Welcome to The Cybersecurity 202! My sympathies are going out this morning to staff and animals at the Smithsonian National Zoo where 25 American flamingos and one Northern pintail duck were killed by a wild fox this week. Washington’s a rough town sometimes.
Democracy Live is submitting to continuous vetting for hackable bugs
One online voting provider is striving to prove its cybersecurity bona fides before the 2022 elections.
Democracy Live, which ran online voting pilots in numerous states in 2020, is partnering with cybersecurity company Synack to continuously test its platform for hackable bugs before the midterms.
It's one of the most significant efforts to date by an online voting provider to prove its services are secure. But it also comes amid long-standing warnings from election security advocates that voting online or by mobile device isn’t secure enough and raises hacking risks from Russia and elsewhere.
“We want the feedback. We want to make this as secure as possible,” Democracy Live founder Bryan Finney told me in an interview. Democracy Live and Synack shared the news with The Cybersecurity 202 in advance of a formal announcement this morning.
- Democracy Live is gearing up for another round of online voting pilots using its OmniBallot platform this year in West Virginia, North Carolina, South Carolina and Alabama.
- The pilots in all states will include military voters based overseas. In West Virginia and North Carolina they’ll also be open to voters with disabilities that make voting by mail impossible or impractical.
Details
The deal with Synack will open up Democracy Live’s systems to about 1,500 cybersecurity researchers vetted by Synack who work on a bug bounty model — essentially meaning they get paid for the vulnerabilities they find, and more damaging vulnerabilities pay out more.
The bug reports won’t be public, Finney told me, but he pledged to make them available to any state or locality that’s interested in his product and to cyber researchers and academics — including those who are openly opposed to online voting.
“We want to be as transparent as possible,” he said.
The dilemma in a nutshell
When people vote with secret ballots online, there is no way to definitively verify that hackers haven’t changed those votes before they reach election officials. Voters have no way to double-check their votes after they hit send, and there is no physical record of the vote that officials can audit if the election results are called into question. There is also a greater risk of someone voting on another person’s behalf simply because they have access to that person’s device.
Intensive security testing can reduce some of those risks but cannot eliminate them: a bug bounty turns up implementation flaws in the platform, not the structural absence of a voter-verifiable, auditable record.
Many advocates, including Finney, say those risks are worth it in the short term — and in limited pilots — to ensure people can vote who might otherwise be disenfranchised. In the case of military servicemembers stationed abroad, those who can’t easily vote by mail often end up sending ballots in by fax machine or email attachment, which have their own security vulnerabilities.
“The whole reason why we’re doing this is to make it more secure than a fax machine or an email attachment,” Finney said.
Concerns
But election security advocates fear such efforts will be a slippery slope to everyone voting online — a move they say would take elections in the wrong direction amid widespread fear of foreign manipulation and plummeting confidence in the integrity of elections.
Some of the biggest online voting boosters are already pushing for wider adoption. Most recently, the D.C. city council considered a plan pushed by Tusk Philanthropies to allow online voting by all voters before scrapping the plan amid an outcry from residents and cybersecurity experts.
Finney says he wants to limit Democracy Live’s online voting pilots to voters who might otherwise be disenfranchised for the time being. But he also envisions a longer-range future in which the security risks have been mitigated and online voting can be rolled out more broadly — eventually to all voters.
“We're in no rush to make it universally available, but I think there are a lot of great reasons to do that eventually,” Finney told me. “The language of next generation voters is mobile, and, at some point, we have to speak that language.”
Synack CEO Jay Kaplan is on essentially the same page.
“People didn’t trust mobile banking years ago,” he told me. “I think we have to build confidence over time, and it starts at a smaller scale. It personally gives me a lot of confidence that hundreds, if not thousands, of security researchers will have looked at this environment.”
Finney also has long-term ideas about using online voting to improve voter education — for example by linking candidates’ names on the ballot to campaign finance information.
“You can be more informed as a citizen voter. You can click on a card and know if it’s the NRA or the Sierra Club [funding a candidate],” he said.
The keys
Trump official meddled with Russian election interference report, watchdog says
Former president Donald Trump’s acting Homeland Security secretary, Chad Wolf, asked a top DHS official to hold a report on Russian interference in the 2020 election because it would hurt Trump’s reelection campaign, the official told the agency’s inspector general.
The report described a Russian influence campaign “spreading unsubstantiated allegations that … Biden is of poor mental health” — a line of attack Trump was also deploying at the time.
Wolf disputed the report’s characterizations of the meeting. He said the meeting focused on problems with the report, which “was not well written” and was “written at the fifth-grade level.”
DHS officials also added a section to the report about Chinese and Iranian efforts to question Trump’s mental state as a “blunting feature” to balance the report. But that shouldn’t have been a consideration, and the box “served an unclear intelligence purpose,” the inspector general said.
Lawyer Mark Zaid called the report “significant vindication” for his client Brian Murphy, a former DHS official who filed a whistleblower complaint about the report in 2020:
We are still reviewing but @DHSOIG report looks to be significant vindication for our #whistleblower client #BrianMurphy whose lawful efforts bravely reported misconduct during Trump Admin at highest levels of @DHSgov.https://t.co/XceUBKA8b5
— Mark S. Zaid (@MarkSZaidEsq) May 3, 2022
Leaked Supreme Court opinion is sparking fears about data security
Cybersecurity Twitter was thick Tuesday with warnings about data collected by apps and online services that might be used to identify women seeking abortions in the event the procedure becomes illegal in some states.
The tweets were sparked by a leaked draft of a majority Supreme Court decision to overturn the 1973 Roe v. Wade ruling that affirmed abortion rights.
A case in point: Motherboard purchased a week’s worth of location data about more than 600 U.S. Planned Parenthood locations from data broker SafeGraph for around $160, Motherboard’s Joseph Cox reports. Some of those Planned Parenthood clinics offer abortions. While the data doesn’t include names of users, such data has been used in the past to identify individuals by analyzing patterns of movement and behavior. Planned Parenthood and SafeGraph didn’t respond to requests for comment from Motherboard.
Cybersecurity experts also encouraged women to take precautions when it comes to their online privacy. Principled LLC chief executive Debra J. Farber and Duke Law’s Jolynn Dellinger:
— Debra J. Farber (@privacyguru) May 3, 2022
The Electronic Frontier Foundation’s Eva Galperin:
If you are in the United States and you are using a period tracking app, today is a good day to delete it before you create a trove of data that will be used to prosecute you if you ever choose to have an abortion.https://t.co/7L7LaQizgx
— Eva (@evacide) May 3, 2022
EA’s Amélie E. Koran:
Evaluate your threat model… also would be a good time to check your browser cookies and tracking info. https://t.co/b02oqInKFR
— Amélie E. Koran (@webjedi) May 3, 2022
The CDC also purchased location data from SafeGraph
The Centers for Disease Control paid $420,000 for access to the data to monitor whether Americans were complying with coronavirus lockdowns, Motherboard’s Joseph Cox reports.
The CDC also mulled more than 20 other coronavirus-related uses for the data, including looking at public policy effectiveness on the Navajo Nation, tracking K-12 school visiting patterns and examining whether visits to “mass gatherings” including at places of worship correlated with increased cases.
The use of the data is likely to raise concerns about invasive government use of data crunching. “It's also likely to give anti-vaccine groups a real-world data point on which to pin their darkest warnings” about vaccine passports, which some have claimed allow the government to track vaccine recipients, Cox writes. The CDC and SafeGraph didn’t respond to requests for comment from Motherboard.
Chat room
Journalist Kim Zetter pondered how the Supreme Court could identify future leakers:
There's a risk in publishing a leaked document even if metadata is scrubbed from it. It's one thing to report that justices voted to overturn Roe v Wade - that info can come from a lot of people. But few people probably had access to the actual document that got published.
— Kim Zetter (@KimZetter) May 3, 2022
They could do this by simply changing one word in each copy of the document distributed internally - so each justice and their staff gets a slightly different version without realizing it.
— Kim Zetter (@KimZetter) May 3, 2022
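The technique Zetter describes is a canary trap: every recipient gets a copy with small, individually harmless wording differences, and the pattern of differences in the leaked copy points back to one recipient. The script below is an added example, not part of the newsletter and not Zetter’s code; the template text is constructed for illustration and is not a real opinion. Each `{option A|option B}` choice point carries one bit of the recipient number, so four choice points distinguish sixteen copies. The identification step scores copies slot by slot rather than demanding an exact match, so a partial quote or a lightly edited leak still narrows the field, and it reports a tie when the leak does not carry enough bits to single anyone out. The last function shows the scheme’s known weakness: two recipients who compare their copies find the choice points.

```python
"""Canary trap: per-recipient document variants that identify a leaker.

Added example, not from the newsletter. The template is constructed text;
choice points are written as {option A|option B}. Each choice point is one
bit of the recipient number, so k choice points distinguish up to 2**k copies.
"""
import re

# Constructed sample document (not a real court opinion).
TEMPLATE = (
    "The Court {holds|concludes} that the question is {returned|remitted} to the "
    "people's elected representatives. The opinion is {binding|authoritative} and "
    "{supersedes|replaces} the earlier guidance."
)

_SLOT = re.compile(r"\{([^{}|]+)\|([^{}|]+)\}")


def slots(template):
    """All choice points, in order: list of (option0, option1)."""
    return _SLOT.findall(template)


def capacity(template):
    """How many recipients can receive pairwise-distinct copies."""
    return 2 ** len(slots(template))


def bits_for(recipient_id, k):
    """Little-endian bit vector of recipient_id, one bit per slot."""
    return [(recipient_id >> i) & 1 for i in range(k)]


def render(template, recipient_id):
    """The copy handed to one recipient: slot i takes option bits[i]."""
    k = len(slots(template))
    if not 0 <= recipient_id < 2 ** k:
        raise ValueError(f"recipient {recipient_id} exceeds capacity {2 ** k}")
    picks = iter(bits_for(recipient_id, k))
    return _SLOT.sub(lambda m: m.group(1 + next(picks)), template)


def observe(template, leaked_text):
    """Read the bit at each slot from a leaked copy.

    A slot reads 0 or 1 when exactly one of its options appears in the leak,
    and None when neither (passage cut) or both (heavily edited) appear.
    Matching is on whole words, so 'holds' does not match 'upholds'.
    """
    def present(word):
        return re.search(r"\b" + re.escape(word) + r"\b", leaked_text) is not None

    out = []
    for a, b in slots(template):
        pa, pb = present(a), present(b)
        out.append(0 if pa and not pb else 1 if pb and not pa else None)
    return out


def identify(template, leaked_text, recipients):
    """Rank recipients by agreement with the bits readable from the leak.

    Returns (candidates, score): the recipients whose copy agrees with the
    most readable slots (minus disagreements), and that score. More than one
    candidate means the leak does not carry enough bits to single out one person.
    """
    k = len(slots(template))
    seen = observe(template, leaked_text)
    scored = {}
    for rid in recipients:
        mine = bits_for(rid, k)
        agree = sum(1 for s, m in zip(seen, mine) if s is not None and s == m)
        clash = sum(1 for s, m in zip(seen, mine) if s is not None and s != m)
        scored[rid] = agree - clash
    best = max(scored.values())
    return sorted(r for r, s in scored.items() if s == best), best


def colluding_diff(template, rid_a, rid_b):
    """Slot indices two recipients expose by diffing their copies (the known weakness)."""
    k = len(slots(template))
    return [i for i, (x, y) in enumerate(zip(bits_for(rid_a, k), bits_for(rid_b, k))) if x != y]


if __name__ == "__main__":
    everyone = range(capacity(TEMPLATE))
    leaked = render(TEMPLATE, 5)
    print(identify(TEMPLATE, leaked, everyone))                  # one candidate
    print(identify(TEMPLATE, leaked.split(". ")[0], everyone))   # partial quote: a tie
    print(colluding_diff(TEMPLATE, 5, 0))                        # slots exposed by comparing copies
```

Two caveats worth keeping in mind. Scrubbing metadata, as Zetter notes, does nothing against this: the identifying signal is in the prose itself. And the bit budget is the whole game: a leaker who quotes only one sentence reveals only the slots in that sentence, which is why the function returns a candidate list rather than a single name.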
Government scan
CISA's getting into podcasts
The publication CyberWire will be offering an audio version of the cybersecurity agency's alerts in podcast form. The audio feed will “provide urgent information about cyberthreats, vulnerabilities, and exploits,” CyberWire said.
Daybook
- CISA Director Jen Easterly, Rep. Jim Langevin (D-R.I.) and cybersecurity officials speak at the Hack the Capitol conference today.
- Gen. Paul Nakasone, who leads U.S. Cyber Command and the National Security Agency; NSA cybersecurity director Rob Joyce; and deputy national security adviser Anne Neuberger speak on the first day of Vanderbilt University’s two-day Summit on Modern Conflict and Emerging Threats today.
- Homeland Security Secretary Alejandro Mayorkas testifies before the Senate Homeland Security Committee today at 2:30 p.m. after testifying before a Senate Appropriations Committee panel at 10 a.m.
- Secretary of State Antony Blinken outlines the Biden administration’s China policy at an Asia Society event Thursday at 11 a.m.
Secure log off
Today’s second @washingtonpost TikTok features the latest covid variant, BA.2.12.1. Preliminary research suggests it is about 25% more transmissible than BA.2, the current nationally dominant strain of omicron:https://t.co/Mn0H4TRkno pic.twitter.com/1tZS7wC3Hx
— Carmella Boykin (@carmellaboykin) May 3, 2022
Thanks for reading. See you tomorrow.