Editorials: ImageCast Evolution voting machine: Mitigations, misleadings, and misunderstandings | Andrew Appel/Freedom to Tinker

Two months ago I wrote that the New York State Board of Elections was going to request a reexamination of the Dominion ImageCast Evolution voting machine, in light of a design flaw that I had previously described. The Dominion ICE is an optical-scan voting machine. Most voters are expected to feed in a hand-marked optical scan ballot; but the ICE also has an integrated ballot-marking device for use by those voters who wish to mark their ballot by machine. The problem is, if the ICE’s software were hacked, the hacked software could make the machine print additional (fraudulent votes) onto hand-marked paper ballots. This would defeat the purpose of voter-verifiable paper ballots, which are meant to serve as a safeguard against buggy or fraudulent software. The Board of Elections commissioned an additional report from SLI Compliance, which had done the first certification of this machine back in April 2018. SLI’s new report dated March 14, 2019 is quite naive: they ran tests on the machine and “at no point was the machine observed making unauthorized additions to the ballots.” Well indeed, if you test a machine that hasn’t (yet) been hacked, it won’t misbehave. (SLI’s report is pages 7-9 of the combined document.)

North Carolina: State Board of Elections to oust executive director | WRAL

The new Democrat-controlled State Board of Elections will move to oust its longtime executive director, a Republican appointee, next week. Kim Strach, originally hired by the board former Gov. Pat McCrory appointed in 2013, has technically been on borrowed time since the new board formed in January. Soon after the board’s first meeting, state law gave members the authority to reappoint Strach or appoint a new director to a two-year term expiring in May 2021. That legislation was the result of a protracted court battle between Democratic Gov. Roy Cooper and Republican leaders in the General Assembly over appointments to the elections board. Democrats now outnumber Republicans on the board 3-2. It’s not yet clear whether the new executive director will replace Strach immediately or after some period of transition. Reached by phone Friday morning, State Board of Elections member David Black, a Republican, said the board planned to have a teleconference Monday to discuss Strach’s ouster. “The general move from the Democrats on the board is to replace her,” Black said.

Europe: Russia Is Targeting Europe’s Elections. So Are Far-Right Copycats. | The New York Times

Less than two weeks before pivotal elections for the European Parliament, a constellation of websites and social media accounts linked to Russia or far-right groups is spreading disinformation, encouraging discord and amplifying distrust in the centrist parties that have governed for decades. European Union investigators, academics and advocacy groups say the new disinformation efforts share many of the same digital fingerprints or tactics used in previous Russian attacks, including the Kremlin’s interference in the 2016 U.S. presidential campaign. Fringe political commentary sites in Italy, for instance, bear the same electronic signatures as pro-Kremlin websites, while a pair of German political groups share servers used by the Russian hackers who attacked the Democratic National Committee. The activity offers fresh evidence that despite indictments, expulsions and recriminations, Russia remains undeterred in its campaign to widen political divisions and weaken Western institutions. Despite online policing efforts by American technology companies, it remains far easier to spread false information than to stop it. Russia remains a driving force, but researchers also discovered numerous copycats, particularly on the far right. Those groups often echo Kremlin talking points, making it difficult to discern the lines between Russian propaganda, far-right disinformation and genuine political debate.

Ohio: Lawmakers look into strengthening state's election, cybersecurity efforts | The Cleveland American

With election security frequently in the news, the Ohio House Transportation and Public Safety Committee took the opportunity recently to discuss a cybersecurity bill. The panel convened a hearing on Senate Bill 52, which deals with bolstering the state’s cybersecurity. A major part of the initiative is to protect the state’s elections from outside interference or tampering. Secretary of State Frank LaRose said it’s an important issue, especially given that Ohio’s likely to be a swing state in next year’s presidential election. “The eyes of the world will be on Ohio in 2020, and we will rise to that occasion,” he said. The Secretary of State told the committee that, if passed, the measure gives Ohio a chance to become a national leader in cybersecurity. It received unanimous support in the Senate.

National: Microsoft offers software tools to secure elections | Associated Press

Microsoft has announced an ambitious effort to make voting secure, verifiable and subject to reliable audits by registering ballots in encrypted form so they can be accurately and independently tracked long after they are cast. Two of the three top U.S elections vendors have expressed interest in potentially incorporating the open-source software into their voting systems. The software is being developed with Galois, an Oregon-based company separately creating a secure voting system prototype under contract with the Pentagon’s advanced research agency, DARPA. Dubbed “ElectionGuard,” it will be available this summer, Microsoft says, with early prototypes ready to pilot for next year’s U.S. general elections. CEO Satya Nadella announced the initiative Monday at a developer’s conference in Seattle, saying the software development kit would help “modernize all of the election infrastructure everywhere in the world.” Three little-known U.S. companies control about 90 percent of the market for election equipment, but have long faced criticism for poor security, antiquated technology and insufficient transparency around their proprietary, black-box voting systems. Open-source software is inherently more secure because the underlying code is easily scrutinized by outside experts but has been shunned by the dominant vendors whose customers — the nation’s 10,000 election jurisdictions — are mostly strapped for cash. None offered bids when Travis County, Texas, home to Austin, sought to build a system with the “end-to-end” verification attributes that ElectionGuard promises to deliver. Two of the leading vendors, Election Systems & Software of Omaha, Nebraska, and Hart InterCivic of Austin, Texas, both expressed interest in partnering with Microsoft for ElectionGuard. A spokeswoman for a third vendor, Dominion Voting Systems of Denver, said the company looks forward to “learning more” about the initiative.

National: Democrats focus on election security, voting rights | McClatchy

Democratic leaders are launching a more aggressive push this month that could widen their probe of possible voter suppression into states other than those now under scrutiny, seeking to make it particularly less difficult for minority voters, who tend to vote Democratic, to go to the polls. House Oversight Committee Chairman Elijah Cummings told McClatchy he wants to “make sure we spend significant effort and time, perhaps even looking at even more states and seeing what they’re doing and shining a light on what they may be doing illegally or improperly to stop or hinder people from voting and having those votes counted.” Cummings was already planning to look at possible voter suppression in North Carolina, Georgia, Texas and Kansas. The Maryland Democrat did not name additional states. At the same time, congressional Democrats are stepping up pressure on Republicans to address election security lapses to prevent a repeat of Russian meddling in the 2016 election. The Russian interference, combined with allegations of voter suppression, erode confidence in the electoral system, Democrats argue, and if both are not addressed, voters could be discouraged from participating in the 2020 election. “This is my worry, that we have done very little now to correct the threat of Russian interference with our electoral system,” Cummings said, “which means that it might be that the only way this whole situation that we’re in is corrected is through the ballot, with people voting.”

National: U.S. Cyber Command Bolsters Allied Defenses to Impose Cost on Moscow | The New York Times

American officials are pushing ahead on efforts with allied nations to counter Russia’s interference in democratic elections and other malign activities, military cybercommanders said on Tuesday, an effort intended to allow the United States to better observe and counter Moscow’s newest cyberweapons. American officials deployed last year to Ukraine, Macedonia and Montenegro, and United States Cyber Command officials said that their missions included defending elections and uncovering information about Russia’s newest abilities. Cyber Command will continue some of those partnerships and expand its work to other countries under attack from Russia, officials said Tuesday. The deployments, officials said, are meant to impose costs on Moscow, to make Russia’s attempts to mount online operations in Europe and elsewhere more difficult and to potentially bog down Moscow’s operatives and degrade their ability to interfere in American elections. “We recognize and understand the importance of being in constant contact with the enemy in this space, especially below the level of armed conflict, so we can defend ourselves and we can impose costs,” Maj. Gen. Charles L. Moore, the director of operations for Cyber Command, said Tuesday. “That is it in a nutshell.” With new authorities from the White House, as well as congressional legislation that declared online operations a traditional military activity, Cyber Command stepped up its election defenses last year, allowing commanders to develop a strategy to engage American adversaries.

National: Can open source help safeguard elections? | FCW

Lawmakers and policy experts are demonstrating increased interest in open source technology as a means to solving longstanding challenges and road blocks around election security. State and local governments rely on proprietary software and hardware from a small handful of private vendors to power their voting machines, voter registration systems and other technologies. Those vendors have historically been reluctant or unwilling to allow third-party audits of their products, and when outside researchers have gotten their hands on voting machines or probed commonly used software like voter registration systems, they’ve found extensive and worrying cybersecurity vulnerabilities in nearly every model. That reluctance has led to a number of projects that have sprouted up over the past year from organizations aiming to disrupt the status quo. One such organization, Voting Works, was created last year in partnership with the non-profit Center for Democracy and Technology and seeks to build “secure, usable, affordable and open-source voting machines” that will help to restore trust in the modern election system.

National: Limiting the cyber threat to elections infrastructure | GCN

Voter confidence in the integrity of elections is critical to a vibrant democracy. Recent cyberattacks by foreign state actors accompanied by disinformation campaigns aimed at U.S. voters have contributed to an erosion in the public’s trust of electoral results. But there’s another set of issues just as concerning: persistent, preventable “seams” or vulnerabilities in election system tools, processes and guidelines. E-voting machines are among the most prominent business technology solutions of the 21st century, yet they remain vulnerable to physical and data tampering and weaknesses in the chain of custody. In a 2012 study, the Argonne National Laboratory’s vulnerability assessment team discovered that attackers could exploit the integrity of an e-voting machine chassis with relative ease regardless of tamper-evident seals or locks. Data stored on e-voting machines was not encrypted, leaving it susceptible to interception, modification or deletion by an attacker. In the Argonne study, white-hat hackers used after-market wireless card adapters to intercept and alter communications exchanged between e-voting machines and the elections network infrastructure. The study concluded that successful tampering with just one in three voting machines is enough to change the outcome of an election.

Florida: FBI to meet with Florida delegation to discuss Russian hacking | Politico

The FBI will hold a classified briefing with members of the Florida congressional delegation next week about suspected Russian hacking during the 2016 elections. The FBI is scheduled to meet with House members May 16. The agency will sit down Republican Sen. Rick Scott ahead of the delegation meeting. The FBI briefings were confirmed by three people with knowledge of the meetings who weren’t authorized to discuss them publicly. Special counsel Robert Mueller last month revealed the suspected hacking in a report on Russian interference in the 2016 election. The disclosure jolted Florida officials, who had previously insisted the Russians had been unsuccessful in their hacking efforts. Republican Sen. Marco Rubio later confirmed the intrusion in an interview with The New York Times. His office has clarified that the Russians had access to a statewide voter registration database, not systems used to tally actual votes. A person with access to the database could have altered or changed voter information. Scott last month asked FBI Director Christopher Wray for any information the agency had to back up Mueller’s conclusion. Reps. Michael Waltz (R-Fla.) and Stephanie Murphy (D-Fla.), both former national security professionals, last week wrote to Wray and Attorney General William Barr asking for a classified briefing “on the nature and extent of the Russian government’s efforts to interfere with the 2016 election in our state.”

National: What’s Russia still doing to interfere with U.S. politics — and what’s the U.S. doing about it? | The Washington Post

President Trump and Russian President Vladimir Putin spoke by phone Friday morning, covering, according to both sides, a wide range of issues. Included among them, according to a subsequent tweet from Trump, was the “Russian hoax” — apparently a reference to the recently concluded investigation into Russian interference in the 2016 election. It’s a bit uncertain, though: Trump regularly referred to the investigation as a hoax but has also repeatedly claimed that the idea that Russia interfered at all was questionable. The probe led by special counsel Robert S. Mueller III left little doubt about Russia’s role. Mueller obtained indictments against two dozen Russians for the two-pronged effort to steal and publish material from Democratic sources and to foster political divisions through events and on social media. Trump has long argued that the source of the hacking in particular was unknowable, reiterating shorthand allusions to his skepticism as recently as February.

TRUMP on whether he discussed election meddling with PUTIN:
“We discussed it. He actually sort of smiled when he said something to the effect that it started off as a mountain and it ended up being a mouse, but he knew that because he knew there was no collusion, whatsoever.” pic.twitter.com/qlEaWP6Eqy— JM Rieger (@RiegerReport) May 3, 2019

In an interview with Fox News on Thursday, Trump was asked whether he had spoken to Putin about Russia’s efforts to interfere in U.S. politics, an effort that Attorney General William P. Barr said in Senate testimony this week was ongoing. “I don’t think I’ve spoken to him about the 2020, but I certainly have told him you can’t do what you’re doing,” Trump said. “And I don’t believe they will be.”

National: Sen. Klobuchar on Russian interference: Trump ‘makes it worse by calling it a hoax’ | The Washington Post

Sen. Amy Klobuchar (D-Minn.) on Sunday sharply criticized President Trump’s response to Russian interference in U.S. elections, saying that the president “makes it worse by calling it a hoax.” Trump had a lengthy phone call with Russian President Vladi­mir Putin on Friday. After being repeatedly asked by reporters whether he raised the issue of election interference or warned Putin not to do it again, Trump eventually acknowledged the issue, saying, “We didn’t discuss that.” Klobuchar, who is running for the 2020 Democratic presidential nomination, said Sunday that there is “ample evidence” that Trump is not concerned about the possibility that Russia may try to interfere in the next election. She accused Trump of dismissing the seriousness of the issue. “This was actually an invasion of our democracy, okay?” Klobuchar said on CNN’s “State of the Union.” U.S. national security officials have been preparing for Russian interference in 2020 by tracking cyberthreats, sharing intelligence about foreign disinformation efforts with social media companies and helping state election officials protect their systems against foreign manipulation. But Trump has repeatedly rebuffed warnings from senior aides about Russia and sought to play down the country’s potential to influence American politics.

Editorials: Everyone has a stake in a secure federal elections in 2020 | Ben Hovland/The Kansas City Star

The 2018 midterm election cycle was one of the most closely scrutinized in recent memory. Election officials across the country took potential threats seriously and, in the run-up to Election Day, doubled down on efforts to secure election systems and educate voters to ensure confidence in the process as a whole. Their hard work paid off. There were no cybersecurity compromises of election infrastructure, and data from the U.S. Census Bureau indicates the 2018 midterms saw the highest voter turnout in four decades, including here in Missouri, where more than 58% of voters cast a ballot. This is an example of the nation’s election system working as it should: with high public interest and civic engagement, and election officials focused on election security, accessibility and accuracy. We can learn many lessons from both the 2016 and 2018 federal elections, but chief among them is that our election system has integrity. And we all have a role in ensuring it remains secure.

Georgia: State Supreme Court to Hear Appeal in Challenge to Lt. Governor’s Election | Daily Report

The Supreme Court of Georgia will hear oral arguments Tuesday on a challenge to last year’s election of the state’s lieutenant governor. The high court took the appeal after Senior Superior Court Judge Adele Grubbs tossed out a suit contesting the election of Lt. Gov. Geoff Duncan last January. A slate of plaintiffs including the Coalition for Good Governance, a nonprofit organization focused on election integrity; Smythe Duval, the Libertarian Party’s 2018 candidate for secretary of state; and voters from Fulton and Morgan counties challenged the lieutenant governor’s election, claiming that electronic voting anomalies not reflected in the paper ballot count showed a significant and unexplainable undervote. Duncan, the Republican candidate, won the race by 123,172 votes out of 3.78 million ballots cast. But plaintiffs attorney Bruce Brown contended that as many as 127,000 votes may have been affected. Duncan’s Democratic challenger, Sarah Riggs Amico, is not a plaintiff, although the lawsuit mirrors a complaint she made last November to Georgia’s secretary of state citing “significant anomalies” with “an unusually high rate” of residual undervotes  that were either invalid, not recorded or never cast on electronic ballots in the lieutenant governor’s race.

New Jersey: On Eve of Primaries, New Jersey Is at Early Stage of Shoring Up Election Security | NJ Spotlight

New Jersey wasn’t one of the 21 states whose electoral systems were targeted by Russian hackers in 2016, but it has weaknesses at both state and county level. With less a month to go before this year’s primary elections, New Jersey officials are continuing to fortify state and county election infrastructure, including the addition of more new voting machines with a verifiable paper trail, to ensure the integrity of elections. Secretary of State Tahesha Way, who oversees elections, told the budget committees of both houses of the Legislature last week that while New Jersey was not one of the 21 states that Russian hackers targeted or scanned in 2016, the state is taking several steps to prevent any unwanted access to its election systems. Her department has also been working with counties to assess the security of their machines and data. “The soundness of our elections sits at the top of my agenda,” Way told lawmakers, several of whom expressed concern about the safety of the state’s election infrastructure and whether she is getting enough money to fund necessary security upgrades. “The Department of State has been extremely proactive on election security and has become recognized for these election integrity efforts,” Way said. New Jersey received almost $9.8 million in federal funds through the Help America Vote Act, and is matching that with about $500,000, to spend over five years updating and enhancing the security of voting machines and systems. DOS has some leeway in deciding how to spend the money and has outlined how it expects to do so.

Pennsylvania: Mayor on Philadelphia Controller’s Voting Machine Objections: “I Don’t Know What Her Problem Is” | Philadelphia Magazine

Mayor Jim Kenney has come out swinging in defense of the city’s looming purchase of more than $50 million worth of new voting machines that critics say are too expensive, susceptible to hackers, and the product of a tainted procurement process. On Monday, the City Commissioners’ Office, which oversees elections, took delivery of 83 new ExpressVoteXL machines worth about $8,000 each, or some $664,000, without benefit of a contract, public vote, or any money appropriated to pay for it. City controller Rebecca Rhynhart has publicly pledged to block the purchase of the machines because she’s “deeply concerned about the legality of this process.” “We believe we’re right,” the mayor insisted in a brief interview following a press conference on economic development at City Hall on Thursday. “We think she’s wrong; we did our due diligence. I don’t know what her problem is.” At a Wednesday meeting of the county Board of Elections, city commissioner Anthony Clark stated that he personally “was not aware … that these machines would be here.” “How these machines came, I don’t know,” Clark said. “Who’s paying for them, I don’t know.” At the meeting, Clark asserted that the delivery was in violation of the state Sunshine Law, because no vote had ever been taken by the commissioners. “No decisions should be made without the board knowing what’s going on,” Clark said.

Europe: Facebook Opens a Command Post to Thwart Election Meddling in Europe | The New York Times

Inside a large room in Facebook’s European headquarters in Ireland’s capital, about 40 employees sit at rows of desks, many with two computer screens and a sign representing a country in the European Union. Large screens at the front display charts and other information about trends on the social network’s services, including Instagram and the messaging app WhatsApp. In the back, muted televisions broadcast BBC and other European news stations. The cramped space is home to Facebook’s newly opened operations center to oversee the European Union’s parliamentary election, which will be held May 23 to May 26 in 28 countries. Modeled after the “war room” that the Silicon Valley company created before last year’s midterm elections in the United States, the people inside are tasked with washing Facebook of misinformation, fake accounts and foreign meddling that could sway European voters. A similar command post was set up in Singapore for elections in India. Eager to show it is taking threats seriously as it faces pressure from governments across Europe to protect the integrity of the election, Facebook invited about two dozen journalists to visit its hub last week. “We are fundamentally dealing with a security challenge,” said Nathaniel Gleicher, Facebook’s head of cybersecurity policy. “There are a set of actors that want to manipulate public debate.”

Australia: Technology problems are not going to be sorted out by more Kool-Aid | ZDNet

An Australian election is on again. The triennial ritual where the electorate makes a choice of which parliamentarian to elect — who will then decide what sort of greying, white male party apparatchik becomes the Prime Minister. With the dumping of racist and homophobic candidates being a daily occurrence, the campaign is plumbing the depths expected upon its announcement. However, on the plus side, Russian trolls and foreign actors have not stoked or created the scandals that are occurring — this is pure, unabashed, organic, embarrassing Australian politics. For the folks able to take their eyes off the sideshow, a common refrain from the technically minded has been the lack of policy directed towards them. But this week, like an ancient Greek god that hasn’t had a good laugh in a while, the Labor party decided to announce it would erect a AU$3 million Blockchain Academy in Perth if it is elected. This was followed in short order by AU$2 million being put towards a Broadmeadows cyber training centre, adding to the AU$3 million National Centre of Artificial Intelligence Excellence announced last month. On the opposing side, Morrison government said last month it would spend AU$156 million to build a cyber workforce and fight cybercrime if re-elected.

Editorials: Russia’s attacks on our democratic systems call for diverse countermeasures | Bruce Schneier/The Hill

What do attacks on the integrity of our voting systems, the census and the judiciary all have in common? They’re all intended to reduce our faith in systems necessary for our democracy to function, and they’re also targets of Russian propaganda efforts. To understand how these efforts can effectively undermine a democracy, it helps to think of a government as an information system. In this conceptualization, there are two types of knowledge that governments use to function. The first is what we call common political knowledge, which consists of the political information we all agree on. This includes things such as how the government works, how leaders are elected, and the laws that the courts uphold. This is contrasted with contested political knowledge, which are the things we disagree on: what the correct level of taxation should be, in what ways government should get involved in social issues, and so on. Both are essential in a democracy, because we draw upon our disagreements to solve problems. Different political groups work to advance their own agendas, and the inevitable compromises between those groups advance laws and policies. Uncertainty over who will be in power in the long term incents everyone to keep the whole system running. But for any of this to work, we need the shared knowledge of the rules by which society operates. We all have to agree on the rules for elections, the authority of regulatory agencies, and even what the dominant political parties are and what they stand for. When what previously has been common political knowledge becomes contested political knowledge, democracy itself is in jeopardy.

Indonesia: Can e-voting solve Indonesia’s election woes? | The Jakarta Post

The idea of holding digital elections is picking up steam following reports that dozens of election workers died of reported extreme fatigue during and after organizing the nation’s first-ever concurrent elections, billed by many as “the world’s most complex”. While it is hard to determine if the April 17 general elections directly caused the deaths, a consensus has been reached that the current election system — in which five different paper-based elections are held on a single day — has to be changed. One of the proposed changes is for Indonesia to apply e-voting to make elections less complicated. The proposal, however, remains controversial, with lawmakers saying that even after so many election-related deaths, e-voting still seems like a distant dream. The controversy revolves around the question of whether Indonesia — an archipelago with a population of more than 250 million people — is ready for e-voting and whether the technology is the right solution to election problems. Lawmakers, election organizers, election observers and election engineers have given different answers.

Malawi: Election Results System Tested Amid Network Challenges | VoA News

An election governing body in Malawi has done its first test of a system that tallies election results, as a May 21 poll draws near. Testing of the Results Management System is meant to find weaknesses and glitches, as officials hope Tuesday’s exercise will help calm fears of election rigging. Officials placed staff and equipment at election centers across Malawi to transmit results to the main tally center in Blantyre. Jane Ansah, chairperson for the Malawi Electoral Commission, says the test exercise is meant to calm fears that election results might be tampered with. “This is one of the issues of transparency. We invited people to come and witness this test run, and I believe, as they witness the test run, they will be assured that there is no reason or any basis for any fears of hacking the system,” Ansah said. However, the test did uncover network glitches in the Results Management System, especially at voting centers in rural areas. The test exercise began nearly an hour late because of connectivity problems. Some tallying centers in southern Malawi — like Nsanje district — failed to transmit results to the main tally center.