Welcome to the CAVEAT Weekly Newsletter, where we break down some of the major developments and happenings occurring worldwide when discussing cybersecurity, privacy, digital surveillance, and technology policy.
At 1,500 words, this briefing is about a 5-minute read.
At a Glance.
- Hackers find vulnerabilities in voting machines.
- Online children safety bill hits roadblock in House.
DEF CON hackers find vulnerabilities in voting machines but have no time to implement fixes.
The News.
This past weekend, DEF CON held its annual cybersecurity conference in Las Vegas. One event involved participants working to break into the various voting machines that will be used in the upcoming elections. This event, also known as “Voting Village” involved hackers working together from Friday to Sunday to analyze voting equipment and find different methods to potentially compromise these machines.
From this year's event, hackers were able to find “multiple pages” of vulnerabilities. While a full report will be released in the coming weeks to better detail each of these vulnerabilities, Voting Village co-founder, Harri Hursti, stated that the amount of these vulnerabilities discovered was fairly consistent with previous years. However, implementing fixes for these vulnerabilities is not as simple as issuing a patch. After these findings are published, any machine used in at least one United States (US) jurisdiction would need to go through an extensive process to remediate the issue, which will take longer than two to three months to fully fix.
Scott Algeier, the executive director for the Information Technology-Information Sharing and Analysis Center (IT-ISAC) commented on the issue stating that “even if you find a vulnerability next week…there’s a challenge in getting the patch and getting the fix out to the state and local elections officials and onto the equipment before the November election.” Solutions have been proposed to accelerate this process, such as bringing together these hackers and machine designers in a more formalized setting; however, these solutions have yet to be actualized.
The Knowledge.
With Voting Village’s findings, these vulnerabilities add to already heightened concerns surrounding the upcoming 2024 election. For several months now, experts have continued to raise their concerns regarding the upcoming elections as they have highlighted a variety of different attacks that could be used to negatively impact the process. For example, in May, the Senate’s Intelligence Committee held a hearing discussing the potential foreign threats that could target the 2024 elections. In this hearing the directors of the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence, each testified on the matter highlighting the steps that have been taken to secure the elections and what threats still exist. During this hearing, Avril Haines, the Director of National Intelligence, highlighted how Russia, China, and Iran all remain the nation’s most significant foreign election threats. Haines says that out of these three main threat actors, Russia remains the most active, highlighting the nation’s attempts to both erode confidence in US institutions as well as increase political divides.
Misinformation concerns have also increased, especially with the rapid proliferation of artificial intelligence (AI). As AI has continued to become more sophisticated and easier to access, already its potentially negative impacts have been felt. Earlier this year, AI was used to mimic President Biden to convince New Hampshire voters to not vote in the state’s primary elections. While the actor behind these calls was eventually discovered, the incident was reflective of how damaging the technology could potentially be if left unaddressed. While federal agencies and Congress have attempted to address these issues, so far most of the proposed solutions are still being debated or were blocked.
The Impact.
As it currently stands, US election security remains a major topic that has yet to be fully addressed. While security leaders have stated that the US is the most prepared that it has ever been heading into this election, numerous threats and concerns have continued to emerge and remain unsolved.
For people in charge of securing the elections or designing voting equipment, organizations need to be aware of the multitude of threats that will likely be employed to target and undermine these elections. By remaining vigilant and taking as many proactive measures as possible, organizations can better secure these elections and minimize threats. For US voters, people should remain vigilant against misinformation as these elections approach. With foreign actors looking to spread fake news and division, AI will likely be abused to expand these efforts. Voters should understand these concerns and always validate the information they consume to ensure its authenticity before spreading it or forming their opinions.
Kids online safety bill hits roadblock in House.
The News.
Both the Kids Online Safety Act (KOSA) and Children’s Online Privacy Protection Action Act (COPPA 2.0) have hit a roadblock within the House of Representatives after overwhelmingly passing the Senate last month. A House leadership aide commented that these bills “cannot be brought in its current form.” The aide continued stating that “it could lead to censorship of conservative speech, such as pro-life views, is almost certainly unconstitutional, and grants sweeping new authority to unelected bureaucrats at the [Federal Trade Commission].”
With this announcement, the future of these bills is now murky as no amendments to the bills have been proposed at this time. Furthermore, even if the bills were to be amended and passed in the House, the bills would then need to be repassed in the Senate before heading to the President’s desk. Given the overwhelming amount of bipartisan support that the bills had leaving the Senate, the House’s pushback will likely result in significant delays and potentially kill the momentum these bills had only a few weeks ago.
The Knowledge.
This subject gained national attention after a January Senate hearing heard the testimonies of parents whose children were harmed by social media platforms and Senators grilled these companies’ CEOs for answers on how to better protect minors online. For greater context, both KOSA and COPPA 2.0 were passed as a joint package in July by the Senate in a 91-3 vote. KOSA is a bill aimed at increasing the safety of children online by implementing stronger safeguards, increasing parental powers, and requiring greater transparency. The other major bill, COPPA 2.0, serves as an update to the original law passed in 1998, which increased the original bill's scope to now include protections for children under seventeen rather than thirteen, closed loopholes, and updated the law’s definition of personal information.
Despite these most recent setbacks, KOSA advocates have expressed their optimism. Both Senators Blackburn and Blumenthal stated that they were “confident that [KOSA] will be signed into law this year.” However, with the House only having thirteen more voting days before its next break, there is mounting pressure to pass these bills before the recess.
The Impact.
While neither of these bills have made any notable progress since being passed to the House, neither of these bills have been given up on. Even if neither bill is passed before the House goes on break or the upcoming elections are decided, each has seen substantial support from both parties in the Senate and has overwhelming support from parents across the nation.
For social media platforms and other sites that would be included under these bills’ purviews, organizations should examine these bills closely to understand what their new responsibilities would be if passed and ensure that they are in line with these new requirements. Parents passionate about these issues should continue to monitor these laws to understand what their new rights are and how they could impact their children’s presence online.
Other Noteworthy Stories.
What: A new Microsoft report has found that Iran is using fake news and cyberattacks to target the 2024 election.
Why: With this report, Microsoft announced they had discovered an “emergence of significant influence activity by Iranian actors.” Throughout this report, the Microsoft Threat Analysis Center (MTAC) found that Iranian actors are posing as “American extremists” aiming to sow division and incite violence. MTAC highlighted how these actors have also used fake news sites, such as Nio Thinker, to aid in these influence operations on both sides of the political spectrum.
In their report, MTAC stated that these efforts were likely done to “agitate conflict” and create misunderstandings. In response to these reports, Iran’s United Nations mission denied any involvement with these activities.
What: Austrian advocacy group, NOYB, filed a complaint against X accusing the company of training its AI model with user personal data without gaining explicit consent.
Why: On Monday, NOYB announced that it had filed a GDPR complaint with European Union (EU) regulators in nine different EU authorities. This complaint comes a week after X agreed to not train its AI systems using EU user data without consent in an Irish court. However, despite this development, NOYB stated that the previous trial mainly concerned itself with mitigation strategies rather than questioning the legality of the data processing. With this announcement, NOYB stated that “we want to ensure that Twitter fully complies with EU law, which…requires [it] to ask users for consent in this case.”