Election Hacking Thread


From Five Thirty Eight. Highly recommended! Read the whole thing, it’s great.

But what worries election security watchers most is that the U.S. isn’t being proactive enough in its work against state-sponsored hackers targeting the country’s election systems and political organizations. In February 2018, Adm. Mike Rogers, the head of the National Security Agency and Cyber Command, told the Senate Armed Services Committee that he had not been instructed by President Trump or Defense Secretary James Mattis to go after Russian hackers at their point of origin. “Everything, both as the director of the NSA and what I see on the Cyber Command side, leads me to believe that if we don’t change the dynamic here, this is going to continue, and 2016 won’t be viewed as something isolated,” Rogers said. That might mean that while U.S. intelligence agencies are monitoring Russian cyberactivity or gathering on-the-ground intelligence, they might not be taking offensive actions to prevent further attacks on state election systems.


I didn’t realize Mattis has the authority to order further action on pursuing hackers, I’m trying to figure out why he won’t? Or maybe there’s a covert instruction to do it but they’re publicly pretending like they’re not so that drumpf doesn’t turn right around and tip off the enemy…or maybe my brain looks like this right now lol


Yeah, I don’t know :woman_shrugging:t2:


The Senate Intelligence Committee released their report on Russian hacking of election infrastructure. The findings were interesting to say the least.


Actors and Motive

The Committee concurs with the IC that Russian government-affiliated actors were behind the cyber activity directed against state election infrastructure.

While the full scope of Russian activity against the states remains unclear because of collection gaps, the Committee found ample evidence to conclude that the Russian government was developing capabilities to undermine confidence in our election infrastructure, including voter processes.

The Committee does not know whether the Russian government-affiliated actors intended to exploit vulnerabilities during the 2016 elections and decided against taking action, or whether they were merely gathering information and testing capabilities for a future attack. Regardless, the Committee believes the activity indicates an intent to go beyond traditional intelligence collection.

(Matt Kiser) #25


From @dragonfly9, saving for later. :nerd_face:

Day 489


Ok…thx for pointing this out. :grinning:


@dragonfly9 Sigh… Well, at least the states are trying to find solutions… I feel like new paper ballots and pencils can’t cost all that much. :woman_shrugging:t2:


Voting - Protecting fairness and Regulating it for the future

We see glimpses of what may or may not be happening within the states about how voting should be handled in the future.

How many states have paper ballots?
Which states use electronic ballots?

How safe are our voting databases from external threats and from manipulation via the courts (washing voter rolls)?

How do we prevent outside influencers (Koch Bros) from getting sway on how our voter data is protected?

Not sure if this is an overlapping topic, but thought I’d add it to the General Discussion.

“Every state I travel to, state official I talk to, is taking this seriously,” Masterson said before an overflow crowd in the hearing room on the second floor of the Dirksen Senate Office Building. Notably, there were plenty of seats left on the Republican side of the bench, with only Charles Grassley of Iowa, who chairs the committee, present. The absence of other Republicans only underscored how divisive the issue of Russian electoral meddling remains; when Dianne Feinstein urged fellow legislators to “put aside politics and act decisively,” she was speaking almost entirely to members of her own party.

After testifying before the committee, Nina Jankowicz, a Kennan Institute scholar who has spent the last several years advising the Ukrainian government on how to counter Russian disinformation campaigns, told Yahoo News that the United States needs a “generational solution” that will make Americans less susceptible to fake news and other forms of manipulation. She pointed to Finland and Sweden as two nations that have done especially impressive work in educating their citizens in this regard. It is work, however, they have been doing since the end of World War II.

For now, Jankowicz hopes that every election board in the nation should make sure that electronic voting records are bolstered by a paper trail of tamper-proof records. She also believes, like Hickey of the Justice Department, that a “credible threat of retaliation” should be presented to the Russians, lest they think of launching another misinformation campaign in November. Lastly, she would “enlist credible third parties,” such as technology companies, to explain to Americans how voting works, since a broad confusion about the electoral process is what makes that process potentially ripe for exploitation.

“It’s mush,” she said. “It’s hard for Americans to wade through that.”




DEFCON is back this weekend and they set up another election village.

This weekend saw the 26th annual DEFCON gathering. It was the second time the convention had featured a Voting Village, where organizers set up decommissioned election equipment and watch hackers find creative and alarming ways to break in. Last year, conference attendees found new vulnerabilities for all five voting machines and a single e-poll book of registered voters over the course of the weekend, catching the attention of both senators introducing legislation and the general public. This year’s Voting Village was bigger in every way, with equipment ranging from voting machines to tabulators to smart card readers, all currently in use in the US.

In a room set aside for kid hackers, an 11-year-old girl hacked a replica of the Florida secretary of state’s website within 10 minutes — and changed the results.

“There’s an interesting paradox,” Blaze said. “We know these systems are wildly insecure, and there’s been precious little evidence of these vulnerabilities so far being exploited in real elections. I think we’ve been very lucky, and I think there’s a little bit of a ticking time bomb here.”

Since October 2016, when intelligence agencies first put forth a statement warning that Russia was attempting to interfere in the US election, the US government has walked a tightrope between warning that Russia was trying various tactics to influence the outcome and insisting that everyone’s vote was counted accurately. While a number of Russian tactics with a range of effects have been exposed — hacking and leaking Democrats’ emails, scanning state voter registration databases, and sending phishing emails to county employees — there is, as numerous agencies have repeatedly stated, no known evidence of foreign hackers ever changing a US vote tally. One of Russia’s fundamental goals with such attacks, analysts stress, is undermining Americans’ faith in democracy itself.


Just unbelievable…we suspected as such, and with questionable facts on whether that FLA voting set up has been infiltrated, one would think a huge panic would set in.

In a statement, the National Association of Secretaries of State disagreed with the village’s hacking efforts, arguing that the village is setting up an unrealistic scenario.

"Providing conference attendees with unlimited physical access to voting machines, most of which are no longer in use, does not replicate accurate physical and cyber protections established by state and local governments before and on Election Day," the organization said.

Despite the voting machine vulnerabilities being exposed in Defcon, it’s not clear whether the exercise will be able to help with the midterm elections in November. Braun said Defcon’s report on the voting machines will publish in September, giving election officials two months to fix all the reported security issues.


Hacking The Electric Grid Is Damned Hard

But, surprisingly, some electrical system experts are thinking about it in a different way. Cyberattacks on the grid are a real risk, they told me. But the worst-case scenarios we’re imagining aren’t that likely. Nor is this a short-term crisis, with risks that can be permanently solved. Bringing down the grid is a lot harder than just flicking a switch, but the danger is real — and it may never go away.

It helps that the North American electric grid is both diverse in its engineering and redundant in its design. For instance, the Ukrainian attacks are often cited as evidence that hundreds of thousands of Americans could suddenly find themselves in the dark because of hackers. But Lawrence considers the Ukrainian grid a lot easier to infiltrate than the North American one. That’s because Ukraine’s infrastructure is more homogeneous, the result of electrification happening under the standardizing eye of the former Soviet Union, he told me. The North American grid, in contrast, began as a patchwork of unconnected electric islands, each designed and built by companies that weren’t coordinating with one another. Even today, he said, the enforceable standards set by NERC don’t tell you exactly what to buy or how to build. “So taking down one utility and going right next door and doing the same thing to that neighboring utility would be an extremely difficult challenge,” he said.

Meanwhile, the electric grid already contains a lot of redundancies that are built in to prevent blackouts caused by common problems like broken tree limbs or heat waves — and those redundancies would also help to prevent a successful cyberattack from affecting a large number of people. Suh-Lee pointed to an August 2003 blackout that turned the lights off on 50 million people on the east coast of the U.S. and Canada. “When we analyzed it, there was about 17 different things lined up that went wrong. Then it happened,” she said. Hackers wouldn’t necessarily have control over all the things that would have to go wrong to create a blackout like that.


The Cybersecurity 202: Def Con hackers couldn’t crack a mock voter database. It’s a rare bright spot for election security.

There is some good news: we do have the ability to protect these machines. We just need political will and funding.

They tried all weekend to hack the database, which was modeled after a real Ohio county’s and bolstered with extra layers of digital defenses. One got close, but nobody was able to manipulate the voter information inside.

To create the mock database, Voting Village organizers downloaded a publicly available list of voters from the Ohio secretary of state’s website. They then worked with officials from Cook County, Ill., who helped them create a realistic replica of a county computer network. They uploaded the database there and secured it behind layers of firewalls set up by Bash Kazi, a cybersecurity contractor who consulted on the project.

Hackers were invited to try to gain enough access to change voter information. If this were to happen in the real world on Election Day, it could cause long delays and create confusion at the polls. And the risks are well known: The Senate Intelligence Committee found that Russian hackers were in a position to “alter or delete” voter registration data in a “small number” of states when they intruded on election websites in 2016.

Kazi, who runs the firm KIG, which specializes in cybersecurity simulation training, said he hoped the exercise would help election administrators understand the threats. “The idea is to bring attention to the need to train local officials in the vulnerabilities that exist and the types of scenarios they’ll be encountering,” Kazi told me. He said the system he helped set up was “one of the more sophisticated networks relative to other small counties, which haven’t spent much money mitigating the risks that they have.”

Kazi watched as different hackers tried their luck throughout the day Friday. “After six and a half hours, no cigar,” he told me when I stopped by at the end of the afternoon. They didn’t fare any better the rest of the weekend.


Pervasive hacking…that DNI is aware of…what will be done on this front?

Documents Reveal Successful Cyberattack in California Congressional Race

The FBI investigated hacking attempts targeting a Democrat who ran against “Putin’s favorite congressman”

WASHINGTON — FBI agents in California and Washington, D.C., have investigated a series of cyberattacks over the past year that targeted a Democratic opponent of Rep. Dana Rohrabacher (R-CA). Rohrabacher is a 15-term incumbent who is widely seen as the most pro-Russia and pro-Putin member of Congress and is a staunch supporter of President Trump.

The hacking attempts and the FBI’s involvement are described in dozens of emails and forensic records obtained by Rolling Stone.

The target of these attacks, Dr. Hans Keirstead, a stem-cell scientist and the CEO of a biomedical research company, finished third in California’s nonpartisan “top-two” primary on June 5th, falling 125 votes short of advancing to the general election in one of the narrowest margins of any congressional primary this year. He has since endorsed Harley Rouda, the Democrat who finished in second place and will face Rohrabacher in the November election.

Cybersecurity experts say that it’s nearly impossible to identify who was behind the hacks without the help of law enforcement or high-priced private cybersecurity firms that collect their own threat data. These experts speculate that the hackers could have been one of many actors: a nation-state (such as Russia), organized crime, so-called e-crime or a hacktivist with a specific agenda. The FBI declined to comment.

Kyle Quinn-Quesada, who was Keirstead’s campaign manager, tells Rolling Stone that the campaign is now going public about the attacks for the sake of voter awareness. “It is clear from speaking with campaign professionals around the country that the sustained attacks the Keirstead for Congress campaign faced were not unique but have become the new normal for political campaigns in 2018,” Quinn-Quesada says. He added that the Keirstead campaign did not believe the cyberattacks had an effect on the primary election results.

The timing of the attacks is significant. Last month, Director of National Intelligence Dan Coats said the warning lights for future cyberattacks aimed at the U.S. were “blinking red.” A week later, a senior Microsoft executive said that Microsoft had identified and helped block hacking attempts aimed at three congressional candidates during the 2018 midterms. The executive declined to name those candidates, but the Daily Beast reported that the Russian intelligence agency responsible for the cyberattacks in 2016 had attempted to hack the office of Sen. Claire McCaskill (D-MO), who is running for reelection this year. (A Microsoft spokesperson declined to say if Keirstead was one of three people targeted by hackers, citing “customer privacy.”) Just last week, Sen. Bill Nelson (D-FL) said that Russian hackers had “penetrated” county voting systems in Florida.

While the spear-phishing attack targeting Keirstead’s work account was successful, none of the attempts to gain unauthorized access to the campaign’s website, hosting company or Twitter account were effective, according to the campaign emails.


Proposed legislation where every check and balance has been thought out by this bipartisan Secure Elections Act giving States ultimate authority to run their elections.

Secure Elections Act

Somehow the WH is not giving it a go…nor is Mitch McConnell being clear about what he’s done or not done to support this.

WASHINGTON — A bill that would have significantly bolstered the nation’s defenses against electoral interference has been held up in the Senate at the behest of the White House, which opposed the proposed legislation, according to congressional sources.

The Secure Elections Act, introduced by Sen. James Lankford, R-Okla., in December 2017, had co-sponsorship from two of the Senate’s most prominent liberals, Kamala Harris, D-Calif., and Amy Klobuchar, D-Minn., as well as from conservative stalwart Lindsey Graham, R-S.C., and consummate centrist Susan Collins, R-Me.

Sen. Roy Blunt, R-Mo., was set to conduct a markup of the bill on Wednesday morning in the Senate Rules Committee, which he chairs. The bill had widespread support, including from some of the committee’s Republican members, and was expected to come to a full Senate vote in October. But then the chairman’s mark, as the critical step is known, was canceled, and no explanation was given.

As it currently stands, the legislation would grant every state’s top election official security clearance to receive threat information. It would also formalize the practice of information-sharing between the federal government—in particular, the Department of Homeland Security—and states regarding threats to electoral infrastructure. A technical advisory board would establish best practices related to election cybersecurity. Perhaps most significantly, the law would mandate that every state conduct a statistically significant audit following a federal election. It would also incentivize the purchase of voting machines that leave a paper record of votes cast, as opposed to some all-electronic models that do not. This would signify a marked shift away from all-electronic voting, which was encouraged with the passage of the Help Americans Vote Act in 2002.

“Paper is not antiquated,” Lankford says. “It’s reliable.”

In a statement to Yahoo News, White House spokeswoman Lindsay Walters says that while the administration “appreciates Congress’s interest in election security, [the Department of Homeland Security] has all the statutory authority it needs to assist state and local officials to improve the security of existing election infrastructure.”

Under current law, DHS is already able to work with state and local authorities to protect elections, Walters wrote. If Congress pursues the Secure Elections Act, it should avoid duplicating “existing DHS efforts or the imposition of unnecessary requirements” and “not violate the principles of Federalism.”

“We cannot support legislation with inappropriate mandates or that moves power or funding from the states to Washington for the planning and operation of elections,” she added. However, the White House gave no specifics on what parts of the bill it objected to.

A spokesperson for Senate Majority Leader Mitch McConnell, who sits on the Rules Committee, declined to say whether the majority leader, widely renowned on Capitol Hill for his backroom tactics, was involved in efforts to hobble the Secure Elections Act.


DEFCON story about kids hacking election website - Debunked by ProPublica!


Politico’s Nat Security writer discusses the continuing problems with shoring up our cyber security. GAO - Government Accountability Office.

@EricGeller Another day, another urgent warning from GAO about cybersecurity vulnerabilities.