First in MC: DEF CON reveals election security findings

With help from Eric Geller, Mary Lee, Martin Matishak and Matthew Brown

Editor's Note: This edition of Morning Cybersecurity is published weekdays at 10 a.m. POLITICO Pro Cybersecurity subscribers hold exclusive early access to the newsletter each morning at 6 a.m. Learn more about POLITICO Pro's comprehensive policy intelligence coverage, policy tools and services at www.politicopro.com.

Quick Fix

— The DEF CON Voting Village uncovered security gaps in electronic voting machines, and detailed them in its 2019 report.

— President Donald Trump made bizarre comments about a cybersecurity company, according to the readout from his call with the Ukrainian president.

— Businesses are taking hours to respond to cyberattacks, researchers found.

HAPPY THURSDAY and welcome to Morning Cybersecurity! It’s a weird tradition we have here. Send your thoughts, feedback and especially tips to [email protected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

Driving the Day

FIRST IN MC: VENDORS, WE HAVE A PROBLEM — Popular new electronic voting machines “have not been designed with security considerations in mind,” and their weaknesses “open the door for various methods to attack the election process,” DEF CON’s Voting Machine Hacking Village said in its 2019 report, provided first to POLITICO. Hackers visiting the village found several flaws in these ballot-marking devices, including default passwords and clear-text administration credentials in the ES&S AutoMARK and an unencrypted file system on the Dominion ImageCast Precinct. BMDs are also susceptible to denial-of-service attacks, the report found, because resolving errors (including deliberate ones) requires a reboot.

Village organizers concluded that BMDs’ flaws raise “broad questions about their security and impact on overall election integrity if they were to be put into general use in elections.” But the problems uncovered went beyond BMDs, which are common replacements for paperless devices because they retain the convenience of a touchscreen. The village brought in other equipment, and the report said hackers used new and previously identified exploits to breach “every one of the devices in the room.”

Testers found a machine hard-coded to ping an overseas IP address with no explanation, and an e-poll book made by VR Systems — believed to be a victim of Russian hacking in 2016 — lacked a firmware password, enabling hackers to boot it into any operating system they wanted. Village organizers said most of the discovered attacks were possible under live-election conditions.

These findings demand scrutiny of BMDs, nationwide use of paper ballots and risk-limiting audits, as well as “dramatically increased funding” for local officials, the village’s organizers said in their report, which will be officially released later today. They also criticized voting machine vendors’ security engineering practices. “Historically, security measures provided by the hardware / low-level programming have been systematically turned off in all classes of devices used as part of the election infrastructure,” they wrote. “Unfortunately, this was found to be true also with newer generations of voting equipment in the Village.” Dominion did not respond to a request for comment, nor did the Election Assistance Commission. ES&S said it "look[ed] forward to reviewing the report."

AND THE CYBERSECURITY WORLD LET LOOSE A COLLECTIVE, ‘HUH?’ — The notes the White House released Wednesday from Trump’s call with Ukraine’s president contain a curious cyber-related passage. “I would like you to find out what happened with this whole situation with Ukraine, they say Crowdstrike,” Trump said. “I guess you have one of your wealthy people. The server, they say Ukraine has it.” It’s not the first time Trump has erroneously tied CrowdStrike (which investigated Russian intrusions into Democratic National Committee emails) to Ukraine and to an allegedly-but-not-really missing server. Trump also suggested Wednesday that Ukraine “could be” the location of emails deleted from Hillary Clinton’s private email server.

It’s a Russia-friendly narrative from a president who has frequently cast doubt on the Kremlin aiding his election, and that’s why he might have allowed a bewildering bit of absurdity to enter his dialogue. One possible explanation is that he misunderstands CrowdStrike itself; one of its founders, Dmitri Alperovitch, is a Russia-born U.S. citizen, and Trump has claimed in the past that the publicly traded company is owned by a rich Ukrainian. Perhaps he is conflating Alperovitch’s role as a senior fellow at the Atlantic Council with the fact that the council receives funding from the foundation of Ukrainian billionaire Viktor Pinchuk. The White House did not respond to multiple requests for comment.

“This is complete nonsense,” the DNC responded. “Trump still hasn't accepted that Russia interfered in our election, and instead, is using a call with a foreign leader to push conspiracy theories. This is surreal.” Said CrowdStrike: “With regards to our investigation of the DNC hack in 2016, we provided all forensic evidence and analysis to the FBI. As we’ve stated before, we stand by our findings and conclusions that have been fully supported by the US Intelligence community.”

SLOW AND STEADY WINS THE … WAIT, NO — Businesses take an average of three and a half hours to remediate a cyberattack, according to research out today from Barracuda. Eleven percent take more than six hours to investigate and remediate, the company found. To reach that conclusion, Barracuda examined email threat scan results of 383,790 mailboxes across 654 organizations over the course of a month.

In Congress

MAKING MY WAY DOWN THE CAPITOL — The House Homeland Security Committee on Wednesday approved a bill (H.R. 1975) that would establish a cyber committee within the DHS Cybersecurity and Infrastructure Security Agency. The committee would provide advice and make recommendations to the director of CISA on the development and implementation of policies, and programs relating to the agency’s cybersecurity mission. The panel also adopted an amendment offered by Lauren Underwood (D-Ill.) that would clarify who would comprise the committee, adding "the cybersecurity research community, and privacy policy organizations with expertise and experience."

Across the Capitol, the Senate Energy and Natural Resources Committee approved two measures: one (S. 2095) that would set up Energy Department programs for utilities to shore up their physical and cybersecurity programs, and another (S. 2333) that would authorize DOE programs to improve how it and others combat supply chain vulnerabilities. That measure would authorize $65 million for each of fiscal years 2020 through 2028 for a program to develop advanced cybersecurity applications and technologies for the energy sector, among other things.

— STAYING ON THIS SIDE: The Senate passed nonbinding resolutions Wednesday instructing negotiators on the annual defense policy bill (S. 1790) to include two cybersecurity-related measures. The first, S. 1060, would mandate sanctions against any nation found to interfere in U.S. elections. The second, S. 2118, would codify Trump’s telecom executive order and prohibit Huawei’s removal from a Commerce Department list of entities with which U.S. firms are forbidden from doing business, unless Congress approves.

WE CAN’T WORK IT OUT — DHS isn’t meeting the requirements of a 2014 cybersecurity workforce law, and because of that, it also needs to do a better job of cyber workforce planning, the department’s inspector general concluded in a report released Wednesday. DHS missed deadlines for annual workforce assessments to Congress and did not deliver an annual workforce strategy to Congress at all between 2015 and 2018, the IG said. “Without a complete workforce assessment and strategy, DHS is not well positioned to carry out its critical cybersecurity functions in the face of ever-expanding cybersecurity threats,” the report states.

CLOUD KILLA — Cloud services at Fortune 500 companies are under heavy attack from hackers, according to a study out Wednesday from the firm Proofpoint. The firm analyzed 20 million individual cloud accounts and detected a staggering 15 million attempts to hack those accounts in the first half of 2019. Of the attempted malicious logins, some 400,000 succeeded. The firm found that attackers targeted 92 percent of Fortune 500 companies’ cloud services and that 60 percent of those companies endured a successful attack. According to the research, attackers have a 50-50 chance of breaching a company through the cloud.

THERE’S AN APP FOR THAT — Chinese hackers are targeting certain Windows systems and replacing a real app with a trojanized version in order to gain remote access, according to a report from Blackberry Cylance on Wednesday. The attackers “deploy a Trojanized screen reader application, replacing the built-in Narrator ‘Ease of Access’ feature in Windows,” researchers found. “This backdoor allows them to surreptitiously control systems via remote desktop logon screens without the need for credentials.” The identity of the digital perpetrators remains elusive, but evidence points to a Chinese group known as Tropic Thunder targeting government and industry in Taiwan and the Philippines.

TWEET OF THE DAY — Factually correct.

RECENTLY ON PRO CYBERSECURITY — The Government Accountability Office faulted the Energy Department and Federal Energy Regulatory Commission over grid cybersecurity. … “The European Commission aims to create a ‘framework for data access and governance’ as part of its broader goal to create a common data space.”

Quick Bytes

— CISA is restructuring the National Cybersecurity and Communications Integration Center. Inside Cybersecurity

— “Magecart skimmers seen targeting routers for customer Wi-Fi networks.” Ars Technica

That’s all for today.

Stay in touch with the whole team: Mike Farrell ([email protected], @mikebfarrell); Eric Geller ([email protected], @ericgeller); Mary Lee ([email protected], @maryjylee); Martin Matishak ([email protected], @martinmatishak); and Tim Starks ([email protected], @timstarks).

Follow us on Twitter: Heidi Vogt @HeidiVogt, Eric Geller @ericgeller, Martin Matishak @martinmatishak and Tim Starks @timstarks.