THE KEY

The fiasco caused by an app that failed to properly transmit votes in the Iowa caucuses is worrying the mobile voting industry, which hoped 2020 would be a banner year. 

Companies and proponents of incorporating more technology into elections are trying to avoid being lumped in with the hastily made app used in Iowa. They’re saying its failure proves serious investment in user-friendly, secure election technology is more critical than ever. 

“We need to ensure that every new idea is tested, transparent and secure — just like the eight successful mobile voting pilots conducted to date,” Bradley Tusk, the founder and CEO of Tusk Philanthropies, said in a statement. “Enough is enough. 2016 should have been enough of a wake-up call. Iowa just confirmed it.” 

Tusk Philanthropies has funded pilots for mobile voting across the country, launched in a push to increase participation in elections. 

Unlike the app used in Iowa, which was developed to relay vote counts, the pilots use technologies that allow voters to easily vote from their mobile phones. So far, the pilots have largely been limited to eligible uniformed and overseas voters and voters with disabilities. 

But any expansion is sure to fall under an even more critical spotlight. Any malfunction — or hack — of an app used directly for voting in 2020 could have far greater impact in undermining public faith in the democratic process than one Democratic caucus gone wrong. 

“I think [Iowa] really set back mobile voting, maybe even by a number of years,” Maurice Turner, an election security expert at the Center for Democracy & Technology, told me. “Because what voters and officials and the press see is this is a failure of new tech. Most people aren't going to appreciate that this is a caucus app, that this was procured by the party and developed in secret.” 

Voatz, a mobile election platform used in many pilots, is stressing that difference in its public messaging — insisting it had never heard of the app used in Iowa until it flopped. “We are also committed to transparency which is why we were one of the first elections companies in the world to invite the research community to help test our technology through our public bug bounty program,” the company said in a statement. Votes cast on the app are encrypted and stored on a blockchain that election officials can access.

Voatz also highlighted that it voluntarily worked with the Department of Homeland Security after Sen. Ron Wyden (D-Ore.) called on intelligence agencies to audit the app in the fall. 

Still, Iowa could have a chilling effect on any election officials still on the fence about whether to adopt such technology. 

“I think it will cause concern among election administrators in looking at if a pilot in mobile voting is right for them,” Jocelyn Bucaro, director of elections for Denver Elections Division, told me. “I think there is reason to be worried about that.”

And federal lawmakers are already skeptical. “Relying on an untested phone app to deliver election results is like asking a guy off the street to safeguard our nuclear codes,” Sen. Ron Wyden (D-Ore.) told me. “Unless the federal government steps up and gives state parties and local election officials the help they need to secure American elections, voting technology will continue to fail, or worse, suffer from malicious hacks.” 

Wyden urged top election officials in Oregon in a letter last week to address the security risks of mobile voting amid plans to expand use of the technology in his state, as The Cybersecurity 202 first reported. 

Bucaro, whose city used Voatz to allow uniformed and overseas voters to participate in a municipal election last May, pointed to Iowa Democrats' lack of transparency around the app as damaging to voters' trust. Multiple cybersecurity experts claimed the app used in Iowa appeared to have been sloppily put together in mere months without widespread testing. 

“Transparency is paramount in election administration,” Bucaro said. “What happened in Iowa was not managed by people who run elections.” 

The timing is especially rough for elections happening as soon as today: My colleague Jay Greene reports this morning that all voters will be able to cast a ballot from a mobile device or computer in the election for a seat on the board of the little-known King Conservation District in the Seattle area, through another Tusk pilot that uses technology from Democracy Live. 

Bucaro said Denver’s rollout for mobile voting technology, even for an election that was out of the national spotlight, was conducted much more thoroughly: In addition to initial vetting through a cybersecurity firm hired by Tusk, Denver conducted its own audit of the app before the election and conducted a public audit afterward. 

Donald Kersey, general counsel for the West Virginia secretary of state, noted that unlike Iowa Democrats, election officials are subject to laws requiring transparency around election processes. His state has also been aggressive in vetting mobile voting technology since it launched its first mobile voting pilot in 2018 for military and civilian voters overseas. It's now considering expanding mobile voting in 2020 to include disabled voters. It’s looking into the results of a Department of Homeland Security audit into Voatz, and Idaho National Labs is also auditing the company, Kersey said.

All the vetting stands in stark contrast to the IowaReporterApp used in Iowa, which party officials declined to make available to lawmakers or independent researchers to audit before the caucuses. Iowa Democrats also reportedly declined an offer by DHS to audit the app. 

“I think the public would have benefited more if the public had known more about the app,” Kersey told me. “Hopefully other states and jurisdictions will take note.” 

That doesn't seem likely so far. With just days before early voting begins in Nevada, campaigns and voters are still in the dark about what technology will be used. State Democrats said they scrapped plans to use the same vote reporting app as Iowa but have so far declined to confirm media reports that they will use a new iPad tool to relay vote counts or explain how they plan to audit any new technologies in use.

Tech glitches may also give ammo to cybersecurity experts, who often point to a 2018 National Academy of Sciences Report that determined “no known technology guarantees the secrecy, security, and verifiability of a marked ballot transmitted over the Internet” and discouraged the use of Internet-based voting.

Those who say technology is an inevitable part of future elections suggest one way to mitigate the risks is for states and the federal government to take on a greater role in funding research on how to secure and deploy election technologies. “Without assistance from the federal government, we can't do our due diligence,” Kersey told me. 

PINGED, PATCHED, PWNED

PINGED: Lawmakers sounded the alarm about the growing dangers of China-backed data theft after the Justice Department charged four members of the Chinese military with the 2017 hack of credit reporting agency Equifax.

Rep. Abigail Spanberger (D-Va.) urged lawmakers to keep an eye on emerging technologies.

Rep. Anthony Gonzalez (R-Ohio) called for a strong response from the U.S. government.

The hack may highlight how far China will go to steal American secrets, but that doesn't leave Equifax off the hook, lawmakers say.

“There’s no separating privacy and national security,” said Wyden. “When companies like Equifax amass vast stores of sensitive personal information and then cut corners on security, they become irresistible targets for unfriendly regimes like China.”

Sen. Mark Warner (D-Va.), vice chairman of the Senate Intelligence Committee and co-chair of the Senate Cybersecurity Caucus, also slammed Equifax. “A company in the business of collecting and retaining massive amounts of Americans’ sensitive personal information must act with the utmost care and face any consequences that arise from that failure,” Warner said.

Both used the moment to push for respective pieces of legislation that would hold credit agencies more accountable for breaches and increase cybersecurity standards for companies more generally.

Sen. Rob Portman (R-Ohio) also weighed in.

Attorney General William P. Barr warned: “This kind of attack on American industry is of a piece with other Chinese illegal acquisitions of sensitive personal data.” He tied the attack to other intrusions by Chinese hackers against the U.S. Office of Personnel Management, health insurance company Anthem, and Marriott hotels that collectively exposed the data of hundreds of millions of Americans. That data can be used to help Chinese spies target Americans, Barr warned.

PATCHED: President Trump’s proposed budget for next year would slightly cut cybersecurity across the government but boost spending on some key priorities including the Department of Homeland Security’s efforts to secure state and local election systems. In particular the proposal includes $1.1 billion to more than double DHS-led risk assessments of local election systems and other critical infrastructure from 1,800 to more than 6,500. 

The president’s annual budget proposal amounts to a wish list that Congress will largely ignore during its own appropriations process, but it’s a good guidepost for what an administration values. 

Overall, the budget commits about $18.8 billion to cybersecurity, split about evenly between the Defense Department and civilian agencies. About $2.6 billion of that goes to DHS, which is the lead civilian agency for cybersecurity and charged with helping protect the nation against cyberattacks targeting energy plants, airports and other critical infrastructure. 

The budget also includes $25 million for the National Telecommunications and Information Administration to modernize systems for managing the electromagnetic spectrum that powers radio and wireless networks, some of which will go toward securing next-generation 5G networks. The budget also earmarks $185 million to improve the cybersecurity of companies that affect the nation’s energy supply.

PWNED: Google will start offering its top level of cybersecurity protection free to presidential and congressional campaigns, the company announced this morning. Google is offering the service called “advanced protection” through Defending Digital Campaigns, a nonprofit organization that won Federal Election Commission approval to supply campaigns with free and reduced-price cybersecurity tools and services without violating campaign finance laws. 

Advanced protection is essentially a super-secure way for users to verify their identities when they log into websites using a physical key that resembles a USB drive. The devices work both with Google-owned services such as Gmail and with many prominent non-Google services, such as tools from Apple and Mozilla. 

The company plans to provide enough free keys for campaigns to give them to all the staffers they want – up to several hundred on a presidential campaign, Google head of account security Mark Risher told me. The company also hopes to work with DDC to offer training to ensure campaigns are using the devices correctly and securely, Risher said. 

DDC is already offering security tools from the anti-phishing firm Area 1 Security, the encrypted messaging platform Wickr, the email security firm Agari and the software and mobile security firm Lookout, among others.

PUBLIC KEY

A bipartisan group of lawmakers led by Rep. Cedric Richmond (D-La.) introduced legislation yesterday that would provide $400 million in grant money to states to shore up their cybersecurity defenses. The plan comes ahead of a Senate Homeland Security hearing today where DHS cybersecurity leaders and local officials will testify about creating more effective cybersecurity programs at the state and local level.

Sponsors include Rep. Bennie G. Thompson (D-Miss.) and Rep. Mike Rogers (R-Ala.), chairman and ranking member on the House Homeland Security Committee, as well as a number of lawmakers whose states have been hit with serious ransomware attacks in the past year.

“Over the past two years, we have seen the impact of major cyber breaches cost large U.S. cities nearly $20 million,” Thompson said. “Making smart investments in cybersecurity at the state and local level is not only fiscally responsible, it is a national security imperative.”

DHS’s cybersecurity division would be in charge of distributing the grants and would work with an advisory committee of officials from state, local and tribal governments that would advise the agency of their needs. 

— More cybersecurity news from the public sector:

The National Counterintelligence and Security Center (NCSC) on Monday unveiled the new National Counterintelligence Strategy, which emphasizes the need to defend against foreign operations aimed at democratic system
The Hill
Amazon is protesting the award of a Defense Department cloud computing contract worth up to $10 billion. The contract was awarded to Microsoft after President Trump expressed concerns that it would be awarded to Amazon.
Aaron Gregg and Jay Greene
"I cannot think of a reason not to share this with the public," said Brianna Wu, a Democratic candidate for the U.S. House.
TechCrunch

PRIVATE KEY

— Cybersecurity news from the private sector:

Exclusive: FBI alerts US private sectors about attacks aimed at their supply chain software providers.
ZDNet
Multiple confidential documents obtained by Motherboard show the sort of companies that want to buy data derived from scraping the contents of your email inbox.
Vice
Companies like Equifax threaten our personal privacy and our national security.
The New York Times

THE NEW WILD WEST

— Cybersecurity news from abroad:

Danish tax portal accidentally shares tax payer identification numbers with Google and Adobe analytics services.
ZDNet

ZERO DAYBOOK

— Today:

  • The Senate Homeland Security and Governmental Affairs Committee will host hearings to examine a roadmap for effective cybersecurity, focusing on what states, locals, and the business community should know at 9:30 a.m.
  • The Senate Committee on the Judiciary, Subcommittee on Intellectual Property has scheduled a hearing entitled “The Digital Millennium Copyright Act at 22: What is it, why was it enacted, and where are we now” at 2:30 p.m.

Coming up:

  • The Senate Armed Services Committee will host hearings to examine United States Special Operations Command and United States Cyber Command in review of the Defense Authorization Request for fiscal year 2021 and the Future Years Defense Program on Thursday at 10 a.m.
  • RSA Conference 2020 is scheduled for Feb. 24 to 28 in San Francisco.