The Cybersecurity 202: New voting machine security standards are already drawing controversy

“Adopting VVSG 2.0 is the most important action the EAC has taken in 15 years”  EAC Commissioner Ben Hovland said at the vote yesterday.

They worry they leave loopholes allowing voting machine companies to skirt best practices and leave machines vulnerable to interference. They were approved as some of the nation’s most prominent voting machine companies are suing Fox News and top lawyers for Trump because of their unfounded fraud claims related to their machines.

In a letter led by Rep. Bill Foster (D-Ill.), more than 20 members of Congress are asking the EAC to reconsider its recommendations. The letter expresses concerns about how the guidelines frame the use of machines with parts that can connect to the Internet. 

“This is extremely troubling, as computer security and networking experts have warned that merely disabling networking capability is not enough,” they wrote. “Benign misconfigurations that could enable connectivity are commonplace and malicious software can be directed to enable connectivity silently and undetectable, allowing hackers access to the voting system software.”

Foster tweeted after the meeting:

House Homeland Security Committee Democrats also expressed disappointment on Twitter:

More than two dozen election security experts and voter advocacy groups also have criticized the language, accusing the agency of pulling a last-minute switch from draft guidelines that went through a public comment process before approval. (The new language did not go through the comment process.)

“The EAC’s decision to make substantive security changes to the VVSG 2.0 draft, outside of the legally mandated process is not just legally troubling, it is particularly tone-deaf. Transparency, accountability and trust in our election processes and systems are principles the EAC should be advancing, not degrading,” Susan Greenhalgh, senior adviser on election security at Free Speech For People wrote in a statement.

The group believes there are “valid concerns that the EAC amended requirements … as a result of nonpublic meetings with voting system vendors.” 

Election officials from the National Association of State Election Directors in a statement expressed concerns with the agency’s failure to provide a public comment period for manuals accompanying the new guidelines. 

The lack of transparency raises concerns since its manuals that will actually shape the process for certification for voting machines.

“They really go a long way to shaping the incentive structures for manufacturers,” says Eddie Perez, a former HartIntercivic executive who is now global director of technology development at the Open Source Election Technology Institute.  The policies can make the difference between manufacturers “quickly developing technology to [the] new standards” or just leaving “a lot of loopholes so manufacturers can sit back on old tech and just keep modifying it,” he says.

EAC Executive Director Mona Harrington disputed the idea the draft guidelines were significantly altered.

Rather, she said, the language clarified the guidelines’ intent, which was never to outright ban Internet-enabled hardware. She also dismissed the idea the added language is equivalent to putting Internet-enabled devices inside the machines on “airplane mode” since hardware and systems that can connect to the Internet will be cut off.

They offer significant changes from previous recommendations, including requirements for design processes making voting more accessible to disabled voters, systems that ensure privacy for voters, and requirements for end-to-end encryption of data.

They also codify the need for vote-auditing technology, which was essential in validating the results of the 2020 election.

While only a handful of states require post-election audits, technology that makes it easier could drive more states to require the process, Perez says.

Voting machine companies only need to apply for certification to the new standards for new machines. But within existing guidelines there’s some gray area as to what constitutes a new machine, Perez says. A voting machine company could update just a part of its system and argue it has not released a new machine, dodging the need to meet new certification standards.

And companies have not historically been eager to line up for new certification, a time-intensive process. When the EAC made a minor update to standards in 2015, not a single company presented for recertification. Machines from three different companies last certified in 2005 that contain modems with Internet connectivity were used in at least three states in the 2020 elections.

So far, they say the EAC still needs to do more on its end.

A letter from voting systems providers yesterday encouraged the EAC to help with the transition by working with labs certified to test voting machines on an accreditation progress for the new standards as well as “working with technology providers to finalize their review of the requirements to design and build VVSG 2.0-compliant systems over the coming years.

Even if the guidelines are a success, it’s unlikely their impact will be felt by the 2022 midterm elections, Perez says.

“Everyone should temper their expectations as to how long it will take for this to make an impact. New standards are not going to fix the current dysfunctions that have resulted in a slow pace for voting technology.”

Correction: This story has been updated to include a correct link to the final requirements.

“I’m not sure we’re ever going to see it,” the former Cybersecurity and Infrastructure Security Agency director told members of the House Homeland Security Committee at a hearing yesterday dedicated to assessing American cyberthreats. Rather, what’s happened so far with the SolarWinds breach should be enough for Congress to act, he says.

The Russian hack of multiple government agencies and U.S. companies through vulnerabilities in SolarWinds and other software was top of mind for lawmakers during the hearing, which is the first of several planned by the committee dedicated to cybersecurity for early this year.

Cybersecurity expert Dmitri Alperovitch offered a five-point plan for addressing the concerns raised by the attack, which included tasking CISA with taking on a chief information security officer role for civilian agencies. Alperovitch and other experts also stressed the importance of strengthening security standards for vendors supplying software to the government.

Lawmakers also raised concerns that domestic actors could turn to cyberattacks as a weapon. 

Sue Gordon, a principal deputy director of national security during the Trump administration, told lawmakers that the disinformation employed by the groups “is a part of the cyber threat.” She didn’t rule out that actors could turn to technical cyberattacks in the future.

“I think you would expect them to use tools to disrupt normal business processes,” she said.

Fears of domestic attacks have escalated since the hack of a Florida town’s water supply this week, though Krebs cautioned that the actor behind the attack was likely a “disgruntled employee.”

Anne Neuberger, a top National Security Council cyber official, is overseeing the investigation into the cyberattack, the New York Times’s Julian E. Barnes and David E. Sanger report. The move was praised by Senate Intelligence Committee Chairman Mark R. Warner (D-Va.) and the committee’s top Republican, Sen. Marco Rubio (R-Fla.), as “welcome news.” 

Neuberger said that the Biden administration is working on a national cyber strategy in the wake of the cyberattack, which officials have called the worst breach in U.S. history.

Politico’s Eric Geller reports:

She also brought up the attempted hack of a Florida water treatment facility, telling attendees to “watch this space” for a renewed focus on industrial control systems:

“The competition is real,” she said, “and it has consequences,” later noting that “it affects all of us, and we need to be better postured to compete in this domain.”

They tricked United Arab Emirates government employees into opening links and attachments that installed remote desktop software, researchers from Anomali said. The researchers said that “it is very likely that data theft is the primary objective” of the campaign.

Meanwhile, researchers from Lookout Threat Intelligence say that a group of pro-India hackers targeted Pakistani and Indian officials with new Android malware. The victims of the attack, which allowed hackers to take photos and scrape call logs and WhatsApp messages, included electoral officials in the disputed Kashmir region, as well as people linked to Pakistan’s nuclear agencies.

Senate Foreign Relations Committee Chairman Robert Menendez (D-N.J.) and Marco Rubio (R-Fla.) asked whether Bezos knew that Dahua Technology was on a government blacklist when Amazon negotiated a $10 million deal with the company, and whether he was aware of its role in China’s surveillance of Uighurs. Amazon received the cameras in April.

The letter comes after reports that Dahua’s software purports to identify the races of people on camera and alerts authorities when it identifies Uighurs. In their letter, the senators press Bezos, who owns The Washington Post, for more information about Amazon’s human rights criteria for companies with which it has business relationships.

The plan has been indefinitely shelved as the Biden administration looks into the Trump administration’s designation of the company as a national security threat, the Wall Street Journal’s John D. McKinnon and Alex Leary report. Discussions between U.S. officials and the company have continued, with talks focusing on data security.

Authorities say the 10 hackers who were arrested across Europe stole more than $100 million in cryptocurrency from the sports stars, musicians and influencers last year, the AP reports. They also took personal information and posted on the celebrities’ social media accounts. They apparently gained access to the accounts by SIM swapping, which deactivates cellphone SIM cards so phone numbers can be transferred to hackers.

• Japan’s former ambassador to the United States, Kenichiro Sasae, speaks at an event on supply chain security cooperation hosted by the Center for Strategic and International Studies today at 7:30 p.m.

CISA appeared on Jeopardy! on Wednesday night. Here’s the agency’s former public affairs director, Sara Sendek:

Chris Krebs, its former director, also reacted:

CISA appreciated the love:

Send us your best cybersecurity Valentine’s Day card ideas

And tomorrow we might just feature you