Dec 2, 2019

Analysis | The Cybersecurity 202: Pennsylvania voting debacle gives ammunition to paper ballot push

By Joseph Marks

ExpressVote XL voting machines are displayed during a demonstration at the Reading Terminal Market in Philadelphia. (AP Photo/Matt Rourke, File)

Massive voting machine failures in a Pennsylvania county in November are giving election security advocates fresh ammunition to call for nationwide paper ballots.
The problems, which may have been caused by a software glitch, resulted in some Northampton County residents who tried to vote straight-ticket Democrat initially registering as straight-ticket Republican. They also incorrectly showed a Republican judicial candidate winning by a nearly statistically impossible margin, the New York Times’ Nick Corasaniti reports.
In this case, voters got lucky. The county had paper backups for all the votes the machine counted incorrectly. They showed the Democrat judicial candidate Abe Kassis — who the computer tally said got just 164 votes out of 55,000 ballots — actually narrowly won the race.
But about 16 million Americans spread across eight states won’t have a paper backup for their votes in 2020. That means a similar software glitch or a malicious hack by Russia or another U.S. adversary could cause mass uncertainty about an election’s outcome or even result in the wrong candidate taking office.
Even in Pennsylvania, it could have been different. The machines that malfunctioned in November were just purchased this year in response to a statewide mandate to upgrade to new voting machines with paper records.
Election security hawks have been pushing the importance of paper backups since 2016, when Russia probed election systems across more than a dozen states and penetrated systems in Illinois and Florida, according to the Mueller report. But even in 2016 there's no evidence any votes were counted incorrectly.
That's why the Pennsylvania debacle offers stark new evidence for how badly things could go wrong with no paper backups in place, degrading public faith in elections.
“People were questioning, and even I questioned, that if some of the numbers are wrong, how do we know that there aren’t mistakes with anything else?” Matthew Munsey, the chairman of the Northampton County Democrats, told Nick.
Lee Snover, chairwoman of the county Republicans, was just as worried. “There are concerns for 2020. Nothing went right on Election Day. Everything went wrong. That’s a problem,” she said.
Officials haven’t determined what caused the failures, but a senior intelligence official who focuses on election security told Nick there were “no visible signs of outside meddling by any foreign actors.” The miscount shows, however, how voting machine vulnerabilities could be exploited by Russia, China or Iran — which U.S. intelligence and law enforcement agencies said last month are all eager to interfere in the 2020 contest.
Presidential candidates were quick to make that connection.
Here’s Sen. Amy Klobuchar (D-Minn.), who sponsored the main Senate bill that would deliver more election security money to states in exchange for paper ballots and other fixes.
All you have to do is read this to see why I’m focused on election security & passing my bills for back-up paper ballots & systematic audits. As Fiona Hill said, Russia is “gearing up.” And that’s just one possibility. via @NYTimes
— Amy Klobuchar (@amyklobuchar) November 30, 2019
Here’s Montana Gov. Steve Bullock, who dropped out of the race this morning:
Elections are the foundation of our democracy. It's far past time for us to invest in new equipment, poll worker training, and protections for our election systems from both physical and cyber threats.
— Steve Bullock (@GovernorBullock) November 30, 2019
House Democrats have passed bills that would require paper backups for all votes and deliver $600 million for states to upgrade voting machines and add other cybersecurity protections. But Senate Majority Leader Mitch McConnell (R-Ky.) has blocked any bills that mandate specific election security fixes.
Some House Democrats were quick to seize on the Pennsylvania debacle to push the Senate to act.
Here’s Rep. Tom Malinowski (D-N.J.):
One of the most common sense bills we've passed in the House is one that requires paper back up ballots for all federal elections. Read this and you'll see why!
— Tom Malinowski (@Malinowski) November 30, 2019
The story also sparked concern in states that will lack paper records for some voters in 2020.
Here’s John Ray Clemmons, a Democratic state representative from Tennessee:
This should concern (and, frankly, scare the heck out of) every Tennessean. Demand that your county’s #voting machines are up to date, produce a paper trail, & protected from hacking with modern, readily available and affordable tech (ie Albert sensors).
— John Ray Clemmons (@JRClemmons) December 1, 2019
And Sri Preston Kulkarni, a former diplomat who’s running as a Democrat for a House seat in Texas:
We must have integrity of our elections, including paper records of every ballot and machines tested to ensure they don't switch votes.
In this case, they found the problem because 99% of the Democratic votes weren't counted. But what if it was only 5%?
— Sri Preston Kulkarni (@SriPKulkarni) December 1, 2019
Other states where some voters will lack paper records in 2020 are Indiana, Kansas, Kentucky, Louisiana, New Jersey and Mississippi, according to a tally by the Brennan Center for Justice.
Northampton also demonstrates the importance of automatic “risk limiting” audits after elections to make sure that paper records back up machine results.
In this case, there was such a wide margin of victory for the Republican candidate that it was obvious something was fishy. But if hackers or a software glitch caused a much smaller shift in votes, election officials might not have caught it without an audit.
Here’s Matt Blaze, co-founder of an annual challenge to find hackable bugs in election machines at the Def Con cybersecurity conference and a cryptography professor at Georgetown University:
The tally software clearly failed, giving the (apparent) actual loser a huge margin of victory (so large it wouldn’t ordinarily trigger a re-count). But an RLA WOULD catch this. So score one for RLAs. But...
— matt blaze (@mattblaze) December 1, 2019
It’s HUGELY fortunate that this happened in an off year, relatively low stakes local election rather than, say, the 2020 presidential race. Assuming we actually learn from the experience.
— matt blaze (@mattblaze) December 1, 2019


A Huawei company logo. (Reuters/Aly Song)
PINGED: The Trump administration is considering tightening Commerce Department rules to restrict sales of U.S. technology to Huawei even if that technology is in products manufactured outside the United States, two sources told Alexandra Alper and Karen Freifeld at Reuters.
The move follows a massive crackdown on U.S. companies selling directly to Huawei, which officials say could abet Chinese spying.
It could appeal to congressional China hawks who have criticized the Trump administration for not doing enough to keep U.S. technology out of Huawei's hands as it tries to dominate the market for next-generation 5G wireless networks. But it "would be poorly received by U.S. allies and U.S. companies,” Washington trade lawyer Doug Jacobson told Reuters.
The potential change follows the Trump administration's decision last week to delay a blanket ban on most U.S. companies selling parts to Huawei for another 90 days.
Huawei and the Commerce Department did not immediately respond to a request for comment from Reuters.

The Whatsapp logo and binary cyber codes are seen in this illustration taken November 26, 2019. REUTERS/Dado Ruvic/Illustration
PATCHED: India's lead cybersecurity agency wants to audit WhatsApp's security systems after the accounts of 121 Indian users were allegedly hacked using tools from the Israeli spyware company NSO Group, Sankalp Phartiyal and Nigam Prusty at Reuters report.
Officials at the agency also want to know why WhatsApp executives, including CEO Will Cathcart, failed to mention the spyware attack when they met with Indian leaders in July and September. Facebook, which owns WhatsApp, is suing NSO for the alleged hacks which affected roughly 1,400 users globally, including many journalists and activists.
The Indian government is also seeking answers from NSO on the malware attacks, Technology Minister Ravi Shankar Prasad said. NSO has denied any wrongdoing.

President Trump (Photo by Brendan Smialowski/AFP)

PWNED: Just one-third of 2020 presidential campaigns are automatically rejecting or quarantining emails that come from suspicious domains and could be part of a phishing attack, TechCrunch's Zack Whittaker reports.
Candidates whose campaigns aren’t automatically rejecting suspicious emails include President Trump and Sen. Bernie Sanders (I-Vt.). That could put the campaigns at a higher risk of opening malware-laden phishing emails like the one that Russia used to target Clinton campaign chairman John Podesta's Gmail account in 2016.
“When a campaign doesn’t have the basics in place, they are leaving their front door unlocked,” Armen Najarian, chief identity officer at Agari, an email security company, told Zack.
Campaigns for former Vice President Joe Biden and Sens. Elizabeth Warren (D-Mass.), Kamala Harris (D-Calif.), Amy Klobuchar (D-Minn.) and Cory Booker (D-N.J.) are among those automatically rejecting or quarantining suspicious emails using a tool called DMARC, which verifies a sender's email is legitimate and rejects emails that may be spoofing a real email in order to trick the recipient. That's an increase from May, when Agari researchers found that only Warren was using DMARC to block spoofed emails.
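The difference between a domain that merely publishes a DMARC record and one that has receivers reject or quarantine spoofed mail shows up in the record's `p=` tag. The sketch below is an added example, not code from the article, TechCrunch or Agari; the `.example` domains and records are constructed, and the DNS lookup of each `_dmarc.<domain>` TXT record is left out so it runs offline.

```python
# Added example: classify published DMARC policies (RFC 7489 tag syntax).
# SAMPLES holds constructed records on reserved .example domains, not real lookups.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    tags = []
    for part in (p.strip() for p in txt.split(";")):
        if not part:
            continue
        name, sep, value = part.partition("=")
        if not sep:
            return None                      # malformed tag, treat record as unusable
        tags.append((name.strip().lower(), value.strip()))
    # The version tag must come first and be exactly DMARC1.
    if not tags or tags[0] != ("v", "DMARC1"):
        return None
    return dict(tags)

def enforcement(txt):
    """Say what receivers are asked to do with mail that fails DMARC."""
    tags = parse_dmarc(txt) if txt else None
    policy = tags.get("p", "").lower() if tags else ""
    if policy not in ("none", "quarantine", "reject"):
        return "no-policy"                   # no record, wrong record type, or bad p=
    if policy == "none":
        return "monitor-only"                # reports are sent, spoofed mail is delivered
    try:
        pct = int(tags.get("pct", "100"))    # pct defaults to 100 when absent
    except ValueError:
        pct = 100                            # simplification: ignore an unparsable pct
    return policy if pct >= 100 else "partial-" + policy

SAMPLES = {
    "campaign-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@campaign-a.example",
    "campaign-b.example": "v=DMARC1; p=quarantine; pct=25",
    "campaign-c.example": "v=DMARC1; p=none; rua=mailto:dmarc@campaign-c.example",
    "campaign-d.example": None,              # no TXT record at _dmarc.<domain>
    "campaign-e.example": "v=spf1 include:_spf.example ~all",  # SPF, not DMARC
}

def audit(records):
    return {domain: enforcement(txt) for domain, txt in records.items()}

def fully_enforcing(records):
    """Domains where every failing message is rejected or quarantined."""
    return sorted(d for d, r in audit(records).items() if r in ("reject", "quarantine"))

if __name__ == "__main__":
    for domain, result in audit(SAMPLES).items():
        print(f"{domain:22} {result}")
```

A domain at `p=none`, or at `pct` below 100, still has a DMARC record but leaves some or all spoofed mail deliverable, which is why a survey of this kind counts enforcement rather than mere presence of a record.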


— Cybersecurity news from the public sector:

Kennedy maintained that he hasn’t been “duped” by Russia, even though U.S. intelligence officials have warned that allegations of Ukrainian interference are part of a “fictional narrative” spread by Russian security services.
Felicia Sonmez

In the space of ten sentences, President Trump told Four Whoopers
Glenn Kessler

If you just bought a smart TV on Black Friday or plan to buy one for Cyber Monday tomorrow, the FBI wants you to know a few things. Smart TVs are like regular television sets but with an internet connection.

The Department of Homeland Security’s (DHS) cybersecurity agency on Wednesday issued a draft order that would require federal agencies to increase protections against cyber vulnerabilities.
The Hill

Virgil Griffith "provided highly technical information to North Korea" that "could be used to help North Korea launder money and evade sanctions," officials said.
NBC News


— Cybersecurity news from the private sector:

Researchers from SRLabs found that telcos are implementing the RCS standard in vulnerable ways, which bring back techniques to attack phone networks.

Exclusive: The exposed database was left unprotected without a password. None of the data was encrypted.

Mixcloud is investigating data for sale on the dark web after Motherboard alerted the company of the issue.


— Cybersecurity news from abroad:

Eastern Europe’s cybercriminals are highly sophisticated. Can they be coaxed into more honest work?
The New York Times

Europol reports 14 arrests across eight countries, including the RAT's creator, in Australia.


— Coming up:
  • The Senate Committee on Foreign Relations will examine the future of United States policy towards Russia at 9:45 a.m. on Tuesday.
  • The Senate Commerce Committee will host a hearing titled “Examining Legislative Proposals to Protect Consumer Data Privacy,” on Wednesday at 10 a.m. 
  • The House Energy and Commerce Committee will host a Federal Communications Commission oversight hearing on Thursday at 10 a.m.
  • The Senate Commerce subcommittee on communications, technology, innovation and the Internet will convene a hearing titled “The Evolution of Next-Generation Technologies: Implementing MOBILE NOW” on Thursday at 10 a.m. 
