Bipartisan group launches effort to improve election security

News roundup: The Defending Digital Democracy project brings together security experts to tackle election security. Plus, government shake-ups could hit cybersecurity, and more.

The former managers of the presidential campaigns for Hillary Clinton and Mitt Romney have teamed up with experts from the technology community and the U.S. government to improve election security measures.

The new bipartisan group, called Defending Digital Democracy (DDD), was formed at Harvard University amid growing concerns about election security and Russian hacking threats. The project will be run by Eric Rosenbach, the former U.S. assistant secretary of defense and current co-director of the Belfer Center for Science and International Affairs, which is one of the organizations at Harvard University sponsoring this initiative. Rosenbach called on Robby Mook, Clinton's former campaign manager from her 2016 run, and Matt Rhoades, who was Romney's campaign manager in 2012, as fellows and to co-lead the group.

According to the Belfer Center, the goal of the Defending Digital Democracy project is "to identify and recommend strategies, tools, and technology to protect democratic processes and systems from cyber and information attacks. By creating a unique and bipartisan team comprised of top-notch political operatives and leaders in the cyber and national security world, DDD intends to offer concrete solutions to an urgent problem."

In an effort to improve election security and to protect against the threats of malicious nation-state and nonstate actors, the group will provide "practical playbooks" that election administrators, election infrastructure providers and campaign organizations can use to bolster cybersecurity. The group also intends to look at the possibility of using blockchain and other emerging technologies to improve election security, specifically electronic voting.

"Americans across the political spectrum agree that political contests should be decided by the power of ideas, not the skill of foreign hackers," Rosenbach said in the statement. "Cyber deterrence starts with strong cyber defense -- and this project brings together key partners in politics, national security, and technology to generate innovative ideas to safeguard our key democratic institutions."

Along with Mook and Rhoades, the Defending Digital Democracy project has recruited the top Democratic and Republican election lawyers as advisers; as well as Google's director of information security and privacy, Heather Adkins; CrowdStrike's co-founder and CTO, Dmitri Alperovitch; the former director of the National Security Agency's Information Assurance Directorate, Debora Plunkett; Facebook's CSO Alex Stamos; and others.

The formation of the Defending Digital Democracy project follows in the wake of politically motivated cyberattacks, such as the phishing attack on Clinton's campaign chairman, John Podesta, as well as the Russian interference with the 2016 U.S. presidential elections. A Senate intelligence committee hearing last month revealed that Russian hackers targeted nearly 50% of states during the 2016 election. While the probing of election systems was detected last year, there is still no evidence that actual votes were changed.

"Cyberattacks on campaigns and elections are a threat to our democracy and affect people of all political stripes," Rhoades said of the DDD project. "Foreign actors could target any political party at any time, and that means we all need to work together to address these vulnerabilities. This project will bring together not just different parties and ideologies, but subject matter experts from cybersecurity, national security, technology and election administration to make a difference."

In other news:

  • Chris Painter, the coordinator for cyberissues at the U.S. Department of State, will leave his position at the end of this month. Painter was appointed in 2011 during the Barack Obama administration and has been widely praised for raising awareness about cybersecurity in the government and abroad. Painter previously worked in cybersecurity at the National Security Council, the FBI and the Department of Justice. Painter announced his resignation around the same time reports emerged that Secretary of State Rex Tillerson will merge the Office of the Coordinator for Cyber Issues with the Bureau of Economic and Business Affairs. This merger would mean a downgrade for Painter's position if the administration fills it after he leaves, cutting off the direct report to Tillerson. This would be part of the larger redesign of the State Department that Tillerson is overseeing. Regardless of the potential changes, the cyberissues office is still responsible for presenting a plan for an international cybersecurity strategy to President Donald Trump, as he mandated in an executive order earlier this year.
  • The Tor Project launched a public bug bounty program to encourage security researchers to report security issues in its products. The Tor Project has partnered with HackerOne on the program and is looking for vulnerabilities in its network daemon and the Tor Browsers. For each Tor component, there are several tiers of rewards available, depending on the vulnerability and its severity. Rewards range from $100 to $3,000 or more. The Tor Project is open source and not for profit, so the reward rates, while competitive, do not match those payouts associated with big companies, like Google and Apple. The Tor Project started its first bug bounty program 18 months ago, but the initial program was private or invite-only. While the private program helped identify three denial-of-service bugs, it was not successful in finding major bugs like a serious zero-day vulnerability in Mozilla's Firefox last year.
  • Oracle released its July 2017 Critical Patch Update (CPU) with a record total of 308 vulnerabilities fixed. This is the highest number of vulnerabilities ever fixed by the company in a quarter. The CPU deals with problems in 22 different Oracle products, including the Database Server, Enterprise Manager, Fusion Middleware, the E-Business Suite and others. More than half of the vulnerabilities addressed in the CPU could have been exploited remotely and without authentication. A CVSS score between 9.0 and 10.0 was assigned to 27 of the vulnerabilities, making them critical. The largest amount of fixed flaws was in the Oracle Hospitality Applications, numbering 48 in all. Previously, the highest number of vulnerabilities in an Oracle CPU was 299 in April 2017.

Next Steps

Find out why security experts fear voting machine hacks

Learn more about the former FBI director's warnings of more election hacking

Check out this podcast on why Voter database hacks triggered election concerns

Dig Deeper on Security operations and management