Verified Voting Blog: Counting Votes: Paper Ballots and Audits in Congress, Crisis at the EAC?, Florida’s Mystery Counties

In her testimony at an election security hearing before the Committee on House Administration last week, Verified Voting President Marian Schneider joined advocates and election officials in calling on Congress to help states and local jurisdictions replace aging voting systems, conduct risk-limiting audits and enhance election infrastructure security. In order to prepare for 2020, Congress must provide “adequate financial investment in cyber security best practices, replacement equipment and post-election audit processes … immediately and continue at a sustainable level moving forward.”

Writing in Governing, Graham Vyse highlighted the significant bipartisan agreement between the two secretaries of state who testified, Jocelyn Benson (D-MI) and John Merrill (R-AL), on efforts needed to address emerging threats to election security. Significantly, the state election officials, along with all the witnesses, were unanimous in recommending the replacement of direct recording electronic voting machines with paper ballot voting systems and conducting post-election ballot audits.

Two days after the hearing, House Homeland Security Committee Chairman Bennie Thompson (D-MS), House Administration Committee Chairwoman Zoe Lofgren (D-CA) and Rep. John Sarbanes (D-MD), the chairman of the Democracy Reform Task Forcereintroduced The Election Security Act. Aimed at reducing risks posed by cyberattacks by foreign entities or other actors against U.S. election systems, the bill would establish cybersecurity standards for voting system vendors and require states to use paper ballots during elections.

Florida: Hacked Florida counties could disclose their identities — if they wanted to | Marc Caputo/Politico

Local election officials in the two unnamed Florida counties where Russian agents hacked voter rolls in 2016 are able to publicly disclose whether they had been attacked. But the bureaucrats are clamming up instead. And voters in those counties have no right to know that information, according to the FBI. Nor is the state’s governor or its congressional delegation allowed to tell the public the names of those counties. That’s because the FBI made the governor sign a non-disclosure agreement in order to receive a classified briefing about the hack, along with the members of Congress. Some lawmakers are outraged at what they see as bizarre reasoning from the agency. For now, the information about the two counties is being kept officially secret — even though the identity of one of the hacking “victims,” Washington County’s election office, has leaked out.

Florida: Wyden seeks answers in Florida election hacking allegations | Politico

Sen. Ron Wyden (D-Ore.) has questions that a lot of people are still asking three years after the 2016 presidential race — what exactly happened with VR Systems, the Florida voter-registration software maker that the FBI apparently believes Russia hacked. The redacted version of special counsel Robert Mueller’s report indicated that in 2016 Russian hackers infiltrated a US maker of voter-registration software and installed malware on its network — information that was based on an FBI investigation. Furthermore, the 2017 indictment of Russian military officers for hacking Democratic computer systems that was based on the FBI investigation as well also asserted that a company fitting VR Systems’ description was hacked in 2016 and had malware installed on its network.. VR Systems, however, has long insisted it wasn’t hacked, though the company has never produced evidence showing it wasn’t compromised. Wyden wants to know whether the company ever engaged a third party to conduct a forensic examination of its computer networks and systems since the hacking assertions first came to light after the 2016 election and has asked to see a copy of a report from any such investigation, according to a letter he sent last week to VR Systems that his office shared with POLITICO.

National: Report: U.S. political parties need to shore up cyber | Derek B. Johnson/FCW

Three years after the 2016 election, major political parties in the U.S. are still displaying sloppy digital security practices, according to a report from Security Scorecard. In new research released May 21, the company found vulnerabilities for the public facing, internet-connected digital assets of two major political parties. The Green Party and the Libertarian Party websites also displayed weaknesses. Vulnerabilities range from smaller sins like serving expired security certificates and sending unencrypted data to larger ones like leaking personally identifiable information and failing to put in place anti-spoofing protocols. In one case, an unnamed U.S. party was caught leaking data from a voting validation application containing the names, dates of birth and addresses of voters to the internet.

California: California tech official rushed Motor Voter, despite testing issues | Bryan Anderson/The Sacramento Bee

The California government technology officials who developed an automatic voter registration program for the Department of Motor Vehicles last year raced to the finish line even though they acknowledged they should have slowed down. In April 2018, the state delayed the launch of its Motor Voter program by one week because of technical errors, inadequate testing and infrastructure concerns, according to records obtained by The Sacramento Bee. Amy Tong, director of the California Department of Technology, told colleagues working on the project the morning of the scheduled launch that, “In some strange way, this maybe (sic) a sign that we need to slow down in order to go fast again.” The one-week delay may not have been enough time.

National: The vote-by-phone tech trend is scaring the life out of security experts | Eric Halper/Los Angeles Times

With their playbook for pushing government boundaries as a guide, some Silicon Valley investors are nudging election officials toward an innovation that prominent coders and cryptographers warn is downright dangerous for democracy. Voting by phone could be coming soon to an election near you. As seasoned disruptors of the status quo, tech pioneers have proven persuasive in selling the idea, even as the National Academies of Science, Engineering and Medicine specifically warn against any such experiment. The fight over mobile voting pits technologists who warn about the risks of entrusting voting to apps and cellphones against others who see internet voting as the only hope for getting most Americans to consistently participate on election day. “There are so many things that could go wrong,” said Marian Schneider, president of Verified Voting, a coalition of computer scientists and government transparency advocates pushing for more-secure elections. “It is an odd time for this to be gaining momentum.”

National: In Congressional Hearing, Election Officials Appear United Yet Divided on Security | Graham Vyse/Governing

Jocelyn Benson and John Merrill are a political odd couple. She’s a Michigan Democrat who backed Hillary Clinton, and he's a Donald Trump supporter who represents Alabama. But both are secretaries of state, and when they testified side-by-side before Congress on Wednesday -- she in a blue dress and he in a red tie -- they repeatedly insisted they were friends ready to work together to strengthen the nation’s voting system. Benson and Merrill called on the federal government to provide more funding and resources for states and localities to address the issue. This weekend, they’re leading 18 other secretaries of state on a voting-rights history tour of Alabama with the hope of inspiring further bipartisan collaboration. "It’s the first time in our country’s history where you’ve got the chief election officers collectively, Democrats and Republicans, going to Selma to walk across the Edmund Pettus Bridge together," Benson told Governing. The question is whether the secretaries can bridge enough of their differences to unite around federal legislation to improve election security. Benson and Merrill appeared alongside cybersecurity experts before the U.S. Committee on House Administration this week, more than two years after Russia's cyberattack on American election systems during the 2016 presidential campaign.

National: After Russian Election Interference, Americans Are Losing Faith in Elections | Susan Milligan/US News

As lawmakers, state elections officials and social media executives work to limit intervention in the 2020 elections by Russia and other foreign operatives, an unsettling truth is emerging. Vladimir Putin may already be succeeding. The troubling disclosures of Russian meddling in the 2016 campaign – "sweeping and systematic," special counsel Robert Mueller concluded in his report on the matter – have policymakers on guard for what intelligence officials say is a continuing campaign by Russia to influence American elections. But even if voting machines in all jurisdictions are secured against hacking and social media sites are scrubbed of fake stories posted by Russian bots, the damage may already have been done, experts warn, as Americans' faith in the credibility of the nation's elections falters.

National: House Democrats reintroduce bill to protect elections from cyberattacks | Maggie Miller/The Hill

House Democratic chairmen on Friday reintroduced a bill to protect U.S. election systems against cyberattacks, including requiring President Trump to produce a “national strategy for protecting democratic institutions.” The Election Security Act is aimed at reducing risks posed by cyberattacks by foreign entities or other actors against U.S. election systems. The national strategy from President Trump would “protect against cyber attacks, influence operations, disinformation campaigns, and other activities that could undermine the security and integrity of United States democratic institutions.”

National: House Administration Committee to make election security a 'primary focus' | TRegina Zilbermintshe Hill

The secretaries of state of Michigan and Alabama went before the House Administration Committee Wednesday to advocate for more federal resources to secure election systems against cyber attacks and committee leaders vowed to make the issue a "primary focus." “Federal action is needed now to grasp the scope of the problem and to innovate concrete solutions that can be implemented before the next federal election cycle in 2020,” House Administration Committee Chairwoman Zoe Lofgren (D-Calif.) said at the hearing on election security. 

National: Election commission names new lead for testing and certifying voting systems | Sean Lyngaas/CyberScoop

The federal Election Assistance Commission has appointed Jerome Lovato, a former Colorado state election official, as head of the commission’s program for testing and certifying voting systems, according to a commission email obtained by CyberScoop. Lovato replaces Ryan Macias, who was filling the role in an acting capacity and will step down this month. The crucial EAC program works with the country’s top voting equipment vendors to certify and decertify voting system hardware and software. 

Verified Voting Blog: Verified Voting Letter in Support of Congressional Election Cybersecurity Legislation

This letter was sent to Senators Cory Gardner (R-CO), Mark Warner (D-VA) and Representatives Derek Kilmer (D-WA) and Michael McCaul (R-TX) on May 14, 2019. Download the PDF. Thank you for introducing legislation aimed at increasing cybersecurity at the state and local levels of government. We recognize the need for this important legislation, which is aimed at hardening cyber resiliency efforts and preventing vulnerabilities from becoming nightmare realities. For the states that would respond to the proposed grants in H.R. 2130 and S.1065, and for the protection of the citizens who live in them, we applaud your support in the battle against cyberattacks. At the same time that you are bolstering cybersecurity defenses, we encourage you to add provisions specifically prohibiting these funds from being used for internet-based voting. Cybersecurity experts agree that internet return of marked ballots lacks sufficient safeguards for security and privacy. We urge you to specifically name internet voting as a threat and prohibit the funding provided by your legislation from being used to support internet voting programs and pilots. Cybersecurity experts agree that no current technology, including blockchain voting, can guarantee the secure, verifiable, and private return of voted ballots over the internet. Both because vote-rigging malware could already be present on the voter's computer and because electronically returned ballots could be intercepted and changed or discarded en route, local elections officials would be unable to verify that the voter’s ballot accurately reflects the voter’s intent. Furthermore, even if the voter's selections were to arrive intact, the voted ballot could be traceable back to the individual voter, violating voter privacy.

Florida: Ron DeSantis ‘not allowed’ to disclose which two Florida counties were hacked by Russians | Emily L. Mahoney/Tampa Bay Times

Gov. Ron DeSantis met with the FBI and the U.S. Department of Homeland Security last week to discuss the revelation in the Mueller report that “at least one” Florida county had its election information accessed by Russian hackers in 2016. On Tuesday, DeSantis told reporters that he had been briefed on that breach — which actually happened in two counties in Florida — but that he couldn’t share which counties had been the target. “I’m not allowed to name the counties. I signed a (non)disclosure agreement,” DeSantis said, emphasizing that he “would be willing to name it” but “they asked me to sign it so I’m going to respect their wishes.”

Florida: Russian government hackers targeted small county in Florida panhandle in 2016 | Ellen Nakashima and Karoun Demirjian/The Washington Post

The voter registration database of a small county in the Florida panhandle was breached by Russian government hackers in 2016, according to two U.S. officials. The Russian military spy agency, the GRU, was responsible for the penetration of Washington County’s database, according to the two officials, who spoke on the condition of anonymity to discuss a sensitive matter. The county has a population of about 25,000. Carol F. Rudd, county elections supervisor, declined to comment on the breach but said it’s important for federal, state and local officials to be able to communicate confidentially. “If each agency gets suspicious of the other’s ability to follow the rules of confidentiality, then those tenuous lines of communication quickly break down,” she said in an email. “That would set our security capabilities back years and severely compromise our ability to protect our elections. THAT would be a big win for the Russians going into 2020.”

Florida: Even Without Russian Hacking, Florida’s Voting System Is ‘Not Secure,’ Says Election Expert | WJCT

The FBI will brief Florida’s congressional members this week on Russian attempts to hack the 2016 election, after the Mueller report revealed last month that the election system of at least one Florida county was compromised. But even before details emerge, a former supervisor of elections in Florida is saying he is not surprised that the state’s system was compromised. Ion Sancho, the longtime former supervisor of elections of Leon County, said Friday on The Florida Roundup that Florida’s election infrastructure is, frankly, “not secure.” “It’s been clear to me that the election infrastructure, not only in Florida but in the country, is not secure,” he said.

Georgia: High court to hear appeal in election challenge | Kate Brumback/Associated Press

Georgia’s outdated voting machines are in the spotlight as election integrity advocates try to convince the state’s highest court that a judge shouldn’t have dismissed a lawsuit challenging the outcome of November’s race for lieutenant governor. The lawsuit says tens of thousands of votes were never recorded in the race and the contest was “so defective and marred by material irregularities” as to place the result in doubt. It contends an unexplained undervote in the race was likely caused by problems with the state’s paperless touchscreen voting machines. Republican Geoff Duncan beat Democrat Sarah Riggs Amico by 123,172 votes to become lieutenant governor.

North Carolina: Karen Brinson Bell new North Carolina elections director, replaces Kim Strach | Will Doran/Raleigh News & Observer

Kim Strach, who has led the North Carolina Board of Elections since 2013, was dismissed by the board Monday. She will be replaced by Karen Brinson Bell. The vote was split along party lines, with the five-member elections board voting 3-2 in favor of replacing Strach with Brinson Bell. The board’s Democrats voted for Brinson Bell, while the board’s Republicans voted against her. “Our top priorities will be promoting voter confidence in elections and assisting the 100 county boards, the boots on the ground in every election,” Brinson Bell said in a written statement after the vote Monday. “I plan to roll up my sleeves and work with State Board staff to prepare for the important elections ahead.” She will start June 1.

Pennsylvania: Pushing buttons: No one in City offices approved new voting machines, so why did 83 arrive in Philadelphia? | Courtenay Harris Bond/Philadelphia Weekly

The brouhaha over the buying of new voting machines for the city reached a crescendo when 83 of the most expensive and least secure varieties – according to voters’ rights advocates – arrived in Philadelphia last week. The machines toured by a crew from a local television station before the procurement process had been finalized. That move subsequently has raised lots of eyebrows and questions and now has the whole affair under investigation by City controller’s Rebecca Rhynhart’s office. City Commissioner Lisa Deeley, who has recused herself from sitting on the commission because she is running for re-election, gave NBC10 a look at the ES&S Express Vote XL machines, which cost about $8,000 each and which advocates from Protect Our Vote Philly Coalition and other groups say are less reliable and less protected against tampering than paper ballot systems with scanners. “I think they we picked the worst, most expensive, least secure machines, unfortunately,” said Democratic commissioner candidate Jen Devor, who is running in a pool of 12 other Democrats, including Deeley, in the May 21 primary.

Philippines: Voting machine glitches disrupt Philippines poll | Andreo Calonzo and Philip J. Heijmans/Washington Post

Malfunctioning machines and hundreds of arrests for suspected vote buying disrupted the Philippines’ midterm elections on Monday. Philippine President Rodrigo Duterte is poised for a majority win in both houses of Congress, even with slowing economic growth and controversial policies including a deadly drug war. Over 18,000 government positions are up for grabs in the midterm elections, including half of the 24-seat Senate and about 300 posts in the House. Polls are set to close at 6pm and among the stumbles have been defects in 600 voting machines, causing long queues and delays in several areas, the Commission on Elections said.

Russia: E-voting bill faces second reading in Russia’s lower house of parliament | RAPSI

The State Duma will consider a bill envisaging a test remote voting via electronic communications during the elections to the Moscow parliament in the second reading on May 16, the Moscow City Duma Chairman Alexey Shaposhnikov has told journalists. Under the draft law, the test voting is to be conducted in only one city district. The remote voting would require changes and development of public control over the elections, Alexander Brod, a member of the Presidential Council of Human Rights, said earlier. Previously, the Central Election Commission (CEC) proposed to ease the procedure governing the elections of municipal deputies.