Voting machine companies and cybersecurity advocates are still miles apart on what it will take to secure 2020 against Russian hackers.
During a nearly three-hour congressional hearing yesterday, security advocates sounded alarm bells about possible election hacks, warning machines in use today can be easily compromised. Companies, meanwhile, mostly defended the status quo.
At one point, the chief executive of Hart InterCivic, one of three major companies that control more than 80 percent of the voting machine market, even defended selling paperless voting machines that can’t be audited and that top security experts and the Department of Homeland Security have warned are far too vulnerable in an era when elections are being targeted by sophisticated Russian hackers.
“We actually believe our [machines] are secure,” said Hart CEO Julie Mathis, describing a number of internal defensive measures and security reviews they passed – primarily before 2016.
The divisions highlighted how, despite three years of surging congressional attention to election security since Russia’s 2016 hacking efforts, there has been almost no government oversight of voting machine makers themselves.
House Administration Committee Chair Zoe Lofgren (D-Calif.) opened the hearing noting that “there are more federal regulations for ballpoint pens and magic markers than there are for voting systems” — quoting Lawrence Norden, director of the Election Reform Program at New York University's Brennan Center for Justice.
“There is much work to do, and much for Congress to learn about this industry,” Lofgren said.
Mathis's comments were panned by security advocates. “It’s very simple. No matter how secure that device is, there’s no way to know whether the choice that’s recorded matches what the voter intended. It’s rightly called a black box,” Edward Perez, a former Hart executive who's now global director of technology development at OSET Institute, a nonprofit election technology organization, said in an interview.
And they even differed from another voting machine executive, Election Systems & Software CEO Tom Burt, who urged Congress at the hearing to “pass legislation that requires a paper record for every voter.”
The top three voting machine companies — Hart, ES&S and Dominion Voting Systems — have all been pilloried for being opaque about their cybersecurity protections and too slow to adapt after Russian hackers probed election systems across the nation in 2016 and penetrated systems in Illinois and Florida.
Changes voting vendors have made, such as submitting their machines for vetting by federal security experts, have generally been seen as half- measures that don’t match the urgency of the cybersecurity challenge.
The executives went further yesterday, saying they’d all support new federal rules requiring them to share information about their cybersecurity protections, how they vet employees, their corporate ownership and voting machine components that come from China and other nations.
They declined, however, to answer questions about their annual profits, which lawmakers have charged may come at the expense of protecting elections.
"We're a private company, so we'll keep that information private," Burt said.
The executives also declared definitively that their systems had never been breached by hackers — though critics have said the machines are highly vulnerable and could be hacked undetected. Significant security improvements also require lead time, and it's unclear whether the voting vendors will or can act in time to protect elections against determined hackers from Russia or China in 2020.
Security experts urged far more radical changes including dramatically increasing federal oversight of elections. But congressional Republicans have roundly opposed mandating specific cybersecurity requirements for state election officials, and even many Democrats have been wary of reducing states’ power to run elections.
That has become untenable, however, in an era when the United States’ top adversaries are intent on undermining Democratic processes, said Matt Blaze, a Georgetown University election security expert who testified at the hearing.
“We don't expect the local sheriff to single-handedly defend against military ground invasions. We shouldn't expect county election IT managers to defend against cyberattacks by foreign intelligence services,” Blaze said. “But that's precisely what we've been asking them to do.”
PINGED, PATCHED, PWNED
PINGED: Russian hacking groups that probed voting systems before the 2016 election are shifting tactics to thwart detection in 2020 and upping their game to compete with far stronger U.S. defenses, the New York Times’s Matthew Rosenberg, Nicole Perlroth and David Sanger report.
Their big goal may not be to actually breach election systems but just to create enough confusion that Americans worry they did. “Chaos is the point,” Laura Rosenberger, director of the Alliance for Securing Democracy, told the Times. “You can imagine many different scenarios.”
One of the groups, known as Fancy Bear, is moving some of its hacking infrastructure inside the United States so it can’t be tracked by the NSA and other U.S. spy agencies, which are prohibited from operating inside U.S. borders.
Online trolls at Russia’s Internet Research Agency, where leaders were indicted for spreading disinformation in 2016, are also switching to encrypted communication tools like ProtonMail that are much harder to trace than regular email.
The organization is also trying to evade Facebook’s ban on foreigners buying political ads by paying Americans to hand over pages they already own and setting up offshore bank accounts to cover their financial tracks, the Times reports.
PATCHED: A cellphone carrier that receives federal funds to help provide low-income households with cellular service may be giving them free phones laced with Chinese malware. Researchers claim the infected phones, distributed by Assurance Wireless, may be spying on users’ text messages and contact data and sharing it with unknown recipients, Forbes's Thomas Brewster reported.
The findings quickly sparked concerns from lawmakers.
Sen. Ron Wyden (D-Ore.) said it was “outrageous” that the FCC may be funding a company “providing insecure, malware-ridden phones to low-income families." He pledged to ask the Federal Communications Commission to investigate the story and ensure Americans that rely on federal help for phone service "aren’t paying the price with their privacy and security."
Democratic FCC commissioner Jessica Rosenworcel also sounded off:
The @FCC funds a program to help low-income folks get access to wireless service. This makes sense. But it does not makes sense to have them pay for it by accepting insecure foreign malware. We need to get to the bottom of what is going on here--fast. https://t.co/CmZgJVKtwU— Jessica Rosenworcel (@JRosenworcel) January 9, 2020
The FCC declined to say whether it would investigate the matter.
PWNED: “Pro-Iranian wannabe hackers” are expressing their outrage over the U.S. killing of a top Iranian general by defacing vulnerable American websites, Kevin Collier reports for the Verge. The digital graffiti included pro-Iranian messages like “Suleimani was not a person/he was a belief/Beliefs never die” and “Down with America,” Kevin reports.
The hackers aren't affiliated with the Iranian government, but their actions are a “sign of protest,” one told Kevin. Their targets have included a California dentist, an Oklahoma steel company and the University of Maryland at Baltimore County. The hackers tagged their posts with their Telegram and Instagram handles.
“I do not work for the government. I work for my home country of Iran,” one hacker told Kevin.
Lawmakers pressured the FCC in a letter yesterday to do more to protect consumers against a hacking technique called “SIM Swapping."
That's when scammers trick phone companies into activating a user's SIM card on a new device and use it to bypass text message-based security features so they can hack into the user's other accounts. SIM swapping gained national attention after high-profile celebrity targets including Twitter CEO Jack Dorsey fell victim to it last fall.
Wyden and five other lawmakers asked the agency what it's doing to track the scams and whether it believes agency rules hold carriers sufficiently accountable.
“Consumers have no choice but to rely on phone companies to protect them against SIM swaps — and they need to be able to count on the FCC to hold mobile carriers accountable when they fail to secure their systems and thus harm consumers,” the members wrote.
— More cybersecurity news from the public sector:
--Reddit will ban manipulated videos seeking to mislead users, the company announced yesterday. That would include a video manipulated to make House Speaker Nancy Pelosi (D-Calif.) appear drunk that went viral last summer as well as a deceptively-edited video of former Vice President Joe Biden circulating on Facebook.
The policy distinguishes the online platform from Facebook, which recently released a policy on manipulated media that would not cover the Pelosi or Biden videos. Politicians have pressed for tech companies to address computer-generated, highly manipulated videos, known as deepfakes, before the 2020 election.
— More cybersecurity news from the private sector:
THE NEW WILD WEST
— Cybersecurity news from abroad:
Oh, come ON guys!
— Coming up:
- The U.S. Election Assistance Commission (EAC) will host an all-day summit on Tuesday addressing preparations for the 2020 elections at the National Press Club.
- The House Armed Services Committee will host a hearing on the Department of Defense's Role in Competing with China” on Wednesday at 10 am