Date: 2021-08-26

Now Peters is in hiding and being investigated by the FBI and the Colorado secretary of state’s office for allegedly surreptitiously gathering the information and sharing it with Lindell and others. The secretary of state’s office claims that before the information was released, Peters turned off video surveillance and brought an unauthorized person into the secure room where the election equipment is stored.
It's the most significant example yet of someone charged with election security aligning with conspiracy theorists.
Officials in Arizona and at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency said the release of the hard-drive images will not create “a significant heightening of the election risk landscape at this point.”
But election security experts are more concerned, warning that the images could make it far easier for someone with access to that brand of voting machines to surreptitiously load them with malware that could alter how votes are recorded.
“If you’re a bank robber, it would be helpful to have a blueprint of the bank vault,” Philip Stark, a statistics professor who focuses on election security at the University of California at Berkeley, told me. “This democratizes the ability to hack an election. It lowers the barrier.”
(Stark is an expert witness for the plaintiffs in a long-running lawsuit to try to get Georgia to drop Dominion voting machines in favor of hand-marked paper ballots.)
Dominion has featured heavily in pro-Trump conspiracy theories about the election, but none of the outlandish claims have been proven to have any basis in fact. The company has filed defamation lawsuits seeking billions of dollars in damages from allies of former president Donald Trump, including Lindell.
Colorado Secretary of State Jena Griswold (D) says she remains confident Colorado voting machines are secure because of other protocols.
As Griswold told me, those include requirements that machines are securely stored and under video surveillance, and complex checks to ensure that no one person has the necessary passwords to make changes.
Machines used in Colorado also print out a paper ballot so voters can verify that their choices were recorded correctly. Such machines or hand-marked paper ballots are used in about 95 percent of U.S. voting jurisdictions at this point. Voting machines should also never be connected to the Internet – which severely limits the options for hacking.
Geoff Hale, director of CISA’s election security initiative, told me the agency presumes that malicious actors already know the inner workings of voting machines.
“The published disk images confirm the risk that malicious actors may attempt to exploit vulnerabilities,” he said. “In the face of this, our guidance remains the same. Logic and accuracy testing, voter-verifiable paper audit trails, and credible post-election audits are safeguards that election officials have in place to mitigate this risk and to validate that the systems perform as intended.”
Dominion said in a statement that the company “is fully cooperating with all ongoing investigations.”
The leak could complicate one big argument for voting machine security.
That argument is that machines are most secure when the fewest people have knowledge about their internal workings.
Such arguments – often called “security through obscurity” – are out of favor with most cybersecurity experts. But they’re often made by industries that rely on complex machines that run on software that’s difficult to update.
Until recently, voting machine vendors used such arguments to ward off outside security researchers from searching their machines for hackable bugs. They’ve relented in recent years, but have continued to resist making their software broadly available to security researchers.
Dominion, for example, has set up programs for researchers to report bugs in its software. Several large election systems vendors have submitted their technology to be vetted by experts at Idaho National Laboratory.
Yet officials fear Peters may be part of an emerging trend.
Across the country, several Republicans committed to the baseless claim that the 2020 election was stolen from Trump are running for positions that oversee elections – including for top state election official posts in Michigan, Nevada, Georgia and elsewhere.
A partisan audit that lacks any of the rigorous controls of a traditional audit is continuing to drag on in Maricopa County, Ariz. Trump-supporting state lawmakers are pushing for similar audits in Wisconsin, Pennsylvania and elsewhere.
“It’s unnerving to have an insider threat, but this is the start to future insider threats,” Griswold said. “We’re seeing more extreme politicians running for office. … This is part of a larger coordinated attack playing out across the country.”
For the time being, the vast majority of Republican and Democratic officials tasked with running elections have stood firm against efforts to challenge results with baseless conspiracy theories.
Mesa’s entirely Republican County Commission voted 3 to 0 to replace the county’s entire suite of 41 pieces of election equipment over concerns that they couldn’t be trusted after the unauthorized access. That will cost about $825,000, the Denver Post reported. Griswold earlier barred the machines from being used in future elections.
Peters remained defiant during an appearance on Lindell’s Web show on Monday.
She denied releasing the hard drive images but acknowledged shutting off surveillance equipment guarding the machines. She said she doubts the legitimacy of her county’s election results because “even though we’re a conservative county and we won in certain instances, it wasn’t by as much as we should have.”
Peters did not reveal her location or say when she’ll return.
The keys
Companies pledged to boost cybersecurity after meeting with Biden.
Some of the companies will join an initiative to develop guidelines to build secure technology and examine the security of existing technology, as Cat Zakrzewski, Jay Greene and I report. The announcement came as President Biden tried to rally the companies into doing more to respond to hacks.
“The reality is most of our critical infrastructure is owned and operated by the private sector, and the federal government can’t meet this challenge alone,” Biden said. “You have the power, capacity and responsibility, I believe, to raise the bar on cybersecurity.”
Many initiatives announced at the summit are aimed at boosting the cybersecurity workforce:
- Microsoft will make $150 million available to government agencies to boost their cyber defenses.
- IBM will train 150,000 people in cyber skills and work with historically Black colleges and universities to create cybersecurity centers.
- Google will train 100,000 Americans in fields such as IT and data analytics.
- Amazon will make employees’ cybersecurity training public and offer some cloud customers free authentication devices.
- TIAA announced a partnership with NYU to allow employees to get free cyber master’s degrees.
Microsoft also announced a plan to invest $20 billion over five years to strengthen cybersecurity. Google will spend $10 billion over the same time period.
The committee investigating the Jan. 6 Capitol riot requested information on Trump’s firing of former CISA director Chris Krebs.
The chairman of the committee, Rep. Bennie G. Thompson (D-Miss.), asked Homeland Security Secretary Alejandro Mayorkas for “all documents and communications related” to Krebs’s removal as CISA director in November. The records could reveal new details about Krebs’s ouster and false claims that the election was stolen from Trump.
Thompson, who also leads the House Homeland Security Committee, asked for records about social media that could highlight how the U.S. government monitors encrypted communications and social media networks. Thompson asked for records on the ability of the intelligence community, National Counterterrorism Center, FBI and Department of Homeland Security to “monitor or report closed or nonpublic social media platforms.”
The Department of Homeland Security is preparing to revamp how it hires cyber workers.
Under the system, DHS will be able to pay cybersecurity professionals up to $255,000 based on their skills and importance to the mission, FCW’s Natalie Alms writes.
Regulations setting up the system go into effect in mid-November, and the first people that DHS hires through it will work at CISA and the office of the DHS chief information officer.
The system is “designed to adapt to changes in cybersecurity work, the cybersecurity talent market, and the department's cybersecurity mission,” the department wrote.