The Election Assistance Commission and the Cybersecurity and Infrastructure Security Agency were sharply questioned in hearings this week by lawmakers about human resource decisions. The EAC has just a small handful of employees dedicated to testing and certification of voting machines, and the acting director of testing and certification stepped down earlier this month. While the agency quickly hired a new director and has worked to bring on more personnel, there’s concern that EAC staff could be under-resourced heading into the 2020 election cycle and beyond. The agency had nearly 50 full-time employees and a budget of $17 million in 2009. Today they have a headcount in the low twenties and a budget of $10 million despite an expanded role in election cybersecurity. Chair Christy McCormick and other commissioners were questioned over a host of perceived staffing and management failures at a May 21 House Administration committee hearing. Full Article: Congress focuses on money and staffing in election security -- FCW.
The front lines of today’s cyberwarfare battles are not just at Fort Meade. They are in Allegheny County’s Elections Division. And in Erie County. And Butler County. And Indiana County. And all across Pennsylvania. Our elections — and the integrity of your vote — are under threat from nation-state adversaries. As of today, Pennsylvania is not prepared to defend against what will almost certainly be unprecedented attacks in the next presidential election cycle. But there is still time to secure the 2020 election. The General Assembly, however, needs to help counties secure this most critical of battlegrounds. The Blue Ribbon Commission on Pennsylvania’s Election Security spent much of the past year studying current and future cyber-based threats to Pennsylvania’s elections. What we found was sobering. In the 2016 and 2018 elections, more than 80 percent of Pennsylvania voters were registered to vote in precincts that did not use paper-based voting systems, meaning that most of Pennsylvania’s counties would be unable to even detect the hack of a voting system, let alone recover from it. Full Article: David Hickton: Don’t nickel & dime Pennsylvania’s democracy | TribLIVE.com.
International: Cyber-enabled election interference occurs in one-fifth of democracies | Fergus Hanson and Elise Thomas/The Strategist
Cyber-enabled election interference has already changed the course of history. Whether or not the Russian interference campaign during the US 2016 federal election was enough to swing the result, the discovery and investigation of the campaign and its negative effects on public trust in the democratic process have irrevocably shaped the path of Donald Trump’s presidency. Covert foreign interference presents a clear threat to fundamental democratic values. As nations around the world begin to wake up to this threat, new research by ASPI’s International Cyber Policy Centre has identified the key challenges democracies face from cyber-enabled election interference, and makes five core recommendations about how to guard against it. ICPC researchers studied 97 national elections which took place between 8 November 2016 and 30 April 2019. The 97 were chosen out of the 194 national-level elections that occurred during the time period because they were held in countries ranked as ‘free’ or ‘partly free’ in Freedom House’s Freedom in the world report. Full Article: Cyber-enabled election interference occurs in one-fifth of democracies | The Strategist.
The European Union on Friday agreed to new rules that will grant it authority to impose travel bans and asset freezes against individuals responsible for cyber-attacks that pose a significant threat to the bloc. The new rules come amid concerns by European and U.S. officials over cyber-attacks related to election meddling or intellectual property theft by actors linked to Russia and China. The measures, which aim to “deter and respond to cyber-attacks which constitute an external threat to the EU,” would apply to actors responsible for attacks originating outside the bloc, the Council of EU member states said in a statement. The bloc said it would also consider measures in response to attacks targeted at countries outside the EU or international organizations. Full Article: EU Agrees Powers to Sanction, Freeze Assets Over Cyber-Attacks - Bloomberg.
Indonesia: Hacktivists, Bots, Elections: Indonesia Stepping Up Its Cybersecurity | Nur Yasmin/Jakarta Globe
The government should be thanked for their role in improving cybersecurity in Indonesia in the past five years, including during elections, an expert has said. “I’m seeing really good progress in Indonesian cybersecurity. A few years ago, it wasn’t as strong,” Fernando Serto, director of security technology and strategy at Akamai APJ said on the sidelines of the Akamai Security Summit in Jakarta at the end of last month. Serto is an expert in technology, specifically “zero-trust” web security and cybersecurity. He is a familiar face in Indonesia and has been assisting the government and local organizations with his expertise. Akamai APJ is the world’s largest and most trusted cloud delivery and security platform based in the United States. Serto said cyber attacks are increasing and constantly evolving, especially bot attacks. Full Article: Hacktivists, Bots, Elections: Indonesia Stepping Up Its Cybersecurity.
National: Foreign election hacking inevitable, say US officials | Eric Tucker and Colleen Long/Associated Press
The hacking of U.S. election systems, including by foreign adversaries, is inevitable, and the real challenge is ensuring the country is resilient enough to withstand catastrophic problems from cyber breaches, government officials said Wednesday. The comments by representatives from the departments of Justice and Homeland Security underscored the challenges for federal and state governments in trying to ward off interference from Russia and other countries in the 2020 election. Special counsel Robert Mueller has documented a sweeping effort by Moscow to meddle in the 2016 election in Donald Trump’s favor by hacking Democrats and spreading disinformation online, and FBI Director Chris Wray said in April that the government regarded last November’s midterm election “as just kind of a dress rehearsal for the big show in 2020.” Full Article: Foreign election hacking inevitable, say US officials | Las Vegas Review-Journal.
Verified Voting Blog: Counting Votes: Paper Ballots and Audits in Congress, Crisis at the EAC?, Florida’s Mystery Counties
In her testimony at an election security hearing before the Committee on House Administration last week, Verified Voting President Marian Schneider joined advocates and election officials in calling on Congress to help states and local jurisdictions replace aging voting systems, conduct risk-limiting audits and enhance election infrastructure security. In order to prepare for 2020, Congress must provide “adequate financial investment in cyber security best practices, replacement equipment and post-election audit processes … immediately and continue at a sustainable level moving forward.”
Writing in Governing, Graham Vyse highlighted the significant bipartisan agreement between the two secretaries of state who testified, Jocelyn Benson (D-MI) and John Merrill (R-AL), on efforts needed to address emerging threats to election security. Significantly, the state election officials, along with all the witnesses, were unanimous in recommending the replacement of direct recording electronic voting machines with paper ballot voting systems and conducting post-election ballot audits.
Two days after the hearing, House Homeland Security Committee Chairman Bennie Thompson (D-MS), House Administration Committee Chairwoman Zoe Lofgren (D-CA) and Rep. John Sarbanes (D-MD), the chairman of the Democracy Reform Task Force, reintroduced The Election Security Act. Aimed at reducing risks posed by cyberattacks by foreign entities or other actors against U.S. election systems, the bill would establish cybersecurity standards for voting system vendors and require states to use paper ballots during elections.
Last month legislation was introduced in both chambers intended to strengthen election security by providing government grants to assist states, as well as local and tribal governments, in developing and implementing plans to address cybersecurity threats or vulnerabilities. This week Verified Voting wrote an open letter to the bills’ sponsors supporting their efforts and encouraging them to add provisions specifically prohibiting these funds from being used for internet-based voting. The letter notes that “[c]ybersecurity experts agree that no current technology, including blockchain voting, can guarantee the secure, verifiable, and private return of voted ballots over the internet.”
The departure of Ryan Macias from his position as acting head of the Election Assistance Commission’s voting system testing and certification program reflects an agency in crisis, according to Politico’s Morning Cybersecurity. Macias’ departure may be related to an exchange at an EAC field hearing, when Chairwoman Christy McCormick repeatedly asked Macias why EAC commissioners didn’t have final approval over the details of federal voting system standards.
Florida: Hacked Florida counties could disclose their identities — if they wanted to | Marc Caputo/Politico
Local election officials in the two unnamed Florida counties where Russian agents hacked voter rolls in 2016 are able to publicly disclose whether they had been attacked. But the bureaucrats are clamming up instead. And voters in those counties have no right to know that information, according to the FBI. Nor is the state’s governor or its congressional delegation allowed to tell the public the names of those counties. That’s because the FBI made the governor sign a non-disclosure agreement in order to receive a classified briefing about the hack, along with the members of Congress. Some lawmakers are outraged at what they see as bizarre reasoning from the agency. For now, the information about the two counties is being kept officially secret — even though the identity of one of the hacking “victims,” Washington County’s election office, has leaked out. Full Article: Hacked Florida counties could disclose their identities — if they wanted to - POLITICO.
Sen. Ron Wyden (D-Ore.) has questions that a lot of people are still asking three years after the 2016 presidential race — what exactly happened with VR Systems, the Florida voter-registration software maker that the FBI apparently believes Russia hacked. The redacted version of special counsel Robert Mueller’s report indicated that in 2016 Russian hackers infiltrated a US maker of voter-registration software and installed malware on its network — information that was based on an FBI investigation. Furthermore, the 2017 indictment of Russian military officers for hacking Democratic computer systems that was based on the FBI investigation as well also asserted that a company fitting VR Systems’ description was hacked in 2016 and had malware installed on its network. VR Systems, however, has long insisted it wasn’t hacked, though the company has never produced evidence showing it wasn’t compromised. Wyden wants to know whether the company ever engaged a third party to conduct a forensic examination of its computer networks and systems since the hacking assertions first came to light after the 2016 election and has asked to see a copy of a report from any such investigation, according to a letter he sent last week to VR Systems that his office shared with POLITICO. Full Article: Wyden seeks answers in Florida election hacking allegations - POLITICO.
Three years after the 2016 election, major political parties in the U.S. are still displaying sloppy digital security practices, according to a report from Security Scorecard. In new research released May 21, the company found vulnerabilities for the public facing, internet-connected digital assets of two major political parties. The Green Party and the Libertarian Party websites also displayed weaknesses. Vulnerabilities range from smaller sins like serving expired security certificates and sending unencrypted data to larger ones like leaking personally identifiable information and failing to put in place anti-spoofing protocols. In one case, an unnamed U.S. party was caught leaking data from a voting validation application containing the names, dates of birth and addresses of voters to the internet. Full Article: Report: U.S. political parties need to shore up cyber -- FCW.
California: California tech official rushed Motor Voter, despite testing issues | Bryan Anderson/The Sacramento Bee
The California government technology officials who developed an automatic voter registration program for the Department of Motor Vehicles last year raced to the finish line even though they acknowledged they should have slowed down. In April 2018, the state delayed the launch of its Motor Voter program by one week because of technical errors, inadequate testing and infrastructure concerns, according to records obtained by The Sacramento Bee. Amy Tong, director of the California Department of Technology, told colleagues working on the project the morning of the scheduled launch that, “In some strange way, this maybe (sic) a sign that we need to slow down in order to go fast again.” The one-week delay may not have been enough time. Full Article: CA tech official rushed Motor Voter, despite testing issues | The Sacramento Bee.
National: The vote-by-phone tech trend is scaring the life out of security experts | Eric Halper/Los Angeles Times
With their playbook for pushing government boundaries as a guide, some Silicon Valley investors are nudging election officials toward an innovation that prominent coders and cryptographers warn is downright dangerous for democracy. Voting by phone could be coming soon to an election near you. As seasoned disruptors of the status quo, tech pioneers have proven persuasive in selling the idea, even as the National Academies of Science, Engineering and Medicine specifically warn against any such experiment. The fight over mobile voting pits technologists who warn about the risks of entrusting voting to apps and cellphones against others who see internet voting as the only hope for getting most Americans to consistently participate on election day. “There are so many things that could go wrong,” said Marian Schneider, president of Verified Voting, a coalition of computer scientists and government transparency advocates pushing for more-secure elections. “It is an odd time for this to be gaining momentum.” Full Article: The vote-by-phone tech trend is scaring the life out of security experts - Los Angeles Times.
National: In Congressional Hearing, Election Officials Appear United Yet Divided on Security | Graham Vyse/Governing
Jocelyn Benson and John Merrill are a political odd couple. She’s a Michigan Democrat who backed Hillary Clinton, and he’s a Donald Trump supporter who represents Alabama. But both are secretaries of state, and when they testified side-by-side before Congress on Wednesday — she in a blue dress and he in a red tie — they repeatedly insisted they were friends ready to work together to strengthen the nation’s voting system. Benson and Merrill called on the federal government to provide more funding and resources for states and localities to address the issue. This weekend, they’re leading 18 other secretaries of state on a voting-rights history tour of Alabama with the hope of inspiring further bipartisan collaboration. “It’s the first time in our country’s history where you’ve got the chief election officers collectively, Democrats and Republicans, going to Selma to walk across the Edmund Pettus Bridge together,” Benson told Governing. The question is whether the secretaries can bridge enough of their differences to unite around federal legislation to improve election security. Benson and Merrill appeared alongside cybersecurity experts before the U.S. Committee on House Administration this week, more than two years after Russia’s cyberattack on American election systems during the 2016 presidential campaign. Full Article: In Congressional Hearing, Election Officials Appear United Yet Divided on Security.
National: After Russian Election Interference, Americans Are Losing Faith in Elections | Susan Milligan/US News
As lawmakers, state elections officials and social media executives work to limit intervention in the 2020 elections by Russia and other foreign operatives, an unsettling truth is emerging. Vladimir Putin may already be succeeding. The troubling disclosures of Russian meddling in the 2016 campaign – “sweeping and systematic,” special counsel Robert Mueller concluded in his report on the matter – have policymakers on guard for what intelligence officials say is a continuing campaign by Russia to influence American elections. But even if voting machines in all jurisdictions are secured against hacking and social media sites are scrubbed of fake stories posted by Russian bots, the damage may already have been done, experts warn, as Americans’ faith in the credibility of the nation’s elections falters. Full Article: After Russian Election Interference, Americans Are Losing Faith in Elections | The Civic Report | US News.
National: House Democrats reintroduce bill to protect elections from cyberattacks | Maggie Miller/The Hill
House Democratic chairmen on Friday reintroduced a bill to protect U.S. election systems against cyberattacks, including requiring President Trump to produce a “national strategy for protecting democratic institutions.” The Election Security Act is aimed at reducing risks posed by cyberattacks by foreign entities or other actors against U.S. election systems. The national strategy from President Trump would “protect against cyber attacks, influence operations, disinformation campaigns, and other activities that could undermine the security and integrity of United States democratic institutions.” Full Article: House Dems reintroduce bill to protect elections from cyberattacks | TheHill.
National: House Administration Committee to make election security a ‘primary focus’ | Regina Zilbermints/The Hill
The secretaries of state of Michigan and Alabama went before the House Administration Committee Wednesday to advocate for more federal resources to secure election systems against cyber attacks and committee leaders vowed to make the issue a “primary focus.” “Federal action is needed now to grasp the scope of the problem and to innovate concrete solutions that can be implemented before the next federal election cycle in 2020,” House Administration Committee Chairwoman Zoe Lofgren (D-Calif.) said at the hearing on election security. Full Article: House Administration Committee to make election security a 'primary focus' | TheHill.
National: Election commission names new lead for testing and certifying voting systems | Sean Lyngaas/CyberScoop
The federal Election Assistance Commission has appointed Jerome Lovato, a former Colorado state election official, as head of the commission’s program for testing and certifying voting systems, according to a commission email obtained by CyberScoop. Lovato replaces Ryan Macias, who was filling the role in an acting capacity and will step down this month. The crucial EAC program works with the country’s top voting equipment vendors to certify and decertify voting system hardware and software. Full Article: Election commission names new lead for testing and certifying voting systems.
Verified Voting Blog: Verified Voting Testimony Before the House Administration Committee hearing on “Election Security”
Election administration depends on computers at multiple points in the election process. Equipment for voting is but one part of a broad array of election technology infrastructure that supports the conduct of elections today. Some of that technology infrastructure includes voter registration databases, internet facing applications such as online voter registration and polling place lookup, network connections between state government and local jurisdictions, the computers that program the voting devices that record and count votes in addition to the voting devices themselves. Some jurisdictions also use electronic poll books to check voters in at polling sites and most states and localities report election night returns via a website. To the extent that any of these can be compromised or manipulated, can contain errors, or can fail to operate correctly—or at all—this can potentially affect the vote. Election system security requires not only efforts to prevent breaches and malfunctions, but also fail-safes that address breaches and malfunctions that do occur. The security of election infrastructure has taken on increased significance in the aftermath of the 2016 election cycle. During the 2016 election cycle, a nation-state conducted systematic, coordinated attacks on America’s election infrastructure, with the apparent aim of disrupting the election and undermining faith in America’s democratic institutions. Intelligence reports and recent investigations demonstrate that state databases and third-party vendors not only were targeted for attack, but were breached. The consensus among the intelligence community is that future attacks on American elections are inevitable. The inevitability of attacks is a key concept in cyber security: it’s not whether a system will be attacked, but when. Moreover, cyber security experts now agree that it is impossible to thwart all attacks on computer systems.
Rather, best practice demands a multi-layered approach built around the concept of resiliency. Systems are resilient if owners can monitor, detect, respond and recover from either an intentional attack or a programming mistake or error. The capacity to recover from even a successful attack is integral to the security of U.S. elections. Despite considerable progress in the last few years, much work must be done to secure our nation’s elections infrastructure. Two primary areas that require immediate and sustained attention are 1) securing both the state and county networks, databases and data transmission infrastructure that touch elections; and 2) instilling confidence in election outcomes by replacing older, vulnerable legacy voting systems with new systems that permit reliable recounts and post-election audits. Full Article: Written Testimony for U.S. House Committee on House Administration hearing on “Election Security.”
Verified Voting Blog: Verified Voting Letter in Support of Congressional Election Cybersecurity Legislation
This letter was sent to Senators Cory Gardner (R-CO), Mark Warner (D-VA) and Representatives Derek Kilmer (D-WA) and Michael McCaul (R-TX) on May 14, 2019.
Thank you for introducing legislation aimed at increasing cybersecurity at the state and local levels of government. We recognize the need for this important legislation, which is aimed at hardening cyber resiliency efforts and preventing vulnerabilities from becoming nightmare realities. For the states that would respond to the proposed grants in H.R. 2130 and S.1065, and for the protection of the citizens who live in them, we applaud your support in the battle against cyberattacks.
At the same time that you are bolstering cybersecurity defenses, we encourage you to add provisions specifically prohibiting these funds from being used for internet-based voting. Cybersecurity experts agree that internet return of marked ballots lacks sufficient safeguards for security and privacy. We urge you to specifically name internet voting as a threat and prohibit the funding provided by your legislation from being used to support internet voting programs and pilots.
Cybersecurity experts agree that no current technology, including blockchain voting, can guarantee the secure, verifiable, and private return of voted ballots over the internet. Both because vote-rigging malware could already be present on the voter’s computer and because electronically returned ballots could be intercepted and changed or discarded en route, local elections officials would be unable to verify that the voter’s ballot accurately reflects the voter’s intent. Furthermore, even if the voter’s selections were to arrive intact, the voted ballot could be traceable back to the individual voter, violating voter privacy.
Florida: Ron DeSantis ‘not allowed’ to disclose which two Florida counties were hacked by Russians | Emily L. Mahoney/Tampa Bay Times
Gov. Ron DeSantis met with the FBI and the U.S. Department of Homeland Security last week to discuss the revelation in the Mueller report that “at least one” Florida county had its election information accessed by Russian hackers in 2016. On Tuesday, DeSantis told reporters that he had been briefed on that breach — which actually happened in two counties in Florida — but that he couldn’t share which counties had been the target. “I’m not allowed to name the counties. I signed a (non)disclosure agreement,” DeSantis said, emphasizing that he “would be willing to name it” but “they asked me to sign it so I’m going to respect their wishes.” Full Article: Ron DeSantis ‘not allowed’ to disclose which two Florida counties were hacked by Russians | Tampa Bay Times.