Media Release: Verified Voting Applauds Rep. Daryl Metcalfe, Rep. Garth Everett and Lt. Col. Anthony Shaffer’s Nonpartisan Call for the Penn. General Assembly to Appropriate Funding to Replace Vulnerable Electronic Voting Machines

Marian K. Schneider: “Election security is a nonpartisan issue and the goal of hardening our voting systems against potential threats is shared across the aisle.” The following is a statement from Marian K. Schneider, president of Verified Voting, formerly Deputy Secretary for Elections and Administration in the Pennsylvania Department of State, following the press conference with Lt. Col. Anthony…

National: DARPA Is Building a $10 Million, Open Source, Secure Voting System | Motherboard

For years security professionals and election integrity activists have been pushing voting machine vendors to build more secure and verifiable election systems, so voters and candidates can be assured election outcomes haven’t been manipulated. Now they might finally get this thanks to a new $10 million contract the Defense Department’s Defense Advanced Research Projects Agency (DARPA) has launched to design and build a secure voting system that it hopes will be impervious to hacking.

The first-of-its-kind system will be designed by an Oregon-based firm called Galois, a longtime government contractor with experience in designing secure and verifiable systems. The system will use fully open source voting software, instead of the closed, proprietary software currently used in the vast majority of voting machines, which no one outside of voting machine testing labs can examine. More importantly, it will be built on secure open source hardware, made from special secure designs and techniques developed over the last year as part of a special program at DARPA. The voting system will also be designed to create fully verifiable and transparent results so that voters don’t have to blindly trust that the machines and election officials delivered correct results.

National: Voting tech creates growing concern for local officials | The Hill

Some voters in Johnson County, Ind., found themselves waiting for hours to cast their ballots in last year’s midterm elections, but not because of a massive surge in turnout or malfunctioning voting machines. What struggled to work were the electronic poll books used to check a voter’s registration, triggering long lines at polling stations. A state investigation determined that the vendor for the e-poll books, Election Systems & Software (ES&S), was responsible for the technical issue, and the Johnson County election board ultimately voted to terminate the contract. ES&S is one of the biggest voting machine vendors in the country. And despite the report’s findings, other counties in Indiana have continued to work with it, including some that recently signed new contracts. Experts told The Hill that the scenario underscores the new issues that local election officials have to consider as they juggle the benefits and security risks of voting technology, particularly in light of heightened concerns over election hacking.

National: State election officials opt for 2020 voting machines vulnerable to hacking | Politico

Election officials in some states and cities are planning to replace their insecure voting machines with technology that is still vulnerable to hacking. The machines that Georgia, Delaware, Philadelphia and perhaps many other jurisdictions will buy before 2020 are an improvement over the totally paperless devices that have generated controversy for more than 15 years, election security experts and voting integrity advocates say. But they warn that these new machines still pose unacceptable risks in an election that U.S. intelligence officials expect to be a prime target for disruption by countries such as Russia and China. The new machines, like the ones they’re replacing, allow voters to use a touchscreen to select their choices. But they also print out a slip of paper with the vote both displayed in plain text and embedded in a barcode — a hard copy that, in theory, would make it harder for hackers to silently manipulate the results. Security experts warn, however, that hackers could still manipulate the barcodes without voters noticing. The National Academies of Sciences, Engineering and Medicine has also warned against trusting the barcode-based devices without more research, saying they “raise security and verifiability concerns.”

National: I Bought Used Voting Machines on eBay for $100 Apiece. What I Found Was Alarming | WIRED

In 2016, I bought two voting machines online for less than $100 apiece. I didn’t even have to search the dark web. I found them on eBay. Surely, I thought, these machines would have strict guidelines for lifecycle control like other sensitive equipment, like medical devices. I was wrong. I was able to purchase a pair of direct-recording electronic voting machines and have them delivered to my home in just a few days. I did this again just a few months ago. Alarmingly, they are still available to buy online. If getting voting machines delivered to my door was shockingly easy, getting inside them proved to be simpler still. The tamper-proof screws didn’t work, all the computing equipment was still intact, and the hard drives had not been wiped. The information I found on the drives, including candidates, precincts, and the number of votes cast on the machine, was not encrypted. Worse, the “Property Of” government labels were still attached, meaning someone had sold government property filled with voter information and location data online, at a low cost, with no consequences. It would be the equivalent of buying a surplus police car with the logos still on it.

National: U.S. Military Steps Up Cyberwarfare Effort | Government Technology

The U.S. military has the capability, the willingness and, perhaps for the first time, the official permission to preemptively engage in active cyberwarfare against foreign targets. The first known action happened as the 2018 midterm elections approached: U.S. Cyber Command, the part of the military that oversees cyber operations, waged a covert campaign to deter Russian interference in the democratic process. It started with texts in October 2018. Russian hackers operating in the Internet Research Agency – the infamous “troll factory” linked to Russian intelligence, Russian private military contractors and Putin-friendly oligarchs – received warnings via pop-ups, texts and emails not to interfere with U.S. interests. Then, during the day of the election, the servers that connected the troll factory to the outside world went down.

National: Election security threats loom as presidential campaigns begin | TechTarget

Never has it been more important to have a mechanism to audit U.S. voting results, but experts say election security risks combined with the weaponization of social media make the task more difficult than ever. The electronic voting systems used in a number of states are a concern for security experts who have seen serious flaws in these systems. If the 2020 U.S. election results are disputed by a candidate, there must be a clear way to show voting results are accurate to ensure a peaceful transition of government, said Avi Rubin, a computer science professor at Johns Hopkins University, during an RSA Conference 2019 session on election hacking. … Ronald Rivest, a professor in MIT’s Cryptography and Information Security research group, said during a separate session at RSA Conference that “keeping it simple with low-tech paper ballots” is the lesson learned over the past decade. We still need to know that the tabulation of those ballots is accurate, via audits, and states like Colorado and Rhode Island are piloting new risk-limiting audit systems, Rivest said.

National: New ‘Hybrid’ Voting System Can Change Paper Ballot After It’s Been Cast | WhoWhatWhy

For years, election security experts have assured us that, if properly implemented, paper ballots and routine manual audits can catch electronic vote tally manipulation. Unfortunately, there is no universal definition of “paper ballot,” which has enabled vendors and their surrogates to characterize machine-marked paper printouts from hackable ballot marking devices (BMDs) as “paper ballots.” Unlike hand-marked paper ballots, voters must print and inspect these machine-marked “paper ballots” to try to detect any fraudulent or erroneous votes that might have been marked by the BMD. The machine-marked ballot is then counted on a separate scanner.

Most independent cybersecurity election experts caution against putting these insecure BMDs between voters and their ballots and instead recommend hand-marked paper ballots as a primary voting system (reserving BMDs only for those who are unable to hand mark their ballots). But vendors and many election officials haven’t listened and are now pushing even more controversial “hybrid” systems that combine both a BMD and a scanner into a single unit. These too are now sold for use as a primary voting system.

Unlike hand-marked paper ballots counted on scanners and regular non-hybrid BMDs, these new hybrid systems can add fake votes to the machine-marked “paper ballot” after it’s been cast, experts warn. Any manual audit based on such fraudulent “paper ballots” would falsely approve an illegitimate electronic outcome. According to experts, the hybrid voting systems with this alarming capability include the ExpressVote hybrid by Election Systems & Software, LLC (ES&S), the ExpressVote XL hybrid by ES&S, and the Image Cast Evolution hybrid by Dominion Voting.

California: Contra Costa County elections detects attempted hacking into system | San Jose Mercury News

An unknown hacker recently tried to access Contra Costa County’s election internet system, according to an email sent by the county’s elections chief. The unsuccessful hacking attempt “fits a pattern of other attempts/attacks that trace back to foreign interests,” Clerk-Recorder and Registrar of Voters Joe Canciamilla wrote, in an internal email to county staff on Friday morning. He said the elections office notified the California Secretary of State’s office, as well as the Department of Homeland Security, about the “attempted intrusion.” “Our security protocols captured and isolated the threat almost immediately,” Canciamilla wrote in the email. It’s unclear when the attack took place. Elections spokesman Paul Burgarino said the investigation into the incident is still in its early stages, but preliminary information indicated the attempt was unsuccessful.

Colorado: Denver Offers Blockchain Voting to Military, Overseas Voters | The Denver Post

The city of Denver will allow thousands of voters to cast their ballots with a smartphone application this year. The pilot program is one of the first U.S. deployments of a phone-based voting system for public elections — but it will only be available to military members and voters living in other countries. The city has invited all of its international voters — about 4,000 people — to use the app in the May 2019 election. The idea of digital voting has been met with skepticism from some elections security experts, but Denver officials say it could make life easier for a limited set of voters. “This pilot enables us to offer that convenience for our military and overseas citizens who have the most difficult time voting and participating in the democratic process here at home,” said Deputy Elections Director Jocelyn Bucaro.

Georgia: Final vote approves new Georgia statewide voting machines | Atlanta Journal Constitution

Legislation to replace Georgia’s electronic voting machines with a touchscreen-and-paper ballot election system is heading to Gov. Brian Kemp for his signature after winning final approval from state lawmakers Thursday. The Georgia House’s 101-69 vote, mostly along party lines, concluded a polarized debate over how to protect democracy and ensure accurate election results. Republicans and Democrats fiercely disagreed over whether voters should use computer-printed ballots or paper ballots bubbled in with a pen. The Republican majority’s decision to go with voting machines and printed ballots comes in time for the system to be in place for next year’s presidential election, when the state’s 7 million registered voters will be eligible to cast their ballots.

The $150 million statewide system that won approval includes the same kind of touchscreens that Georgia voters have been using for the past 17 years. Printers are designed to spit out paper ballots for voters to review and then insert into a scanning machine for tabulation. The state’s current voting machines lack a paper ballot.

Texas: SB9, Election Integrity And Voter Rights | Texas Public Radio

The next time Texans vote in a stateside election will be Super Tuesday, on March 3, 2020. Ten states are expected to hold their primaries and caucuses on Super Tuesday, including three big ones: Texas, California and Virginia. There will be a lot on the line for the national and local primary races in Texas, and voting could look very different on that day … if Senate Bill 9 is passed. SB 9 is also known as the Omnibus Elections Integrity Bill. It’s sponsored by Republican State Sen. Bryan Hughes. And in there is a long list of proposed fixes to the way elections are held and ballots are counted in Texas. Some of the big changes would include a requirement for counties to have a paper-vote receipt trail. Critics of the bill say it does nothing to address the biggest problem with voting in Texas. They say it’s too difficult to register and vote. They complain SB9 would make it even harder to vote.

Europe: Russian hackers target European governments ahead of election: FireEye | CNBC

Russian hackers have targeted European government systems ahead of the EU parliament election, cybersecurity firm FireEye said Thursday. The company found that two state-sponsored hacking groups, APT28 and Sandworm, used spear phishing — the practice of sending out emails designed to look like they’re from a trusted party — in an attempt to obtain government information. FireEye said European government institutions were sent emails with links to websites that appeared to be authentic, luring a person into changing their password and thus sharing their credentials with hackers. APT28, more popularly known as Fancy Bear, is believed to be linked to Russian military intelligence agency GRU and has been labeled as one of the malicious actors behind the 2016 Democratic National Convention hack.

Canada: Several webpages from Elections Canada and MPs lack basic data protections, expert says | CBC

Several Elections Canada webpages and personal websites from MPs don’t have the basic encryption necessary to stop your information from being hacked as it’s sent from point A to point B. Pages to request publications from Elections Canada, as well as the websites of Liberal, Conservative and NDP MPs use an outdated, unprotected chain to carry information you send to them through the network. Liberal Democratic Institutions Minister Karina Gould, Conservative Finance Critic Pierre Poilievre and the NDP’s Ruth Ellen Brosseau had this deficiency on the “contact me” form that asks for personal information — like your email, name and address — before sending feedback to your MP. Gould and other Liberal MPs updated their sites after queries from CBC News. 

Indonesia: Russian, Chinese language Hackers Interfering With Indonesian Presidential Election | Brinkwire

Indonesia has identified China and Russia as sources of an ongoing wave of relentless cyber assaults intended to disrupt the country’s presidential elections on April 17. The attacks originate in Russia and China, said Arief Budiman, head of Indonesia’s General Elections Commission or KPU. Budiman also said some of the cyberattacks are attempts to “manipulate or modify” content. Others aim to create ghost voters, or fake voter identities. “They try to hack our system,” according to Budiman. “Not only every day. Almost every hour,” he said. The KPU head said it remains unclear if the motive of this continuing wave of attacks is “to disrupt Indonesia” or to help one of the candidates win. Incumbent president Joko Widodo is squaring off against Prabowo Subianto, a former special forces general, in the election.

Malta: No more manual counting: is Malta justified in joining the voting future? | Malta Today

Maltese elections are unique in the way hundreds of party activists and canvassers congregate inside the national counting hall to monitor the live count of votes, collecting tallies of the data as it is read out to calculate samples, and hit the Perspex separator wall hard when a vote is incorrectly counted. The process, which usually takes over three days to fully complete, usually delivers a first-count vote tally within 12 hours, but sampling of votes delivers a clear picture of who the winner is within the first hour of sorting. In November of last year, the vote counting hall in Naxxar was transformed to include a fully-functioning electronic system from Idox, a Scottish software company. Their technology will be used for the European Parliament and local council elections in May this year, less than two months from now. E-counting will be used in a bid to speed up the process and to minimise human error. Voting will still be a manual endeavour via a ballot paper.

Switzerland: Experts Find Serious Problems With Switzerland’s Online Voting System | Motherboard

Switzerland made headlines this month for the transparency of its internet voting system when it launched a public penetration test and bug bounty program to test the resiliency of the system to attack. But after source code for the software and technical documentation describing its architecture were leaked online last week, critics are already expressing concern about the system’s design and about the transparency around the public test. Cryptography experts who spent just a few hours examining the leaked code say the system is a poorly constructed and convoluted maze that makes it difficult to follow what’s going on and effectively evaluate whether the cryptography and other security measures deployed in the system are done properly. “Most of the system is split across hundreds of different files, each configured at various levels,” Sarah Jamie Lewis, a former security engineer for Amazon as well as a former computer scientist for England’s GCHQ intelligence agency, told Motherboard. “I’m used to dealing with Java code that runs across different packages and different teams, and this code somewhat defeats even my understanding.”

Ukraine: Security service ready to take on Russian election hackers | AFP

At the headquarters of Ukraine’s SBU more than a dozen local and Western security experts watch a simulated foreign cyber attack on several big screens ahead of this month’s presidential vote. During the joint EU-Ukraine cyber security drills the Westerners pretend to be hackers attacking the country’s central election commission, while the Ukrainians seek to neutralise them. The exercises held in Kiev last week involved around a hundred experts and were part of efforts to prevent arch-foe Russia from interfering in the crucial March 31 election. Ukrainian security officials said they had registered a growing number of distributed denial-of-service attacks and phishing attempts to gain access to computers of the country’s ministries and other state structures in recent months.