Counting Votes

Counting Votes: Election Cybersecurity Legislation Hits a Wall, RobinHood Visits Baltimore, and of course Florida

“According to a joint report from the Australian Strategic Policy Institute (ASPI) and IT industry professional association ACS, one in five national elections held worldwide since 2016 were potentially influenced by foreign interference, … “Democracies around the world have been struggling to grapple with foreign interference from state actors during elections,” International Cyber Policy Centre head Fergus Hanson said. “More empirical data means they can respond in a more targeted way calibrating policy responses to the likely risk, methods and adversary.” Technology Decisions

In an extensive Roll Call article this morning, Gopal Ratnam reports that despite the best intentions of election officials and many lawmakers, in 2020 many jurisdictions will be using “voting machines that are woefully outdated and that any tampering by adversaries could lead to disputed results.”

In addition to eliminating direct recording electronic (DRE) voting machines and requiring routine post-election audits, many of the legislative efforts have addresses cybersecurity vulnerabilities in voting systems. Edgardo Cortés, election security advisor at the Brennan Center for Justice noted, “In some sense, anything that has an internet connection can be hacked. Wireless capability, even if the functionality can be turned off through hardware or software, poses risks of remote access by adversaries, he said.”

Verified Voting President Marian Schneider explained inthe article that beyond prohibiting voting equipment that can connect to the internet, “machines may still need to have some type of wireless communication system so that administrators can upload new ballot information ahead of each election. Some counties and precincts insert manual cartridges into machines to upload ballot information, but others push out that information wirelessly because it’s easier.”

“The software on new models of voting machines would also need routine updates, and that would require some type of connectivity,” Schneider continued, “the question is, how you do it safely? Because we can’t reduce the risk to zero, we need to do audits to check the results after. Post-election audits, in which samples of cast paper ballots are recounted, is considered the gold standard for verifying election results, but few states conduct them.”

The concern over election cybersecurity was reflected in the many federal election cybersecurity related bills that have been introduced in the past several days. Those bills met an icy reception yesterday, as Senate Rules Committee Chairman Roy Blunt (R-MO) said he doesn’t expect to hold hearings on any election security bills this Congress because he doesn’t think Senate Majority Leader Mitch McConnell (R-KY) will bring them to a floor vote.

On May 10 House Democrats introduced the Election Security Act, portions of which were included in H.R. 1, the For the People Act, an omnibus bill including a broad range of electoral reforms. Last Tuesday, a bipartisan group of senators introduced the Voting System Cybersecurity Act, which would require a cybersecurity expert from the Department of Homeland Security (DHS) be included on the committee tasked with developing voluntary voting system guidelines as part of the effort to make U.S. elections secure.

On Wednesday, Sen. Ron Wyden (D-OR) and a group of 12 other senators introduced a bill to mandate the use of paper ballots in U.S. elections and also ban all internet, Wi-Fi and mobile connections to voting machines in order to limit the potential for cyber interference. And on Thursday, Sen. Amy Klobuchar introduced a Senate companion for the Election Security Act, which has garnered the support so far of 38 co-sponsors, all Democrats or independents.

The EAC: Understaffed and Underfunded

With deadlines to complete a new iteration of the VVSG fast approaching, and forced to meet other responsibilities on a shoestring budget and short staff, the EAC commissioners visited the Hill last week seeking increased funding. Comparing the EAC’s role in working on “the infrastructure of our democracy,” the Commission’s vice chairman, Benjamin Hovland, told the committee. “What we need is an investment from Congress to help us do that work.” Hovland noted that “The commission’s budget request for fiscal 2020 is $7.95 million, which is about $1 million less than 2019 and lower than the annual money set aside by Kansas City, Missouri, to fix its potholes.

“With additional resources, the EAC would have the opportunity to fund additional election security activities within its election technology program,” said McCormick. “There is no shortage of ambition at EAC when it comes to supporting this work, but there is a stark shortage of funds for such activities.”

Derek Johnson, writing for FCW, notes that the “EAC’s budget has been chopped in half over the past decade, and the Trump administration has proposed further cuts in its 2020 budget.“ At the hearing McCormick revealed that the EAC doesn’t have any full-time employees dedicated to election security work and only four full-time employees working on certification of voting machines.

[Earlier today in CybersScoop, Sean Lygrass reported, the EAC had added Jessica Bowers, a former executive at Dominion Voting Systems and Paul Aumayr, a former Maryland election official, to its voting system certification program staff.]

Last month, a group of 31 Democratic Senators led by Rules Committee ranking member Amy Klobuchar (D-Minn.) sent a letter to the Senate Appropriations Committee urging them to fund the EAC at Fiscal 2009 levels, when it had nearly fifty employees and a budget of just under $18 million, citing cybersecurity as a top concern.

“As you know, our state and local government partners face significant and sophisticated cybersecurity threats from foreign actors,” the Senators wrote. “Against this backdrop, it is critical that our nation’s election officials have the support they need from the federal government in modernizing their voting systems, and the EAC has a responsibility to maintain a high-functioning certification program.”

Florida: Who Got Hacked?

Joseph Marks wrote in the Washington Post about the frustration expressed by Florida lawmakers learning that the FBI took more than two years to acknowledge Russian hackers had penetrated some of the state’s voter database. “This lack of transparency is counterproductive,” Rep. Stephanie Murphy (D) complained. “I’m really concerned that it can erode public confidence in the integrity of our elections almost as much as the actual hacking did.”

The Mueller Report noted that the FBI had determined two Florida counties had been hacked, but the identities have not been released. Explaining their cloak-and-dagger secrecy, the FBI says it defines the counties themselves — as opposed to the actual voters within them — as the victims of the hack. Therefore, it’s up to the counties involved to disclose their own identities, as reported by Marc Caputo at Politico.

Rep. Michael Waltz (R-FL), who was briefed with other congressional members Thursday about the counties’ identities, objected, “Basically, what they’re classifying as the ‘victim’ — which is the elections official — is a mischaracterization in and of itself. The victim is the voter.”

David Smiley at the Tampa Bay Times suspects that nearly identical “jargon-filled non-denials” issued by Washington and Sumter Counties might be clues.

The NGA Cybersecurity Summit in Shreveport and RobinHood in Baltimore

Dan Lohrmann reported for GovTech on the third National Governors Association National Summit on State Cybersecurity held in Shreveport, LA. In his keynote presentation, DHS cybersecurity director Chris Krebs described the actions of Russia in 2016 as “game-changers in the history of cybersecurity, because the hacking was not just for data, but was an attempt to undermine democracy.” While noting progress on election cybersecurity, Mr. Krebs cautioned that in addition to threats from nation-states, “ransomware and a host of other cyber trends were top priorities.”

On the subject of ransomware, the RobinHood ransomware attack on the Baltimore city government has prompted the creation of a Committee on Cybersecurity and Emergency Preparedness, even as the city works to restore the systems taken down by the debilitating attack Maggie Miller wrote  in The Hill. The attack took down several of the city’s services last week, including the Department of Elections. As Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology told Mindy Moretti in electionline Weekly “Ransomware is unfortunately one of the more challenging cybersecurity threats that election offices might face.”

Hall recommended that election offices keep all software is updated and back up critical systems, but observed that “Updating software may sound easy, but if an elections office has dependencies such as relying on the wider city or county infrastructure, this may be out of the election office’s hands and they may not be able to demand that the software they are using is updated as soon as new updates are available,” Hall said.

Threats to EU Elections

Responding to concerns by European and U.S. officials over cyber-attacks related to election meddling and intellectual property theft, the EC last week agreed on “new rules that will grant it authority to impose travel bans and asset freezes against individuals responsible for cyber-attacks that pose a significant threat to the bloc.”

 

The EU Parliament election this weekend will be the first since Russia’s disinformation campaign aimed at the 2016 US presidential election put other nations on high alert for similar behavior. Earlier this year, the security firm Fireeye reported that Russian hackers had been targeting European government agencies, as well media outlets in France and Germany.

Election Cybersecurity in Indonesia

The Jakarta Globe interviewed Fernando Serto, director of security technology and strategy at Akamai APJ, about efforts made by Indonesian officials to address the threat of election cyberattack. Noting that cybercrimes often happen during elections all over the world, Serto said “This is not unique to Indonesia; every time a country holds an election, we see a lot of hacking activity. We’ve seen it happen during elections in the Philippines and the US.”

“We see a lot of hacktivists, people who disagree with the policies of a particular candidate, trying to hack into their official website and put very aggressive messages on it,” Serto continued. “The role of the government is crucial in preventing hacktivists from creating cyber chaos during elections.”