Verified Voting Blog: Counting Votes May 16 2019

In her testimony at an election security hearing before the Committee on House Administration last week, Verified Voting President Marian Schneider joined advocates and election officials in calling on Congress to help states and local jurisdictions replace aging voting systems, conduct risk-limiting audits and enhance election infrastructure security. In order to prepare for 2020, Congress must provide “adequate financial investment in cyber security best practices, replacement equipment and post-election audit processes … immediately and continue at a sustainable level moving forward.”

Writing in Governing, Graham Vyse highlighted the significant bipartisan agreement between the two secretaries of state who testified, Jocelyn Benson (D-MI)and John Merrill (R-AL) on efforts needed to address emerging threats to election security. Along with all the witnesses, the state election officials agreed that more federal funding for election security was needed. Significantly the witnesses were also unanimous in recommending the replacement of direct recording electronic voting machines with paper ballot voting system and conducting post-election ballot audits.

Two days after the hearing, House Homeland Security Committee Chairman Bennie Thompson (D-MS), House Administration Committee Chairwoman Zoe Lofgren (D-CA) and Rep. John Sarbanes (D-MD), the chairman of the Democracy Reform Task Force reintroduced The Election Security Act. Aimed at reducing risks posed by cyberattacks by foreign entities or other actors against U.S. election systems, the bill would establish cybersecurity standards for voting system vendors and require states to use paper ballots during elections.

The resignation of the Election Assistance Commission’s head of voting system testing and certification reflects an agency crisis according to Politico’s Morning Cybersecurity. Macias’ departure may be related to an exchange  at an EAC field hearing, when Commissioner Christy McCormick repeatedly asked Macias why EAC commissioners didn’t have final approval over the details of federal voting system standards. After Macias leaves on May 17, the EAC will have only one employee working full-time on assessing voting machines based on federal standards former Colorado voting security expert Jerome Lovato, who, according to an email obtained by CyberScoop, the EAC has appointed Lovato to replace Macias. The EAC’s internal announcement cited Lovato’s experience testing and piloting voting systems and his familiarity with risk-limiting audits. He previously worked for a decade as a voting systems specialist at the Colorado Secretary of State’s office.

Sen. Ron Wyden (D-OR) has contacted VR Systems, the Florida voter-registration software maker that the FBI apparently believes Russia hacked, asking if “the company ever engaged a third party to conduct a forensic examination of its computer networks and systems since the hacking assertions first came to light after the 2016 election”. As Kim Zetter reports in Politico, VR Systems, insists it wasn’t hacked, referencing an analysis by FireEye to claim there was never an intrusion in VR System’s EVID servers or network. A separate FBI investigation indicated that malware was installed on the network of a vendor fitting VR Systems’ description.

After a briefing last Friday with the FBI and DHS, Florida Gov. Ron DeSantis, revealed that, according to the Müller investigation, election information in two Florida counties was accessed by Russian hackers in 2016.

International: Cyber security: This giant wargame is preparing for the next big election hack | ZDNet

A giant cyber-defence exercise has pitted teams from NATO nations against mysterious hackers trying to cause chaos during the elections of a small, fictional, country. The aim of the annual Locked Shields exercise is to give teams the chance to practice protection of national IT systems and critical infrastructure under the intense pressure of a severe cyberattack. The event organised by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE), which describes the event as the largest and most advanced international live-fire cyber exercise in the world. According to the Locked Shields scenario, the fictional island country of Berylia finds itself under a cyber attack just as the country is conducting national elections. The coordinated attacks aim to disrupt water purification systems, the electric power grid, 4G public safety networks, and other critical infrastructure components. The cyber attacks also attempt to undermine the trust in the election result -- leading to public unrest.

National: Feds say Russian 2016 election meddling spanned all US states | Naked Security

A multi-agency report has strengthened claims that Russia meddled with election systems in all 50 US states during the last presidential race. The report is called a joint intelligence bulletin (JIB), and it comes from the Department of Homeland Security and the FBI. It is an unclassified document intended for internal distribution to state and local authorities. Intelligence newsletter OODA Loop reports that the JIB reveals stronger evidence of Russian interference. Agencies believe that Russian agents targeted more than the 21 states initially suspected. According to the bulletin:

Russian cyber actors in the summer of 2016 conducted online research and reconnaissance to identify vulnerable databases, usernames, and passwords in webpages of a broader number of state and local websites than previously identified, bringing the number of states known to be researched by Russian actors to greater than 40.

Although there are some gaps in the data, the bulletin claims “moderate confidence” that Russia conducted “at least reconnaissance” against all US states because its research was so methodical, it added.

National: Inside the Russian effort to target Sanders supporters — and help elect Trump | The Washington Post

After Bernie Sanders lost his presidential primary race against Hillary Clinton in 2016, a Twitter account called Red Louisiana News reached out to his supporters to help sway the general election. “Conscious Bernie Sanders supporters already moving towards the best candidate Trump! #Feel the Bern #Vote Trump 2016,” the account tweeted. The tweet was not actually from Louisiana, according to an analysis by Clemson University researchers. Instead, it was one of thousands of accounts identified as based in Russia, part of a cloaked effort to persuade supporters of the senator from Vermont to elect Trump. “Bernie Sanders says his message resonates with Republicans,” said another Russian tweet. While much attention has focused on the question of whether the Trump campaign encouraged or conspired with Russia, the effort to target Sanders supporters has been a lesser-noted part of the story. Special counsel Robert S. Mueller III, in a case filed last year against 13 Russians accused of interfering in the U.S. presidential campaign, said workers at a St. Petersburg facility called the Internet Research Agency were instructed to write social media posts in opposition to Clinton but “to support Bernie Sanders and then-candidate Donald Trump.” That strategy could receive new attention with the release of Mueller’s report, expected within days.  

Editorials: Good, bad and ambiguous in Georgia’s new voting system | Wenke Lee/Atlanta Journal Constitution

Although I’m pleased the Georgia General Assembly acted quickly this session to address flaws in our current voting equipment, I remain concerned that, overall, our state has chosen the less-secure, more-cumbersome, costly option and that too many details — essential for election security and voter confidence — are still undefined. First, let’s review what’s right about HB 316 and what Georgia gained. It requires: pre-certification election audits to validate initial outcomes; “voting in absolute secrecy;” that voting equipment produce a paper record in a format readable by humans, and that equipment will “mark correctly and accurately.” I’m also pleased that voter education is part of this bill, in the albeit very modest stipulation that poll workers post signs reminding voters to read, review, and verify paper printouts before casting their final votes. What’s bad about HB 316 is what it could have accomplished but did not: human-readable, hand-marked paper ballots — by far the most cost-effective and cybersecure method of voting. Instead, it establishes a system where electronic ballot markers (EBMs) are used to generate a paper receipt of voter selections — rather than a hand, holding a pen to paper. Overwhelmingly, citizens, computer scientists, cybersecurity experts, and nonpartisan groups recommended and requested hand-marked paper ballots in Georgia over any other method. I am baffled as to why state lawmakers repeatedly ignored such an overwhelming cry.

Editorials: Georgia’s voting system must be secure, accessible, auditable | David Becker and Michelle Bishop/Atlanta Journal Constitution

Russia attacked our election infrastructure and spread disinformation in the 2016 election, and continues to interfere in our elections. While there remains zero evidence that any votes in any election have been changed, Russia achieved its goal of dividing this country and reducing Americans’ confidence in their democracy. Russia’s efforts are likely to continue through 2020, and it is critical now more than ever that we come together to secure our democratic systems, upgrade outdated voting technology, and improve auditing ballots post-election, to ensure that every eligible American is able to cast their ballots accurately and with confidence. There is a consensus among the intelligence community and cybersecurity experts that human-readable paper ballots, which can be audited by comparing them to the official tally of votes, are necessary to secure our elections. As a result, states such as Georgia are responding — moving toward paper-based voting systems for 2020 and planning for more robust audits to ensure the count is accurate, regardless of foreign interference.There are basically two types of voting systems that accommodate paper ballots. The most common are hand-marked ballots, where the voter fills in a bubble or connects an arrow. These ballots are then fed into a scanner that is programmed to read those handmade marks as votes in particular races, and those votes are tabulated to determine the winner. These systems have some advantages – they are considered cheaper by some (at first, though the costs of printing ballots adds up over time, and the cost benefits, if any, shrink), and voters are familiar with them.

Missouri: St. Louis County Board Of Elections Gearing Up For Upgrades | St. Louis Public Radio

The St. Louis County Board of Elections is upgrading its voting equipment for the upcoming 2020 elections. The county has roughly 1,800 touch voting machines and 500 optical scan paper ballot tabulators that have had their fair share of wear and tear, and the software is now out of date. Eric Fey, the Democratic director of elections for the St. Louis County Board, said the last time county voters had new voting equipment was in 2005. “Although the equipment is 100% accurate, we have to replace components more often,” Fey said. “It’s very hard to get replacement parts. And then with the software, the programming of the ballot, the tabulation of the ballots is very labor intensive.” Currently, the board of elections is holding public demonstrations with three contenders including Dominion, Hart InterCivic and the county’s current vendor Election Systems & Software.

New York: Oversight Committee head calls for halt on voting machines | New York Post

The chair of the City Council’s Oversight and Investigations Committee is calling for a halt to the Board of Elections’ plan to use machines supplied by a company with a spotty record for this fall’s early voting. “I’m against rigging the process in favor of a contractor with a dubious track record,” said Councilman Ritchie Torres (D-Bronx). Election Systems & Software came under fire after its ballot scanners reportedly jammed at polling places across the city in November’s elections. “There needs to be an investigation of the performance and conflicts of interest involving ES&S. There should be a competitive bidding process,” Torres said. BOE Executive Director Michael Ryan is also on the hot seat after it was revealed last year that he failed to report several posh business trips paid for by ES&S. He subsequently stepped down from an unpaid gig on the contractor’s advisory board.

Ohio: Heading off hackers: Ohio weighs Cyber Force | Dayton Daily News

In January, Akron suffered a “ransomware” attack when hackers shut down the city’s 311 non-emergency phone call system just as city plows were being deployed during a snowstorm. To undo the damage, hackers gave the city a demand: A five-figure sum.Ohio lawmakers are considering legislation — Senate Bill 52 — to deal with that kind of scenario in what they say will be a quick and organized way: The legislation would create a civilian force of 50 to 100 professionals across the state who would work to prevent such attacks and respond when they happen.RELATED: Ohio looks to set up a cyber reserve to fight, prevent attacks The all-volunteer Ohio Cyber Reserve would operate under Maj. Gen. John Harris, the Ohio adjutant general who commands the Army National Guard and the Air National Guard.“There’s so much cyber talent working out there in industry, in business and quite frankly in some municipalities, but we have no way to orchestrate that or organize that,” Harris said in an interview.

Pennsylvania: Philadelphia controller subpoenas city elections officials over voting machine decision | Philadelphia Inquirer

Philadelphia City Controller Rebecca Rhynhart last week subpoenaed the city’s elections officials for documents related to the controversial selection of new voting machines. Rhynhart’s subpoena is the most-pointed official effort known to date to obtain information about a voting machine selection process that critics have decried as opaque, lacking true public input, and biased. The items requested in the subpoena, dated April 1, include copies of all proposals received, the names of all committee members who scored them, and copies of those evaluations. The information was originally due by Tuesday, but the City Commissioners’ Office was granted an extension. (The new deadline was unclear Thursday; the Controller’s Office declined to comment on the subpoena.) Nick Custodio, deputy commissioner under Chairwoman Lisa Deeley, said only that the city’s Law Department “is handling everything as it relates to the request” from Rhynhart. He declined to comment further.

West Virginia: Division of Motor Vehicles is losing voter registrations | Register-Herald

State officials say the West Virginia Division of Motor Vehicles is losing voter registrations, but they don’t know how many and for how long. Donald Kersey, general counsel for Secretary of State Mac Warner’s office, said the DMV sends the Secretary of State’s office a daily list of voter registrations, but the secretary’s office estimate several registrations are lost per day because of technical problems at the DMV – “a systematic error,” he said. The problem, Kersey said, has been ongoing at least since the 2018 general election. During a five-day test period in January, 37 people, who were flagged as registering at the DMV, did not have their registration received by the Secretary of State. Kersey, who was previously elections director for the Secretary of State, noted that West Virginia law says the DMV should forward voter registrations to the Secretary of State’s office, which transfers it to county clerks. But he said that during early voting before the 2018 general election, dozens of people said they had registered at local DMVs to vote, but the Secretary of State’s office had no record of it.

Europe: Ensuring Legitimacy of the Vote by Boosting Cybersecurity | EuBulletin

As the May’s European elections are slowly approaching, EU institution have been intensively testing their own cyber systems to help prevent any potential outside attacks or breaches into their systems. Together with observers from the European Parliament, the European Commission and the EU Agency for Cybersecurity, over 80 representatives from EU governments have participated in a recent (5 April) exercise. Rainer Wieland, Vice-President of the European Parliament and German EPP MEP and many others voiced their concern about the dependability of the upcoming elections should cybersecurity be compromised. “A cyber-attack on elections could dramatically undermine the legitimacy of our institutions,” Mr. Wieland said. “The legitimacy of elections is based on the understanding that we can trust in their results.”

India: Opposition leaders questions reliability of electronic voting machines, demand 50 per cent VVPAT count | Business Standard

Opposition leaders including TDP chief N Chandrababu Naidu, Congress' Abhishek Manu Singhvi and AAP's national convenor Arvind Kejriwal, on Sunday questioned the reliability of the electronic voting machines (EVMS) and demanded a mandatory paper trail count in at least 50 per cent of the Assembly constituencies in all Lok Sabha seats. At a joint press conference, Singhvi said,"We will campaign in the whole country and outline that repeatedly questions are being raised on elections and the Election Commission is not paying due attention to it. We have heard many issues in these elections such as EVM button giving vote to a different candidate and lakhs of voters being deleted online. Fifteen state parties and six national parties are supporting this campaign. We believe that counting of five VVPATs per Assembly constituency is not good enough. We want that check of 50 per cent of VVPATs must be made mandatory in all constituencies." "There were arguments raised about logistics and it was stated that VVPAT counting may take days. However, we believe that if the number of teams of poll officials is increased it can be done in lesser time. Between logistics and credibility, we must choose the latter. We believe that paper trail is indispensible," he said.

Israel: How Israel Limited Online Deception During Its Election | The New Yorker

Earlier this year, Hanan Melcer, the chairman of Israel’s Central Elections Committee and a veteran justice on the Supreme Court, summoned representatives from major U.S. social-media and technology companies for talks about the role he expected them to play in curbing online deception during the country’s election, which took place on Tuesday. Facebook and Google sent representatives to meet with Melcer in person. Twitter executives, who weren’t in the country, arranged for a conference call. “You say you’ve learned from 2016,” Melcer told them, according to a government official who was present. “Prove it!” When Melcer, two years ago, assumed his role overseeing the election, he expected that covert influence campaigns by foreign adversaries, similar to Russia’s alleged interference during the 2016 U.S. Presidential race, could be his biggest challenge. But, as Melcer and his colleagues looked more closely into the issues they could face, they realized that the problem was broader than foreign interference. Russia’s campaign in the United States demonstrated that fake personas on social media could influence events. In Israel and elsewhere, political parties and their allies realized that they could use similar techniques to spread anonymous messages on the Internet and on social media to promote their candidates and undermine their rivals. The use of fake online personas has a long history in Israel. In the mid-two-thousands, an Israeli company called Terrogence used them to infiltrate suspected jihadi chat rooms. Later, Terrogence experimented with covertly influencing the jihadis they targeted. More recently, companies in Israel and elsewhere started using fake personas to spread messages on behalf of political parties and their allies.