Jun 24, 2020

Analysis | The Cybersecurity 202: Here's why all election officials should pay attention to Kentucky's primary

By Joseph Marks


with Tonya Riley

Kentucky’s primary contest yesterday marked a rare bright spot after a string of primaries where officials proved wholly unprepared to hold safe and secure elections during the pandemic.
The Kentucky primary Tuesday was far from flawless. Indeed, some in-person voters waited up to two hours in Lexington. But the state managed to evade the fate of Wisconsin, Georgia and the District of Columbia where large numbers of requested mail ballots never arrived, poll workers were unprepared and voting lines stretched for four hours and longer.
And it did it while shattering the record for primary voter turnout, largely driven by interest in a contentious Democratic primary to take on Senate Majority Leader Mitch McConnell (R-Ky.). Secretary of State Michael G. Adams (R) predicted total turnout would exceed 1 million voters with a large percentage of them casting ballots by mail, Amy Gardner, Michelle Ye Hee Lee and Elise Viebeck report.
The Kentucky situation was a welcome victory after speculation the state could face major primary day challenges — especially because a dearth of poll workers healthy enough to brave the pandemic forced the state to just open 200 polling sites, down from 3,700 in a typical election year.
Given there’s a global pandemic, I think Kentucky did pretty darn well,” Joshua Douglas, a University of Kentucky law professor and voting rights advocate, told me. “It wasn’t perfect, but under the circumstances things could have been a lot worse.”
Voters also cast ballots yesterday in New York and Virginia, which similarly suffered from scattered delays and long lines but no major debacles.
The Kentucky election could carry some valuable lessons for states as they prepare for November’s contest, which will draw far more voters and may be just as constrained by the coronavirus.

Voters wait in line to cast their ballots in the Kentucky primary at Kroger Field in Lexington, Ky. (Timothy D. Easley/AP)

Here are three big reasons things went comparatively smoothly in Kentucky:
1. Bipartisan cooperation
Adams and Kentucky’s Democratic Gov. Andy Beshear issued a joint plan in late April  allowing all residents to vote by mail during the primary, which was delayed from May 19 because of the pandemic. The plan also included 15 days of early voting and a new online portal where voters could request absentee ballots.
That’s a far cry from Wisconsin where the state hurtled toward a primary during the early confused days of the pandemic after the Republican-led legislature blocked Democratic Gov. Tony Evers’s effort to delay it. More than 70 cases of the the virus were later traced to people who stood in line or worked at polls during that election.
Getting past partisanship in running elections this fall is going to be really critical,” Lawrence Norden, director of the Election Reform Program at New York University’s Brennan Center for Justice, told me.
2. Lots of upfront planning
State and county officials generally worked together to set up for an unusual Election Day.
The state managed the process of setting up the online portal for ballot requests, verifying the identity of people who requested mail ballots and tracking those ballots journey between the voter and election officials.
Counties, meanwhile, managed a massive consolidation of voting sites. Officials opened just one polling location each in the state’s two largest counties, Jefferson and Fayette, and provided shuttle service to and from them. Those locations, however, were massive enough to accommodate large numbers of voters social distancing.
In Jefferson County, which contains Louisville, voting took place at the Kentucky Exposition Center, which also holds the annual state fair. In Fayette County, which contains Lexington, voting was held inside Kroger Field, home of the University of Kentucky’s football team.
County officials were also able to mitigate the long lines in Lexington midday by bringing in more electronic poll books to speed voters’ check-in process.
That’s a far different picture from Georgia where Secretary of State Brad Raffensperger spent much of Election Day trading accusations with executives in Fulton County, a heavily African American district that saw some of the state’s longest delays.
“I think Kentucky is a great example of what can be done in other states,” Amber McReynolds, CEO of the National Vote at Home Institute and a former Colorado election official, told me. “They had a thoughtful approach, they considered the data and they mitigated their risks.”
3. No complex new machines. 
Kentucky counties use a hodgepodge of voting systems. They range from hand-marked paper ballots, which election experts say are most secure against hacking, to outdated machines lacking any paper trail and that experts and government officials say are far too vulnerable to hacking by Russia and other U.S. adversaries.
While that creates problems for cybersecurity, it proved a boon during the election because poll workers and voters didn’t have to familiarize themselves with new processes.
That was a problem in Georgia, where poll workers weren’t well enough trained to use new ballot marking machines, and in Los Angeles, where some new machines malfunctioned on Election Day.

A poll worker cleans a voting booth during Tuesdays primary election on Tuesday in Louisville. (Brett Carlsen/Getty Images).
But we’re not out of the woods yet. 
Like many other states, Kentucky’s planning has mostly focused on its primary.
The state has yet to make firm plans for its general election, including ensuring all voters can cast ballots by mail then. During normal elections, Kentucky is among a handful of states that requires voters to provide an excuse to vote by mail such as illness or travel. 
Voting accessibility advocates are also already pushing for the state to open up more polling places in November — both to deal with a surge in voters during a highly contentious presidential election and to ensure in-person voters aren’t forced to travel so far they choose to stay home.
“Governor Beshear and Secretary of State Adams made a good faith effort to make the best of the difficult task of holding an election in the middle of a pandemic. But now they must take the lessons learned from the primary and get things right for the general election when we will likely see even higher turnout,” Richard Beliles, Kentucky Board Chair for the voting rights group Common Cause, said in a statement.
It's also far from clear states will have the money they need to successfully run November elections or whether the federal government will pitch in. 

Sen. Amy Klobuchar (D-Minn.). (Tom Williams/CQ Roll Call/Pool /AP).

Democrats in Congress have pushed for $3.6 billion in new election money along with tough new mandates that states offer a mail voting option to all voters and early voting days. But the efforts are facing tough opposition from McConnell and other Republicans.
Sen. Amy Klobuchar (D-Minn.), a lead sponsor of Senate legislation, made another push for it yesterday, warning “if the past few months are any indication, for many casting a ballot today will not be safe and will not be easy.”
She also pointed to the Wisconsin primary as a signal disaster. “Wisconsin’s primary will forever be etched in the memory of our nation,” Klobuchar said. “Voters stood four hours in the cold and rain, wearing garbage bags and homemade masks just to be able to exercise their right to vote.”
The Senate Rules Committee, which is in charge of election issues, will hold hearings next month to look at what is and isn’t working in expanding voting by mail, Chairman Roy Blunt (R-Mo.) said.
Blunt said he’d consider legislation that sends more money to state election officials. But he’s highly skeptical of mandating any changes to how states run elections.
Klobuchar’s bill “represents a one-size-fits-all federal answer to a problem that I think the federal government is not the best place to answer,” he said.

The keys
Senate Republicans want to end "warrant-proof" encryption.

Sen. Lindsey O. Graham (R-S.C.). (Al Drago/Bloomberg News).

Legislation introduced by Senate Judiciary Committee Chairman Lindsey O. Graham (R-S.C.) and other Republicans would require tech companies to help law enforcement with a warrant to access encrypted data on their systems
The Lawful Access to Encrypted Data Act would authorize the Justice Department to issue directives requiring that tech companies comply with the law, but it wouldn't give it the authority to tell the companies exactly how to do it. The lawmakers argue that the data-protecting technology shields terrorists, child predators and other criminals from law enforcement. Encryption proponents and tech companies argue that creating an encryption backdoor for law enforcement would also make it easier for criminals to hack into encryption, undermining everyone's cybersecurity. 
The new legislation comes just two days before Graham's committee is scheduled to discuss the EARN IT Act, a bill with bipartisan sponsors that would strip tech companies' liability protections if they don't help law enforcement better combat child pornography sharing on their platforms. Encryption advocates have warned the bill could force companies to weaken encryption. Neither bill has much chance of becoming law ahead of the November election.
The new legislation follows a months-long push by Attorney General William P. Barr against encryption. Barr tried unsuccessfully to push Apple to help unlock encrypted iPhones used by a Saudi Air Force student who opened fire last year at a U.S. military base in Pensacola, Fla. He also has criticized Facebook's push to encrypt all its messaging services, alleging that move would make it much harder to track down online child predators.
A privacy-centric operating system is slamming Facebook for helping the FBI hack it. 

The Facebook app. (Johannes Berg/Bloomberg News)

The criticism comes after Motherboard reported last week that Facebook paid a third-party developer to help the FBI hack into the operating system called Tails to catch a heinous child predator. That was news to executives at Tails, who said it had no idea about the hack until the Motherboard story. 
Facebook argued it didn't have to tell Tails about the vulnerability the FBI exploited since a pending software upgrade would fix it. But Tails say there is no way it can know for sure the vulnerability is fixed because Facebook and the FBI won't answer their questions.
“Without these full details, we cannot have a strong guarantee that our current users are 100 percent safe,” a Tails representative said.
Experts also fear the hacking tool could have been used against activists and journalists who use the security-focused operating system, Motherboard reports. Tails is part of SecureDrop, an anonymous tip submission system used by journalists.  
Security experts also criticized Facebook's actions.
The hypocrisy is absolutely wild, said security expert Harlo Holmes. “More hackers should learn about the ethics of what we do, and this is a textbook example. 
The FBI is warning schools to expect a surge in cyberattacks.

A classroom is set out with socially distanced seating. (Photo by OLI SCARFF / AFP) (Photo by OLI SCARFF/AFP via Getty Images).

The risks are heightened because most schools are trying to run classes remotely during the pandemic, an FBI alert obtained by Eric Geller at Politico warns. The warning also points to limited cybersecurity budgets at many schools, something that lawmakers have attempted to address in federal legislation.
Scoop: FBI privately warns K-12 schools to expect a surge in cyberattacks, esp. ransomware, during the pandemic.
Remote learning small cyber budgets pressure to protect student data = tempting combination for hackers, according to alert I obtained.https://t.co/mJqLgN5o34 pic.twitter.com/w2F0wD7p6j
— Eric Geller (@ericgeller) June 23, 2020
The FBI has already seen an increase in cyberattacks over the past year in which hackers lock up school districts' computer systems and refuse to unlock them unless they pay a ransom. The attacks can leave school districts' online systems disabled and damaged for weeks. 
In the past, schools have switched to low-tech learning during ransomware attacks. But that would be essentially impossible with students dialing into classes from home. 

Chat room

Republicans' encryption busting bill quickly sparked concern from privacy advocates who tied it to law enforcement surveillance of recent protests against police violence. Fight for the Future's Evan Greer poked at one of the sponsors, Sen. Tom Cotton (R-Ark.), who also urged a U.S. military crackdown on the protests.
Oh cool. The "Send in the troops" Senator is sponsoring a bill that would put government backdoors in encryption because 2020 is the year where fascist authoritarians say the quiet part LOUD https://t.co/ymeLksDWMf
— Evan Greer (@evan_greer) June 24, 2020
The Open Technology Institute's Ross Schulman:
If you are a protestor, if you are seeking change in the status quo, if you believe that #BlackLivesMatter, if you follow @BlackSocialists, or are a person of color, then the police state is aimed at you and ENCRYPTION protects you. Now old white men want to take that away.
— Ross Schulman (@RossSchulman) June 24, 2020

Cyber insecurity

Twitter banned an account that distributed 20 years' worth of hacked police records.

Police in New York. (Frank Franklin II/AP)

The account, DDoS Secrets published emails, training documents and potentially sensitive information including bank account information from dozens of police departments. Sharing the content violated Twitter's policy on the distribution of hacked data, a representative told ZDNet.  Twitter said the data could have posed "real world harm."
Journalist Emma Best, who runs the account:
.@DDoSecrets has worked with dozens of major news outlets across the world and published terabytes of data uncovering money laundering schemes, corruption, and more.
Now we're being censored for publishing the #BlueLeaks files about law enforcement https://t.co/MBKQ7JRW6A
— Emma Best 🏳️‍🌈🏴 (Mx. Yzptlk) (@NatSecGeek) June 23, 2020
More in cyber-scams and hacking:

The FBI is investigating several recent incidents of racist emails being sent to thousands of affiliates of major institutions including Harvard University, Stanford University, and Iowa State University, according
The Hill

Daybook

Today:
  • The Aspen Tech Policy Hub will host an event on "Protecting Your Digital Reality" Wednesday at noon.
  • The Senate Commerce Committee will hold an oversight hearing to examine the Federal Communications Commission at 10 a.m.
  • The Energy and Commerce Committee will host a hearing on online disinformation at 11:30 a.m. The hearing will cover disinformation related to covid-19 and the recent racial unrest.
Coming up:
  • The Senate Homeland Security Committee will hold an oversight hearing to examine Customs and Border Protection Thursday at 9:30 a.m.
  • The Senate Judiciary Committee will mark up the EARN IT Act of 2020 on Thursday.
  • Carnegie's Partnership for Countering Influence Operations and Twitter will host an event on influence operations on Twitter on July 9 at 1 p.m.
All events are virtual unless otherwise noted.

Secure log off

In case the new “Perry Mason” reboot isn't enough:
skoo bop dee skoo wop renegade pic.twitter.com/1wWYIyxMkw
— Dave Jorgenson (@davejorgenson) June 23, 2020

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.