with Tonya Riley

Attacks on the voting company Dominion and the integrity of the election by President Trump and his allies are posing a conundrum for election security advocates. 

On one hand, they’ve long battled with Dominion and other top voting machine vendors to take security more seriously and be more transparent about their operations so they can be vetted by outside security experts. 

“If there’s one positive piece that comes out of this it would be greater oversight of election vendors,” David Levine, elections integrity fellow at the Alliance for Securing Democracy, told me. Dominion, along with two other major vendors, control about 80 percent of the U.S. market for election systems. “If there’s a successful cyberattack against one of them, that could have devastating consequences,” he said.

On the other hand, the attacks by Trump and his supporters are basically made up out of whole cloth and contrary to all available evidence. Security pros worry these conspiracy theories that go far beyond any legitimate concerns will corrode public faith in elections and convince people it’s not worth turning out to vote. 

Unfortunately, there’s a danger that the entire effort to increase cybersecurity in elections will get tarred by the unfounded rantings of a few people,” Lawrence Norden, director of the Election Reform Program at New York University's Brennan Center for Justice, told me. “There are legitimate things that need to be done to improve the security of our election systems and they should be done regardless of what some crazy people are alleging.” 

There's a potential silver lining as election security is likely to remain a hot topic in Washington after 2020. 

The fact that it's entered the discourse at such a high level among Republicans – even because of dubious circumstances – suggests there could eventually be a more bipartisan focus on ensuring future elections are conducted securely and transparently. 

Election security has improved considerably since 2016 with the addition of paper ballots for millions more voters and a surge in post-election audits  But there’s still a lot more to be done. 

Security advocates now have to thread an important political messaging needle as the debate gets incredibly polarized. The issue was already precarious following the 2016 election when Democrats' fears about Russian hacking were high – but Trump often reacted to discussion about election security and Russia’s efforts to undermine the 2016 contest as suggesting that his victory over Hillary Clinton was illegitimate. 

That Russian effort included the hacking and leaking operation at the Democratic National Committee and the Clinton campaign and probing election systems in numerous states, intelligence agencies said, but there's no evidence Russian hackers compromised actual voting systems or changed votes. 

It has become even more treacherous since November’s election. Dominion has pushed back on all the phony claims the election was rigged by the company and state and local election officials on its website and in an op-ed by Dominion CEO John Poulos in the Wall Street Journal. But it hasn’t helped that the vast majority of Republican members of Congress have not acknowledged President-elect Joe Biden’s victory. 

People working in this space really have to thread the needle when they’re talking about these issues,” Norden said. “We want to make changes that will build confidence in the system, backed by expertise and science. Hopefully we can do that without fueling conspiracy theories or undermining trust.”

Many security advocates are taking a step back to avoid inadvertently becoming pawns in efforts to overturn a legitimate election. 

In some cases, it's easier to leave off talking about potential election security gaps and focus instead on the broad conclusion — endorsed by state and federal officials — that Americans should have high confidence the election results were not affected by hacking or other interference. 

“The specific concerns of election security advocates are not of paramount importance right now,” Mark Lindeman, interim co-director of the election security organization Verified Voting, told me. “The continuity of the American republic is more important than attention given to my issues.” 

But once Trump is out of office, there’s hope the surge in public interest could lead to better protections. 

At the very least, the controversy could compel election technology vendors to be voluntarily more transparent about their security, the experts say. 

Major election vendors have already made some progress in that direction since 2016 by agreeing to have their technology independently vetted by a federal technology testing facility at Idaho National Labs. One major vendor, Election Systems & Software, also has struck a deal with the cybersecurity company Synack to allow independent researchers to search for bugs in its systems.

Many security advocates want the companies to go further, however, and allow broad public vetting of the cybersecurity protections they have in place. 

The best-case scenario for many security pros would be for Congress to mandate security measures and transparency for election vendors — a practice that's more common for other industries that the government deems critical infrastructure, such as aerospace and energy firms.

That would be a shift from prior years when Democrats’ election security efforts focused relatively narrowly on pushing mandates for paper ballots and post-election audits and Republicans eschewed mandates entirely.  

“I think [voting vendors] will do as much as is demanded from their customers and from government oversight, and at a national level, so far there’s not been much demand,” Norden said. 

Republicans hesitant to court Trump’s ire by supporting election security changes after 2016 may see new political opportunity.

After all, the issue appears to be rising in popularity among Trump's base. But they also may begin to worry that if voter doubts about the integrity of elections go too far, as many argue they are now, it could harm their chances of winning office. That’s a paramount concern right now in Georgia, where Trump has repeatedly claimed Biden’s win was illegitimate — even after it has been affirmed by two statewide audits — and which will hold two Jan. 5 runoff elections that could determine control of the U.S. Senate. 

If people are relying on false information and they decide to not turn out to vote and that leads to candidates not getting enough votes to win, that will lead to a reckoning,” Levine said. “Instead of being in this place again where you’re swimming in a cesspool of conspiracy theories and false information, in four years you can be talking about how we have transparency about vendors.”

Levine’s big hope is that just like the period between 2016 and 2020 saw a massive increase in the percentage of votes cast using paper ballots, the period between 2020 and 2024 could see a spike in transparency for election vendors. 

“The political winds for that may be more helpful now,” he said. 

The keys

Hackers accessed documents related to Pfizer and BioNTech’s coronavirus vaccine.

The documents were stolen from a server belonging to the European Medicines Agency, which held regulatory documents about the vaccine, Germany’s BioNTech reported in a news release. BioNTech and Pfizer’s own systems were not breached in connection with the incident, according to the news release.

The EMA confirmed that it was the victim of a cyberattack but did not provide details. The agency said it is investigating the attack and is working with law enforcement. 

U.S. and British intelligence agencies have warned that Russian and Chinese hackers are targeting companies and research institutions working on a coronavirus vaccine. Both countries deny the allegations.

Trump added the proposed cyber director position to his list of reasons he might veto a must-pass defense bill. 

The bill’s mandate to appoint a national cyber director within the White House increases bureaucracy and confuses cybersecurity policymaking, the White House said in a statement. The government already performs the functions of the new role, the White House claims.

That’s roughly the same rationale the former national security adviser John Bolton gave when he scrapped a similar role in 2018.  

Bringing back a stronger version of the position that would require Senate confirmation, as outlined in the National Defense Authorization Act, is widely popular with both parties. A bipartisan congressionally-led committee on cybersecurity recommended the reinstatement of the position earlier this year. 

Trump previously threatened to veto the $741 billion dollar spending bill because it doesn’t repeal a key tech liability law, among other issues. The House has passed the bill with a veto-proof majority.

An Al Jazeera anchor sued the Saudi and United Arab Emirates crown princes for allegedly targeting her in a hacking operation.

The anchor, Ghada Ouiess, alleged that the Saudi and UAE governments conducted a hack and leak operation to undermine her character and career, Maggie Miller at The Hill reports. Operatives connected with the governments allegedly stole pictures of her in a swimsuit from her phone and then distributed doctored versions of the photo that made her appear nude.

Oueiss claims the operation was in retaliation for her critical reporting on the governments. The photos rapidly spread on Twitter and appeared to be amplified by accounts connected to the two crown princes. 

The Saudi crown prince faces a separate lawsuit for allegedly carrying out the murder of Washington Post columnist Jamal Khashoggi in 2018. Khashoggi’s fiancee filed the suit.

Chat Room

Lawyers for ousted federal cybersecurity chief Chris Krebs say a “shadow group” is “proposing the assassination” of current and former officials who defend the integrity of the 2020 election. Krebs, who was fired by Trump for defending the election’s integrity, has charged there’s a conspiracy to attack Republicans who dissent from the president’s baseless election fraud claims. Here are details from the Wall Street Journal’s Dustin Volz:

Securing the ballot

Democratic secretaries of state are touting their accomplishments in a new video. 

The video released by the Democratic Association of Secretaries of State this morning highlights the work of top Democratic election officials during an election year challenged by the coronavirus pandemic and expansion of mail-in voting. 

A spokesperson for the group called the video a “victory lap” for the secretaries. It's also a clear jab at Trump, who refuses to acknowledge Joe Biden's victory and claim the election was rigged despite presenting no credible evidence to support those claims. The video, shared ahead of its release with The Cybersecurity 202, features clips of secretaries of state who have faced attacks from Trump, including Michigan's Jocelyn Benson and Arizona's Katie Hobbs.

“Working together, secretaries navigated last-minute changes to election laws, combated blatant voter suppression efforts, and defended against cynical lawsuits,” DASS Chair and California Secretary of State Alex Padilla said in a statement. “Some secretaries faced personal attacks and death threats before, during, and after the election. The integrity, transparency, and grace with which these secretaries conducted themselves despite these challenges deserves the highest praise.” 

Cyber insecurity

A suspect in a massive 2016 cyberattack that took down Netflix and other sites pleaded guilty.

The unnamed hacker is schedule for sentencing in January, Jeff Stone at CyberScoop reports. The cyberattack harnessed computing powers from poorly secured Internet-connected devices, known as the Mirai botnet, and used it to overwhelm numerous websites. 

It caused outages for popular sites including Twitter, Netflix and Reddit.

More cybersecurity news:

Daybook

  • The Senate Homeland Security and Governmental Affairs Committee will hold a hearing on Wednesday titled "Examining Irregularities in the 2020 Election."

Secure log off

Even more lawsuits from the Trump campaign.