2020 Elections Will Be a Security Disaster Zone

Next year’s U.S. elections will be no more secure than in 2016. That’s the depressing conclusion from reports out this week, including a massive, 90-page analysis from the Stanford Cyber Policy Center.

Experts say the very laws set out to make elections fair are making them less secure. In today’s SB Blogwatch, we get out the vote.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: DJs From Mars.

20/20 Hindsight: Too Late

What’s the craic? Nicole Perlroth and Matthew Rosenberg bring us, “Election Rules Are an Obstacle to Cybersecurity of Presidential Campaigns”:

 2020 … candidates face legal roadblocks … to defend against the cyberattacks and disinformation campaigns that plagued the 2016 presidential campaign. … Federal laws prohibit corporations [or] political parties … from offering free or discounted cybersecurity services to federal candidates … because it is considered an “in-kind donation.”

Experts say time is running out for campaigns to develop tough protections. … The 2020 campaigns themselves are unlikely to have the expertise to track disinformation campaigns or to build sophisticated defenses needed to ward off hackers [nor] afford to pay outside experts market rates.

The Federal Election Commission [has] ruled that a nonprofit organization … could provide free cybersecurity services. … But the ruling was narrow, and applied only to nonpartisan, nonprofit groups that offer the same services to all campaigns.

For now, campaigns must fend for themselves, and most are vulnerable to more phishing attacks.

Beware of unintended consequences? Jessica Brandt—@jessbrandt—is beside herself:

 We really can’t expect campaigns — small organizations, with short life spans, small budgets, and little to no IT expertise — to go up against the intelligence agencies of adversarial governments. It’s not a fair fight.

ALSO: it’s not just presidential campaigns. We have 435 congressional races every other year. That’s a whole lot of target surfaces.

Poor cyber-hygiene is a real problem, even among those who should know better. … Security of voter rolls matters as much as of machines. Manipulating them can … disenfranchise voters (selectively) [and] cast doubt on the integrity of the vote.

Speaking of which, Maciej Cegłowski has experience in the trenches—“What I Learned Trying To Secure Congressional Campaigns”:

 From late 2017 to 2018 … I was part of an effort that delivered a basic, hour-long campaign security training to 41 … Congressional campaigns [that] ranged from beyond-long-shot candidates running from their den, all the way up to some nationally prominent figures. … I want to now hand over to you, the next person willing to take a swing at this piñata of futility.

This article is specifically about campaign security, or how to keep candidates and their staff and families safe from people trying to break into social media, read their email, or wire their campaign war chest to Nauru. … Practical campaign security is a wood chipper for your hopes and dreams. … Trying to secure a modern campaign is like doing surgery with a scalpel made out of anthrax spores.

I was never able to find a way to set people up on a password manager in the time available. … In the end, I told candidates to generate unique passwords and save them in the notes app on their phone, or write them down on a card they kept in their wallet.

Security keys are still hard to use. The biggest problem is the lack of support for U2F on the iPad or iPhone.

The candidate was the hardest person to secure. … And without support at the top, it’s hard to get everyone else to take the problem seriously.

D.C. people … are characters from Veep come to life. … They communicate exclusively by Word attachments sent from their AOL account.

Yikes. And thirdsun is in violent agreement:

 I just introduced 1Password in our company, to our mostly non-technical staff and being a long time 1Password user myself it was indeed surprisingly complicated and involved more friction than most of us … would expect.

The actual process of moving to secure, unique passwords requires changing them manually at every service in a repeated sequence of back and forth between the service’s configuration and 1Password. [And] problems like 1Password not recognizing that the current website at foo.ebay.com does in fact belong to the entry with the attribute bar.ebay.com.
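Why a password manager hesitates over foo.ebay.com versus bar.ebay.com is worth a closer look, because the conservative behaviour is partly a security feature. The sketch below is an added example (it is not 1Password’s code, nor anything from thirdsun or the original post). It matches a saved entry to the current page on the registrable domain (eTLD+1), so the two ebay.com hosts match, while refusing to treat alice.github.io and bob.github.io as the same site, since github.io is a public suffix and every subdomain belongs to a different stranger. The PUBLIC_SUFFIXES set is a constructed three-entry subset of the real Public Suffix List, used only so the example runs offline; a real implementation loads the full list.

```python
"""Registrable-domain matching for password-manager autofill.

Added example, not code from 1Password or from the original post.
PUBLIC_SUFFIXES is a constructed subset of the Public Suffix List
(https://publicsuffix.org/); a real manager loads the full list.
"""
from typing import Optional
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List for this demo only.
PUBLIC_SUFFIXES = {"com", "co.uk", "github.io"}


def registrable_domain(host: str) -> Optional[str]:
    """Return the eTLD+1 for a hostname, e.g. 'foo.ebay.com' -> 'ebay.com'.

    Returns None when the host is itself a public suffix (there is no
    single owner, so nothing should ever match it).
    """
    labels = host.lower().rstrip(".").split(".")
    # Walk from the full host down to the TLD; the first suffix found
    # this way is the longest match, so 'co.uk' wins over 'uk'.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # host is a bare public suffix
            return ".".join(labels[i - 1:])
    # Suffix not in our (partial) list: fall back to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def entry_matches(entry_url: str, page_url: str) -> bool:
    """Decide whether a saved login (entry_url) may be offered on page_url.

    Rules: both sides must be https (never downgrade a credential onto a
    plaintext page), and both hosts must share a registrable domain.
    Sibling subdomains of one owner match; sibling subdomains of a
    public suffix do not.
    """
    entry, page = urlsplit(entry_url), urlsplit(page_url)
    if entry.scheme != "https" or page.scheme != "https":
        return False
    if not entry.hostname or not page.hostname:
        return False
    entry_dom = registrable_domain(entry.hostname)
    page_dom = registrable_domain(page.hostname)
    return entry_dom is not None and entry_dom == page_dom


if __name__ == "__main__":
    cases = [
        ("https://bar.ebay.com/login", "https://foo.ebay.com/signin"),
        ("https://alice.github.io/", "https://bob.github.io/"),
        ("https://bar.ebay.com/login", "http://foo.ebay.com/signin"),
    ]
    for saved, current in cases:
        print(f"{saved} -> {current}: {entry_matches(saved, current)}")
```

The first case is the one thirdsun wants to succeed, and it does. The second is the reason a manager cannot simply strip the leftmost label and compare what is left: on a shared-hosting suffix that rule would autofill one user’s credential into another user’s page. The third fails on scheme alone, which is the same check that stops a phishing page served over plain http from harvesting a stored password.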

But there’s a broader context here. Lily Hay Newman says, “Election Security Is Still Hurting at Every Level”:

 The Russian meddling that rocked the 2016 US presidential election gave the public a full view of … weak voting infrastructure and election systems. … Two and a half years later, real progress has been made [but] glaring systemic risks remain.

Smooth-running elections will require a clear-eyed view of those lingering deficiencies. … Four areas stand out that still need major work:

Experts have long agreed on the need for a paper backup to be generated along with each digital vote. Computerized tallies can potentially be manipulated in ways that paper cannot.

While independent, locally adjudicated elections are a cornerstone of US democracy … federal funding is still badly needed to make sure all election systems around the country have high-caliber security. … Secure election advocates say … funding has not come quickly enough and that it needs to be consistent and reliable over time.

Voting machine vendors in particular aren’t subject to any specific regulations, and aren’t even required to notify their customers when they have a security issue or breach. … Voting machines don’t just need better technology [but also] a better regulatory framework.

[There’s a] need to forge international norms discouraging hacking and digital meddling in foreign elections [and] reinforcing basic concepts of voting as a human rights issue.

So Stanford Prof. Michael McFaul summarizes some “Prescriptions for Enhancing the Integrity and Independence of the 2020 U.S. Presidential Election and Beyond”:

 In 2016 … Vladimir Putin, his government, and his proxies deployed multiple strategies and instruments—media, doxing, covert operations, direct contacts with Trump associates, and cyber-attacks on U.S. electoral infrastructure—to influence the outcome of the … election, and more generally, to disrupt the electoral process. … The scale, scope, and sophistication of this Russian intervention … were unprecedented.

This report urges policymakers, in both government and the private sector, to act immediately: …

  • Increase the Security of the U.S. Election Infrastructure …
  • Regulate Online Political Advertising by Foreign Governments and Nationals …
  • Confront Efforts at Election Manipulation from Foreign Media Organizations …
  • Combat State-Sponsored Disinformation Campaigns …
  • Enhance Transparency about Foreign Involvement in U.S. Elections …
  • Establish International Norms and Agreements …
  • Deter Foreign Governments from Election Interference

What we need right now is a ridiculous over-simplification. Business Cat—@BusinessCat6—trolls thuswise:

 - Ballot cards
- Identification
- Paper & pencil.

3 simple ways you can iron-clad your elections and it’s simply what your Western allies have been doing for decades.

Easy peasy lemon squeezy.

And Finally:

Never Really Over Vs A Sky Full Of Stars

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.


Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
