Marian K. Schneider: “Oregon is leading the way towards better integrity and security with the passage of SB 944.” The following is a statement from Marian K. Schneider, president of Verified Voting, on Oregon’s Senate passage of SB 944, offering counties the option to audit elections using a process known as risk-limiting audits, which are…
One in five national elections held worldwide since 2016 were potentially influenced by foreign interference, according to a joint report from the Australian Strategic Policy Institute (ASPI) and IT industry professional association ACS. An analysis of 97 national elections and 31 referenda that have been held since the 2016 US presidential election identified 20 countries with clear examples of foreign interference, including Australia. The analysis was limited to countries considered to be free or partly free countries. These incidents ranged from cyber attacks to voter registration systems, to DDoS attacks to national election commissions, to the use of Facebook to spread disinformation and discourage voter turnout.
“According to a joint report from the Australian Strategic Policy Institute (ASPI) and IT industry professional association ACS, one in five national elections held worldwide since 2016 were potentially influenced by foreign interference, … “Democracies around the world have been struggling to grapple with foreign interference from state actors during elections,” International Cyber Policy Centre…
From 8 a.m. to noon on Election Day last November, voting in Johnson County, Ind., ground to a halt. Lines at precincts across the county, just south of Indianapolis, swelled. Some voters waited hours to cast a ballot; some left furious that they were unable to do so. “People weren’t happy. People had to leave and go to work,” said Cindy Rapp, the Democratic member on Johnson County’s election board. The county votes on electronic voting machines, which don’t provide a paper trail — something cybersecurity experts vehemently warn against. But those machines weren’t what caused the issue in November. Instead, the problem came from the computer system, known as an electronic poll book, that poll workers were using to check people in. Increasingly, more and more states and voting jurisdictions are using these systems to speed up and improve in-person voting. According to federal data, nearly half of all voters who voted in person in 2016 signed in at their polling place using an electronic poll book. That’s up from 27 percent just one presidential election prior. Like many issues surrounding elections, moving from paper to a digital process may bring convenience, but it also brings big questions about security and reliability.
Google, Facebook and Twitter executives came to Capitol Hill to testify about election security. Instead they faced a grilling about whether their platforms are biased against conservatives. A string of Republicans on the House Oversight and Reform Committee skipped questions about how the companies were tackling disinformation campaigns or preventing Russians from purchasing political ads on their platforms in the run-up to the 2020 election. They were more interested in whether Facebook and Twitter were “shadow-banning” — quietly blocking or restricting — conservatives’ accounts on their platform. “The minute you start putting your hand on the scale of freedom and justice to tilt it one way or another, quite frankly we’ve got to act as members of Congress,” warned Rep. Mark Meadows (R-N.C.). The technology executives vehemently denied that they engage in shadow banning. There is no evidence that the platforms have been systematically biased against one political party.
Two members of the U.S. House of Representatives from Florida said Thursday they will introduce a bill that would require federal officials to inform Congress, state and local authorities and the public if an election-related computer system is hacked. The measure, from Democrat Stephanie Murphy and Republican Michael Waltz, comes as a response to federal authorities’ refusal to publicly name the two Florida counties where voter registration databases were successfully breached by Russian military intelligence hackers during the 2016 presidential election. Under the bill, text of which has not yet been released, federal law enforcement and cybersecurity authorities who detect unlawful access of election systems would be required to “promptly” notify the relevant state and local officials, as well as members of Congress representing the targeted jurisdiction. In turn, state and local officials would be obligated to notify any potentially affected voters.
Robert Mueller’s first public comments about the Russia investigation Wednesday had everyone from Fox News to the New York Times reporting that House Democrats would now feel increased pressure to begin an impeachment inquiry against the president. No doubt, the question of whether Donald Trump obstructed justice and should be subject to impeachment is of critical importance to Congress and the nation. But Robert Mueller also began and ended his comments with another issue that he said “deserves the attention of every American.” Namely, that a foreign government made multiple, systematic attempts to interfere in our elections. Congress is not doing enough to prevent it from happening again, despite ongoing attempts to sound the alarm by cybersecurity experts, intelligence agencies, and Robert Mueller himself. By the next presidential election, the Russians will have had four years to leverage the knowledge they gained in 2016. That could mean even more harm the next time around. That harm will no doubt include more disinformation on social media and potential attacks on our election infrastructure. And there is every reason to believe other nation-states will now get in on the game.
Legislation aimed at securing U.S. elections got an unexpected shot in the arm this week when Robert Mueller devoted a fair share of his first remarks on the Russia probe to the threat posed by foreign actors seeking to undermine democracy at the ballot box. Election security bills have been languishing in Congress for months, due in large part to Republicans who do not want to shine a light on Russia’s actions and risk the fury of President Trump. The president weighed in on the issue Thursday, telling reporters that “we are doing a lot, and we are trying to do paper ballots as a backup system as much as possible, because going to good old-fashioned paper in this modern age is the best way to do it.” Those remarks came after he said Russia did not help him secure the presidency — his first on-camera response to Mueller’s comments, though he tweeted earlier in the day that Russia helped him win the election. The president’s comments came a day after Mueller shined a spotlight on Russia’s attempts to interfere in the 2016 U.S. presidential election. Mueller emphasized that “the central allegation of our indictments” was “there were multiple, systematic efforts to interfere in our election.” He ended his 10-minute statement by saying this “deserves the attention of every American.”
Texas’ embattled elections chief who wrongly questioned the U.S. citizenship of tens of thousands of voters was on the brink of losing his job Sunday, while Republican lawmakers prepared to head home hoping to save their own in 2020. Secretary of State David Whitley appeared set to go down without a public fight in the final hours of an unusually quiet session of the Texas Legislature, where a weakened GOP majority this year showed little appetite for partisan battles over signs their grip on the Capitol is slipping. Whitley, a former top aide of Republican Gov. Greg Abbott, can’t stay in office unless the state Senate confirms his nomination before the session ends Monday. But his prospects were dimming by the minute as Democrats continued blocking a vote on his confirmation, as they have done since February. That was after Whitley’s office rolled out a bungled scouring of voter rolls that flagged nearly 100,000 voters as potential noncitizens. President Donald Trump seized on the news out of Texas to renew his unsubstantiated claims of widespread voter fraud, but within days, it became clear the data used was deeply flawed.
Speaker Nancy Pelosi was correct when she recently said that the best way to avoid a disputed election is for the result to be a blowout. But that is a hope, and we need a plan. If the midterm elections are any indication, the number of states with razor thin majorities is increasing. With partisan distrust on the rise, the result could be a constitutional standoff, a loss of democratic legitimacy for the outcome, and even violence stemming from anger. We need to agree in advance on procedures for resolving electoral disputes that determine the winner of the presidential election next year.
Although the security updates to the Election Assistance Commission’s new Voluntary Voting System Guidelines 2.0 are sorely needed, its approval and updating process can’t keep up with the technological changes. Later this year, the full commission is expected to vote to approve a five-page document outlining principles that will guide the development of VVSG 2.0, including a new emphasis on security. At a May 21 hearing, however, a number of stakeholders advised the agency to refrain from requiring a full vote to approve the technical portions of the guidelines, saying it could keep the latest technology from being incorporated into voting machine standards. “We cannot wait weeks or months for a decision on a federal level when there’s a need to act immediately,” Iowa Secretary of State Paul Pate said. “I’m asking all of you to have a dialogue about what happens if we run into that situation again when there is not a full quorum on the EAC. How will decisions be made, and will that make it more difficult for state election officials to protect the security and integrity of the vote?”
Sen. Roy Blunt (R-Mo.), a member of Senate GOP leadership, said Wednesday that the chamber is unlikely to vote on any election security legislation, despite requests from a federal agency for more funding to improve election systems nationwide. Blunt made the remarks at a Senate Rules Committee hearing where Election Assistance Commission (EAC) officials highlighted what they said is an urgent need for more resources. His comments were in response to Senate Minority Whip Dick Durbin (D-Ill.) pointedly asking during the hearing whether the Rules Committee, chaired by Blunt, would mark up any election security bills already introduced this Congress. “At this point I don’t see any likelihood that those bills would get to the floor if we mark them up,” Blunt said. When Durbin asked why that was the case, Blunt said, “I think the majority leader is of the view that this debate reaches no conclusion. And frankly, I think the extreme nature of H.R. 1 from the House makes it even less likely we are going to have that debate.”
The first primary in the 2020 presidential race is a little more than 250 days away, but lawmakers and experts worry that elections will be held on voting machines that are woefully outdated and that any tampering by adversaries could lead to disputed results. Although states want to upgrade their voting systems, they don’t have the money to do so, election officials told lawmakers last week. Overhauling the nation’s election systems would mean injecting as much as $1 billion in federal grants that would then be supplemented by states, but top Senate Republicans have said they are unlikely to take up any election security bills or give more money to the states. The deadlock could mean that even as federal government and private companies spend tens of billions of cybersecurity dollars annually to protect their computers and networks from attacks, the cornerstone of American democracy could remain vulnerable in the upcoming elections.
For the first time in nearly a decade, the Election Assistance Commission has a full slate of commissioners in place. Now, with the agency sitting at the center of several key election security debates, they’re asking Congress to make their budget whole too. At a May 15 Senate Rules Committee hearing, Christy McCormick, who chairs the EAC, said the commission is at “a critical crossroads with regard to having sufficient resources necessary to better support state and local election administrators and the voters they serve” and asked members of Congress for more funding. “With additional resources, the EAC would have the opportunity to fund additional election security activities within its election technology program,” said McCormick. There is no shortage of ambition at EAC when it comes to supporting this work, but there is a stark shortage of funds for such activities.”
The U.S. Election Assistance Commission has added two experienced hands to its voting system certification program amid concerns it had a shortage of technical experts overseeing election infrastructure. The agency is staffing up its crucial certification program by hiring Jessica Bowers, a former executive at Dominion Voting Systems, one of the country’s three largest voting system vendors, and Paul Aumayr, a former Maryland election official. Both new hires will work as senior election technology specialists. In an email announcement to staff obtained by CyberScoop, EAC Executive Director Brian Newby touted Bowers and Aumayr’s technical acumen. Bowers has “over 18 years of software development and product support experience,” while Aumayr is a “Microsoft-certified systems engineer,” Newby wrote.
Russia viewed the midterm elections as a “warm-up” for 2020. The U.S. military’s hacking division is treating it that way, too. In the run-up to the presidential election, U.S. Cyber Command is surging election defense efforts that proved useful during the midterms, officials told reporters Tuesday — including probing allies’ computer networks to glean insights about Russian threats. Cybercom is also working more closely with election defense teams at the Department of Homeland Security and the FBI, and with industry sectors that are targeted by Kremlin hackers and might have early warnings about threats facing the election, my colleague Ellen Nakashima reported from that briefing. “Our goal is to have no interference in our elections,” said Maj. Gen. Tim Haugh, who heads the command’s cyber national mission force. “Ideally, no foreign actor is going to target our electoral process.” Cybercom is the only outfit among the myriad federal state and local government agencies tasked with protecting the 2020 election that is allowed to punch back against Russian hackers — and it’s using its new authorities granted during the Trump administration to be more aggressive in cyberspace.
Florida lawmakers are railing against the FBI for taking more than two years to acknowledge Russian hackers penetrated some of the state’s voter files — and for remaining mum about which voters were affected. The long delay signals to voters in Florida and elsewhere that the government won’t level with them if and when their votes are manipulated, the lawmakers say. And that lack of public faith could do just as much damage as the Russian hacking and disinformation operation that upended the 2016 election and cast doubts on the legitimacy of President Trump’s victory. “This lack of transparency is counterproductive,” Rep. Stephanie Murphy (D) told me. “I’m really concerned that it can erode public confidence in the integrity of our elections almost as much as the actual hacking did.”
Ever since a leaked classified intelligence document revealed that Russian hackers had tried to access Florida’s elections networks in 2016 by crafting malware-laced emails made to look like they came from a software vendor, reporters all over the country have been searching for electronic correspondence sent three years ago to the state’s 67 elections offices. But could emails crafted by the elections offices themselves hold the clue to determining which two jurisdictions were in fact hacked? This week, in response to hacking questions sent to every supervisor of elections in the state by the Tampa Bay Times and Miami Herald, two offices issued the same legalistic non-denial. Almost word-for-word, they gave the same response when asked if their voter registration networks were hacked in 2016, explaining that they could not answer questions because to do so could “directly or indirectly” help determine the answer — which has been deemed classified by the FBI. It now turns out that at least one of those two offices was, in fact, hacked.
The National Governors Association Center for Best Practices held their third National Summit on State Cybersecurity from May 14-15, 2019 at the Shreveport Convention Center. The unique event convened state homeland security advisors, chief information officers, chief information security officers, governors’ policy advisors, National Guard leaders, and others from all 55 states and territories to explore cybersecurity challenges and promising practices. Over the course of two days, participants engaged in a series of interactive sessions and breakouts to discuss countering the newest threats, disruption response planning, workforce development, and much more. … The sessions were packed with best practices, case studies, opportunities for improving cybersecurity in different areas and much more.
Baltimore City Council President Brandon Scott announced the creation of a Committee on Cybersecurity and Emergency Preparedness on Thursday, as the city works to restore the systems taken down by a debilitating ransomware attack last week. “This cyber attack against Baltimore City government is a crisis of the utmost urgency,” Scott said. “That is why I will convene a select committee, co-chaired by Councilman Eric Costello and Councilman Isaac ‘Yitzy’ Schleifer, to examine the City’s coordination of cybersecurity efforts, including the Administration’s response to the cybersecurity attack and testimony from cybersecurity experts.” A type of ransomware known as “RobinHood” took down several of the city’s services last week, including some of the capabilities of the Baltimore City Department of Transportation, the Department of Public Works, and the Department of Finance. The city is also currently unable to send or receive email.
The Election Assistance Commission and the Cybersecurity and Infrastructure Security Agency were sharply questioned in hearings this week by lawmakers about human resource decisions. The EAC has just a small handful of employees dedicated to testing and certification of voting machines, and the acting director of testing and certification stepped down earlier this month. While the agency quickly hired a new director and has worked to bring on more personnel, there’s concern that EAC staff could be under-resourced heading into the 2020 election cycle and beyond. The agency had nearly 50 full-time employees and a budget of $17 million budget in 2009. Today they have a headcount in the low twenties and a budget of $10 million despite an expanded role in election cybersecurity. Chair Christy McCormick and other commissioners were questioned over a host of perceived staffing and management failures at a May 21 House Administration committee hearing.
The front lines of today’s cyberwarfare battles are not just at Fort Meade. They are in Allegheny County’s Elections Division. And in Erie County. And Butler County. And Indiana County. And all across Pennsylvania. Our elections — and the integrity of your vote — are under threat from nation-state adversaries. As of today, Pennsylvania is not prepared to defend against what will almost certainly be unprecedented attacks in the next presidential election cycle. But there is still time to secure the 2020 election. The General Assembly, however, needs to help counties secure this most critical of battlegrounds. The Blue Ribbon Commission on Pennsylvania’s Election Security spent much of the past year studying current and future cyber-based threats to Pennsylvania’s elections. What we found was sobering. In the 2016 and 2018 elections, more than 80 percent of Pennsylvania voters were registered to vote in precincts that did not use paper-based voting systems, meaning that most of Pennsylvania’s counties would be unable to even detect the hack of a voting system, let alone recover from it.
Cyber-enabled election interference has already changed the course of history. Whether or not the Russian interference campaign during the US 2016 federal election was enough to swing the result, the discovery and investigation of the campaign and its negative effects on public trust in the democratic process have irrevocably shaped the path of Donald Trump’s presidency. Covert foreign interference presents a clear threat to fundamental democratic values. As nations around the world begin to wake up to this threat, new research by ASPI’s International Cyber Policy Centre has identified the key challenges democracies face from cyber-enabled election interference, and makes five core recommendations about how to guard against it. ICPC researchers studied 97 national elections which took place between 8 November 2016 and 30 April 2019. The 97 were chosen out of the 194 national-level elections that occurred during the time period because they were held in countries ranked as ‘free’ or ‘partly free’ in Freedom House’s Freedom in the world report. #url#
The European Union on Friday agreed to new rules that will grant it authority to impose travel bans and asset freezes against individuals responsible for cyber-attacks that pose a significant threat to the bloc. The new rules come amid concerns by European and U.S. officials over cyber-attacks related to election meddling or intellectual property theft by actors linked to Russia and China. The measures, which aim to “deter and respond to cyber-attacks which constitute an external threat to the EU,” would apply to actors responsible for attacks originating outside the bloc, the Council of EU member states said in a statement. The bloc said it would also consider measures in response to attacks targeted at countries outside the EU or international organizations.
The government should be thanked for their role in improving cybersecurity in Indonesia in the past five years, including during elections, an expert has said. “I’m seeing really good progress in Indonesian cybersecurity. A few years ago, it wasn’t as strong,” Fernando Serto, director of security technology and strategy at Akamai APJ said on the sidelines of the Akamai Security Summit in Jakarta at the end of last month. … Serto said cybercrimes often happen during elections all over the world. “This is not unique to Indonesia; every time a country holds an election, we see a lot of hacking activity. We’ve seen it happen during elections in the Philippines and the US,” he said. “We see a lot of hacktivists, people who disagree with the policies of a particular candidate, trying to hack into their official website and put very aggressive messages on it,” Serto said.
The hacking of U.S. election systems, including by foreign adversaries, is inevitable, and the real challenge is ensuring the country is resilient enough to withstand catastrophic problems from cyber breaches, government officials said Wednesday. The comments by representatives from the departments of Justice and Homeland Security underscored the challenges for federal and state governments in trying to ward off interference from Russia and other countries in the 2020 election. Special counsel Robert Mueller has documented a sweeping effort by Moscow to meddle in the 2016 election in Donald Trump’s favor by hacking Democrats and spreading disinformation online, and FBI Director Chris Wray said in April that the government regarded last November’s midterm election was “as just kind of a dress rehearsal for the big show in 2020.”
In her testimony at an election security hearing before the Committee on House Administration last week, Verified Voting President Marian Schneider joined advocates and election officials in calling on Congress to help states and local jurisdictions replace aging voting systems, conduct risk-limiting audits and enhance election infrastructure security. In order to prepare for 2020, Congress…
Local election officials in the two unnamed Florida counties where Russian agents hacked voter rolls in 2016 are able to publicly disclose whether they had been attacked. But the bureaucrats are clamming up instead. And voters in those counties have no right to know that information, according to the FBI. Nor is the state’s governor or its congressional delegation allowed to tell the public the names of those counties. That’s because the FBI made the governor sign a non-disclosure agreement in order to receive a classified briefing about the hack, along with the members of Congress. Some lawmakers are outraged at what they see as bizarre reasoning from the agency. For now, the information about the two counties is being kept officially secret — even though the identity of one of the hacking “victims,” Washington County’s election office, has leaked out.
Sen. Ron Wyden (D-Ore.) has questions that a lot of people are still asking three years after the 2016 presidential race — what exactly happened with VR Systems, the Florida voter-registration software maker that the FBI apparently believes Russia hacked. The redacted version of special counsel Robert Mueller’s report indicated that in 2016 Russian hackers infiltrated a US maker of voter-registration software and installed malware on its network — information that was based on an FBI investigation. Furthermore, the 2017 indictment of Russian military officers for hacking Democratic computer systems that was based on the FBI investigation as well also asserted that a company fitting VR Systems’ description was hacked in 2016 and had malware installed on its network.. VR Systems, however, has long insisted it wasn’t hacked, though the company has never produced evidence showing it wasn’t compromised. Wyden wants to know whether the company ever engaged a third party to conduct a forensic examination of its computer networks and systems since the hacking assertions first came to light after the 2016 election and has asked to see a copy of a report from any such investigation, according to a letter he sent last week to VR Systems that his office shared with POLITICO.
Three years after the 2016 election, major political parties in the U.S. are still displaying sloppy digital security practices, according to a report from Security Scorecard. In new research released May 21, the company found vulnerabilities for the public facing, internet-connected digital assets of two major political parties. The Green Party and the Libertarian Party websites also displayed weaknesses. Vulnerabilities range from smaller sins like serving expired security certificates and sending unencrypted data to larger ones like leaking personally identifiable information and failing to put in place anti-spoofing protocols. In one case, an unnamed U.S. party was caught leaking data from a voting validation application containing the names, dates of birth and addresses of voters to the internet.