Jun 4, 2020

Analysis | The Cybersecurity 202: D.C.’s use of email voting shows what could go wrong in November

By Joseph Marks

with Tonya Riley

The District of Columbia’s last-minute decision to allow voting by email in this week’s primary is sounding warning bells for election security hawks.
The practice puts election results at higher risk of hacking because there’s no way for voters to verify their votes were recorded accurately, they say.
And the scramble is a disturbing preview of how election officials beset by challenges may bargain away security if they’re not better prepared by November.
“Between now and November, the D.C. board and any other jurisdiction that’s paying attention to what happened [Tuesday] needs to be absolutely focusing their energies on ramping up voting by mail capacities,” Edward Perez, global director of technology development at OSET Institute, a nonprofit election technology organization, told me. “And they need to do it now, now, now. Not in July or August, and definitely not in September.”
The D.C. Board of Elections’ decision was effectively a desperate move after numerous people who had requested mail-in ballots because of the coronavirus pandemic didn’t receive them in time – and it became clear that a reduced number of in-person polling sites would be challenged by hours-long lines. This problem was made even worse considering the public health risks of crowding into polling stations during a pandemic – and the confusion sparked by a curfew imposed on D.C. streets that went into effect a full hour before the polls technically closed.
The chaotic Election Day resulted in D.C. Council member Elissa Silverman (I-At Large) calling for Board of Elections Chair Michael Bennett’s resignation and Mayor Muriel E. Bowser pledging that she would “not tolerate continued failed leadership or execution.”
November’s elections are likely to face just as many challenges, and experts fear a similar predicament could create doubts about the validity of results. Even without an actual hack, it could give fodder to foreign adversaries that want to use the chaos to make Americans question the election’s legitimacy and undermine the democratic process.
“This needs to serve as a warning for November,” Perez said. “Even if this was a difficult trade-off they needed to make now, sending PDF ballots by email should not be thought of as a contingency plan in November.”

People wait in line at a polling station in Washington. (Julie Zauzmer/The Washington Post)
About 500 District voters received ballots by email, but it’s not clear how many returned them that way. 
That’s because some voters printed and mailed in the ballots, Bennett told Julie Zauzmer, Jenna Portnoy and Erin Cox.
The board appears to have taken some security precautions, including requiring people who voted by email to submit an affidavit verifying their identity.
The board also plans to call everyone who voted by email to verify that’s how they submitted their ballot, Bennett told my colleagues.
But those efforts won’t detect whether hackers changed votes before they reached the board, which is a major concern for security pros.
“Sending voted material electronically simply cannot be done securely,” Marian Schneider, president of the voting security group Verified Voting, told me. “You can’t guarantee votes weren’t altered in transmission. You can’t verify those ballots are counted as the voter intends.”
The District does not plan to use email voting for locals in November.
Bennett told my colleagues “there are a number of issues associated with that” and “it is always used sparingly.”
The Board of Elections did not provide answers to questions about any other security measures it put in place or how many ballots specifically were returned by email. Spokeswoman Rachel Coll said the board will try to answer questions this week.
Since we don't know how many email ballots were used, it's unclear how concerned voters should be about the primary's legitimacy. 
The District and numerous states regularly allow email ballots from military and overseas voters despite security concerns. The justification is generally that those voters cast such a small percentage of ballots that it’s exceptionally unlikely hackers could alter an election’s outcome by changing their votes alone.
Depending on how many people returned ballots by email in Tuesday’s election, however, that concern could go up.

Voters wait in line to cast their primary ballots in Washington. (Andrew Harnik/AP)
Even before the District’s election, experts worried states would adopt insecure electronic voting methods due to the pandemic. 
New Jersey allowed residents with disabilities to vote using a mobile app during local elections last month, and West Virginia and Delaware are planning to use the same app for voters with disabilities in primaries later this year.
Those plans sparked so much concern that the Department of Homeland Security, the FBI and the Election Assistance Commission sent states a guidance memo detailing the risks.
The memo warned that returning ballots using the Internet poses “significant security risks,” including that hackers could change large numbers of votes, block votes from being recorded or undermine ballot secrecy.
Security experts generally say increasing voting by mail is the most secure option when in-person voting is unsafe. But it takes a lot of work and money to get the right ballots to voters and to ensure they can safely return those ballots. It's a process most states are going through now.
In an ironic twist, the District played a leading role in proving the vulnerability of Internet-based voting. 
In 2010, the city conducted a mock election in which voters could cast ballots through a website and invited security researchers to try to hack the process. A group of University of Michigan researchers hacked into the site within 48 hours.
“We successfully changed every vote and revealed almost every secret ballot,” the researchers said in a 2012 paper. “Election officials did not detect our intrusion for nearly two business days — and might have remained unaware for far longer had we not deliberately left a prominent clue.”
The clue: “We modified the Thank You page that appears at the end of the voting process to play the University of Michigan fight song.”

A voter, standing behind a plastic shield, checks in at a D.C. polling station. (Erin Scott/Reuters)
Election experts did express sympathy for D.C. officials in a tough situation.
They noted that officials likely used emailed ballots because there was no other way to ensure everyone who wanted to vote could do so.
“I understand having your back against the wall and trying to ensure people can cast a ballot, but email voting on a broad scale isn’t ready for prime time,” David Levine, the elections integrity fellow at the Alliance for Securing Democracy, told me.
They also warned that without additional funding, officials in the District and numerous states could end up in a similarly desperate situation in November — especially if the novel coronavirus is still making in-person voting difficult and requests to vote by mail continue to soar.
Congress appropriated $400 million for elections in its $2 trillion coronavirus stimulus bill, but experts warn that running safe elections during the pandemic could cost up to $2 billion.
Congressional Democrats have pushed for another $3.6 billion in election funding in a future stimulus bill but have made little headway with Senate Majority Leader Mitch McConnell (R-Ky.), who has historically been wary of spending on election security.
“The most important takeaway here is Congress needs to act,” Schneider said. “We have to give election officials the resources they need so they can be prepared for November.”

The keys
Democrats are demanding answers about the government’s surveillance of protesters.

A demonstrator protests in front of a military police line near the White House on Wednesday. (Jose Luis Magana/AP)

Democrats on the House Homeland Security Committee wrote to DHS and the FBI demanding documents related to the surveillance by June 19 and a briefing no later than June 12.
The request comes amid broad uncertainty about what surveillance is being conducted and who’s conducting it. The Drug Enforcement Administration was granted the authority to “conduct covert surveillance” on protesters, according to an agency memo obtained by BuzzFeed News.
But it is not clear what the agency will do. The DEA is limited by statute to enforcing drug-related crimes, so Attorney General William P. Barr's approval for the agency to operate outside of that scope raises unprecedented questions.
That prompted a new wave of concern among lawmakers.
Rep. Jackie Speier (D-Calif.):
DOJ granted DEA the authority to conduct "covert surveillance" & collect intel on people participating in protests over George Floyd's death. We obtained the DEA memo written by DEA Acting Administrator & former-US Atty Shea.
How is this different than China’s Communist Party?
— Jackie Speier (@RepSpeier) June 3, 2020
Sen. Chris Murphy (D-Conn.):
It’s not that covert. Last night I couldn’t get to the Capitol for a vote bc the streets downtown near the protests were blocked off by uniformed DEA agents. They were all over. https://t.co/kqYgqc0drw
— Chris Murphy (@ChrisMurphyCT) June 3, 2020
President Trump has claimed that mail voting encourages fraud and cheating. His recent attempt to do it was rejected for not following the rules. 

President Trump’s Mar-a-Lago resort in Palm Beach, Fla. (Alex Brandon/AP)

Trump’s initial application to vote by mail in Florida claimed the White House as his legal address, violating a rule that only state residents can vote absentee in Florida, Manuel Roig-Franzia reports. He revised the September 2019 application a month later to use the Florida address of his Mar-a-Lago resort, allowing him to vote in the state’s Republican primary. 
But the Palm Beach City Council has questioned whether Trump’s private club qualifies him for residency.
And Trump stated as recently as this week that he lives in Manhattan, possibly running afoul of Florida’s strict residency laws for voter registration. Democratic lawyer Marc E. Elias:
Sounds like New York may have a good claim for taxes. And Florida for voter fraud. https://t.co/fpi0Ac23X8
— Marc E. Elias (@marceelias) June 1, 2020
The death of George Floyd in police custody and the protests that followed have sparked conversations about race and discrimination in the cybersecurity industry.

Authorities in Los Angeles stand watch at a protest Wednesday over the death of George Floyd. (Patrick T. Fallon/Reuters).

For some African American cybersecurity pros, the events of recent days have highlighted how uncomfortable their colleagues are talking about race and racism, Sean Lyngaas, Greg Otto and Shannon Vavra at CyberScoop report.
“Too many people, especially in the infosec community, have remained silent, possibly waiting for the story of George Floyd to ‘blow over’ or paralyzed by not knowing what to say,” said Richie Cyrus, an African American manager at cybersecurity company SpecterOps. “Not only is this detrimental to inclusion in our industry, it further deters true progress.”
Others say it highlights how minority voices are silenced within cybersecurity companies. “It’s always women and people of color who have to shoulder the burden,” said an industry lawyer, who spoke on the condition of anonymity over fear of reprisal.
Other cybersecurity pros told CyberScoop they’re uncomfortable working for companies that contract with the federal government, which they see as unfairly targeting protesters.
“It’s difficult to reconcile working with a company that is currently supporting the government in a cybersecurity role,” said one source who works at a publicly traded cybersecurity company and asked not to be identified. “I know [the company] is not implicitly or explicitly supporting police brutality or the words of our president, but it’s an aspect of it that keeps me up at night.”
Moody’s cyber-risk analyst Leroy Terrelonge III tweeted about how he’s been affected by recent events.
..because I was in a predominantly black area wearing clothes from Kazakhstan- a very specific description! As they took my information, one officer asked dispatch to describe the person of interest, and I heard the dispatcher say clearly, “We have no description at this time.”
— Leroy Terrelonge III (@leroyterrelonge) June 3, 2020
... so far people are being much more receptive. There is a long road ahead to counteract deeply entrenched institutional racism, so I’m not celebrating yet. But I do hope we can make some progress.
— Leroy Terrelonge III (@leroyterrelonge) June 3, 2020

Chat room

Other cybersecurity professionals also shared their thoughts about the need for companies to allow employees to speak out amid the protests. Google security researcher Maddie Stone:
Dear #Infosec
I've been "warned" 3x that if I keep posting that Black Lives Matter, I'm unhireable.
If I, a white, cis, straight, US-born... woman w public evidence of my work can be "unhireable" due to just saying #BlackLivesMatter, how can Black hackers even hope to be hired?
— Maddie Stone (@maddiestone) June 3, 2020
Dragos CEO Robert M. Lee:
First, I’m prior military, please do not play the “support our troops” card on me. Our military has a wide set of diverse views not supporting one position or party. Many support military usage here and many don’t and are following lawful orders but ready to refuse unlawful ones
— Robert M. Lee (@RobertMLee) June 3, 2020
Fourth, if your biggest complaint in this situation is not the absolutely horrible events in front of us but the opinions of my employees on social media may I kindly suggest your biases are misleading you and your frustration is misplaced. We’re stressed I get it but you’re off
— Robert M. Lee (@RobertMLee) June 3, 2020

Hill happenings

The Senate Intelligence Committee forwarded a measure requiring presidential campaigns to report foreign election influence efforts.

Rep. John Ratcliffe (R-Tex.), center, arrives to a Senate Intelligence Committee hearing on May 5. He is greeted by Chairman Richard Burr (R-N.C.) and Vice Chairman Mark R. Warner (D-Va.), left. (Andrew Harnik/Pool/AP)

The measure comes after Trump said last summer that he would consider accepting foreign intelligence on his opponents. The comments caused widespread alarm following Russia's efforts to interfere in the 2016 contest. Former vice president Joe Biden, the presumptive Democratic presidential nominee, and other Democrats said they would refuse such offers. 
The committee passed the measure in an 8-to-7 vote with Sen. Susan Collins (R-Maine) joining Democrats, CNN reports. The measure was added to a key intelligence policy bill, which makes it far more likely to pass than as a stand-alone bill. Lawmakers are also considering attaching the intelligence bill to an annual defense policy bill, which nearly guarantees passage.
Sen. Mark R. Warner (D-Va.), the committee’s top Democrat, originally introduced a stand-alone version of the measure that would apply to all campaigns for federal office. The version passed Wednesday would only apply to presidential campaigns. Warner’s bill was repeatedly blocked by Republicans.
More government cybersecurity news:

  • Rosenstein generally defended the FBI’s Russia probe but conceded flaws in the handling of warrants to surveil former Trump campaign adviser Carter Page. (Matt Zapotosky)
  • Christopher Krebs, the director of the Department of Homeland Security’s cybersecurity agency, said in an interview released this week that he expects to see "every intelligence service” attempt to target and steal (The Hill)

Cyber insecurity

Advocacy groups are seeing a more than 1,000 percent increase in attacks trying to knock down their websites since protests began.

Members of the LGBTQ community join Black Lives Matter protesters in Hollywood, Calif., on Wednesday. (Richard Vogel/AP)

Internet protection firm Cloudflare said it had blocked more than 135 billion malicious Web requests against advocacy groups since the death of George Floyd, CyberScoop reports. That’s more than four times the number of attacks on military and police organizations.
Cloudflare did not provide the names of specific clients.
But the protests haven’t distracted hackers entirely from coronavirus-themed scams.
Scammers are using malware-laced résumés to steal bank passwords, researchers at Check Point found. The files are often attached as Microsoft Excel sheets with misleading subject lines like “applying for a job” or “regarding job.” They've doubled in the past two months as the coronavirus has pummeled the job market.
More hacking news:

  • DoppelPaymer ransomware gang claims to have breached DMI, a major US IT and cybersecurity provider and one of NASA’s IT contractors.
  • Zoom has a few new flaws that could allow attackers to execute arbitrary code on victim computers, according to Cisco Talos research published Wednesday.

Global cyberspace

British officials may urge telecom companies to reduce or remove Huawei hardware as soon as this month. 

The move reported by the Wall Street Journal would be a major victory in the U.S. government’s quest to get allies to drop the Chinese company over security concerns.
More global news:

  • France's digital minister says 600,000 people installed the app in its first hours of release. (BBC News)


  • The RSA Conference will host a webcast on nation-state cyberthreats and the 2020 election on Thursday at 4 p.m.
  • The Brennan Center for Justice and Microsoft’s Defending Democracy Program will host a workshop, “Building Election Resilience,” at noon on Friday.
  • The Senate Judiciary Committee has scheduled a hearing, titled “COVID-19 Fraud: Law Enforcement’s Response to Those Exploiting the Pandemic,” for June 9 at 10 a.m.

Secure log off

In memoriam:
