Tag Archives: Russian Hacking

Meanwhile! Back At The Ballot Boxes

Not that I’m unconcerned about sexual harassment (etc) BUT there’s another story which is getting lost behind the steady drip of the Mueller Investigation and the deluge of harassment stories — not to put too fine a point to it, but the Russians played havoc with our election in 2016 and the Congress of the United States hasn’t done squat about it.

The House Permanent Select Committee on Intelligence seems perfectly happy to make charges and counter-charges about “collusion” without apparently looking all that deeply into what espionage techniques and strategies were applied by the Russians, and what was the outcome. Nor have I heard one peep out of them about how to better secure our election institutions and systems against incursions.  Given White House water boy Devin Nunes is in charge of the committee, I don’t suppose we’ll get that much out of this outfit, and that’s both a tragedy and a missed opportunity.

While the Senate Select Committee on Intelligence manages to sound more organized and focused,  there’s not much emerging from that quarter either.   Again, the committee seems to have Republicans intent on proving there’s “nothing to see here,” and Democrats hoping to find the smoking arsenal.  Again, the conspiracy/collusion segment is only part of the story, and while it’s important so too is the notion that we need to find out what the Russians did, how they did it, and how we can prevent this from happening in future elections.

Then there’s the Senate Committee on the Judiciary.   Chairman Charles Grassley (R-IA) seems rather more interested in absolving Republicans and the President from responsibility for or knowledge of Russian activities than in finding out exactly what happened in 2016.   I wouldn’t want to hang by my hair for as long as it will take to get this outfit to determine what laws were broken, or eluded, by Russians — nor how we might want to modify our statutes to prevent future problems.  The House Judiciary Committee is essentially AWOL on all manner of topics, case in point the “calendar” for the subcommittees is almost blank for the month of December with one FBI “oversight” hearing, and one session with Deputy AG Rod Rosenstein.  The Chairman appears to be more concerned with disparaging the Mueller Investigation than with determining how to identify and prevent foreign incursions into our elections.

Remember that back on September 22, 2017, the Department of Homeland Security finally informed 21 states that their elections systems had been hacked in some way, shape, or form:

“The federal government on Friday told election officials in 21 states that hackers targeted their systems before last year’s presidential election.

The notification came roughly a year after officials with the United States Department of Homeland Security first said states were targeted by hacking efforts possibly connected to Russia. The states that told The Associated Press they had been targeted included some key political battlegrounds, such as Florida, Ohio, Pennsylvania, Virginia and Wisconsin.

The A.P. contacted every state election office to determine which ones had been informed that their election systems had been targeted. The others that confirmed they were targeted were Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, Illinois, Iowa, Maryland, Minnesota, North Dakota, Oklahoma, Oregon, Texas and Washington.” (emphasis added)

Notifying 21 states a year after the fact was bad enough — but not only was the information belated, some of it wasn’t even accurate.

“Now election officials in Wisconsin and California say DHS has provided them with additional information showing that Russian hackers actually scanned networks at other state agencies unconnected to voter data. In Wisconsin, DHS told officials on Tuesday that hackers had scanned an IP address belonging to the Department of Workforce Development, not the Wisconsin Elections Commission.

California Secretary of State Alex Padilla (D) said in a statement Wednesday that DHS gave his office additional information saying hackers had attempted to target the network of the California Department of Technology’s statewide network and not the secretary of state’s office.”

So, we might expect the Senate Homeland Security and Government Affairs Committee to be looking into this?  No, the Chairman, Sen. Ron Johnson is more interested in finding out if members of the Mueller team are biased against the current President.  The “logic” appears to be that because Special Counsel Mueller REMOVED those who made prejudicial statements in text messages therefore the investigation is prejudiced.  It doesn’t get more bass-ackwards than this.   Can we expect oversight regarding the slowness and inaccuracy of the DHS response to election hacking?  Under the current Senate leadership probably not.

The national broadcast media (as usual) is currently chasing the newest shiny object — which members of the Congress can or cannot keep their hands to themselves and their “little soldiers” zipped inside the “barracks.”  This is an important topic — but to continue to focus on the salacious and to continue to ignore the insidious is not in the best interest of this country and its institutions.

There are questions introduced last August which remain unresolved, and for which we should demand answers:

  1. What was the extent and nature of Russian hacking (and meddling) in the US election of 2016?
  2. Will the United States deploy safeguards and countermeasures to address these Russian activities?
  3. Will the frustrations of state governments with the quality of information shared by DHS be alleviated? Will states receive up to date and accurate information so they can prevent hacking and meddling?
  4. What measures should be taken to prevent future hacking and meddling, and to give the states the support they need to deal with forms of assault as yet undeployed by the Russians?

The Mueller Investigation can explore and illuminate the extent to which criminal statutes may have been broken in regard to the 2016 election, but it cannot determine how the US analyzes, evaluates, and prepares for the next round of elections. That should be the function of Congress, but then we seem to have one so focused on giving tax breaks to the wealthy and so determined to cut Social Security, Medicare, and Medicaid they can barely pay attention to the transgressions of their own members (speaking of Farenthold here) while chasing conspiracy theories about the “Deep State” opposition to the administration.

Perhaps in the midst of asking our Senators and Representatives about the “questions of the day,” we should squeeze in a couple of questions (see above) that have been sitting on the shelves since last Summer?


They’ve Only Just Begun: Hacking the Silver State?

If the President of the US isn’t all that interested in how the Russians hacked and meddled in the 2016 election, voters and voting officials in the US should be, and this includes the state of Nevada.  There are several layers to the issues, the voting itself and the processes which are elements of the total election system.

Voting Machine Vulnerability

The good news is that Nevada has a relatively robust voting system in place that is more difficult for a foreign power — read Russian operatives — to hack; the bad news is that the Sequoia (Dominion) system could still have some issues, mostly related to “insider” attacks:

“The software suffers from numerous programming errors, many of which have a high potential to introduce or exacerbate security weaknesses. These include buffer overflows, format string vulnerabilities, and type mismatch errors. In general, the software does not reflect defensive software engineering practices normally associated with high-assurance critical systems. There are many instances of poor or absent error and exception handling, and several cases where the software behavior does not match the comments and documentation. Some of these problems lead to potentially exploitable vulnerabilities that we identified, but even where there may not be an obvious vulnerability identified, the presence of such errors reduces our overall confidence in the soundness of the system as a whole.” [VerifiedVoting]

The problems associated with Nevada’s voting machines are mostly of the variety perpetrated by “insiders,” those who have control of the machines during set up, maintenance, and handling.  This is good news for preventing ‘rigging’ issues in terms of election outcomes being vulnerable to outside forces.  A statement from the Secretary of State describes the election audit system. (pdf)

Voter Registration Record Security

The election voter data isn’t quite so reassuring. Nevada is a “member” of the Cross Check system. The system certainly can be used to remove individuals from the voter rolls with deleterious effect, and the exchange between voting officials and the Nevada ACLU isn’t all that comforting:

Wayne Thorley, Nevada’s deputy secretary of state for elections, counters that the program just matches data and doesn’t target anyone. “Just because someone comes back as a match on the Interstate Crosscheck list, it doesn’t automatically trigger cancellation of their account,” he said. “And then, further investigation is done by the state.” He said Nevada also uses the Electronic Registration Information Center to match names from the Crosscheck list with DMV records. Voters then get a postcard to verify their address and if they don’t respond and don’t vote in two elections, they’re dropped from the rolls. Tod Story, executive director of the Nevada ACLU, worries that the postcard system could be problematic. “It does not seem to be fair and certainly would affect more low-income and minority voters, who tend to be more transient, who are going to move more frequently,” he said. Thorley said that is certainly not the intent. “If that has a disparate impact on members of minority communities, I’m not aware of that,” added Thorley. “But it’s not targeted that way at all. We’re simply following the federal law.”

First, Mr. Thorley should be aware of “that” — there is, and has been demonstrated to be, a disparate impact on members of minority groups. Secondly, the post-card system is, and has been demonstrated to be, an ineffective way of contacting individuals who are ‘challenged’ under the Cross Check system. [RS] The results of using the Cross Check system are also not reassuring:

“The program has since expanded to 30 states, according to the National Conference of State Legislatures (NCSL), but it’s been controversial from the start. For one thing, it’s resulted in very few actual cases of fraud being referred for prosecution, as alleged cases of double voting in multiple states turned out to be clerical and other errors. One tally found that while the program has flagged 7.2 million possible double registrants, no more than four have actually been charged with deliberate double registration or double voting. Meanwhile, some states including Florida dropped out of the program due to doubts about the reliability of its data — though others, including the swing state of North Carolina, joined despite those issues.”  [TVN]

Get that? Out of 7.2 million ‘flagged,’ 4 individuals have been charged with double registration or double voting. In addition to obviously being ineffective (a 0.000055% catch rate doesn’t seem worth the effort), the collection would appear to be a grand place for a hacker to start if he or she has mischief in mind.

Initial Russian assaults are still a matter of confidentiality; no Secretaries of State have yet been cleared to receive the reports of hacking collected by our security agencies, although there is testimony that 21 states were subjected to attacks of some kind. [LAT] We do know that Illinois was one of the states in which voter registration rolls were hacked.

“The hack had nothing to do with counting the votes in elections in Illinois. The hackers looked at voting registration data: name, address, date of birth, gender and the last four digits in the Social Security number.

The hackers searched through about 80,000 records overall, with the elections board confirming that the records of just under 3,000 voters were viewed by the hackers.” [CST]

The Chicago Sun Times reported how the hack was accomplished, and how it was detected.   The state of Arizona also had a major scare, as reported by Michele Reagan, AZ Secretary of State:

Reagan said she was alerted to the hack after the Federal Bureau of Investigation found a credential — a username and login — for the state system for sale on the dark web.

“It was really frightening and scary considering we’re in charge of almost four million people’s information,” Reagan said.

Reagan said her office had a lot of decisions to make in a short amount of time to protect voter safety and took the system offline.

“At that moment in time, the most important thing was what do we do with that database,” she said. “How do we inspect it? We need to make sure that no information was taken, no information was altered, a virus wasn’t inserted into that system.”

She said, while the voter database was hacked, the voting registration system was not.

“We got lucky once,” she said, adding that the state has added multi-factor authentication, required the changing and strengthening of passwords and made other tweaks to better protect the system. [KTAR]

It would be reassuring to know if Nevada has implemented “multi-factor authentication” and other measures to better secure Nevada voter data.

I’ve not read any reports to date assuring me that the Russian hacking was a “one-off” and unlikely to be replicated. Indeed, nearly every article asserts that what we’ve seen in 2016 was only the beginning. A few intrusions in anywhere from 21 to 39 states, a peek into voter information data, some attempts to “phish” their way into systems — and many warnings that this indicates increasing interest in going deeper into US elections rather than any foray for temporary recreational purposes.

Recommendations

Retain the sanctions placed on the Russians by the Obama Administration, and enact new and greater sanctions on them as proposed by the U.S. Senate.  House Republicans have stalled the bill which passed the Senate on a 98-2 vote. [NYT] As of June 23, 2017 the White House indicated it would step up lobbying efforts against the Russian sanctions bill. [WP]  Those tracking the progress of this bill will want to follow GovTrack S 722.

Review and potentially revise Nevada voter data security processes and products.  Have issues revolving around the infamous Cross Check program been resolved?  Have procedures been adopted that would prevent access such as happened in Illinois and Arizona?

Russian probing, and interference, will not stop… it will be up to the US Congress and the 50 states to reject their efforts.

 
