Jul 15, 2020

Analysis | The Cybersecurity 202: DNC’s email voting plan limits hacking risk but can’t eliminate it


By Joseph Marks


with Tonya Riley

The Democratic National Committee’s virtual convention next month will mark a major test for whether Internet-based voting can be done safely and securely.
The DNC, which is moving its convention online because of the coronavirus pandemic, released a plan Friday for delegates to vote by email for the Democratic presidential nominee and planks in the party’s platform.
Internet voting presents far fewer risks in this case than it would during a regular election because delegates’ ballots aren’t secret. That means they can verify their votes weren't altered either by hackers or technological snafus and correct any errors after the fact. There’s also no drama about the outcome of the most important vote because former vice president Joe Biden has basically already secured the Democratic nomination.
But it still presents numerous opportunities for hackers from Russia or elsewhere to disrupt the voting process, sow confusion about results or use disinformation operations to spread conspiracy theories or gin up hostilities between rival camps supporting Biden and Sen. Bernie Sanders (I-Vt.).
And any disruption is likely to spark painful memories of 2016 when information Russia hacked and leaked from the DNC helped wreak havoc on Hillary Clinton’s campaign.
That means the DNC must be hyper-prepared to knock back any allegations of digital interference or rapidly respond to attacks even as it runs a convention unlike any in history.
“Even if they’re making a prudent decision for public health, this still remains a rich environment for bad actors,” Edward Perez, global director of technology development at OSET Institute, a nonprofit election technology organization, told me. “No one should lose sight of the fact that a purely electronic return of ballots is very high risk. The DNC needs to wear both hats at the same time: public health and cyber defense.”

Former vice president Joe Biden, the presumptive Democratic nominee. (Tom Brenner/Reuters)
The DNC has been working for months on how to make a virtual convention work during the pandemic. 
The party passed a resolution in May allowing smaller subcommittees to handle in advance some of the more complex votes that usually take place on the convention floor. The remaining votes, including nominating the party’s candidate for president, will go to all convention delegates on a single ballot delivered by email. They’ll have 12 days to fill that ballot out and forward it by email to state party officials between Aug. 3 and Aug. 15. The convention begins Aug. 17.
Those emailed ballots will include the delegate’s name and another unique identifier such as a bar code that connects the delegate with his or her vote, the party said in an email to delegates.
“The State Parties will be responsible for collecting all ballots from convention delegates as they would if we were conducting votes in person at the convention,” the letter states. “At the conclusion of voting, each state delegation chair will submit a tally sheet to the Secretary’s Office that formally records the number of votes cast on each item of convention business.”
There are a number of built-in security safeguards. 
Delegates will receive email updates when their votes are tallied by state party officials and will be able to reach out to those officials to ensure their votes were correctly recorded, a DNC official told me. Delegates will also have the option of voting by phone or conventional mail if they object to email voting or lack Internet, the official said.
Biden’s and Sanders’s campaigns hosted webinars this weekend outlining the email-voting system for their delegates.
“We want delegates to play their critical role without risk to their personal or the public health,” said the official, who was not authorized to speak publicly about cybersecurity planning. “We know who all the delegates are. And because the votes are public, we feel confident that we could swiftly fix any problems that arise.”
The party is also taking measures to ensure that other elements of the convention aren’t disrupted by hackers such as speeches by Biden and top party officials. That includes buying services from cybersecurity companies and “deploy[ing] redundant and diverse connections and pathways for the programming and infrastructure that supports the programming,” the official said.

Sen. Bernie Sanders (I-Vt.), left, and Biden. (Matt Rourke/AP)
If a traditional election were held this way, election security experts would be sounding alarms about it.
Indeed, when a handful of states piloted voting on mobile apps earlier this year, it sparked so much concern that the Department of Homeland Security, the FBI and the Election Assistance Commission sent states a guidance memo detailing the risks. The memo warned that returning ballots using the Internet poses “significant security risks,” including that hackers could change large numbers of votes, block votes from being recorded or undermine ballot secrecy.
Those risks are significantly mitigated when officials aren’t trying to both send a vote over the Internet and keep the voter’s identity secret. But they’re not eliminated.
“The stakes are obviously a lot lower in a party convention setting than a general election context where online voting could be hacked to change the results,” Alex Halderman, a University of Michigan election security expert, told me. “But what’s at stake here is the legitimacy of the process and for that reason security is still very important.”
For example, hackers could prevent a state from forwarding votes to the DNC by locking up its computers with ransomware or overwhelming its networks with Internet traffic. They could also change large numbers of votes by hacking into delegates’ personal computers and mobile devices. That would probably be caught but not before it publicly embarrassed the party.
“I’m less concerned about this instance of remote voting because they won’t be anonymous,” Duncan Buell, a University of South Carolina election security expert, told me. “But [the DNC] should contract with a really good security firm. They should have backups on top of backups and delegates should be checking their votes were cast the way they expected.”
The committee should also be as transparent as possible so there’s less room for Russia or another hostile nation to spread phony rumors that votes aren’t being counted accurately or to otherwise spark fights between delegate factions, Perez said.
“Just like the DNC attack in 2016, this creates an opportunity for bad actors to cast doubts on results and further divide us as a nation,” he said.

The keys
Trump is taking credit for the U.K.’s decision to ban Huawei from its 5G networks.

President Trump exits a news conference. (Jabin Botsford/The Washington Post).

The president’s boast came after the United Kingdom reversed an earlier decision that would have allowed the Chinese firm to build less-sensitive parts of its next-generation phone and Internet system. 
“I did this myself, for the most part,” Trump said at a news conference. “It’s a big security risk. I talked many countries out of using it.”
British Health Secretary Matt Hancock pushed back on Trump’s claims, saying, “All sorts of people can try to claim credit for the decision but this was based on a technical assessment by the National Cyber Security Centre about how we could have the highest quality 5G systems.”
Hancock told Sky News: “Well we all know Donald Trump don’t we.”
The U.K. government expects its 5G network to be totally Huawei-free by 2027 because it will be a lengthy and costly process for British companies to shed all their Huawei gear. The decision came after a U.S. ban on foreign firms selling computer chips made with U.S. equipment to Huawei.
U.S. security hawks hailed the ban as a victory. U.S. officials have long maintained that Huawei could serve as a back door for Chinese spying. Huawei denies the claims.
Sen. Mark R. Warner (D-Va.), vice chairman of the Senate Select Committee on Intelligence, urged the Trump administration to work with allies “on promoting secure and competitively priced alternatives to Huawei equipment.”
Sen. Roger Wicker (R-Miss.), chairman of the Senate Commerce Committee, also weighed in:
UK Prime Minister @BorisJohnson is making the right call. Huawei equipment can be used to facilitate Chinese espionage. I hope more of our allies will follow suit and secure their networks from compromised equipment. https://t.co/BnwBctf8id
— Senator Roger Wicker (@SenatorWicker) July 14, 2020
The decision could steer other European countries toward banning Huawei or seriously limiting its role in their 5G networks, Ellen Nakashima and William Booth report.
Huawei, meanwhile, blamed the U.K. decision on politics. “This disappointing decision is bad news for anyone in the U.K. with a mobile phone,” a company spokesman told Reuters. “Regrettably our future in the U.K. has become politicized, this is about U.S. trade policy and not security.” Some trade groups have also criticized the move, saying the timeline could hurt U.K. consumers.
A Texas judge denied a request to allow voters with the coronavirus to cast ballots by email in yesterday’s primary runoff.

Voters check in before casting their ballots Tuesday in Houston. (Steve Gonzales/Houston Chronicle/AP)

The last-minute request by Harris County officials came on behalf of thousands of quarantined people, Zach Despart at the Houston Chronicle reports. An Austin resident in a similar bind had to get a last-minute doctor’s note that allowed her to have someone else return her ballot with minutes to spare, the Texas Tribune’s Alexa Ura reports.
The incidents show the sort of thorny challenges that are likely to face officials in November as they attempt to run elections in the thick of the pandemic.
Meanwhile, some Dallas County voters had their ballots returned to them because of issues with preprinted envelopes, the U.S. Postal Service confirmed Monday. It’s unclear how many voters were affected and if they ultimately risked catching the virus to vote in person. “We reviewed this issue with the Dallas County Board of Elections before the election as well as last week, advising them how to correct the problem,” USPS told Dallas news station WFAA in a statement.
Other primary and runoff elections went relatively smoothly yesterday in Alabama and Maine.
Spain is the latest nation accused of using spyware to go after political opponents.

Roger Torrent, president of the Catalonian parliament. (Jean-Francois Badias/AP)

Roger Torrent, the speaker of a regional parliament in Spain’s Catalonia region, alleges the Spanish government used controversial spyware from the Israeli company NSO Group to hack his phone, the Guardian reports.
Torrent, an advocate for Catalan independence from Spain, was alerted about the hack by researchers working with WhatsApp. The Facebook division is suing NSO for helping government clients hack its customers. Torrent told the Guardian that it seemed clear the “Spanish state” was responsible for the alleged attack.
Two other advocates for Catalan independence were allegedly also targeted in what researchers called a “possible case of domestic political espionage,” the Guardian reports.
A former NSO employee confirmed to Motherboard that the Spanish government is a client. NSO maintains it only sells its spyware to governments for tracking terrorists and criminals.
WhatsApp is suing NSO for allegedly helping to hack approximately 1,400 of its users across 20 countries, including about 100 journalists, dissidents and activists. Amnesty International recently lost a case that would have stripped NSO of its license to export software outside of Israel.

Hill happenings

A Democratic lawmaker is calling on Apple and Google to require apps to disclose where they store data.

(Lam Yik/Bloomberg News)

Rep. Stephen F. Lynch (D-Mass.), chairman of the House Oversight Subcommittee on National Security, sent letters to Apple and Google saying that the companies are responsible for making consumers aware of potential security risks posed by the apps.
Neither company requires developers to disclose in which countries their data is stored. 
Intelligence officials have warned that foreign apps could be compelled to share U.S. user data depending on local laws. Some lawmakers and officials have pointed to the concern in advocating for restrictions on TikTok and other Chinese apps. (TikTok says it does not store U.S. user data in China.)
Lynch also asks the companies to provide details on any instances in which they removed an app for sharing personal data with a foreign government.

Securing the ballot

Major U.S. Postal Service operational changes could wreak havoc on mail-in voting.

(Caitlin O’Hara/Bloomberg News)

The changes, instituted by new Postmaster General Louis DeJoy, include directing carriers to temporarily leave some mail at distribution centers in order to finish their routes more quickly, according to a memo obtained by The Washington Post.
Mail voting advocates fear that could dramatically slow delivery of mail ballots and ballot applications. The changes come as the Trump administration has wrested increased control over the struggling agency.
“With our states now reliant on mail voting to continue elections during the pandemic, the destabilizing of the Post office is a direct attack on American democracy itself,” said Rep. Bill Pascrell Jr. (D-N.J.). He urged the Senate to pass a $25 billion rescue package that the House has already passed.
More election news:
Nearly 100,000 voters mailed in their choices on Saturday, July 11. (WAFB)
The decision marks a new development in the State House tug-of-war over how to conduct the upcoming primary and general elections. (WPRI)

Global cyberspace

TikTok tries to allay security concerns in Australia. 

(Lam Yik/Bloomberg News).

The company's general manager for Australia wrote a two-page letter to Australian lawmakers insisting that the company does not share any data with the Chinese government, the Wall Street Journal reports.
More international news:

A Chinese bank required a company to use a tax software for local tax purposes, but the software quietly deployed a backdoor, Trustwave researchers say. (CyberScoop)

Cyber insecurity

Microsoft issued a patch for a serious Windows flaw.

Microsoft headquarters in France. (GERARD JULIEN/AFP via Getty Images)
The 17-year-old vulnerability could have allowed hackers to take over a victim's entire IT system, including emails and servers, CyberScoop reports. The vulnerability, which was discovered by researchers at Check Point, is the third serious vulnerability Microsoft has patched this month.
More hacking news:

EXCLUSIVE: The MGM Resorts 2019 data breach is much larger than initially reported. (ZDNet)

Chat room

There's no rest for our nation's first line of defense against foreign interference:

Daybook

  • The House Oversight Committee will hold a hearing to examine U.S. cybersecurity preparedness and the National Cyber Director Act today at 12 p.m.
  • The House Budget Committee will hold a hearing on the need for federal investments in technology in light of the coronavirus pandemic today at 2 p.m.
  • The Center for Democracy and Technology will host an event, “A Shared Responsibility: Protecting Consumer Health Data Privacy in an Increasingly Connected World” today at 4 p.m.
  • The Aspen Institute will host a discussion about U.S. election security in the shadow of the coronavirus on Thursday at 1 p.m.
  • The House Homeland Security Committee will hold a hearing evaluating the Cyberspace Solarium Commission recommendations Friday at 12:30 p.m.
  • The House Administration Committee will hold a hearing on the security of remote voting in the House on Friday at 1 p.m.
  • The Center for Strategic and International Studies will host a discussion with former Google chairman and chief executive Eric Schmidt about technology, data and innovation policy on Friday at 4 p.m.
  • The Senate Commerce Subcommittee on Manufacturing, Trade, and Consumer Protection will hold a hearing on protecting Americans from coronavirus scams on July 21 at 2:30 p.m.
  • The Senate Rules Committee will hold a hearing on general-election preparations on July 22 at 10:30 a.m.

Secure log off

The Daily Show throws its support behind a project to recruit poll workers during coronavirus:
America is facing a nationwide poll worker shortage, but you can help by going to https://t.co/70gHiVzDaT pic.twitter.com/qBJbcmVpVp
— The Daily Show (@TheDailyShow) July 14, 2020
A new Apple commercial capitalizes on our work-from-home nightmares.
