Email and internet voting risks

Watchdog spotlights DoD cyber risks — Cybercrime ringleader indicted

Election integrity advocates released a report today cautioning against online voting as an overlooked threat to election infrastructure. It’s susceptible to cyberattacks at nearly every point in the journey from voter to county clerk’s office, they say, warning that malware can remain undetected on a voter’s computer, voter authentication can be stolen, emailed ballots can be manipulated without detection and servers hosting ballots can be penetrated — none of which can be effectively audited.

Voters cast at least 100,000 ballots online in 32 states in the 2016 general election, according to the report, titled “Email and Internet Voting: The Overlooked Threat to Election Security.” It’s a collaboration between the National Election Defense Coalition, the Association for Computing Machinery, R Street and Common Cause.

“Until there is a major technological breakthrough in or fundamental change to the nature of the internet, the best method for secure elections is a tried-and-true one: paper ballots,” the groups say. “Paper ballots aren’t tamper-proof, but they are not vulnerable to the same sort of wholesale fraud or manipulation associated with email voting.”

The groups recommend federal agencies acknowledge vulnerabilities in online voting, as no published guidance on the security of emailed ballots currently exists from the Election Assistance Commission, DHS or National Association of Election Officials. They also caution against blockchain voting — such as the mobile app used in West Virginia — and end-to-end verifiable systems as inadequate to address fundamental security concerns.

HAPPY WEDNESDAY and welcome to Morning Cybersecurity! We hope you’re liking the new look that debuted this week. Send your thoughts, feedback and especially tips to our full team using the contact info below, and be sure to follow @POLITICOPro and @MorningCybersec.

PRESIDENT TRUMP SAYS A RED WAVE IS COMING ON ELECTION DAY. Is he right, or will the tide turn blue? Compete against the nation’s top political minds in the POLITICO Playbook Election Challenge, by correctly picking the winning candidates in some of the most competitive House, Senate and gubernatorial races in the country. Win awesome prizes and eternal bragging rights. Sign up today! Visit to play.

POLITICO IS PARTNERING WITH THE MILKEN INSTITUTE to bring a special edition of the POLITICO Pulse newsletter to the Milken Institute Future of Health Summit. Written by Dan Diamond, the newsletter will take readers inside one of the most influential gatherings of global health industry leaders and innovators as they tackle today’s most pressing health challenges. The newsletter will run Oct. 23-24. Sign up today to begin receiving exclusive coverage on Day One of the summit.

TODAY: HSGAC HEARING ON HOMELAND THREATS — The Senate Homeland Security Committee holds a hearing this morning on threats to the homeland with DHS Secretary Kirstjen Nielsen, FBI Director Chris Wray and acting National Counterterrorism Center Director Russell Travers. Chairman Ron Johnson will be among those focusing some of his attention on cyber threats, based on past hearings. “We learned how adversaries constantly attempt to breach government and private sector networks,” Johnson says in prepared opening remarks. “Yet we know that the federal government’s own networks remain at high risk, according to the Government Accountability Office, and that more must be done to support the private sector and to deter adversaries who threaten our cybersecurity.”

MORE BAD PENTAGON NEWS — The fresh GAO audit issued Tuesday found that the Pentagon’s top weapon systems are easily hacked and rife with vulnerabilities. The watchdog office found that DoD testers were able to break into systems and take them over unnoticed, often because of things like poor passwords or a lack of encryption. And while the department was aware of some of the weak spots, it didn’t take steps to cauterize them. “For example, officials from a DOD agency we met with expressed confidence in the cybersecurity of their systems, but could not point to test results to support their beliefs. Instead, they identified a list of security controls they had implemented,” according to the study.

The audit is the latest bad news for the department, which was raked over the coals last week for poor cybersecurity in a report about the defense industrial base. On Tuesday, Rep. Anthony Brown, a member of the House Armed Services Committee, said that lawmakers must help DoD turn the ship around. The report revealed a problem that Congress is well acquainted with — the existence of critical shortages in the defense industry workforce,” he said in a statement. “In order to meet the challenges that we are faced with head-on, Congress must play a role in modernizing the defense industry workforce.”

WHAT IS GOING ON? — The chairmen of the House Intelligence and Oversight committees on Tuesday requested briefings on reportedly compromised microchips used throughout the government and sensitive industries. Chairmen Devin Nunes and Trey Gowdy want the FBI, DHS and intelligence community to explain a Bloomberg story that said Chinese companies had placed infected microchips on motherboards that were then installed in countless devices shipped to the U.S. Senate Commerce Chairman John Thune is calling for Amazon, Apple and Super Micro — the allegedly compromised company at the center of the tale — to brief congressional staffers by Friday, while Sens. Richard Blumenthal and Marco Rubio directed his own questions to Super Micro. On Tuesday, Bloomberg also reported that a U.S. telecom company found one of the compromised motherboards on its network and removed it in August.

But the unfolding microchip saga remains maddeningly murky. The four major U.S. wireless telecoms — Verizon Wireless, AT&T, T-Mobile and Sprint — all told Motherboard that the new Bloomberg story wasn’t about them, as did cable provider CenturyLink. Bloomberg told the publication that it continued to stand by its story and was “confident in our reporting and sources.”

Security experts continued to tear apart that initial story, though. Patrick Gray, the host of the security podcast Risky Business, delved deep into the story with one of Bloomberg’s few named sources, who said it “didn’t make sense.” The episode won praise from former White House cyber coordinator and current senior NSA official Rob Joyce, who implied that he had no knowledge of the situation. And Dragos founder Robert M. Lee offered a cautionary tale about the reporters behind the story, who he said had written several erroneous stories in the past.

THE CIRCUS IS OVER — A Romanian man accused of being the leader of an international cyber fraud ring that stole more than $4 million was extradited to the U.S. last week, the Justice Department announced Tuesday. Romeo Vasile Chita allegedly led an effort that used malware to steal peoples’ bank account information, passwords and other sensitive personal data. He faces charges of racketeering, wire fraud conspiracy, conspiracy to launder money and conspiracy to traffic in counterfeit services. In all, authorities named eight defendants in an indictment unsealed Tuesday, two of whom have already have been extradited from Romania. The ring operated in the U.S., Romania, Bosnia, Canada, China, Croatia, Hungary, Jordan, Latvia and Malaysia, according to the indictment.

This article originally appeared on