EAC to evaluate testing and certification of non-voting equipment – Politico

By TIM STARKS

06/17/2020 10:00 AM EDT

Updated 06/18/2020 07:02 PM EDT

With help from Eric Geller, Martin Matishak and Cristiano Lima

Programming announcement: This 10 a.m. version of Morning Cybersecurity will end daily publication on July 10 and move to a week-ahead style newsletter that publishes on Monday mornings. The daily 6 a.m. version will continue for POLITICO Pro subscribers. For information on how you can continue to receive daily policy content, as well as information for current POLITICO Pro subscribers, please visit our website.

The Election Assistance Commission and Center for Internet Security paired up on a pilot project to figure out how to test and certify non-voting election equipment.

The Senates annual defense policy bill largely gave the Trump administration what it asked for on Pentagon cyber spending, an Armed Services Committee aide said.

An infamous North Korean hacking group might be behind cyberattacks on European military and aerospace companies motivated by secrets and cash.

HAPPY WEDNESDAY and welcome to Morning Cybersecurity! None of these recent revivals of all-time classic comedy shows have worked out, have they? Send your thoughts, feedback and especially tips to [emailprotected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

A message from the NYU School of Professional Studies - MS in Global Security, Conflict, and Cybercrime:

The MS in Global Security, Conflict, and Cybercrime is a STEM-designated, graduate degree offered by the NYU School of Professional Studies Center for Global Affairs (CGA). It prepares students for leadership, management, analytical, and advocacy positions within organizations that are ready to confront the threat of cyber conflict. LEARN MORE.

MEET RABET-V The EAC is taking the first step toward a testing and certification program for e-poll books, results websites and other election technology not currently covered by federal certification standards. Eric reports this morning that the EAC has partnered with the nonprofit Center for Internet Security on a pilot project to evaluate ways to test and certify non-voting election equipment. Indiana, Maryland, Ohio, Pennsylvania, Texas and Wisconsin are part of the Rapid Architecture-Based Election Technology Verification project. So is the Federal Voting Assistance Program, which coordinates voting processes for overseas Americans and U.S. service members, the two largest constituencies for internet voting another technology currently outside the scope of federal certification.

The new pilot project, known as RABET-V, will also seek out ways to encourage manufacturers to design systems for frequent, incremental updates and recertifications, a major goal of election security experts who criticize the current cumbersome process. The EAC sees a need for jurisdictions across the U.S. to have a consistent way to evaluate the capabilities and security of manufacturers non-voting election technology, Vice Chairman Donald Palmer said in a statement.

The EAC first discussed plans to broaden election technology testing in February, when Palmer told state officials that the marketplace for non-voting equipment, which included some of our most vulnerable systems, was comparable to the Wild West in terms of security oversight. Federal testing standards, which are optional but have been adopted in most states, only cover equipment used to create, mark and tabulate ballots, such as voting machines and optical scanners. This excludes frequently targeted systems such as voter registration databases and election night results reporting websites.

ESCAPE FROM L.A. The hours-long wait times that snarled the March 3 primary in Los Angeles County stemmed from malfunctions in the electronic tablets used to check in voters at the polls, according to an unpublicized county report that adds to questions about the nations readiness for November, Kim Zetter reports for Pros. The report concludes that these devices known as electronic poll books and not the countys new $300 million voting machines were the source of those delays. Although the voting machines also had problems, the report faults inadequate planning, testing and programming of the poll books that workers used to check in voters and verify that theyre registered technology that has also been implicated in this months meltdown at the polls in Georgias primary. Read on if youre a Pro.

DoD CYBER BUDGET OKD, MORE OR LESS The Senates annual defense policy bill approves President Donald Trumps $9.8 billion budget request for Pentagon cyberspace activities, a congressional aide told reporters on Tuesday. At a high-level the [Senate Armed Services Committee] fully funded the cybersecurity priorities of the department, according to the aide, who spoke on condition of anonymity to discuss the $740 billion spending blueprint, which has yet to be publicly released.

The topline figure includes $3.8 billion for defensive and offensive digital operations, with $2.2 billion of that supporting the 133-team Cyber Mission Force at U.S. Cyber Command the same amount the administration requested last fiscal year. About $5.4 billion would go toward cybersecurity, including $673 million to protect next-generation platforms (e.g., new weapons systems, technology). The aide suggested lawmakers cut spending or added strings in a few small, isolated places of certain DoD cybersecurity programs due to oversight concerns but declined to provide specific examples before the measure is released.

MAYBE LAZARUS RISES AGAIN The North Korean government-linked Lazarus Group might be behind a series of targeted cyberattacks on European military and aerospace companies last fall, ESET said in research out this morning. The hackers used LinkedIn-based spearphishing in what ESET dubbed Operation In(ter)ception based on the name of a related malware sample. They appeared to be motivated by cyber espionage and extracting money from the companies.

The attacks that ESET investigated began with a message that was a quite believable job offer, seemingly from a well-known company in a relevant sector, said Dominik Breitenbacher, the ESET malware researcher who analyzed the malware and led the investigation. Of course, the LinkedIn profile was fake, and the files sent within the communication were malicious.

TARNISH ON THE NIGERIAN PRINCE CROWN The Trump administration issued sanctions on Tuesday against six Nigerians accused of business email compromise and romance scams against U.S. individuals and businesses. The action taken collectively by the departments of Justice, State, Treasury would block assets and prohibit people in the U.S. from dealing with Nnamdi Benson, Abiola Kayode, Alex Ogunshakin, Felix Okpoh, Michael Olorunyomi and Richard Uzuh.

The six individuals designated today manipulated their victims to gain access to their sensitive information and financial resources. The U.S. will not tolerate such gross misuse of technology, Secretary of State Mike Pompeo said. The United States will use all of the tools at our disposal to defend the American people and businesses from malign actors that seek to target them, including cyber-enabled actors who prey on vulnerable Americans and businesses.

GROUPS URGE CONGRESS TO DROP SURVEILLANCE TECH FUNDS First from our friends at Morning Tech: Over 100 civil rights and civil liberties groups today are calling on House leaders to cease federal funding for the surveillance technologies that are being used to militarize our communities and criminalize dissent. In a letter going out today to top lawmakers in the House and its Judiciary Committee, the groups say law enforcement use of cutting-edge tools to monitor protests against the killing of George Floyd has chilled activists' free expression rights.

What theyre pushing for: It has become abundantly clear that we need a dramatic change to policing in our communities, including divesting from police, write the groups, which include the ACLU, Color of Change, Free Press and the Center for Democracy & Technology. This reform must also include dramatic changes to our surveillance infrastructure, which has also contributed to increased militarization and policing abuses. And they say federal money for technologies that are antithetical to the First and Fourth Amendment should cease.

The push comes as Democratic lawmakers have increasingly sounded the alarm on law enforcement surveillance, including the use of emerging technologies like facial recognition software and drones, at the recent wave of racial justice protests.

Where talks stand on the Hill: The bicameral Democratic police reform package included some narrow checks on such tools, including banning warrantless federal law enforcement use of facial recognition software on body-cam footage. But the incoming Senate GOP policing package includes no mentions of facial recognition software, biometric identification or surveillance more broadly, according to bill text obtained by POLITICOs Marianne LeVine signaling daylight on the issue between the two sides.

TWEET OF THE DAY Just like the Founders intended.

RECENTLY ON PRO CYBERSECURITY Poor cybersecurity procedures at the CIA contributed to the Vault 7 leak, according to an internal agency task force. Physicists have extended the capabilities of secure quantum communication tenfold, marking a step forward in efforts to establish hack-proof network communications, according to a study published by scientific journal Nature. The European Data Protection Board cast doubt on whether a U.S.-EU data sharing deal has sufficient privacy safeguards.

Researchers uncovered vulnerabilities in the official Trump 2020 app that might have allowed hackers to access user data, and the campaign issued a fix. President Donald Trumps comments on a trade deal with China is a factor in the extradition case of Huawei executive Meng Wanzhou.

Jim Baker has joined Twitter as its deputy general counsel. The former FBI general counsel has been on both sides of the encryption fight.

Wired: A series of bugs in one companys software could have impacted hundreds of millions of internet-connected devices.

The Federal Information Security Modernization Act report on the Nuclear Regulatory Commission for this year has arrived, and it found some weaknesses.

ZDNet: Avon had a cybersecurity incident.

The Hill: A House Democrat is seeking an FBI briefing on foreign adversaries perhaps exploiting the police brutality protests.

Graphika released a report on a Russian disinformation campaign.

Amnesty International warned about privacy problems with some nations Covid-19 apps.

Motherboard: Theres no evidence of a DDoS attack by Anonymous causing a T-Mobile outage.

CyberScoop: The National Capital Region Threat Intelligence Consortium issued a memo about the outage.

Thats all for today.

Stay in touch with the whole team: Eric Geller ([emailprotected], @ericgeller); Bob King ([emailprotected], @bkingdc); Martin Matishak ([emailprotected], @martinmatishak); Tim Starks ([emailprotected], @timstarks); and Heidi Vogt ([emailprotected], @heidivogt).

CLARIFICATION: Morning Cybersecurity has been updated to clarify the item about RABET-V. It will not involve internet voting systems.

Read this article:
EAC to evaluate testing and certification of non-voting equipment - Politico

Related Posts

Comments are closed.