Student debt relief is not only an election issue in the 2020 race for president, but a problem for HR managers. Some firms, including a hospital in New York, are doing something about it.
Montefiore St. Luke’s Cornwall Hospital began offering a student loan relief program this year for its non-union employees. It employs 1,500 people and provides employees 32 vacation days a year.
Most employees don’t take all that time off, said Dan Bengyak, vice president of administrative services at the not-for-profit medical center with hospitals in Newburgh and Cornwall. He oversees HR, IT and other administrative operations.
In February, the hospital detailed its plan to apply unused paid time off to student debt relief. Employees repaying a Parent PLUS Loan had the option as well. The hospital set two sign-up windows, the first in May. Forty employees signed up. The next window is in November.
The program “has been extremely well received and it definitely has offered us a real competitive advantage in the recruiting world,” Bengyak said. He believes it will help with retention as well.
The maximum employee contribution for student debt relief is $5,000. The hospital also provides tuition help. This combination “offers significant financial assistance” to employees seeking advanced degrees, Bengyak said.
A SaaS platform handles payments
The hospital uses Tuition.io, a startup founded in 2013 and based in Santa Monica, Calif. The platform manages all of the payments to the loan servicers. Employers using the platform pay it a lump sum to cover the cost of the assistance. The employer doesn’t know the amount of the employee’s debt. The platform notifies the employee when a payment is posted.
Payments can be made as a monthly contribution, a lump sum on an employment anniversary or other methods, according to Scott Thompson, CEO at Tuition.io.
Tuition.io also analyzes repayment data, which can show the program’s retention impact, according to Thompson.
“Those individuals who are participating in this benefit stay longer with the employer — they just do,” he said.
About one in five students has over $100,000 in debt and is, by definition, broke, Thompson said. They can’t afford an employer’s 401(k) program or buy a house. Employees with a burdensome loan “are always looking for a new job that pays you more money because you simply have to,” he said.
Legislation in pipeline
The amount of student loan debt is in excess of $1.5 trillion and exceeds credit card and auto debt combined, said Robert Keach, a past president at the American Bankruptcy Institute, in testimony at a recent U.S. House Judiciary Committee hearing on bankruptcy. More than a quarter of borrowers are in delinquency or default, he said. Student loan debt is expected to exceed $2 trillion by 2022.
“High levels of post-secondary education debt correlate with lower earnings, lower rates of home ownership, fewer automobile purchases, higher household financial distress, and delayed marriage and family formation, among other ripple effects,” Keach said.
Congress is considering legislation that may make it easier for firms to help employees with debt. One example is the Employer Participation in Repayment Act, a bill that has bipartisan support in both chambers. It would enable employers to give up to $5,250 annually per employee, tax free.
Election security continues to be a hot topic, as the 2018 midterm elections draw closer. So, the Voting Village at DEF CON 26 in Las Vegas wanted to re-create and test every aspect of an election.
Jake Braun, CEO of Cambridge Global Advisors, based in Arlington, Va., and one of the main organizers of the DEF CON Voting Village, discussed the pushback the event has received and how he hopes the event can expand in the future.
What were the major differences between what the Voting Village had this year compared to last year?
Jake Braun: The main difference is it’s way bigger. And we’ve got, end to end, the voting infrastructure. We’ve got voter registration, a list of voters in the state of Ohio that are in a cyber range that’s basically like a county clerk’s network. Cook County, Illinois, their head guy advised us on how to make it realistic [and] make it like his network. We had that, but we didn’t have the list of voters last year.
That’s the back end of the voter process with the voter infrastructure process. And then we’ve got machines. We’ve got some new machines and accessories and all this stuff.
Then, on the other end, we’ve got the websites. This is the last piece of the election infrastructure that announces the results. And so, obviously, we’ve got the kids hacking the mock websites.
What prompted you to make hacking the mock websites an event for the kids in R00tz Asylum?
Braun: It was funny. I was at [RSA Conference], and we’ve been talking for a long time about, how do we represent this vulnerability in a way that’s not a waste of time? Because the guys down in the [Voting Village], hacking websites is not interesting to them. They’ve been doing it for 20 years, or they’ve known how to do it for 20 years. But this is the most vulnerable part of the infrastructure, because it’s [just] a website. You can cause real havoc.
I mean, the Russians — when they hacked the Ukrainian website and changed it to show their candidate won, and the Ukrainians took it down, fortunately, they took it down before anything happened. But then, Russian TV started announcing their candidate won. Can you imagine if, in November 2020, the Florida and Ohio websites are down, and Wolf Blitzer is sitting there on CNN saying, ‘Well, you know, we don’t really know who won, because the Florida and Ohio websites are down,’ and then RT — Russian Television — starts announcing that their preferred candidate won? It would be chaos.
Anyway, I was talking through this with some people at [RSA Conference], and I was talking about how it would be so uninteresting to do it in the real village or in the main village. And the guy [I was talking to said], ‘Oh, right. Yeah. It’s like child’s play for them.’
I was like, ‘Exactly, it’s child’s play. Great idea. We’ll give it to R00tz.’ And so, I called up Nico [Sell], and she was like, ‘I love it. I’m in.’ And then, the guys who built it were the Capture the Packet guys, who are some of the best security people on the planet. I mean, Brian Markus does security for … Aerojet Rocketdyne, one of the top rocket manufacturers in the world. He sells to [Department of Defense], [Department of Homeland Security] and the Australian government. So, I mean, he is more competent than any election official we have.
The first person to get in was an 11-year-old girl, and she got in in 10 minutes. Totally took over the website, changed the results and everything else.
How did it go with the Ohio voter registration database?
Braun: The Secretaries of State Association criticized us, [saying], ‘Oh, you’re making it too easy. It’s not realistic,’ which is ridiculous. In fact, we’re protecting the voter registration database with this Israeli military technology, and no one has been able to get in yet. So, it’s actually probably the best protected list of voters in the country right now.
Have you been able to update the other machines being used in the Voting Village?
Braun: Well, a lot of it is old, but it’s still in use. The only thing that’s not in use is the WinVote, but everything else that we have in there is in use today. Unlike other stuff, they don’t get automatic updates on their software. So, that’s the same stuff that people are voting on today.
Have the vendors been helpful at all in providing more updated software or anything?
Braun: No. And, of course, the biggest one sent out a letter in advance to DEF CON again this year saying, ‘It’s not realistic and it’s unfair, because they have full access to the machines.’
Do people think these machines are kept in Fort Knox? I mean, they are in a warehouse or, in some places, in small counties, they are in a closet somewhere — literally. And, by the way, Rob Joyce, the cyber czar for the Trump administration who’s now back at NSA [National Security Agency], in his talk [this year at DEF CON, he basically said], if you don’t think that our adversaries are doing exactly this all year so that they know how to get into these machines, your head is insane.
The thing is that we actually are playing by the rules. We don’t steal machines. We only get them if people donate them to us, or if we can buy them legally somehow. The Russians don’t play by the rules. They’ll just go get them however they want. They’ll steal them or bribe people or whatever.
They could also just as easily do what you do and just get them secondhand.
Braun: Right. They’re probably doing that, too.
Is there any way to test these machines in a way that would be acceptable to the manufacturers and U.S. government?
Braun: The unfortunate thing is that, to our knowledge, the Voting Village is still the only public third-party inspection — or whatever you want to call it — of voting infrastructure.
The vendors and others will get pen testing done periodically for themselves, but that’s not public. All these things are done, and they’re under [nondisclosure agreement]. Their customers don’t know what vulnerabilities they found and so on and so forth.
So, the unfortunate thing is that the only time this is done publicly by a third party is when it’s done by us. And that’s once a year for two and a half days. This should be going on all year with all the equipment, the most updated stuff and everything else. And, of course, it’s not.
Braun: Yes. This is why DEF CON is so great, because everybody is here. I was just talking to them yesterday, and they were like, ‘Hey, can you get us the report as soon as humanly possible? Because we want to take it into consideration as we are putting together our guidelines.’ And they said they used our report last year, as well.
How have the election machines fared against the Voting Village hackers this year?
Braun: Right, of course, they were able to get into everything. Of course, they’re finding all these new vulnerabilities and all this stuff.
The greatest thing that I think came out of last year was that the state of Virginia wound up decommissioning the machine that [the hackers] got into in two minutes remotely. They decommissioned that and got rid of the machine altogether. And it was the only state that still had it. And so, after DEF CON, they had this emergency thing to get rid of it before the elections in 2017.
What’s the plan for the Voting Village moving forward?
Braun: We’ll do the report like we did last year. Out of all the guidelines that have come out since 2016 on how to secure election infrastructure, none of them talk about how to better secure your reporting websites or, since they are kind of impossible to secure, what operating procedures you should have in place in case they get hacked.
So, we’re going to include that in the report this year. And that will be a big addition to the overall guidelines that have come out since 2016.
And then, next year, I think, it’s really just all about, what else can we get our hands on? Because that will be the last time that any of our findings will be able to be implemented before 2020, which is, I think, when the big threat is.
A DEF CON spokesperson said that most of the local officials that responded and are attending have been from Democratic majority counties. Why do you think that is?
Braun: That’s true, although [Neal Kelley, chief of elections and registrar of voters for] Orange County, attended. Orange County is pretty Republican, and he is a Republican.
But I think it winds up being this functionally odd thing where urban areas are generally Democratic, but because they are big, they have a bigger tax base. So then, the people who run them have more money to do security and hire security people. So, they kind of necessarily know more about this stuff.
Whereas if you’re in Allamakee County, Iowa, with 10,000 people, the county auditor who runs the elections there, that guy or gal — I don’t know who it is — but they are both the IT and the election official and the security person and the whatever. You’re just not going to get the specialized stuff, you know what I mean?
Do you have any plans to try to boost attendance from smaller counties that might not be able to afford sending somebody here or plans on how to get information to them?
Braun: Well, that’s why we do the report. This year, we did a mailing of 6,600 pieces of mail to all 6,600 election officials in the country and two emails and 3,500 live phone calls. So, we’re going to keep doing that.
And that’s the other thing: We just got so much more engagement from local officials. We had a handful come last year. We had several dozen come this year. None of them were public last year. This year, we had a panel of them speaking, including DHS [Department of Homeland Security].
So, that’s a big difference. Despite the stupid letter that the Secretary of State Association sent out, a lot of these state and local folks are embracing this.
And it’s not like we think we have all the answers. But you would think if you were in their position and with how cash-strapped they are and everything, that they would say, ‘Well, these guys might have some answers. And if somebody’s got some answers, I would love to go find out about those answers.’
Election system security was compromised by the installation of remote access software on systems over the span of six years, a vendor admitted in a letter to a senator.
Election Systems & Software (ES&S), a voting machine manufacturer based in Omaha, Neb., admitted it installed the flawed PCAnywhere remote access software on its election management system (EMS) workstations for a “small number of customers between 2000 and 2006,” according to a letter sent to Sen. Ron Wyden (D-Ore.) that was obtained by Motherboard.
The PCAnywhere source code was stolen from Symantec servers in 2006, which left the software exposed to attackers who could study the code for flaws. After further problems surfaced in 2012, Symantec advised users to uninstall the program, and it officially reached end of life in 2014.
ES&S had previously denied knowledge of the use of remote access software on its election management systems, but told Wyden about the vulnerable software that could have put voting machine security at risk. ES&S wrote that it stopped installing the PCAnywhere software in December 2007 due to new policies enacted by the Election Assistance Commission regarding voting machine security.
Gene Shablygin, CEO and founder of WWPass, an identity and access management company based in Manchester, N.H., said the actions by ES&S were “pretty consistent with the overall state of computer security” for the time.
“Today, these technologies and general approaches are totally unacceptable, and must be completely reworked. The last decade especially, was the period of explosive growth of hacking technologies, and the defensive side of many systems was left in the dust. So, most of the systems that are still in use — and voting systems are no exception — have multiple vulnerabilities, some of which are zero-day, or not yet discovered,” Shablygin wrote via email. “You can’t stop progress, and sooner or later, remote voting will become a matter of everyday life.”
Lane Thames, senior security researcher at Tripwire, agreed that the failures of ES&S with election system security shouldn’t be surprising, “especially during the 2000 to 2007 timeframe when cybersecurity was hardly ever on the roadmap for companies producing computing systems.”
“Another concerning point is the underlying arguments that imply the devices built from 2000 to 2007 are still in use. As with many critical infrastructure systems, costs can prohibit frequent hardware refresh cycles,” Thames wrote via email. “As such, many voting machines are likely to contain older operating systems and other software with many vulnerabilities due to these systems not being able to be updated with operating system patches and such. This is a challenging problem we face with all of our critical infrastructure, with very few good solutions at this time.”
ES&S did not respond to requests for comment and it is unclear if the affected election systems were ever fixed or if they are still in use.
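The finding above is about a remote-control service sitting on an election management workstation that is supposed to be isolated. As an added example of the kind of host check an auditor could run to catch that (this is not ES&S’s code and is not from the article), the script below parses the text output of Windows `netstat -ano` and `tasklist`, joins listening sockets to process names by PID, and flags anything matching remote-access defaults. The port numbers (pcAnywhere TCP 5631 and UDP 5632, RDP 3389, VNC 5900) and process names (awhost32.exe, winvnc.exe, teamviewer.exe) are assumptions taken from vendor defaults, and the command output is constructed for the example, not captured from a real EMS.

```python
"""Flag remote-access listeners on a Windows election management workstation.

Added example, not from the article or from ES&S. An EMS that is meant to be
air-gapped should have no remote-control service listening at all, so the
check is simple: parse `netstat -ano` and `tasklist`, join on PID, and report
any listener whose port or process name matches a remote-access product.
Ports and process names are assumptions from vendor defaults; the sample
command output below is constructed.
"""
import re
from typing import Dict, List, NamedTuple

# Assumed defaults: pcAnywhere used TCP 5631 (data) and UDP 5632 (status).
REMOTE_ACCESS_PORTS: Dict[int, str] = {
    5631: "pcAnywhere data", 5632: "pcAnywhere status", 3389: "RDP", 5900: "VNC",
}
# Assumed process names; awhost32.exe was the pcAnywhere host service.
REMOTE_ACCESS_PROCESSES: Dict[str, str] = {
    "awhost32.exe": "pcAnywhere host", "winvnc.exe": "VNC server",
    "teamviewer.exe": "TeamViewer",
}


class Listener(NamedTuple):
    proto: str
    port: int
    pid: int


# netstat -ano rows: proto, local addr:port, foreign addr, [state], pid.
# UDP rows carry no state column, so the state group is optional.
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# tasklist rows: image name (may contain spaces), pid, session, session#, mem usage.
TASKLIST_ROW = re.compile(r"^(.*?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+\s*K\s*$")


def parse_netstat(text: str) -> List[Listener]:
    """Return TCP sockets in LISTENING state plus all bound UDP sockets."""
    listeners = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if not m:
            continue
        proto, _addr, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing sockets are not listeners
        listeners.append(Listener(proto, int(port), int(pid)))
    return listeners


def parse_tasklist(text: str) -> Dict[int, str]:
    """Map PID -> image name from tasklist output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def find_remote_access_listeners(netstat_text: str, tasklist_text: str) -> List[dict]:
    """Join listeners to processes and return those that look like remote access."""
    procs = parse_tasklist(tasklist_text)
    findings = []
    for lst in parse_netstat(netstat_text):
        proc = procs.get(lst.pid, "<unknown pid>")
        reasons = []
        if lst.port in REMOTE_ACCESS_PORTS:
            reasons.append(f"{lst.proto} {lst.port} is the default port for {REMOTE_ACCESS_PORTS[lst.port]}")
        if proc.lower() in REMOTE_ACCESS_PROCESSES:
            reasons.append(f"process {proc} is a {REMOTE_ACCESS_PROCESSES[proc.lower()]}")
        if reasons:
            findings.append({"proto": lst.proto, "port": lst.port, "pid": lst.pid,
                             "process": proc, "reasons": reasons})
    return sorted(findings, key=lambda f: f["port"])


# Constructed sample output (not captured from a real system).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING       2312
  TCP    10.1.2.5:49200         10.1.2.9:445           ESTABLISHED     4
  TCP    [::]:5901              [::]:0                 LISTENING       3100
  UDP    0.0.0.0:5632           *:*                                    2312
  UDP    0.0.0.0:123            *:*                                    1044
"""
SAMPLE_TASKLIST = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0        148 K
svchost.exe                    812 Services                   0      9,212 K
svchost.exe                   1044 Services                   0      3,100 K
awhost32.exe                  2312 Console                    1     14,880 K
winvnc.exe                    3100 Console                    1      6,420 K
"""

if __name__ == "__main__":
    for f in find_remote_access_listeners(SAMPLE_NETSTAT, SAMPLE_TASKLIST):
        print(f"{f['proto']} {f['port']} pid {f['pid']} ({f['process']}): " + "; ".join(f["reasons"]))
```

On a real workstation the two strings would come from `subprocess.check_output(["netstat", "-ano"], text=True)` and the same for `tasklist`; a clean, isolated EMS should produce an empty list, and anything it does return should be reconciled against the vendor’s documented configuration before the machine is used. Note the VNC process here is caught by name even though it listens on a non-default port, which is why the PID join is worth the extra parsing.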
Fixing voting machine security
Voting machine security had already been shown to be in a troubling state after hackers at the DEF CON Voting Village in 2017 were able to compromise every system tested within just a few days.
Sean Newman, director of product management at Corero Network Security, said the news about PCAnywhere will make “little difference” in the likelihood of finding other election system security issues.
“They run software and, if they have any kind of internet connectivity, even for managing the voting system/process itself, then there’s a reasonable chance that vulnerabilities exist, which could provide unauthorized users with the ability to have an impact on the normal operation of the system,” Newman wrote via email. “The focus should be for vendors, like ES&S, to ensure they use secure coding practices to develop the software for such systems and avoid any need to expose such systems to the public Internet.”
Jonathan Sander, CTO at Stealthbits Technologies, noted that government “pressures to do everything cheaply and with world class, state actor proof security are in tension” when it comes to election system security and outside audits are needed.
“Every system charged with securing our government’s processes — a.k.a. protecting our collective benefit — should be open to large security audits. To sell anything to the federal government you need to go through tons of certifications. But that’s not enough,” Sander wrote via email. “Bug bounties to get the hacker community to find vulnerabilities, open review at a source level for all solutions to be used in government, and mandatory standards for any remote access features should be table stakes for putting in systems like this.”
Thames noted that a major issue is that “although the U.S. electoral infrastructure is part of the nation’s critical infrastructure, it is still largely up to local and state agencies to ultimately enforce security of the systems.”
“Herein lies another challenging problem. Local and state agencies likely have little to no expertise or budget for securing their voting systems. Every time I go to the voting polls, I see mostly volunteers with a few dedicated staff. Most volunteers at the polls will not have experience with cyber and/or physical security issues related to voting machines,” Thames wrote. “Moreover, the nation already has a significant deficit for staffing our cyber security departments, in both government and industry. Funding will likely need to be increased, somehow, for local and state government agencies in order to provide adequate security for our voting systems.”
Two senators introduced a new election security bill with the aim of providing assistance to states in order to protect against cyberattacks on voting infrastructure.
The bipartisan bill — the Securing America’s Voting Equipment (SAVE) Act — was put forward by Senators Susan Collins (R-Maine) and Martin Heinrich (D-N.M.). The aim of the bill, according to Collins, is to “assist states in protecting the integrity of their voting systems.”
“Our bill seeks to facilitate the information sharing of the threats posed to state election systems by foreign adversaries, to provide guidance to states on how to protect their systems against nefarious activity and, for states who choose to do so, to allow them to access some federal grant money to implement best practices to protect their systems,” Collins said on the Senate floor.
Collins said that she knew of “no evidence to date that actual vote tabulations were manipulated in any state” during the 2016 U.S. election, but noted that the FBI and Department of Homeland Security (DHS) found 21 states had election systems probed by Russian hackers.
“Our democracy hinges on protecting Americans’ ability to fairly choose our own leaders. We must do everything we can to protect the security and integrity of our elections,” Sen. Heinrich said in a public statement. “The SAVE Act would ensure states are better equipped to develop solutions and respond to threats posed to election systems. Until we set up stronger protections of our election systems and take the necessary steps to prevent future foreign influence campaigns, our nation’s democratic institutions will remain vulnerable.”
Requirements of the SAVE Act
According to the announcement, the SAVE Act would require the Director of National Intelligence to grant security clearances to each chief state election official — usually the secretary of state — and to share all “appropriate classified information with those state officials to protect election systems from security threats.”
The SAVE Act would also classify state-run election systems as critical infrastructure and require DHS to work with states to ensure election security.
Prior to the 2016 U.S. presidential election, the DHS offered to aid states with election security and Jeh Johnson, former secretary of Homeland Security, claimed 18 states had accepted that offer.
The SAVE Act would also call for the creation of the “Cooperative Hack the Election” program which would essentially be a bug bounty program for electronic voting systems.
The DEF CON team, which has offered to help election officials test voting equipment, did not respond to requests for comment at the time of this post.
Mike Pittenger, vice president of security strategy at Black Duck, said he thought a bug bounty program would help “build more secure voting machines, assuming the bounties are attractive,” but wanted more information on the SAVE Act.
“The other point to remember is that security is ephemeral. A secure application can become a ripe target overnight if a new vulnerability is disclosed and not remediated. We saw this with Equifax. How can we ensure that every device is updated?” Pittenger told SearchSecurity. “I do worry about designating this as critical infrastructure, however, if it requires that all states and local governments use electronic voting, even if a variety of choices are available.”
At the DEF CON conference in July, Barbara Simons, former president of the Association for Computing Machinery and president of Verified Voting, a non-partisan, non-profit organization that promotes laws and regulations supporting the accuracy, transparency and verifiability of elections, said risk-limiting audits are an essential part of confirming election results. Such audits are very difficult with electronic voting systems and far more effective with paper ballots, she said.
While the SAVE Act calls for audits of election systems for states that receive federal grant money, there are no stipulations for auditing actual election results.
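Risk-limiting audits, mentioned above, are a concrete statistical procedure, so here is an added example of the simplest form, a ballot-polling audit using the BRAVO sequential test (Lindeman, Stark and Yates, 2012). It is not code from the article, from Verified Voting or from the SAVE Act; it assumes a two-candidate contest, uses a constructed pool of 10,000 ballots, and its function names (`bravo_stop_index`, `draw_sample`, `stop_rate`) are arbitrary. What it shows that the paragraph does not: the procedure needs individually retrievable ballots to read, which is why paper matters; a wide reported margin needs only a handful of ballots; and when the reported outcome is actually wrong the audit rarely stops early, which is the risk limit in action.

```python
"""Ballot-polling risk-limiting audit for a two-candidate contest (BRAVO).

Added example, not code from the article or from Verified Voting. A
risk-limiting audit hand-reads randomly drawn paper ballots and stops as soon
as the sample gives strong evidence that the reported winner really won. The
guarantee: if the reported outcome is wrong, the audit goes to a full hand
count with probability at least 1 - risk_limit. BRAVO's sequential
probability ratio test: each ballot for the reported winner multiplies the
test statistic by 2*s, each ballot for the loser by 2*(1-s), where s is the
reported winner share; stop when the statistic reaches 1/risk_limit.
The ballot pools used here are constructed.
"""
import random
from typing import Iterable, List, Optional, Sequence


def bravo_stop_index(sample: Iterable[str], reported_winner_share: float,
                     risk_limit: float, winner: str = "A", loser: str = "B") -> Optional[int]:
    """Return how many sampled ballots were needed before the audit could stop,
    or None if the whole sample was read without reaching the threshold."""
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner share must be in (0.5, 1)")
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk limit must be in (0, 1)")
    threshold = 1.0 / risk_limit
    ratio = 1.0  # likelihood ratio: "reported share is right" vs "it is a tie"
    for n, ballot in enumerate(sample, start=1):
        if ballot == winner:
            ratio *= 2.0 * reported_winner_share
        elif ballot == loser:
            ratio *= 2.0 * (1.0 - reported_winner_share)
        # ballots for neither candidate (undervotes) carry no evidence
        if ratio >= threshold:
            return n
    return None


def draw_sample(ballots: Sequence[str], size: int, rng: random.Random) -> List[str]:
    """Draw ballots uniformly with replacement, as ballot-polling audits do."""
    return [rng.choice(ballots) for _ in range(size)]


def stop_rate(true_winner_share: float, reported_winner_share: float,
              risk_limit: float, trials: int = 300, max_ballots: int = 500,
              seed: int = 1) -> float:
    """Simulate many audits of a constructed 10,000-ballot contest whose true
    winner share is true_winner_share, and return the fraction that stopped
    within max_ballots. If the true share is below 0.5 the reported outcome is
    wrong, so this fraction is the observed risk; BRAVO bounds it by risk_limit."""
    rng = random.Random(seed)
    n_winner = int(round(10_000 * true_winner_share))
    ballots = ["A"] * n_winner + ["B"] * (10_000 - n_winner)
    stopped = 0
    for _ in range(trials):
        sample = draw_sample(ballots, max_ballots, rng)
        if bravo_stop_index(sample, reported_winner_share, risk_limit) is not None:
            stopped += 1
    return stopped / trials


if __name__ == "__main__":
    # A 70/30 reported result at a 10% risk limit clears on 7 straight winner ballots.
    print("ballots needed, 70/30:", bravo_stop_index("A" * 20, 0.70, 0.10))
    print("ballots needed, 60/40:", bravo_stop_index("A" * 20, 0.60, 0.10))
    print("stop rate, outcome correct:", stop_rate(0.70, 0.70, 0.10))
    print("stop rate, outcome wrong:  ", stop_rate(0.45, 0.70, 0.10))
```

The narrow-margin case is the expensive one: at 60/40 the statistic grows by 1.2 per winner ballot instead of 1.4, so nearly twice as many ballots are needed, and real audits sample until the threshold is met or escalate to a full count. Nothing here works without a physical ballot to pull and read for each draw, which is the point Simons makes about electronic-only systems.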
“If we are talking about vote integrity, the major shortcoming of any electronic voting system is an independent, auditable record. With paper voting, someone could miscount ballots or ‘stuff the ballot box.’ It’s not perfect, but when an election is over we can match the records of individuals who registered, and rescan and recount the paper ballots,” Pittenger said. “With electronic voting, we have an electronic audit trail, but any competent criminal would cover their tracks.”