Tag Archives: Election Security

Nevada Gets a C: Election Security Report

I think we can agree on the proposition that free and fair elections are crucial to American democracy and to the preservation of our republic.  That said, how does Nevada rank among states in terms of our election security.  The Center for American Progress gives Nevada a “C.”  The think tank reviewed the following categories:

  1. Minimum cybersecurity standards for voter registration systems
  2. Voter-verified paper ballots
  3. Post-election audits that test election results
  4. Ballot accounting and reconciliation
  5. Return of voted paper absentee ballots
  6. Voting machine certification requirements
  7. Pre-election logic and accuracy testing

Nevada gets mixed reviews in category 1, the registration system is about ten years old, but does provide for some important cybersecurity checks for intrusions.  There is currently no requirement for cybersecurity training for all election officials in the state, nor has the State reached out to DHS for any assistance in auditing or improving its system.  Secretary of State Cegavske is an alternate member of a national task group on election cybersecurity, but no indication is given in the report whether or not her participation has yielded improvements in Nevada’s system, or whether more security emphasis is placed on the Office of Cyber Defense Coordination.

There is one major loophole in the Nevada system: “The state permits UOCAVA voters to submit completed ballots electronically, via email or by fax.986”  This is a notoriously fragile practice and one wide open to possible manipulation.

A full reading of this important study is highly recommended.  It’s also important for Nevadans to support the Election Assistance Commission, which is under Republican attack in Congress, since that is the specific agency tasked with establishing testing standards for voting machines.

Advertisements

Comments Off on Nevada Gets a C: Election Security Report

Filed under Nevada politics, Politics

Now A Warning? Same Old News About Russian Interference Without Any New Response

No, it’s NOT okay.  Merely because it isn’t thought the Russians actually changed any voting results doesn’t mean things are hunky-dory for the 2018 elections.  Today’s ‘news’ is in reality old news.  Consider the following excerpts from times gone by:

September 22, 2016 – “Democrats Dianne Feinstein and Adam Schiff, ranking members of the Senate and House Intelligence Committees, issue a joint statement declaring that based on information they received during congressional briefings, they believe that Russian intelligence agencies are carrying out a plan to interfere with the election. They call on Putin to order a halt to the activities.” [CNN]

September 29, 2016 –  “There have been hacking attempts on election systems in more than 20 states — far more than had been previously acknowledged — a senior Department of Homeland Security official told NBC News on Thursday.  The “attempted intrusions” targeted online systems like registration databases, and not the actual voting or tabulation machines that will be used on Election Day and are not tied to the Internet.The DHS official described much of the activity as “people poking at the systems to see if they are vulnerable.”  “We are absolutely concerned,” the DHS official said. “The concern is the ability to cause confusion and chaos.” [NBC]

Fast forward to 2017, and the story remains essentially the same, albeit with more details.  In September 2017 the Department of Homeland Security finally got around to officially notifying the states they’d been hacked.

“The Department of Homeland Security said earlier this year that it had evidence of Russian activity in 21 states, but it failed to inform individual states whether they were among those targeted. Instead, DHS authorities say they told those who had “ownership” of the systems — which in some cases were private vendors or local election offices.” [NPR]

Yes, it took ten months for the Department of Homeland Security to officially tell the states what was going on.  And now…. this is “news:”

February 7, 2018:  “The U.S. official in charge of protecting American elections from hacking says the Russians successfully penetrated the voter registration rolls of several U.S. states prior to the 2016 presidential election.

In an exclusive interview with NBC News, Jeanette Manfra, the head of cybersecurity at the Department of Homeland Security, said she couldn’t talk about classified information publicly, but in 2016, “We saw a targeting of 21 states and an exceptionally small number of them were actually successfully penetrated.”  [NBC]

Indeed, this isn’t coming as news to the 18 states that volunteered for the free cyber-hygiene scans offered by the Obama Administration’s Department of Homeland Security in 2016.  However, a person would have to wonder what happened to the two states which refused the free scan offer, and why we keep getting what is at best a repetition of the same warnings issued at least a year ago.

And what has happened since November 2016? It would be far easier to track what has NOT been done.  For example, there has not been a single cabinet level meeting concerning the issue of Russian interference.  There has not been a single report issued by the current administration issued on the subject of Russian interference.  There has been nothing done by the current administration to implement the sanctions overwhelmingly enacted by the 115th Congress against the Russians for their interference — their continuing interference.  And yes, the Russians did in fact hack into some voter rolls. [TheHill] And yes, the Russians are still at it. [NYT]

How do we know this? Because CIA Director Mike Pompeo says he’s reasonably certain the Russians will meddle in the 2018 midterms. [BBC/Politico]  The Secretary of State Rex Tillerson says we’re going to be a target in 2018 (and there’s probably nothing we can do about it.)’ [WashExam]

So once more it’s time to refer to the only comprehensive report on Russian interference issued from Washington so far — the Cardin Report:

“A Senate Foreign Relations Committee Democratic staff report released Wednesday and commissioned by U.S. Senator Ben Cardin (D-Md.), the Committee’s ranking member, details Russian president Vladimir Putin’s nearly two decades-long assault on democratic institutions, universal values, and the rule of law across Europe and in his own country. The report comes one year after Senator Cardin introduced the Counteracting Russian Hostilities Act of 2017, which served as the basis for the sanctions package signed into law last August, and makes a series of recommendations to adequately bolster U.S. and European defenses and counter the growing Kremlin threat to democratic institutions.”

It is well past time for the administration to take action.  One obvious suggestion would be for the administration to do something more efficacious than publishing a list of Forbes’ Richest Russians and apply additional sanctions as a response to continuing Russian interference in our political systems and institutions.  “Name and Shame” has obviously NOT stopped Russian efforts.  As the Cardin Report points out, the timidity of the US reaction to Russian activities as compared to actions taken by European nations has a source, in the White House:

“Despite the clear assaults on our democracy and our allies in Europe, the U.S. government still does not have a coherent, comprehensive, and coordinated approach to the Kremlin’s malign influence operations, either abroad or at home. Although the U.S. government has for years had a patchwork of offices and programs supporting independent journalism, cyber security, and the countering of disinformation, the lack of presidential leadership in addressing the threat Putin poses has hampered a strong U.S. response.”  [CardinReport pdf]

So, the British have publicly chastised the Russians for their meddling and have taken steps to secure their cyber-systems and election procedures.  The Germans upgraded the cooperation between the government and the campaigns, taken stronger measures against bots and trolls, and issued strong warnings of consequences for any additional Russian games.  The Spanish cracked down on Russian based organized crime groups, especially those seeking to use the country for money laundering.  The French took direct action to address cyber-hacking and smear campaigns.  The Nordic states have adopted a “whole society” approach to address Russian propaganda and cyber efforts. The Baltic states have employed public information campaigns, strengthened cyber-security systems, and reduced their energy dependence on Russian sources. [Cardin] If most of our western allies can take active measures to address Russian interference, the question remains — Why has the US done so little?  The Cardin Report conclusion that the lack of presidential leadership has not been helpful takes on more credibility.

There are some activities good old Average Americans can do to help rectify this situation.  (1) Get informed.  Read the Cardin Report.  (2) Evaluate the suggested steps the US could take to directly confront Russian interference. (3) Contact Senators and Representatives to let our lawmakers know that the public IS interested in Russian operations in the US.  (4) Contact those Representatives to tell them the American public (and their constituents in particular) insist the administration implement and enforce the sanctions enacted by Congress.

Perhaps there’s a sufficient number of phone calls, post cards, e-mails, and constituent meetings which will prevent the Russian Meddling from being an annual event in the American press, each time reminding us that nothing has been accomplished thus far to prevent Russian activities to sow discord, dissension, and advance the demolition of American political institutions.  We should not only hope so, but also work to make this happen.

Comments Off on Now A Warning? Same Old News About Russian Interference Without Any New Response

Filed under elections, Homeland Security, Nevada politics, Politics

The Happy Hackers Bill approved by House Republicans

One of the major ironies of the past few days is that the administration’s fraudulent anti-voting fraud commission is asking for bundles of private voter information from the 50 states, all the while dismissing Russian interference in the 2016 election as a hoax, AND submitting a budget which we’ve known for some time would eliminate the ONE federal agency tasked with assisting state and local governments with election security.

“House Republicans are taking aim at a small federal agency that helps provide election oversight and guidance, saying its functions are no longer necessary.

A spending bill from the House Appropriations Committee unveiled Thursday would give the Election Assistance Commission 60 days to terminate itself. The small agency was created after the tightly contested 2000 presidential election. It has an annual budget of about $10 million and had just 31 employees on its rolls as of March. The agency writes election management guidelines and develops specifications for testing and certifying voting systems, among other tasks.” [GovExec]

The bill, introduced by Rep. Gregg Harper (R-MS), would hand the powers and duties of the Election Assistance Commission to the Federal Election Commission, and the little agency responsible for “developing specifications for testing and certifying voting systems” would fold up and go away under the terms of HR 634.

The tribulations and gridlock in the Federal Election Commission are well known and documented: Investigations stalled, dark money flowing freely, enforcement delayed and denied. In short a scene of “dysfunction and deadlock.”  [NYT]  Failures to investigate, and 3-3 vote ties stifling further investigations. [NBC] Thus, the Harper bill would deliver election security responsibilities to a commission already in the throes of partisan gridlock and as they say so politely, “dysfunction.”

Republicans on the Administration Committee [Harper (R-MS), Davis (R-IL), Comstock (R-VA), Smith (R-NE),  Walker (R-NC), and Loudermilk (R-GA)] voted to send the bill forward;  Democratic Representatives Brady (D-PA), Lofgren (D-CA) and Raskin (D-MD) voted “no.”  So, what do these lawmakers want to hand over the the stalemated FEC?  The part which should interest us the most at the moment is this segment from the EAC:

“EAC Certification Program is to provide clear procedures to Manufacturers for the testing and certification of voting systems to specified Federal standards consistent with the requirements of HAVA Section 231(a)(1).

Under this program, the testing and review process requires the completion of an application, employment of an EAC-accredited laboratory for system testing, and technical analysis of the laboratory test report by the EAC. The result of this process is an Initial Decision on Certification.”

It doesn’t take much effort to interpret this task as the foundation of standards for the certifying and testing of election systems.   Republicans may argue that this could be done under the auspices of the Department of Homeland Security, but this seems hollow since the bill doesn’t transfer the duties to DHS, it just wipes the EAC off the map.  The EAC already maintains a list of certified election systems,  and those which have been terminated.   The Republicans appear quite pleased to take the constable off the beat, and hope that someone, somewhere, will prevent the development and certification of voting systems from becoming the Wild West of slackers, partisan backers, and hackers.

If eliminating the EAC isn’t the answer, what might be?   The Brennan Center issued a report on “Security Election Systems from Foreign Interference,”  in a forward by former CIA Director James Woolsey,” he observes:

“In the last few months, we have learned extraordinary details about a Russian assault on our election infrastructure. While there is no evidence that this assault altered the vote count, that fact should be cold comfort as we look to protect ourselves against future attacks.”

One doesn’t have to be an expert on cybersecurity or election technology to understand how dangerous this is. Based on my experience, as a former Director of Central Intelligence, and in service to this country under both Democratic and Republican Presidents, I am confident the Russians will be back, and that they will take what they have learned last year to attempt to inflict even more damage in future elections. In particular, their history of interfering in other nations’ politics, their antipathy to the United States and Western democracies generally, and their proven ability to multiply the impact of their actions through cyberattacks should put us on the highest alert, and spur us to take all necessary actions to protect ourselves from further attack.”

In summary form, Ambassador Woolsey is convinced the Russians will be back, they will apply “lessons learned” evaluations, and they will attempt to cause even more damage in the future.  If the former CIA Director is correct, and there’s no logical reason to believe otherwise, this is hardly the time to terminate any programs to help state and local election officials secure their systems.  In fact, it’s time to do more, as outlined by the Report:

“What more must be done? The key security measures detailed in this report are the right place to start: replace paperless electronic machines, upgrade the hardware and software that supports voter registration, and conduct post-election audits to confirm the results.

These are common-sense solutions that will increase security and public confidence in the integrity of our system. Importantly, they will do so without interfering with the right of any eligible citizen to participate in the choice of who will govern the nation.”

Some of these recommendations are squarely in the EAC wheelhouse, others will require additional support for local and state election officials.

The good news is that the decentralization of American voting systems makes a concerted attack extremely difficult, there are 8,000 voting jurisdictions, and about 100,000 polling places.  However, this doesn’t mean that we should be taking much comfort from our fragmented system, because the bad news is that some jurisdictions are using antiquated equipment with operating systems no longer supported by vendors (and thus are easier to attack.)  States and localities have made progress toward greater technical voting system security since 2004, but now is no time to rest upon laurels and declare “we’re Safe!” merely because vote totals are difficult to alter.

There’s also the matter of voter registration data security.  Again, the Brennan Center recommends:

“State and local governments must fully identify potential avenues for attacking voter registration systems, mapping out all of the entities that interact with that system, and implementing mitigation strategies where weaknesses are identified. The consensus among experts interviewed by the Brennan Center is that this should be done on a regular basis, but that many states are unlikely to have completed this kind of comprehensive risk assessment in the last few years, despite the fact that both registration systems and cyber threats have evolved enormously over that time.”

Putting a more blunt perspective on it:  The risk assessment tools used to evaluate the security of voter registration data which were judged “state of the art” just a couple of years ago may now be as outdated as that Motorola StarTAC clam shell mobile phone  sitting in the bottom of someone’s junk drawer.   Add to this the notion that the Administration’s fraudulent Fraud Commission wants to centralize voter registration data from 50 states all in one convenient place — thus making it a handier target for our adversaries — and we lose the advantages of decentralization while making life easier for those wishing to practice their “foreign interference.”

There is a bill in the Congress well worth supporting, introduced by Derek Kilmer (D-WA), HR 1344, under its terms the Department of Homeland Security would assist local and state government officials as follows:

“The Department of Homeland Security (DHS) may award states with planning and biennial implementation grants under the program to:

adopt cybersecurity best practices;
mitigate talent gaps in government workforces;
protect public safety answering points, emergency communications, and continuity of communications during catastrophic disruption;
mitigate threats to critical infrastructure or key resources;
coordinate with neighboring states or countries, National Guard units, or information sharing and analysis organizations; and
establish scholarships or apprenticeships to provide financial assistance to state residents pursuing cybersecurity education who commit to working for state government.
The bill sets forth requirements for distribution of awarded amounts to local and tribal governments within states and for consultation with local and regional officials.

The Committee for Cyber Resiliency Grants is established to: (1) promulgate guidance for states to develop applications for such cyber resiliency grants; (2) provide DHS and states with recommendations regarding the approval of state plans or applications; and (3) evaluate, and report to Congress regarding, the progress of states in implementing plans.”

We’d be well advised to contact our Representatives and recommend they oppose HR 634 (perhaps on the theory that the fact we have a Navy doesn’t obviate the need to also have a Coast Guard) and to support HR 1344.

This is hardly the time to make the hackers any happier.

Local Contact Information: 

Representative Mark Amodei (R-NV2) Phone: (775) 686-5760

Representative Dina Titus (D-NV1) Phone: (702) 220-9823

Representative Ruben Kihuen (D-NV4)  (702) 963-9360

Representative Jacky Rosen (D-NV3)  (702) 963-9500

Comments Off on The Happy Hackers Bill approved by House Republicans

Filed under Nevada Congressional Representatives, Nevada politics, Politics, Vote Suppression, Voting