Jun 17, 2020

Analysis | The Cybersecurity 202: How secure are electronic pollbooks and vote reporting tools? This new program aims to find out.

By Joseph Marks


with Tonya Riley

Voting machines get most of the attention when it comes to election security. But officials are now trying to tackle myriad ways adversaries could undermine U.S. elections aside from directly rigging ballots.
A new pilot project run by a top cybersecurity nonprofit group and the Election Assistance Commission aims to look for bugs in the many other machines that hackers could exploit to throw an election into chaos, such as electronic poll books and systems for reporting unofficial election night results. Most states currently don’t have a formal process for ensuring they're secure.
“Most of our adversaries aren’t looking to affect the outcome of an election as much as they want to affect our confidence in that outcome,” Aaron Wilson, senior director of election security at the Center for Internet Security, which is running the project, told me. “All of these technologies could have a really big impact on voter confidence and in some cases on the vote itself.”
A cyberattack that modified voter information in e-poll books, for example, could make it difficult or impossible for many people to cast ballots. An attack that changed election night results could create confusion about the winner and degrade faith in the real result.
And, unlike voting machines, which are almost always scrupulously segregated from the Internet, these systems are often online and connected to cloud-based storage, opening up numerous avenues for hackers.
But much of this won’t be ready in time for November’s contest.

Dozens of voters wait in line to vote after the official end of polling time due to trouble with one of the place's two voting booths near Temple University. (Jahi Chikwendiu/The Washington Post)
CIS expects to produce its first report after November but make it a guidepost for future elections. 
The report will essentially be a how-to guide for states that want to incorporate vetting such tools when they certify election equipment and for companies that build the tools and want to improve their security practices.
“We want to be the thought leaders on how to do this the right way,” Wilson said. “The lack of scrutiny [from states] just puts everything at a higher risk.”
The Election Assistance Commission, which produces voluntary security guidelines for voting machines, may also use what it learns from the process to launch its own program assessing nonvoting election equipment, EAC Chairman Ben Hovland told me. CIS released its broad plan for the project in January and is announcing most details and the EAC partnership this morning.
The EAC is officially co-chair of the project’s steering committee, which means it weighs in regularly on the assessments CIS is providing and whether they’re helpful.
The commission, which was formed in the wake of the disputed 2000 election between George W. Bush and Al Gore, has sought to expand its role in security vetting since 2016 but was slowed by lack of funding, Hovland said. It also has been roiled by staff turmoil and turnover during that time.
The project's steering committee also includes state election officials from Maryland, Ohio, Wisconsin, Texas and Pennsylvania.
Four companies have agreed to submit their election technology to CIS for testing: KnowInk, which produces electronic poll books; Scytl, which produces election night reporting systems; VR Systems, which produces both e-poll books and election night reporting systems, and VotingWorks, which produces an online system to audit election results.
There's evidence adversaries are broadly interested in hacking these kinds of equipment. 
In 2014, for example, a Russian hacking group called CyberBerkut compromised a Ukrainian election website and set it up to post phony results declaring a far-right candidate the winner. Officials discovered the attack and corrected the results just an hour before they would have been broadcast.
“We've seen foreign adversaries exploit election night reporting … so we know that it's in the playbook,” Hovland said. “If people hear one thing on the news that night and wake up the next morning and hear that was wrong or that information was manipulated, you can certainly imagine how that would impact voter confidence. So, it’s crucial to make sure that information is as secure as possible.”
E-poll book malfunctions and instances where people didn't know how to use them have also contributed to long lines and voter outrage in numerous primaries without any evident hacking.
That could be a roadmap for Russia and other U.S. adversaries for how they could create even more chaos in November. It could even affect the outcome or sow doubts about its legitimacy if enough people in particular districts get frustrated and go home.
“There are a lot of things you can do to affect the outcome of an election even if you don’t change votes themselves,” Wilson said.

A voter fills out their ballot at a polling station inside the Brooklyn Museum. (John Minchillo/AP)
Yet states have traditionally been hesitant to vet nonvoting election tools. 
That's partly because they connect to the Internet and rely on a lot of commercial software, which means new vulnerabilities can crop up on a regular basis. That makes them a poor fit for states’ lengthy and bureaucratic certification processes for voting machines, tabulators and other voting equipment.
Instead election officials have relied mostly on their IT staffs and on companies that sell the tools to ensure their software is properly patched and the right security protections are in place.
But that system probably isn’t secure enough for the post-2016 era when Russia and other U.S. adversaries are eager to find any route to upend U.S. elections.
“Certainly, this is an area that adversaries could sow chaos or really impact voter confidence,” Hovland said.

The keys
CIA hacking tools leak shows it should be bound by DHS cybersecurity rules, Sen. Ron Wyden says. 

The seal of the Central Intelligence Agency at CIA headquarters in Langley, Va. (Carolyn Kaster/AP)

The warning comes after the Oregon Democrat released a damning 2017 internal assessment of poor security practices that enabled an insider to covertly steal a cache of the agency’s prized hacking tools known as Vault 7, as Ellen Nakashima and Shane Harris report.
The report found that the 2016 theft was a result of woefully lax security procedures, including sharing passwords for top-level access and only using one authentication procedure to get into systems. Many of the practices defied the standards DHS imposes on other civilian agencies, Wyden points out in a letter to National Intelligence Director John Ratcliffe.
The letter asks Ratcliffe whether the agency intends to meet 22 cybersecurity recommendations from the intelligence community inspector general.
The report itself slams the CIA for making too little progress securing its data, especially after other high-profile leaks by NSA contractor Edward Snowden and Army Pvt. Chelsea Manning.
The breach of the CIA hacking tools was uncovered only after anti-secrecy group WikiLeaks published the information a year later in March 2017. It was the largest known unauthorized disclosure of classified information in the agency's history.
A Russian disinformation operation targeted a Who’s Who of Putin’s enemies. 

The Kremlin's Spasskaya Tower. (Pavel Golovkin/AP)

The operatives behind the Secondary Infektion group targeted everyone from French President Emmanuel Macron and former U.S. secretary of state and presidential nominee Hillary Clinton to the World Anti-Doping Agency and Kremlin critic Alexei Navalny, Ellen Nakashima and Craig Timberg report.
They relied on fake news articles and social media accounts with small followings to spread misinformation.
“The claims, detailed in the report by research firm Graphika, were rarely subtle,” Ellen and Craig report. “Clinton in 2016 was dubbed a “MURDERER.” Political rivals were depicted as incompetent or alcoholics. The World Anti-Doping Agency, which barred Russia and many of its athletes from the 2016 Olympics, was falsely accused of colluding with pharmaceutical companies.”
Graphika was unable to determine which arm of Russia's extensive intelligence operations was behind the effort.
The operation was less effective than Russia's Internet Research Agency's efforts in 2016 to spread misinformation, or the distribution of stolen emails from the Clinton campaign, researchers say. 
But the scope of the effort and the fact it remained undiscovered so long underscore the scope of Russian disinformation operations that could affect the 2020 contest.
“This shows that we are still uncovering blind spots in our understanding of Russian interference and have work ahead of us to make sure we’re properly prepared to defend the 2020 election,” said Camille François, Graphika's chief innovation officer. “Who are these guys and what are they really trying to achieve: These are questions we’re not currently able to answer. That’s disconcerting.”
Bahrain and Kuwait are using contact-tracing apps as "mass surveillance tools," Amnesty International reports.

A man holds a smartphone showing a tracking and tracing app launched by the National Institute of Public Health. (Heiko Junge/NTB Scanpix/AFP/Getty Images)
The international human rights group's analysis criticized the apps for tracking citizens’ locations in real time and storing that data in a central server where it would be more vulnerable to mass hacking than in people’s phones.
Amnesty International also criticized Norway for similar location-tracking practices. Norway ceased using its app on Monday after state regulators said the app didn't provide enough value to justify its privacy risks.
The apps from both Bahrain and Kuwait further invade citizens' privacy by pairing with a Bluetooth bracelet to monitor individuals who are quarantined. Bahrain even used its app to identify random users for a national game show that checks to see whether people are staying at home during the pandemic. The app now allows users to opt out of the game show. 
Researchers found that authorities in all three countries could easily link the location data the apps collected with identifiers such as a phone number to trace users. 
“Bahrain, Kuwait and Norway have run roughshod over people’s privacy, with highly invasive surveillance tools which go far beyond what is justified in efforts to tackle covid-19,” said Claudio Guarnieri, head of Amnesty International’s Security Lab.

Chat room

Here are some more reactions to the 2017 Vault 7 report. Former DHS cybersecurity official Phil Reitinger:
Please read the Wyden letter. That the IC uses single factor auth to protect its domain names, hasn't deployed DMARC on .gov domains like https://t.co/SEiwt4yJcw, and uses single factor auth for JWICS is shocking. (FYI, I am not easily shocked.) @bobgourley @lewisshepherd https://t.co/RJOshR3eSb
— Phil Reitinger, Principle Engineer (@CarpeDiemCyber) June 16, 2020
Johns Hopkins's Thomas Rid points out the lack of consequences for the debacle:
No hearings.
No high-level firings.
No major consequences. pic.twitter.com/uMDwZ8fuCF
— Thomas Rid (@RidT) June 16, 2020
Annie Jacobsen, an author and journalist on military issues:
Woah...That IARPA's version of DARPA's ADAMS (Anomaly Detection at Multiple Scales) Program also failed here. https://t.co/UCuF4NsJyx
— Annie Jacobsen (@AnnieJacobsen) June 16, 2020

Industry report

Facebook will launch a new tool to help users request mail-in ballots.

A design for Facebook's new Voter Information Center. (Facebook)
The company will also give users a tool to see fewer political ads if they choose, chief executive Mark Zuckerberg wrote in a USA Today op-ed.
“Voting is voice. It's the single most powerful expression of democracy, the best way to hold our leaders accountable, and how we address many of the issues our country is grappling with,” Zuckerberg wrote. “I believe Facebook has a responsibility not just to prevent voter suppression -- which disproportionately targets people of color -- but to actively support well-informed voter engagement, registration, and turnout.”
The company hopes to register 4 million people to vote across its platforms, he said.

Cyber insecurity

Internet infrastructure firm Akamai recorded the world's largest-ever denial of service attack, it says.

Cables feed into a serial digital interface (SDI) card. (Bloomberg News)
The firm isn't revealing who was targeted by the attack, though, which happened earlier this month.
"What was really different in this case was the coordination," Roger Barranco, vice president of global security operations for Akamai, told Dark Reading. "The actors were able to get ahold of multiple tools. It did not source from a single region. So that means that someone went way out of their way to either reserve the capability or collect the tools needed to level an attack of this size."
More in hacks and scams:

Employees at two European aerospace and defense companies were hacked via LinkedIn from September to December 2019, according to ESET.
CyberScoop

Lawmakers on Tuesday received a loud warning about the danger of hackers zeroing in on financial institutions as prime targets during the COVID-19 pandemic.
The Hill

Treck Inc. may be one of the most important software companies you’ve never heard of. Engineers at the Cincinnati-based company build networking protocols that end up in everything from HP printers to medical devices made by Baxter International, a Fortune 500 company.
CyberScoop

Daybook

  • House Intelligence Committee will hold a virtual open hearing with Facebook, Google and Twitter on Foreign Influence and Election Security Thursday at noon.
  • Carnegie's Partnership for Countering Influence Operations and Twitter will host an event on influence operations on Twitter on July 9 at 1 p.m.

Secure log off

Our newsletters will be off on Friday in honor of Juneteenth. Here's a primer by Karen Attiah, Washington Post Global Opinions editor, about the significance of the holiday.
Juneteenth explained pic.twitter.com/FlfE8p8FM7
— Dave Jorgenson (@davejorgenson) June 16, 2020
