Mar 31, 2020

Analysis | The Cybersecurity 202: Coronavirus response is officially a new front in the election security fight


By Joseph Marks



A woman wearing a mask and protective gloves leaves after casting her vote during the Florida Democratic primary election in Miami, Florida. (Photo by Eva Marie UZCATEGUI / AFP)

THE KEY
The brief detente in partisan bickering over how to ensure people are safe to vote – and their votes are safe – amid the coronavirus pandemic just burst into open warfare. 
President Trump suggested on Fox and Friends that one reason he opposed a $4 billion infusion of election money Democrats sought for the coronavirus stimulus was that it might have led to more Democratic victories. Democrats wanted the money to go toward expanding secure vote by mail or early voting options to reduce the risk of people getting infected, should the pandemic still pose risks by November.
“They had things, levels of voting that if you ever agree to it, you’d never have a Republican elected in this country again,” he said, seeming to suggest that higher turnout would help Democrats.
House Administration Committee Chair Zoe Lofgren (D-Calif.) shot back, calling that “a monstrous example of putting party ahead of America” and accusing the president of forcing citizens to vote in unsafe ways. The stimulus bill ultimately included $400 million for election security related to the pandemic but no rules for how states must spend it.
“Every American, regardless of party affiliation, should condemn the president’s apparent belief that it’s a good thing for American voters to risk their lives when safer voting alternatives are possible,” she said.
The partisan flame-throwing is also happening on the state level: Voting rights advocates in Ohio and Wisconsin, two important swing states in November, are suing to stop primary elections they say are being rushed in ways that threaten voters’ safety or could tamp down turnout.
The response to coronavirus is now officially a new front in the fight about election security in Washington, which until now has focused on preventing foreign adversaries from upending 2020 with hacking or disinformation campaigns.
And with a pressure cooker atmosphere of just seven months to go before the general election and no clear indication how long American life will be upended by the pandemic, it risks undermining voters’ confidence that elections will be safe and secure. State election officials, who so far seem relatively united across party lines in pushing for more voting by mail and extended early-voting periods to manage the crisis, will each have to make tough choices about how to proceed.
Trump critics quickly lashed out at the president’s comments on Twitter.
Here’s from Vanita Gupta, former head of the Justice Department’s civil rights division, who’s now chief executive of the Leadership Conference on Civil and Human Rights:
This is wild for many reasons, but worth noting that Trump responds to a question about "special interest projects" by talking about funding for VOTING.
This is not a special interest project, it is our DEMOCRACY – and ensuring it can function should be a bipartisan emergency. https://t.co/asnt4uVbEH
— Vanita Gupta (@vanitaguptaCR) March 30, 2020
And Rep. Bill Pascrell Jr. (D-N.J.):
When you say the quiet part out loud.
Democracy can't ever take a nap. We voted during the Civil War, we voted in WWII, and we'll do whatever's necessary to help every state cast ballots in 2020 despite trump's antagonism to voting. https://t.co/B1QntXfh77
— Bill Pascrell, Jr. (@BillPascrell) March 30, 2020
Things are already getting messy on the state level. In Ohio, the state’s chapter of the American Civil Liberties Union filed a lawsuit last night to delay an April 28 mostly vote-by-mail primary scheduled by the Republican-controlled legislature. It would make up for a conventional primary Gov. Mike DeWine (R) canceled two weeks ago citing a public health crisis.
A single month isn’t nearly long enough to manage the complex process of an all-mail election, according to the lawsuit, which was also filed on behalf of the League of Women Voters of Ohio; the Ohio A. Philip Randolph Institute, which advocates for seniors and union members; and several Ohio voters. The early primary date will disenfranchise wide swaths of voters who aren’t used to voting by mail and will have trouble navigating the process, they say.
That’s effectively the same position advocated by DeWine and Ohio Secretary of State Frank LaRose (R), who asked the legislature for an early June primary date and $10.5 million in new funding — enough to send forms to request an absentee ballot to every registered Ohio voter along with a postage-paid envelope.
The legislative plan includes sending voters a postcard with instructions for requesting an absentee ballot but requires the voters to handle more of the details themselves and cover postage.
LaRose hoped to raise the approximately 35 percent of Ohioans who typically vote by mail to as near 100 percent as possible without diminishing turnout, he told me last week — a process that will be far harder with the earlier primary date.
After the legislature nixed his proposal, LaRose described the new timeline as “very tight” to the Associated Press.
“I’m a good soldier,” he said. “And when the Legislature has spoken, we’re going to carry out the legislation they created to the best of our ability.”
In Wisconsin, meanwhile, voting advocacy groups have filed a bevy of lawsuits aimed at loosening rules for absentee voters and delaying the state’s primary — which is still scheduled for April 7 despite widespread concerns that it will be unsafe for voters to gather then.
Wisconsin Gov. Tony Evers (D) is also locked in battle with the GOP-controlled legislature over whether to send absentee ballots to the state’s 3.3 million registered voters ahead of the primary. Evers just introduced the plan on Friday, with about two weeks to go before the primary, the New York Times reported.
Scott Fitzgerald, the state Senate’s Republican majority leader, called Evers’s plan a “fantasy,” the Times reported.
“In pitching this idea, the governor is lying directly to Wisconsinites about this even being remotely possible. Acting like this is doable is a hoax,” Fitzgerald said.
Evers defended the effort, saying, “It ain’t gonna be easy, but we’re gonna do it.”

PINGED, PATCHED, PWNED


Zoom's logo. (Olivier Douliery/AFP/Getty Images)
PINGED: New York regulators want answers about how the videoconferencing app Zoom, which has surged in popularity during the coronavirus pandemic, is protecting users' data and privacy, Danny Hakim and Natasha Singer at the New York Times report.
New York Attorney General Letitia James expressed concerns that Zoom might not have the resources to deal with a boom in users that has made the platform an attractive target for hackers and scam artists. She also wants to know how the company dealt with past security bugs, including a vulnerability that allowed hackers to access users' cameras.
The letter also asks what other companies Zoom is sharing user data with, noting a recent Motherboard report that the company shared data from its iPhone app users with Facebook. (Zoom has since removed the feature.)
Zoom might also be violating state requirements that companies protect student data as more teachers flock to the service to teach remote lessons, James said.
Zoom pledged to cooperate with James's requests and told the Times it takes “its users’ privacy, security and trust extremely seriously.”

House Speaker Nancy Pelosi (D-Calif.). (Andrew Harnik/AP)
PATCHED: Remote voting is not going to happen anytime soon for lawmakers in the House, despite the danger that the chamber’s close quarters could spread the coronavirus, Speaker Nancy Pelosi (D-Calif.) told reporters yesterday, according to my colleague Felicia Sonmez.
Pelosi sounds a pessimistic note when asked about the potential for remote voting in the House. She says there's no way it's possible without discussion in the House and changing the rules. “So let’s not waste too much time on something that’s not going to happen.”
— Felicia Sonmez (@feliciasonmez) March 30, 2020
Both the House and Senate failed to pass rule changes that would allow for remote voting before leaving Washington last week, despite members from both parties pushing for the changes. Nearly 70 members of the House joined Rep. Katie Porter (D-Calif) in urging the House Rules Committee to allow for remote voting. The committee responded with a memo citing concerns including that manipulated videos could be used to fake votes.
But open-government advocates warn that if lawmakers aren't able to vote during the national emergency, it could open the door to a power grab by the White House. Demand Progress Policy Director Daniel Schuman:
Opponents of remote Congressional voting have forgotten that when Congress is unable to act, the Executive Branch fills in the gap -- whether constitutionally or otherwise. Example 1: a presidential signing statement undermining IG reports to Congress https://t.co/733mAdgO8x pic.twitter.com/f0k5pE17Z3
— Daniel Schuman (@danielschuman) March 28, 2020
Right now it's unclear when the House is set to return, and that date could remain in limbo as more members have to self-quarantine or are unable to travel for other reasons. That could delay future efforts to fight the virus and manage essential government operations.
The Senate is set to return April 20.

A roll of “I Voted!” stickers. (Jayme Gershen/Bloomberg News)
PWNED: A well-known company that organizes ethical hackers to test products for bugs is refusing to do business with the mobile voting app Voatz after researchers reported hostile interactions with the company, CyberScoop's Sean Lyngaas reports.
The move by HackerOne comes after repeated clashes between Voatz and researchers who reported hackable vulnerabilities in its app. Voatz also changed its policy last month to say it couldn't guarantee legal protections for hackers digging into its systems, sparking alarm from researchers.
“We partner with organizations that prioritize acting in good faith towards the security researcher community and providing adequate access to researchers for testing,” a HackerOne representative told Sean. It's the first time the platform, which works with companies including Uber and AT&T, has publicly expelled a client.
Researchers and lawmakers have heavily scrutinized Voatz, which they say has too many vulnerabilities to be used safely. 
“Voatz’s bug bounty was more of a PR talking point than an attempt to truly engage with the security community,” Kevin Skoglund, chief technologist at the nonprofit group Citizens for Better Elections, told Sean.
Voatz chalked up the criticism to a grudge by researchers who have accused the company of reporting a hacker to the FBI. The company will soon launch its own system for independent researchers to report bugs, it said.

PRIVATE KEY

Hackers are continuing to exploit government and private-sector responses to the coronavirus pandemic, and they’re finding new ways to hack users stuck indoors and online, new reports show. Here's a rundown:
  • Hackers are creating bogus sites that claim to have information about stimulus cash for citizens recently approved by Congress but that actually contain information-stealing malware, researchers at Cisco Talos say.
  • Hackers have posed as officials with the U.S. Small Business Administration to seed struggling business owners with malware, IBM X-Force researchers found. In just the past 14 days, the researchers have seen a 14,000 percent increase in spam related to covid-19, they said.
  • The number of suspicious domains and files referring to the teleconferencing company Zoom has also increased, researchers at Check Point observed.
A coalition of 13 nonprofit organizations joined a new initiative from the Global Cyber Alliance to help businesses secure their newly remote workforces. Members of the campaign include Aspen Digital, part of the Aspen Institute, and the Cyber Threat Alliance.
— More cybersecurity news from the private sector:

Contractors battle bogus assertions about canine vaccines and free baby formula: “We’ve maxxed out.”
Wall Street Journal

The health care sector has increasingly turned to artificial intelligence to aid in everything from performing surgeries to helping diagnose and predict outcomes of patient illnesses. 
The Hill

PUBLIC KEY

Cybersecurity news from the public sector:

Exclusive: The exposed cache of code contained app secrets and internal passwords.
TechCrunch

Official Chinese accounts adopted a "more confrontational posture" in messaging on COVID-19, beginning in late February and March, as cases were confirmed across Europe and within the U.S.
CBS News

Courts have struggled to interpret the vague Computer Fraud and Abuse Act.
Ars Technica

FBI agents have arrested a Russian citizen accused of laundering money for a cybercriminal gang that allegedly stole funds from a range of U.S. banks.

THE NEW WILD WEST

Cybersecurity news from abroad:

Israel's defense ministry plans to use software that analyses data gathered from mobile phones - produced, according to Israeli media, by the spyware firm NSO - to help locate likely carriers of the coronavirus in order to test them.
Reuters

ZERO DAYBOOK

  • The Alliance for Securing Democracy will hold an interactive webinar to discuss narratives and long-term trends in China’s information manipulation efforts at 10:00 a.m. ET.