The Cybersecurity 202: Trump’s government is working to protect mail voting while Trump attacks it

It even cautions that U.S. adversaries might use partisan differences over mail voting to undermine faith in the election. 

But it doesn’t mention fraud once. 

That stands in stark contrast to the president, who has repeatedly claimed without evidence that mail voting will lead to widespread fraud. More recently Trump has pared back his attacks by saying mail voting will be done well in Florida and Arizona but is still dangerous elsewhere — seemingly because that is politically advantageous for him. 

The document from DHS’s Cybersecurity and Infrastructure Security Agency (CISA) is dramatic evidence of the jarring difference between Trump’s views of mail voting and the assessments of security professionals in his own government.

Trump, for example, has slammed mail voting because late-arriving mail ballots may delay election results. “Must know Election results on the night of the Election, not days, months, or even years later!” he tweeted.

CISA, by contrast, acknowledges there might be delays and says “election officials, media, candidates, and non-governmental organizations are working collaboratively to educate voters and set the expectations that the results on election night will be less comprehensive and it will take days, if not weeks, to determine the outcome of many races.” 

A CISA spokesperson told me “CISA assesses a shift to absentee voting or voting by mail does not create a net increase in cybersecurity risk to voting infrastructure but instead moves risk to centralized processing infrastructure and additional third-party support. While this report examines those risks to infrastructure, issues of criminal abuses and fraud are outside the scope of the assessment.”

But it does note that “mail-in voting has already become an issue among partisan political voices” and warns that makes it a juicy target for Russia and other U.S. adversaries to exploit with disinformation campaigns.

Specifically, “threat actors may exploit a delay in [election] results to sow discord, manipulate public discourse, and discredit the electoral system, all to undermine the U.S. democratic system,” the assessment notes. 

“To mitigate the risk of disinformation, voters should receive accurate information about mail-in voting to increase their understanding of the process along with reminders to rely on authoritative sources such as their state and local election officials when questions arise,” it adds.

CISA’s assessment reflects how many groups are grappling with the possibility of delayed election results – and the opportunity that could create for Trump or someone else to sow doubts.

Facebook CEO Mark Zuckerberg, for example, warned during an employee meeting the social media giant may need to add explanatory labels to posts by media and political figures that claim victory in races where results aren’t final, BuzzFeed’s Craig Silverman and Ryan Mac report. 

Zuckerberg didn’t have a plan for Trump declaring victory before there are valid results, BuzzFeed reported. 

“This is where we’re in unprecedented territory with the president saying some of the things that he’s saying that I find quite troubling,” Zuckerberg said. “We’re thinking through what policy may be appropriate here. This is obviously going to be a sensitive thing to work through.” 

But it treats those risks as natural byproducts of any major undertaking, warning that “all forms of voting…bring a variety of cyber and infrastructure risks.”

For each risk, the document also lists “compensating controls” that state and local election officials can implement to make mail voting safer.

It also lists nine different “procedural controls” that should give voters confidence their votes are being tabulated correctly and phony ballots can’t sneak in. Those include verifying voters’ signatures against another signature on record, a privacy envelope preventing anyone from giving different treatment to ballots marked for particular candidates, specialized codes allowing voters to track their ballots, and watermarks linking ballots to particular jurisdictions.

“When implemented properly, mail-in voting has a series of layered safeguards to defend the process from manipulation,” the assessment states. 

That’s because it probably will reduce the number of people who vote on outdated machines that lack a paper record. Those machines make it impossible for officials to audit votes after the election and ensure they were recorded accurately and not manipulated by hackers. 

State election officials and DHS have been pushing relatively successfully to replace those machines since the 2016 election was undermined by Russia’s hacking and disinformation efforts. 

About 28 percent of voters cast ballots on such machines in 2016, according to a study by the Pew Research Center. CISA was estimating that figure would drop to about 8 percent in 2020 but it might be even lower because of mail voting, CISA Director Chris Krebs said during an address at the Black Hat cybersecurity conference this week. 

New Jersey, for example, has been among the slowest states to replace its paperless machines but is making a push to increase mail voting before November. 

“Because of covid, they’ve decided to adopt a more mail-in or absentee ballot approach,” Krebs said. “So, we may see that 92 percent of paper ballots associated with the 2020 vote actually increase again, [creating] auditability that enables us to roll back the tape and determine what happened and conduct meaningful post-election audits.”  

New Jersey has also been a focus of Trump’s attacks on mail voting because of criminal charges against one member of the Paterson, N.J., city council and a candidate for the council, who allegedly broke state law by mailing ballots they weren’t authorized to handle and trying to register ineligible voters. Experts say the case shows the rarity of such fraud efforts and how easy they are to catch. 

In this case, a postal worker tipped off authorities when he saw hundreds of ballots stuffed in a Paterson mailbox. 

He also issued a separate order banning transactions with WeChat owner Tencent, citing national security concerns about the two businesses, Rachel Lerman reports. Both orders take effect in 45 days.

The White House alleges both apps could provide the Chinese Communist Party access to “Americans’ personal and proprietary information” for the purposes of espionage. TikTok has denied these allegations in the past. 

The order would not affect a deal if Microsoft or another U.S. company buys TikTok within the 45-day window.

The orders come amid a huge crackdown by the White House on Chinese technology. The State Department urged companies this week to ban the download of Chinese apps including WeChat, which is used as a messaging app by millions of people across the world. It’s unclear if the order would prohibit U.S. users from sending messages or making payments using the service, Rachel reports.

The order could be designed to speed ByteDance into a deal to divest its U.S. operations.

“The whole thing strikes me as Trump trying to put pressure on TikTok,” said James Lewis, of the Center for Strategic and International Studies. “I think it’s a big pressure campaign to get ByteDance to move in the right direction.”

TikTok said it was shocked by the president’s move and would pursue “all remedies available to us.”  The company has 100 million users in the United States.

A bill to ban TikTok on federal devices also passed the Senate yesterday. The House already passed a similar bill so it’s unclear if the two chambers will need to confer before it heads to the president’s desk.

There are big differences between TikTok and WeChat. 

Wall Street Journal reporter Liza Lin:

Lindsay Gorman, emerging technologies fellow at the German Marshall Fund’s Alliance for Securing Democracy:

In addition to the fine, the Virginia-based bank will have to take steps to beef up its security under an order issued by the Office of the Comptroller of the Currency, an independent bureau under the Treasury Department, Devlin Barrett reports. 

The breached information included Social Security numbers of more than 100,000 customers. No credit card or login information was breached.

The FBI arrested Paige A. Thompson of Seattle for the hack in July. She is still awaiting trial.

The Capital One breach was one of the biggest data breaches against a financial firm. It was eclipsed by the 2017 hack of Equifax in which hackers stole the personal information of 147 million people. Equifax paid $700 million in a settlement with regulators

Rob Strayer, a Trump appointee, has served as the department’s deputy assistant secretary for cyber and international communications and information policy since 2017. He’s leaving to become executive vice president of policy at the Information Technology Industry Council, a tech trade group whose members include Facebook and Google, Alyza Sebenius at Bloomberg News reports. 

Strayer’s the latest in a string of cybersecurity officials decamping from the Trump administration. Jeanette Manfra, CISA’s assistant director, resigned in December to move to Google. Amy Hess, former executive assistant director of the Criminal, Cyber, Response and Services Branch of the FBI, also left and became chief of public safety for the city of Louisville, Ky.

Strayer’s departure comes as U.S. officials are continuing a push to bar Huawei from allies’ 5G telecommunications networks and cracking down on other Chinese technology.

The network of 35 accounts, three pages and 88 Instagram accounts racked up more than 1,600 followers on Facebook and more than 7,000 on Instagram, Isaac Stanley-Becker reports.

That’s relatively small as disinformation operations go. But it’s reminiscent of 2016 when Russian trolls targeted Black Americans by posing as Black Lives Matter and other groups on Facebook and Instagram in an effort to reduce voter turnout and sow discord. 

Facebook could not determine if the network was motivated by genuine support for Trump or if there was some financial incentive, Isaac reports. The network included pages dating back to 2018. Its accounts also spread posts touting the QAnon conspiracy theory that “deep state” actors are seeking to sabotage Trump. 

Facebook also disabled a larger, separate network that spread content critical of the Chinese Communist Party, including accusing it of intentionally spreading the coronavirus.

DEFCON is streaming speeches and inviting online participation in its signature “villages” where ethical hackers search for bugs in critical machinery such as voting machines and medical devices. 

The Voting Village has, in the past, been a hotbed of contention between hackers who say they’ve found severe vulnerabilities in election equipment and election officials who say those claims are overstated. This year it will feature speeches from top government officials from the FBI, CISA, the National Security Agency and U.S. Cyber Command. 

Other speeches will be from Election Assistance Commission Chairman Ben Hovland, Washington Secretary of State Kim Wyman (R) and Sen. Ron Wyden (D-Ore.). 

The company will also partner with BallotReady to launch a feature to help users learn about mail-in voting, Axios reports. Snap registered nearly half a million voters in 2018. Facebook and Twitter have rolled out similar features.