May 14, 2020

Analysis | The Cybersecurity 202: New Jersey lawsuit tries to block Internet voting in the state

By Joseph Marks


with Tonya Riley

Human rights activists and New Jersey law students are suing to block the state from using Internet-based voting systems, which security experts say are fundamentally insecure against hacking.
The effort is a shot across the bow for the online systems, which some states have embraced as a solution for people who have trouble voting by mail during the pandemic despite widespread security concerns.
New Jersey piloted an app-based system on Tuesday in a collection of 33 small elections for people with disabilities that make it impractical for them to vote by mail. Everyone else had to vote by mail and there was no in-person voting option.
New Jersey officials haven’t said whether they plan to repeat the pilot in the state’s July primary or the general election, but the lawsuit is trying to stop those plans before they start. It's essentially an offshoot of an earlier lawsuit that challenged the security of the state's voting machines and also dealt with the danger of voting systems going online.
“It’s critical that voting be accessible for everybody but not at the expense of security and the risk of a group of people having their votes manipulated,” said Penny Venetis, director of Rutgers University Law School’s International Human Rights Clinic, which is challenging the use of online voting on behalf of Coalition for Peace and its New Jersey division as well as a state legislator.
Venetis and her students filed their motion Monday. They initially aimed to halt Internet voting during the Tuesday election but couldn’t get a hearing in time.
Delaware and West Virginia are planning larger pilots for voters with disabilities and those in the military or overseas during their states' presidential primaries in June. The states are all using a cloud-based system designed by the Seattle-based company Democracy Live.

A man uses a cellphone in New Orleans. (Jenny Kane/AP)
States that are using them have described the Internet systems as a safe way to ensure everyone can vote amid a pandemic that has upended everything about elections. 
But security experts see them as an invitation for hackers to alter votes undetected and worry they’ll deny equal treatment to voters with disabilities by making them take security risks other voters don’t have to.
“This is one of many issues of inequality that the virus is bringing to the fore,” Venetis told me.
The New Jersey secretary of state’s office didn’t respond to a request for comment about future plans for the app or about how many people used it on Tuesday.
Internet-based voting is generally viewed as less secure than any in-person voting system. 
That’s because there’s no way to ensure that the computer, phone or tablet the voter is using hasn’t been compromised, and it's impossible for the voter to verify that the vote is still correct when it reaches election officials.
Because there’s no paper record of the vote there’s also no way to audit it after the fact.
“There’s very clear scientific consensus that the return of voted ballots by Internet is not securable,” Andrew Appel, a Princeton University computer science professor, who wrote an expert statement for the plaintiffs in the New Jersey case, told me.
The Department of Homeland Security also sent states an alert last week warning that online voting systems pose “significant security risks” that could undermine the integrity of an election or compromise the secrecy of the ballot.
The DHS alert was less critical of systems that deliver blank ballots to voters over the Internet or that allow them to mark their votes on a home computer and then print them out and mail them in.
Democracy Live also produces such systems, which Venetis and Appel said they urged New Jersey to adopt instead of the fully online system.

People wait to cast their votes. (Mark Ralston/AFP/Getty Images)
New Jersey had a spotty record with election security even before the pandemic hit. 
It’s one of just two states, along with Louisiana, where nearly all in-person voting machines will lack paper records in 2020, which experts say are vital to protect against hacking.
That’s despite a four-year push by DHS and more than $1 billion in federal money nationwide aimed at eliminating such machines and making other cybersecurity fixes following Russia’s hacking and disinformation operation in 2016.
The earlier lawsuit filed by Venetis and the Rutgers students aimed to stop the state using those paperless voting machines. It dragged on for more than a decade and didn't ultimately block the machines. But Superior Court Judge Mary C. Jacobson did order New Jersey officials to ensure the state’s voting process is kept entirely offline — an order the Rutgers clinic is asking her to enforce now.
“My big concern is this will not just be an emergency measure. It will continue past the quarantine and it will be expanded,” Venetis told me. “And that’s a real problem because votes can be manipulated and it will be completely and totally invisible.”

The keys
House lawmakers will vote Friday on a historic resolution that would allow lawmakers to vote remotely during the pandemic. 

House Majority Leader Steny H. Hoyer (D-Md.), left, and House Speaker Nancy Pelosi (D-Calif.). (Sarah Silbiger/Bloomberg News)

The rule change would allow members at home to designate a colleague in Washington to cast votes on their behalf.
The order kicks the can down the road, however, on lawmakers using videoconferencing or other tech tools to vote from home, saying such systems could be used in the future if the House’s tech division certifies they’re sufficiently secure against hackers.
The measure would also allow committees to hold official video hearings, something the Senate is already doing. “That one big step is to make sure Congress can act,” House Majority Leader Steny H. Hoyer (D-Md.), who introduced the changes, told Paul Kane.
The proposed rule change was supposed to be introduced late last month but was stalled by Republican opposition. Hoyer said the final rules incorporated ideas from House Minority Leader Kevin McCarthy (R-Calif.). McCarthy accused Democrats of using the rules to steal power.
Trump extended until 2021 an order banning U.S. companies from dealing with Huawei or other telecommunications companies deemed a national security risk. 

President Trump. (Evan Vucci/AP)
The White House first issued the order last May, but the Commerce Department has provided temporary licenses over the past year allowing some U.S. companies to continue to sell goods to Huawei. U.S. officials say Huawei could serve as a backdoor for Chinese espionage and have urged allies to similarly get tough with the company, but Huawei denies those charges.
Trump’s move comes as relations between China and the United States have cooled dramatically during the pandemic.
U.S. officials also warned that Chinese government hackers are likely trying to steal coronavirus research, calling it a "significant threat to our nation’s response to COVID-19."
DHS will advise U.S. telecom companies on how to protect 5G cellphone towers following arson attacks linked to coronavirus conspiracy theories. 

Workers install 5G telecommunications equipment on a T-Mobile tower. (Adrees Latif/Reuters)
The warning follows nearly a dozen arson attacks against towers in Britain, the Netherlands and Belgium last month after false claims that the technology spreads the coronavirus, Ellen Nakashima reports.
U.S. carriers have also seen sporadic attacks in recent weeks, some of which may have been the work of "eco-terrorists" rather than conspiracy theorists, an industry official told Ellen.
The U.S. government and World Health Organization officials have made clear there's no connection between 5G technology and the virus.

Hill happenings

The Senate will vote today on whether to renew vast government spying powers.

Sen. Ron Wyden (D-Ore.). (Andrew Harnik/AP/Bloomberg News)
The powers expired about two months ago when the Senate failed to reauthorize them before breaking for an extended recess during the pandemic.
The Senate failed to pass one bipartisan amendment on the bill yesterday to exclude Internet browsing and search histories from a warrantless surveillance program. The amendment, introduced by Sens. Steve Daines (R-Mont.) and Ron Wyden (D-Ore.), failed by just one vote and might have passed except that four members did not vote.
But in a win for privacy hawks, the Senate did pass an amendment by Sens. Patrick Leahy (D-Vt.) and Mike Lee (R-Utah), which will increase oversight of the court that grants warrants under the Foreign Intelligence Surveillance Act. Here are details from Politico's Martin Matishak.
More news from the Hill:

Warrant marks a major escalation of the investigation of stock trades by lawmakers as the coronavirus spread.
Los Angeles Times

‘Unmasking’ is a routine practice used to identify U.S. individuals who are referred to anonymously in an intelligence document.
Matt Zapotosky, Ellen Nakashima and Shane Harris

Sen. Ron Johnson (R-Wis.) said Wednesday that he was pushing for inclusion of measures meant to defend the United States against cyber threats in the upcoming annual National Defense Authorization Act (NDAA).
The Hill

Industry report

A group of more than 140 global technology companies is today launching a new initiative promoting awareness of security risks associated with “smart” Internet-connected devices.

An Amazon Echo, center, and a Google Home, right. (AP Photo/Mark Lennihan, File)
The Cybersecurity Tech Accord's “Stay Smart. Stay Safely Connected” campaign will host an online repository of Internet of Things security tips and international privacy standards.
More industry news:

Cyberattackers seeking more than $2M from Travelex got inside Allen Grubman’s celebrity law firm. Confidential docs are now leaking online as the hackers turn the screws.
The Daily Beast

A company that pays hackers to submit serious flaws says it’s made aware of so many flaws in Apple operating systems that it will stop acquiring new ones.
CyberScoop

Global cyberspace

Germany has "hard evidence" Russia was responsible for a cyberattack on the country's parliament, German Chancellor Angela Merkel said.

German Chancellor Angela Merkel. (Michael Kappeler/dpa/AP)

The breach allowed hackers to steal documents from Merkel's office, the Associated Press reports.
The statement comes after federal prosecutors issued an arrest warrant against an alleged officer in Russia's GRU military intelligence agency last week. Merkel didn't confirm the arrest was related but said, “I take these things very seriously.” Russian officials have repeatedly denied involvement in the 2015 hack.
More global cybersecurity news:

China's foreign ministry, asked about China-linked hackers breaking into U.S. COVID-19 research, said China opposed what it called slander from the United States.
Reuters

Whether you love them or hate them (or think they won’t work), authorities around the world have universally embraced the concept of contact tracing tech in order to curb the coronavirus’s spread.

France is empowering regulators to slap large fines on social-media companies that fail to remove postings deemed hateful, one of the most aggressive measures yet in a broad wave of rules aimed at forcing tech companies to more tightly police their services.
The Wall Street Journal

Chat room

Even though the House is trying remote voting, the Senate is still meeting in person, a move some technologists consider unnecessary and dangerous. Stanford Internet Observatory Director Alex Stamos:
It's crazy that the Senate is meeting in person. All this money spent on continuity of government and we put our most powerful octogenarians in the same room during a viral pandemic.
Every movie with a huge door closing on a secure mountain base lied to you. https://t.co/9DZOWsUN0u
— Alex Stamos (@alexstamos) May 13, 2020

Daybook

  • The Open Technology Institute will host an event on the role of technology in pandemic response efforts today at 11:30 a.m.
