The Department of Homeland Security (DHS) provided cybersecurity assistance to 33 state election offices and 36 local election offices leading up to the 2016 presidential election, according to information released by Democratic congressional staff.
During the final weeks of the Obama administration, the DHS announced that it would designate election infrastructure as critical, following revelations about Russian interference in the 2016 election.
Since January, two states and six local governments have requested cyber hygiene scanning from the DHS, according to a memo and DHS correspondence disclosed Wednesday by the Democratic staff of the Senate Homeland Security and Governmental Affairs Committee.
The information is related to the committee’s ongoing oversight of the DHS decision to designate election infrastructure.
The intelligence community said back in January that in addition to directing cyberattacks on the Democratic National Committee and top Democratic officials, Russia also targeted state and local electoral systems not involved in vote tabulating.
In June, DHS officials told senators investigating Russian interference that there was evidence that Russia targeted election-related systems in 21 states, none of them involved in vote tallying.
Officials have previously confirmed breaches in Arizona and Illinois, though it remains unclear whether other systems were successfully breached. Lawmakers such as Sen. Mark Warner (D-Va.) have demanded more information on the specific states targeted.
Homeland Security and Government Affairs ranking member Claire McCaskill (D-Mo.) wrote then-Secretary of Homeland Security John Kelly back in March, asking for more information on his plans for the critical infrastructure designation. The information released Wednesday is drawn from his response on June 13. Kelly has since left his post to serve as President Trump’s chief of staff.
“Prior to the election, DHS offered voluntary, no-cost cybersecurity services and assistance to election officials across all 50 states. By Election Day, 33 state election offices and 36 local election offices requested and received these cyber hygiene assessments of their internet-facing infrastructure,” Kelly wrote.
“In addition, one state election office requested and received a more in-depth risk and vulnerability assessment of their election infrastructure.”
Given the critical infrastructure designation, the DHS is providing cyber hygiene assessments, which include vulnerability scanning of election-related systems excluding voting machines and tallying systems, which the department recommends being disconnected from the internet.
The department also offers risk and vulnerability assessments, which include penetration testing, social engineering, wireless discovery and identification, and database and operating systems scanning. The DHS is also responsible for sharing threat information with owners and operators of critical infrastructure, which now include state and local election officials.
“Following the establishment of election infrastructure as critical infrastructure, several state and local governments requested new or expanded cybersecurity services from DHS,” Kelly disclosed in June, according to the letter. “Specifically, an additional two states and six local governments requested to begin cyber hygiene scanning (one state has, however, ended its service agreement). DHS also received one request for the risk and vulnerability assessment service.”
Many state and local election officials have opposed the designation, saying that the DHS has not offered enough information about what it means. The department has insisted that assistance will be given only to states that request it.
In the letter, Kelly, who has acknowledged objections, said there are “no plans to make any changes to the designation of election infrastructure as a critical infrastructure subsector.”
All of the Democratic members of the Senate Homeland Security and Governmental Affairs Committee have called for a full investigation into Russian election interference. The matter is already under investigation by the House and Senate Intelligence committees. The memo issued by Democratic staff on Wednesday was sent to the full committee.
Background at a Las Vegas Convention:
LAS VEGAS—For the first time in the 25 years of the world’s largest hacker convention, DefCon, two sitting U.S. Congressmen trekked here from Washington, D.C., to discuss their cybersecurity expertise on stage.
Rep. Will Hurd, a Texas Republican, and Rep. Jim Langevin, a Rhode Island Democrat, visited hacking villages investigating vulnerabilities in cars, medical devices, and voting machines; learned about how security researchers plan to defend quantum computers from hacks; and met children learning how to hack for good.
On Sunday, the last day of the conference, Hurd and Langevin delivered their own message: We come in peace. Please help us.
During a fireside chat-style conversation moderated by Joshua Corman, director of the Cyber Statecraft Initiative at the Atlantic Council, Hurd, chairman of the House Subcommittee on Information Technology, and Langevin, co-founder and co-chair of the Congressional Cybersecurity Caucus, called for the more than 2,000 hackers in the audience to “develop a dialogue” with their local representative in Congress.
“Never underestimate the value that you can bring to the table in helping to educate members and staff of what the best policies are, what’s going to work, and what’s not going to work,” Langevin said, pointing to Luta Security CEO and bug bounty expert Katie Moussouris’ ongoing advocacy for changes to the Wassenaar Arrangement, a decades-old international accord on how countries can transport “intrusion software” and other weapons across international borders.
Moussouris and Iain Mulholland of VMware have effectively convinced Wassenaar member countries to delay their adoption of proposed revisions to the agreement, as they’ve pushed for new language to better protect security researchers’ work.
The conversation between hackers and Congress has never been monosyllabic. But it has been frosty for decades, as federal prosecutors have used American antihacking laws such as the Computer Fraud and Abuse Act and Electronic Communication Privacy Act to punish people conducting legitimate security research.
As many security researchers continue to worry about how these laws might affect them, some have begun to use their expertise to influence the laws—and the lawmakers behind them.
Langevin and Hurd’s plea for hacker-legislator collaboration follows calls by hackers at last year’s DefCon for greater government regulation of software security.
“We don’t have voluntary minimum safety standards for cars; we have a mandatory minimum,” Corman told The Parallax at the time. “What tips the equation [for software] is the Internet of Things, because we now have bits and bytes meeting flesh and blood.”
Hurd said security researchers could play an important role in addressing increasingly alarming vulnerabilities in the nation’s voting apparatus. DefCon’s first voting machine-hacking village this weekend hosted a voting machine from Shelby County, Tenn., that unexpectedly contained personal information related to more than 600,000 voters. Village visitors managed to hack the machine, along with 29 others.
“We have to ensure that the American people can trust the vote-tabulating process,” Hurd said, acknowledging that DefCon attendees were able to hack each machine in the village. “The work that has been done out here is important in educating the secretaries of state all around the country, as well as the election administrators,” about secure technologies and practices.
Langevin and Hurd’s comments seemed to strike the right notes with hackers in attendance. Following Edward Snowden’s leaking of NSA documents and Apple’s refusal to create an encryption backdoor for law enforcement to the iPhone, relations between the hacking community and Washington have been strained at best, notes Herb Lin, a computer security policy expert and research fellow at Stanford University’s Center for International Security and Cooperation. But markedly improving the relationship will require more than a plea for collaboration, he warns.
“It’s better than what’s happened in the past, which is both nothing and active hostility,” he says. “One act by itself is not a game changer.”
The chat ended with assurances of more action from both sides. Corman said he’d like to see members of Congress attend more hacker conferences, such as ShmooCon in Washington, and Hurd promised that he wouldn’t let his experiences this past weekend go to waste.
“These conversations are going to lead me to hold hearings on many of these topics in the subcommittee that I chair,” Hurd said.
*** More details that were recorded at the convention:
DEF CON 2017 – Are voting systems secure? In August 2016, the FBI issued a “flash” alert to election officials across the country confirming that foreign hackers have compromised state election systems in two states.
Although the US largely invested in electronic voting systems their level of security appears still not sufficient against a wide range of cyber attacks.
During an interesting session at the DEF CON hacking conference in Las Vegas, experts set up 30 computer-powered ballot boxes used in American elections simulating the Presidential election. Welcome in the DEF CON Voting Village!
At the 1st ever Voting Village at
#DEFCON, attendees tinker w/ election systems to find vulnerabilities. I’m told they found some new flaws
The organization asked the participant to physically compromise the system and hack into them, and the results were disconcerting.
“We encourage you to do stuff that if you did on election day they would probably arrest you.” John Hopkins computer scientist Matt Blaze said,
Most of the voting machines in the DEF CON Voting Village were purchased via eBay (Diebold, Sequoia and Winvote equipment), others were bought from government auctions.
In less than 90 minutes hackers succeeded in compromising the voting machines, one of them was hacker wirelessly.
“Without question, our voting systems are weak and susceptible. Thanks to the contributions of the hacker community today, we’ve uncovered even more about exactly how,” said Jake Braun, cybersecurity lecturer at the University of Chicago.
The analysis of the voting machines revealed that some of them were running outdated OS like Windows XP and Windows CE and flawed software such as unpatched versions of OpenSSL.
Some of them had physical ports open that could be used by attackers to install malicious applications to tamper with votes.
Even if physical attacks are easy to spot and stop, some voting machines were using poorly secured Wi-Fi connectivity.
The experts Carsten Schurmann at the DEF CON Voting Village hacked a WinVote system used in previous county elections via Wi-Fi, he exploited the MS03-026 vulnerability in Windows XP to access the voting machine using RDP.
Greetings from the Defcon voting village where it took 1:40 for Carsten Schurmann to get remote access to this WinVote machine.
Another system could be potentially cracked remotely via OpenSSL bug CVE-2011-4109, it is claimed.
huge cheer just went up in @votingvilllagedc as hackers managed to load Rick Astley video onto a voting machine
The good news is that most of the hacked equipment is no longer used in today’s election.