The Washington Post

The Cybersecurity 202: Election security officials sound confident about November

Analysis by
Anchor of The Cybersecurity 202 newsletter
August 6, 2020 at 7:23 a.m. EDT

with Tonya Riley

Election security officials are confident they made key changes to make in-person voting safer in November. But lawmakers are farther apart than ever on how best to protect the election that’s just three months away.  

The Department of Homeland Security’s top election security official, Chris Krebs, ticked off a slew of accomplishments during an address at an online version of the annual Black Hat cybersecurity conference. They include an extensive cybersecurity testing program for state and local election offices and digital sensors that can alert DHS about hacking attempts at thousands of county election offices.

“It’s night and day compared to what existed in 2016,” Krebs said. He said he’s confident that “2020 will be the most protected and most secure election in modern history.”

Lawmakers, meanwhile, have fallen into partisan bickering, with Republicans and Democrats accusing each other of aiding U.S. enemies rather than combating them.

That split screen has been a relative constant during the past four years.

And it comes as officials are facing a new kind of insecurity – a potentially massive wave of mail-in ballots as fewer people go to physical polling places during the coronavirus pandemic.

With some notable exceptions, federal, state and local officials have made steady progress with changes to transition to more secure paper ballots and implement cybersecurity protections and post-election audits. 

Congress, meanwhile, has failed to pass any significant campaign or election security legislation. It has delivered about $1.2 billion to states to improve cybersecurity and make voting safer during the pandemic, but that’s far less than Democrats have requested and many experts say is necessary. 

Recently, the congressional wrangling has focused on a Republican investigation into work in Ukraine by Joe Biden’s son Hunter.

For the past several weeks, Democrats including House Speaker Nancy Pelosi (Calif.) and Senate Minority Leader Chuck Schumer (N.Y.) have warned about a foreign disinformation campaign trying to get Congress to undermine the election — a likely reference to the investigation led by Sens. Ron Johnson (R-Wis.) and Charles Grassley (R-Iowa). 

Biden campaign spokesman Andrew Bates has accused Johnson of “facilitating a foreign influence operation to undermine our democracy” in part to distract from the Trump administration’s handling of the coronavirus pandemic, Paul Sonne, Karoun Demirjian and David L. Stern report.

Johnson and Grassley punched back yesterday, arguing it was Pelosi and Schumer who were undermining election security by questioning their investigation. 

“It is certainly our goal to eradicate foreign influence from our elections. But your use of this issue to knowingly and recklessly promote false narratives for political purposes is completely contrary to that goal,” the lawmakers wrote. 

Then they got harsher: “Although it is undisputed that Russia interfered in the 2016 elections, as they have done in the past and will continue to do in the future, you have twisted this fact beyond recognition to forge a weapon for the purpose of attacking your political opponents no matter its tenuous relationship with facts or the truth.”  

So far, Russia doesn't appear to be trying for a repeat of 2016. 

That year, Russian hackers compromised voter databases in at least two states, though there’s no evidence they changed any information or compromised actual voting infrastructure. They also scanned but did not hack into election systems in dozens of other states in addition to hacking and leaking embarrassing information from the Democratic National Committee and the Clinton campaign. 

Krebs warned of “a whole lot of scanning” of election-related computer networks by U.S. adversaries this year, a list that might include China and Iran as well as Russia. 

But there has been “nothing at the directed, focused level of 2016,” he said. 

That’s good news for election officials who are trying to remain secure against Russian hacking even as they tackle a slew of challenges related to running an election during the pandemic. 

But Russian disinformation operations aimed at undermining the election and sowing divisions between Americans are still going strong.

“On disinformation, Russia’s never taken its foot off the gas,” Krebs said.

The federal government is launching new efforts to help election officials in the final months before November. 

DHS recently launched a $2.2 million pilot program with the Center for Internet Security to help election officials secure the laptops, tablets and other devices they use to manage election business such as checking in voters at polling places and reporting vote totals.

The State Department began offering up to $10 million in rewards for information that helps identify anyone who is helping a foreign government hack U.S. elections. It’s similar to a reward program for information that helps locate terrorists. 

Election machine companies are also making progress on cybersecurity. 

The nation’s largest voting machine vendor, Elections Systems and Software, formally introduced a system at the Black Hat conference for ethical hackers to alert it to bugs in its computer systems. The move is a shift from two years ago when ES&S downplayed digital threats to its systems and accused ethical hackers of using unrealistic scenarios to suggest their machines are far more vulnerable than they are. 

It also marks at least a partial truce with the cybersecurity research community, which has slammed voting machine vendors for being too opaque about security and not responsive to legitimate criticism. The ES&S program was first reported by Robert McMillan and Alexa Corse at the Wall Street Journal. 

ES&S began accepting reports of digital vulnerabilities by email about 18 months ago, said Chris Wlaschin, the company’s vice president of systems security. Yesterday the company released a formal document called a “vulnerability disclosure policy,” which outlines which systems hackers can access without getting into legal trouble and lays out how and when ES&S will respond to bug reports. 

The program doesn’t extend to voting machines and other systems that generally can’t be accessed on the public Internet. 

ES&S also announced a deal with the cybersecurity company Synack, which will deploy a team of hackers to probe for bugs in the company’s newest electronic poll book. The company plans to expand that program to include voting machines and other tools that aren’t included in the vulnerability disclosure policy, Wlaschin said. 

The keys

Trump now likes mail voting in Florida and Arizona but still says it will be a disaster elsewhere.

The president’s position on mail voting has grown increasingly convoluted in recent days as he seems to be strategically reversing his long-held opposition to the practice but only in states where it might help his electoral chances. 

“So, in Florida, they've done a good job. In Arizona, they've done a good job, but they've been doing this thing and refining it for years,” Trump said at a news conference attended by Arizona Gov. Doug Ducey (R).

Within hours of Trump praising mail voting in those two states, his campaign filed a lawsuit to block Nevada from sending ballots to all registered voters, Amy Gardner and Jacob Bogage report. The election could take years to call if Nevada absentee voting is expanded, the president alleged on Fox News and in a tweet.

Trump has claimed without evidence that mail voting will lead to massive fraud and disastrous delays.

At a separate news conference he said, “If you look at it just out of common sense and pure basic beautiful intelligence, you know it can’t work.”

Trump also incorrectly asserted that Nevada does not plan to verify voter signatures on mail ballots. When a reporter corrected him, he incorrectly insisted that state officials had earlier said they would not verify signatures. He also asserted that aging machinery would make doing so impossible.

Virginia will launch the first U.S. coronavirus alert app that uses Apple and Google software. 

The app, called COVIDWISE, will use Bluetooth signals to notify users who were in close proximity with people who report coronavirus infections, Paresh Dave at Reuters reports.  

“This is a way we can all work together to contain this virus,” Democratic Gov. Ralph Northam said in a televised briefing. “No one is tracking you. None of your personal information is saved.” 

Virginia is one of several states that have signed on to use the technology, but deploying it has been slowed by a lack of funding and clashes between public officials and the tech giants over data collection. Some states and countries initially declined to use the software because it didn't collect GPS location data, which they said could help them better track the spread of the disease. The companies argued the technology was too invasive.

Secretary of State Mike Pompeo is urging U.S. companies to ban downloads of Chinese apps.  

The plea comes as a part of the State Department's initiative to remove allegedly untrustworthy Chinese technology from America's infrastructure, ranging from mobile apps to telecommunications networks. Most recently Trump threatened to ban TikTok if its Chinese parent company doesn't sell its U.S. assets to Microsoft or another U.S. company by Sept. 15. 

“We want to see untrusted Chinese apps removed from U.S. app stores,” Pompeo told reporters, Laura Kelly at the Hill reports. “President Trump has mentioned impending action on TikTok, and for good reason. With parent companies based in China, apps like TikTok, WeChat and others are significant threats to personal data of American citizens, not to mention tools for [Chinese Communist Party] content censorship.”

Both Google and Apple, which dominate app platforms in the United States, allow the Chinese social networking site WeChat alongside a host of other Chinese apps. Privacy researchers at the research organization Citizen Lab criticized WeChat earlier this year for monitoring content sent from users based abroad to users inside China. 

Industry report

YouTube banned a network of nearly 3,000 Chinese accounts for spreading political propaganda.

The content pushed by the accounts related to ongoing protests around police brutality, TechCrunch reports. Researchers at Graphika found similar operations on Facebook and Twitter earlier this year.

More industry news:

TikTok says it's going to fight election misinformation (NBC News)

Chat room

A bond hearing conducted on Zoom for the teenager who allegedly masterminded the recent Twitter hack that embroiled Joe Biden and Barack Obama was hacked itself. The hackers posted videos to the hearing including pornography.

Daybook

  • Black Hat will take place virtually through Thursday.
  • The Senate Energy and Natural Resources Committee will hold a hearing to examine federal and industry efforts to improve cybersecurity in the energy sector today at 10 a.m.
  • DEF CON will take place virtually August 5-8.
