Jun 10, 2020

Analysis | The Cybersecurity 202: Georgia’s primary debacle should sound alarm bells for November

By Joseph Marks


with Tonya Riley

Multiple problems plagued voters as they went to the polls yesterday in Georgia's primary, from hours-long lines to technical disasters and absentee ballots that never arrived.
They're another ominous sign for states and the general election officials trying to run safe and trustworthy elections this year, though Georgia's issues were known for some time and are more unique. In fact, the problems in Georgia were especially galling because the seeds of the failure were evident for months to technologists — since long before the novel coronavirus pandemic arrived and multiplied the obstacles facing election officials.
They included an overly complex voting system that was designed to improve security but may have compromised it, a rushed time frame to implement that system and a training program for poll workers that wasn’t up to the task, especially after a slew of new workers replaced elderly people more vulnerable to covid-19.
The long lines were exacerbated because election officials failed to send mail-in ballots to many people who requested them during the pandemic and who then showed up to vote in person. There may also have been a surge in voters driven by anger over the police killing of George Floyd in Minneapolis and the nationwide protests that have followed.
“The wide-scale problems in Georgia are exactly what experts have been fearing,” said Alex Halderman, a University of Michigan election security expert who testified in a lawsuit challenging Georgia's previous generation of paperless voting machines. “The state implemented a completely new voting system at great expense in a short time frame and unfortunately they didn’t make sufficient preparations.”
The fiasco is also the starkest warning yet for election officials across the country that they must increase their efforts to avoid a similar disaster in November that could throw the results of a hotly contested presidential contest into chaos.
“This should be the wake-up call for election officials that Iowa was for the Democratic Party,” said Duncan Buell, a University of South Carolina election security expert, referring to a malfunctioning app that delayed for days the results of the Iowa caucuses.
“Switching technologies this quickly and thinking everything will work correctly is just chutzpah,” Buell said.

Voters wait in long lines at Peachcrest Elementary School to vote in Georgia's primary election. (Jenni Girtman/Atlanta Journal-Constitution/AP)
Georgia has been ground zero for election security concerns for years. 
A federal judge ordered the state last year to replace its outdated voting machines that lacked any paper records. Then voting security advocates pilloried the state’s choice to replace those machines with expensive touch screen systems that produce a paper record rather than old-fashioned hand-marked paper ballots.
Security advocates acknowledge those machines, called ballot marking devices, are far more secure than paperless systems. But they say they also create too many opportunities for hackers to manipulate votes, and there’s no guarantee voters will spot that manipulation if they don’t review the printed ballot line by line.
They also warn that including more machines in the election process creates more chances for hacking and for the sorts of disastrous breakdowns that happened yesterday.
“Everything about an election argues for a system that’s as simple as possible because so many things can go wrong,” Buell said.
This year has seen numerous other election day problems across the country, including a new Los Angeles County voting system that went haywire on primary day, a political standoff in Wisconsin that forced thousands of Milwaukee and Green Bay voters to risk voting in person at the height of the pandemic, and a risky last-minute decision to allow some D.C. voters to cast ballots by email.

Kelsey Luker reads as she waits in line to vote on Tuesday in Atlanta. Luker said she had been in line for almost two hours. (John Bazemore/AP)
There’s no evidence that Georgia’s voting machines technically malfunctioned. 
Instead state officials said most of the problems were caused by poll workers who didn’t understand how to use the machines. In at least one instance, state technicians found they were inserting magnetic voter cards upside down.
Secretary of State Brad Raffensperger’s (R) office stressed the machines weren't at fault and attributed the problems to “counties engaging in poor planning, limited training, and failures of leadership.” Still, Raffensperger pledged to launch an investigation into the issues, which were concentrated in the Atlanta metro area.
That didn’t provide much solace, however, for election security experts who said overly complicated machines or poor training could be just as damaging as malfunctions.
“If a system cannot be used by those who are intended to use it, the system is at fault,” Buell said. “You can’t claim operator error if you deliver technology and people just can’t use it. Passing the buck to the counties is inappropriate. It’s on the state to make sure people know how to use the machines.”
Edward Perez, global director of technology development at OSET Institute, a nonprofit election technology organization, offered a similar response on Twitter:
Paraphrasing what I saw from another wise tweet: “When one poll worker makes a mistake, it’s user error. When many poll workers cannot operate the machines, it’s a system design error.” Well-thought-out technology follows human-centered design principles.
— Eddie Perez (@eddieperezTX) June 9, 2020
Poll workers’ failure to successfully operate the machines also suggests they might not have been properly trained to take all necessary security precautions or to urge voters to review their ballots to ensure they weren’t tampered with.
“Amid all this chaos, problems that could be caused by attacks on machines are much more likely to go unnoticed or be ascribed to human error,” Halderman said. “There’s also much more pressure on voters to just take their ballot and stick it in the scanner as quickly as possible and not take the necessary time to review it.”
Georgia's problems were also centered in largely African American communities, prompting concerns about voter suppression. 
Georgia has been a hotbed for such worries for years but they were magnified by Stacey Abrams's (D) narrow loss to Brian Kemp (R) in the 2018 governor's race amid tough new voter ID laws.
“The snarl of voting problems…revived long-standing complaints about the disenfranchisement of voters of color in the state, with many residents saying that predominantly African American communities appeared hardest hit,” Amy Gardner, Michelle Ye Hee Lee, Haisten Willis and John M. Glionna report.
“I stayed in line despite a three-hour-and-10-minute wait because my ancestors sacrificed too much for me to be stopped from exercising my right to vote,” Raney Branch, an African American voter, said.
Ron Clark, an educator and author, also waited more than three hours but had to cast a provisional ballot because poll workers couldn’t figure out how to operate the machines.
“Whether you’re a Democrat or a Republican, or whatever party you’re affiliated with, you should have an opportunity to express your voice,” Clark said. “Right now, I just feel like a lot of people are doubting the strength and the effectiveness of democracy in our country.”
Democrats in Washington, meanwhile, pointed to Georgia’s problems as evidence the federal government must pump money into ensuring the safety of pandemic-era voting. 
Congress approved $400 million for elections in a stimulus bill earlier this year. But advocates say that’s only a fraction of what will be necessary to increase voting by mail and provide safe in-person voting.
“In America, people shouldn’t have to wonder if voting machines will be operational, if their mail-in ballot will arrive in time, or whether they will have to wait hours in line to exercise their right to vote,” Sen. Amy Klobuchar (D-Minn.), a sponsor of the main Democratic bill to increase funding for voting by mail, said in a statement.
“When we don’t properly fund our elections and develop plans to protect voters, Americans — often in communities of color — get disenfranchised and that’s what happened today in Georgia,” Klobuchar said.
Here’s Sen. Ron Wyden (D-Ore.), another sponsor of that bill, which would deliver $3.6 billion for mail voting but likely faces insurmountable Republican opposition.
Voters in Georgia are facing outrageous voter suppression resulting from years of election system sabotage by Republican lawmakers. If Republicans actually wanted you to vote, they would support #VoteByMail and hand-marked #PaperBallots. https://t.co/L6WFHKUlne
— Ron Wyden (@RonWyden) June 9, 2020
A representative for presumptive Democratic presidential nominee former vice president Joe Biden called the long wait times “completely unacceptable” in a statement.
“Free and fair elections are the cornerstone of our democracy. What we see in Georgia today, from significant issues with voting machines to breakdowns in the delivery of ballots to voters who requested to vote absentee, are a threat to those values and completely unacceptable,” Rachana Desai Martin, Biden’s national director for voter protection and senior counsel, said.

The keys

An obscure Indian cybersecurity firm helped its clients hack more than 10,000 email accounts of high-profile victims.

Sumit Gupta, owner and director of cybersecurity firm BellTroX InfoTech Services, outside his office in New Delhi. (Alasdair Pal/Reuters)

The firm’s targets included government officials in Europe and well-known investors and digital rights organizations in the United States, Reuters’s Jack Stubbs, Raphael Satter and Christopher Bing report.
The New Delhi-based firm, BellTroX InfoTech Services, operated on behalf of various clients but the company's owner, Sumit Gupta, declined to name any of them. The company was usually contracted by private investigators to hack their clients' business rivals or political opponents, employees told Reuters.
It's "one of the largest spy-for-hire operations ever exposed," John Scott-Railton, a researcher at the internet watchdog group Citizen Lab, told Reuters. U.S. law enforcement is investigating the seven-year hacking spree, five people familiar with the matter told Reuters.
Gupta denied any wrongdoing. He said he only helped private investigators download messages from inboxes he was given login information for.
In the same investigation, Citizen Lab found multiple environmental organizations working on climate change campaigns against ExxonMobil that were hit with suspicious emails with fake articles and other links about their work. ExxonMobil has not been accused of any wrongdoing, the New York Times reports.
There’s no evidence that a controversial Chinese drone maker was sharing data with Beijing, an audit found.

Law enforcement officers used heat-seeking drones such as this one to search for victims of the tornadoes that ravaged a rural corner of Alabama in March 2019. (Menlo Park Fire Protection District/AP)

The review of Chinese drone maker DJI was conducted by Booz Allen Hamilton, The Hill's Chris Mills Rodrigo reports.
The review comes after the Interior Department stopped using the drones over national security concerns. China hawks including Sen. Marco Rubio (R-Fla.) have pushed legislation that would ban the U.S. government from purchasing drones from China and other foreign adversaries. 
DJI says the accusations are baseless and the new audit proves it.
None of the claims of DJI's wrongdoing have been accompanied by "evidence or analysis demonstrating that there's a factual basis behind the allegation," Brendan Schulman, DJI’s vice president of policy, told the Hill.
Privacy groups are rejecting funding from Facebook after the company refused to remove or label President Trump's post calling for violence against protesters.

The U.S. Capitol building. (Al Drago/Bloomberg News)

The Open Technology Institute received $130,000 in funding from Facebook between June 2019 and June 2020 but won't accept any more.
“With over 2.6 billion users, Facebook has a clear responsibility to reckon with its role in these systems or risk continuing to facilitate oppression that imperils Black lives,” OTI Director Sarah Morris said in a statement.
The advocacy group Public Knowledge also announced it would no longer accept funding from Facebook. Public Knowledge received more than $25,000 from Facebook in 2018 and 2019.
“Platforms shouldn’t hide behind the First Amendment as an excuse to allow hate, misinformation, and abuse to run rampant on their services, particularly when they hold such a dominant position in the marketplace,” said President and chief executive Chris Lewis.
The announcements are a significant stand against Facebook given the company's prominent role in funding tech organizations in Washington. Facebook spends at least $1 million a year on privacy and technology nonprofits and think tanks, including the Electronic Frontier Foundation, Brookings Institute and Access Now.
“We've heard from some organizations about their disagreement with a number of the content decisions we've made and we appreciate their feedback,” Facebook spokesman Andy Stone said in a statement.

Government scan

Coronavirus stimulus fraud could cost $30 billion. 

A man wearing a protective mask uses a laptop. (Photo by Cindy Ord/Getty Images)
That’s “even if we assume a very low rate of fraud, of just 1 percent,” a top official with the U.S. Secret Service told members of the Senate Judiciary Committee, The Hill’s Maggie Miller reports.
More government cybersecurity news:

The head of the NATO military alliance said on Wednesday that the West could not ignore the rise of China and so it was important that Britain had a review of the role of Huawei in its 5G network to ensure its security.
Reuters

Most of the money would go to security measures at Equifax, not to community banks and credit unions affected by the breach.
Wall Street Journal

Industry report

Some Honda plants are still slowed down after the carmaker was hit with a cyberattack this weekend.

Honda Motor Co. vehicles bound for shipment sit at a port in Yokohama, Japan. Economists are slashing forecasts for the Japanese economy as exports are hit from overseas lockdowns and rising domestic virus cases force the Tokyo governor to request that residents stay home. (Kiyoshi Ota/Bloomberg News)
The company has not said that the virus that disrupted its systems was ransomware, but some security experts say they found evidence of ransomware designed to lock the company's internal network, Kevin Collier at NBC News reports.
Ransomware attacks have been on the rise during the coronavirus pandemic.
More hacking news:

The gaming giant said the number of affected accounts increased as a result of its continuing investigation.
TechCrunch

Emails obtained by Motherboard also reveal new details about previously unreported NSO Group products.
Vice


Daybook

  • The House Administration Committee will hold a hearing on the impact of covid-19 on voting rights and election administration Thursday at 1 p.m.
  • The House Financial Services committee will host a hearing on how cybercriminals are exploiting the covid-19 pandemic on June 16 at noon.

Secure log off

Here's an analysis of health concerns related to super-fast new networks.
