Sep 3, 2019

Analysis | The Cybersecurity 202: DNC move against phone-in caucuses pits cybersecurity vs. voter participation

By Joseph Marks




Democratic National Committee Chairman Tom Perez. (Scott Olson/Getty Images)
THE KEY
The Democratic National Committee’s decision to recommend scrapping phone-in virtual caucuses in Iowa and Nevada is pitting security hawks, who say those systems are ripe for hacking, against Democratic activists who want to increase voter participation.
The DNC announcement on Friday comes after a test of the phone-in systems showed they were vulnerable to hacking, as my colleagues Isaac Stanley-Becker and Michael Scherer reported. That confirmed the suspicions of cybersecurity experts who have long argued there’s no way to ensure the authenticity of votes that aren’t cast in person — including votes cast by email, websites or mobile phones.
But it was a blow to activists who want to make it easier for people to participate in the democratic process — and who say lengthy in-person caucuses exclude people who work long hours or are caring for young children.
Iowa and Nevada developed their phone-in systems after the DNC urged caucus states in 2018 to either switch to primaries — which are speedier — or make it easier for people to participate remotely. The Iowa system would have allowed voters to register for a unique PIN and use that PIN when they called in to vote for a candidate, my colleagues reported.
The DNC move also sparked the ire of some 2020 presidential hopefuls.
“It’s important if we’re going to win this election against Donald Trump in 2020 that you get people off the sidelines,” Julián Castro said in a video message after the DNC announcement. “And you ain’t going to get them off the sidelines if you promise people that you’re going to have more opportunity to get out and vote and now you go back on your word.”
The DNC should either “figure out a secure virtual caucus process” or set up another option for people to caucus remotely such as mail-in ballots, said Castro, who was housing secretary during the Obama administration.
The DNC has disallowed plans to increase participation in the first-in-the-nation caucus state.
I strongly urge the DNC to embrace our party's values and allow absentee voting, either through a virtual caucus, mail-in, or early voting process. pic.twitter.com/V85BIJtq4v
— Julián Castro (@JulianCastro) August 30, 2019
Other 2020 candidates also criticized the DNC move.
New York City Mayor Bill de Blasio acknowledged that “cybersecurity is a very serious threat to our democracy” but said it’s “imperative that the DNC reconsider its decision and immediately get to work, in partnership with the Iowa Democratic Party, to ensure the caucus is both safe from interference and accessible to all.”
Author and activist Marianne Williamson urged the DNC to reconsider the virtual caucus and “assure it’s a safe and secure process where every vote counts.”
.@marwilliamson says "Iowa’s Virtual Caucuses are an important and innovative step to increase voter participation in Iowa...We need to assure its a safe and secure process where every vote counts." pic.twitter.com/jwaiO8Ax3A
— Adam Brewster (@adam_brew) August 30, 2019
Former Vice President Joe Biden offered a more measured response to reporters over the weekend. “I'm going to still go into every county I can get to. I am going to compete for every vote in the state. That's a decision the DNC has to make. The more people that access to vote the better,” Biden said.
Other top-polling candidates — Sens. Elizabeth Warren (Mass.), Bernie Sanders (Vt.) and Kamala Harris (Calif.) and South Bend, Ind., Mayor Pete Buttigieg — didn't respond to queries I sent out about the DNC decision over the holiday weekend.
Security advocates, however, warn there’s no quick fix that will make phone-based voting systems secure against determined hackers from Russia and elsewhere.
It’s tough enough, they say, to protect the cybersecurity of traditional voting machines, which are designed to be segregated from the Internet and other key avenues for hacking. Mobile phones, by contrast, are online by default, connect frequently to unsecured and hackable wireless networks and are filled with apps that could be compromised by hackers.
Those hackers could either cast phony votes to deliver the caucus to a preferred candidate, they say, or simply cast enough doubt on the caucuses that voters don’t trust the results.
“Expanding caucus participation is a worthy goal, however phone and internet-based caucusing is simply too vulnerable to attack by foreign hackers,” Sen. Ron Wyden (D-Ore.), one of the top cybersecurity hawks in Congress, said in a statement.
Wyden warned that “one of the biggest lessons from 2016,” when Russia launched a hacking and disinformation operation aimed at helping Donald Trump win the presidency, “is that election officials and parties must make cybersecurity a key consideration for every decision in our elections process.”
Nevada Deputy Secretary for Elections Wayne Thorley expressed reservations about the state’s phone-in caucus system during a panel discussion I moderated at the Def Con cybersecurity conference in Las Vegas last month.
“I wouldn’t advocate for voting over telephone right now, but they have gone the route of trying to be as inclusive as possible,” Thorley said of the state Democratic Party’s effort.
“Sometimes security and accessibility are at odds,” Thorley said, adding that the party had “come down on the side of accessibility and I think sacrificed some of the security.”
The DNC recommendation came in a Friday memo from Chairman Tom Perez and the co-chairmen of the DNC’s Rules and Bylaws Committee, which found there was “no tele-caucus system available that meets our standard of security and liability.” That recommendation must still be formally approved by the full Rules and Bylaws Committee, though it’s sure to follow its leaders’ recommendation.
Iowa Democratic Party Chairman Troy Price said in a statement the party would accept the DNC’s decision.
“We are obviously disappointed by this outcome, and we continue to have confidence in the abilities of our vendors, but if the DNC does not believe the virtual caucus can be secure, then we cannot go forward,” Price said.
PINGED, PATCHED, PWNED

Secondary students wear face masks during a school strike in Hong Kong on Monday.  (Kin Cheung/AP)
PINGED: The Chinese government may have been behind a digital attack that temporarily knocked a prominent online organizing service for Hong Kong protesters offline, Bloomberg's Shelly Banjo reports.
The forum, LIHKG, stopped working after a surge of traffic from servers around the world flooded the site with 1.5 billion visitors. The attack, known as a distributed denial-of-service attack, crashed the website. Although the group behind the forum did not call out China specifically, it released a statement saying it suspected a "national level power" may have been behind the attack.
This is the second large cyberattack to hit a technology used by protesters in Hong Kong to organize against Beijing's power. In June, shortly after the protests began, the popular encrypted messaging app Telegram was also knocked offline. The company's CEO suggested that China may have been behind the attack. 

Apple iPhone X (Michael Nagle/Bloomberg News)
PATCHED: The Chinese government may also be responsible for a nearly two-year campaign to use phony websites to infect iPhones and give hackers access to their owners' messages, passwords and even "near-real time" location data. The wide-reaching attack, which was first reported by Google researchers last week, was likely launched by Beijing to increase surveillance of its Uighur Muslim minority, sources told TechCrunch's Zack Whittaker.
Thomas Brewster at Forbes also found the Chinese government was likely responsible for the attack and revealed that it also targeted Android and Windows devices, making the scope of the attack much wider than the Google report suggested. Google did not comment on either new report. The initial Google report didn't reveal a specific target for the attack or name the malicious websites it relied on, as Dell Cameron at Gizmodo reported.  
Apple patched the vulnerabilities in February.

Vice President Pence and Polish Prime Minister Mateusz Morawiecki display an agreement they signed in Warsaw on Monday. The United States and Poland agreed to cooperate on new 5G technology amid growing concerns about Chinese telecommunications giant Huawei. (Petr David Josek/AP)
PWNED: Poland joined the United States in an agreement to cooperate on thoroughly vetting suppliers of 5G network equipment to prevent cybersecurity risks, the AP's Jill Colvin reports. The joint declaration comes as the Trump administration continues to pressure foreign allies to exclude the Chinese telecom Huawei from supplying 5G technology, citing concerns it could be an espionage tool for Beijing. 
Vice President Mike Pence said he hopes the declaration can set a “vital example for the rest of Europe on the broader question of 5G.” But European allies, including Great Britain and Germany, have consistently pushed back against U.S. calls to ban Huawei from their 5G building process. Unlike those nations, Poland has a relatively minimal trade relationship with China, as the Wall Street Journal notes. So far only a handful of U.S. allies including Australia and New Zealand have agreed to completely ban Huawei from their 5G networks.
The Monday declaration doesn't mention Huawei by name, but it seems to be the obvious target of the Trump administration, which has imposed numerous restrictions on the Chinese telecom.
“We recognize 5G networks will only be as strong as their weakest link,” Marc Short, Pence's chief of staff, said, adding, “We must stand together to prevent the Chinese Communist Party from using subsidiaries like Huawei to gather intelligence while supporting China’s military and state security services — with our technology.”
PUBLIC KEY
— Cybersecurity news from the public sector:
The Roaring Fork School District says hackers breached a database of special-education students and teachers but didn’t obtain any social security numbers or financial information.
The Denver Post
The Louisiana Cyber Coordination Center will be home to the state National Guard’s cybersecurity activities and two private-sector firms.
StateScoop
In a rare feat, French police have hijacked and neutralized a massive cryptocurrency mining botnet controlling close to a million infected computers. The notorious Retadup malware infects computers and starts mining cryptocurrency by sapping power from a computer’s processor.
TechCrunch
PRIVATE KEY
— Cybersecurity news from the private sector:
A federal grand jury indicted Paige Thompson, the accused Capital One hacker, in connection with allegations that she accessed data on more than 30 companies and used that illicit access to generate cryptocurrency, the Justice Department said Wednesday.
CyberScoop
Critics say face-swap app could spread misinformation on a massive scale.
Agence France-Presse
THE NEW WILD WEST
— Cybersecurity news from abroad 
North Korea denied on Sunday allegations that it had obtained $2 billion through...
Reuters
A manifesto released by the employees at one of the state-controlled firms to be privatized by the government raises concerns over the future of information belonging to millions of citizens.
ZDNet
