a full appropriations bill, it may be too late,” Brett Edkins, Stand Up America’s political director, wrote in a statement.
“As leaders of the Senate, you have a constitutional obligation and moral duty to protect the foundations of our democracy by ensuring that America’s elections are secure,” Stand Up and 12 other groups, including the Sierra Club and Greenpeace USA, wrote.
The letter comes after a Stand Up campaign to get more than 90,000 Americans to call their members of Congress demanding funding. The group also placed a billboard near the Louisville district office of Senate Majority Leader Mitch McConnell (R-Ky.) slamming him for blocking election security legislation.
Hackers will get more aggressive with ransomware attacks next year, including attacks that are tailored for specific businesses, researchers at FireEye warn in a new report on the biggest cyberthreats in 2020 out today. The 2020 elections also mean a likely rise in targeted hacks against election vendors, FireEye warns.
— More cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
THE NEW WILD WEST
— Cybersecurity news from abroad:
— Coming up:
- The House Committee on Veterans Affairs will host a hearing on “Hijacking our Heroes: Exploiting Veterans through Disinformation on Social Media” on Wednesday at 2 p.m. Eastern time
- New York University’s Center for Cybersecurity, the Journal of National Security Law & Policy will host an event titled “Catching the Cybercriminal: Reforming Global Law Enforcement” on November 18 at 10 a.m.
- The House Financial Services Committee will host a hearing on the role of big data in financial services on November 21 at 9:30 a.m.