National: New Election Security Bills Face a One-Man Roadblock: Mitch McConnell | Nicholas Fandos/The New York Times

A raft of legislation intended to better secure United States election systems after what the special counsel, Robert S. Mueller III, called a “sweeping and systematic” Russian attack in 2016 is running into a one-man roadblock in the form of the Senate majority leader, Mitch McConnell of Kentucky. The bills include a Democratic measure that would send more than $1 billion to state and local governments to tighten election security, but would also demand a national strategy to protect American democratic institutions against cyberattacks and require that states spend federal funds only on federally certified “election infrastructure vendors.” A bipartisan measure in both chambers would require internet companies like Facebook to disclose the purchasers of political ads. Another bipartisan Senate proposal would codify cyberinformation-sharing initiatives between federal intelligence services and state election officials, speed up the granting of security clearances to state officials and provide federal incentives for states to adopt paper ballots. But even bipartisan coalitions have begun to crumble in the face of the majority leader’s blockade. Mr. McConnell, long the Senate’s leading ideological opponent to federal regulation of elections, has told colleagues in recent months that he has no plans to consider stand-alone legislation on the matter this term, despite clamoring from members of his own conference and the growing pressure from Democrats who also sense a political advantage in trying to make the Republican response to Russia’s election attack look anemic.

National: Election Security Is Still Hurting at Every Level | Lily Hay Newman/WIRED

The Russian meddling that rocked the 2016 US presidential election gave the public a full view of something officials and advocates have warned about for years: weak voting infrastructure and election systems around the US, and a lack of political will and funding to strengthen them. Two and a half years later, real progress has been made in key areas. But with a new presidential election less than 18 months away, glaring systemic risks remain. Many of those inadequacies show up in a new report from the Stanford Cyber Policy Center, which breaks down the threats facing the 2020 election and beyond, and proposes paths to managing them. But as the report also makes clear, many of those necessary steps will not be completed before 2020. Smooth-running elections will require a clear-eyed view of those lingering deficiencies.

National: Stanford group calls for major overhaul on election security. Here are their recommendations | Joseph Marks/The Washington Post

A plan released this week by a Stanford University group that includes former top government and tech industry officials aims to be the equivalent of the 9/11 Commission report for election security. Like the 9/11 report, which fundamentally reorganized the nation’s homeland security and intelligence structure after the Sept. 11, 2001, terrorist attacks, “Securing American Elections” aims big. It argues Russia’s 2016 election interference operation was an attack on fundamental American values, and should provoke the government and private sector to step up “defenses against efforts to erode confidence in democracy.”  The report’s 108 pages include 45 recommendations ranging from securing voting systems and combating online disinformation campaigns to negotiating major election security norms with allies and punishing adversaries who violate them. Like the 9/11 commission leaders who spent years pushing the government to fully implement their reforms amid partisan bickering, this group is preparing for a fierce lobbying campaign to turn its recommendations into reality, said Nate Persily, a report author and director of Stanford’s Cyber Policy Center.

National: House subcommittee approves funding bill with $600 million for election security | Maggie Miller/The Hill

A House Appropriations subcommittee approved a bill Monday night that includes $600 million in funding for the Election Assistance Commission (EAC) meant for states to bolster election security, with the money specifically earmarked for states to buy voting systems with “voter-verified paper ballots.” The approval comes as recent remarks by special counsel Robert Mueller emphasizing the dangers posed by foreign interference in U.S. election systems injected new life into the election security debate on Capitol Hill. The Senate already approved a bill Monday night to ban foreign individuals who meddle in U.S. elections from entering the country. The funds are part of the Financial Services fiscal 2020 budget, and were approved by voice vote by the House Appropriations Subcommittee on Financial Services and General Government. The bill now goes to the full House Appropriations Committee for consideration.

National: Election Rules Are an Obstacle to Cybersecurity of Presidential Campaigns | Nicole Perlroth and Matthew Rosenberg/The New York Times

One year out from the 2020 elections, presidential candidates face legal roadblocks to acquiring the tools and assistance necessary to defend against the cyberattacks and disinformation campaigns that plagued the 2016 presidential campaign. Federal laws prohibit corporations from offering free or discounted cybersecurity services to federal candidates. The same law also blocks political parties from offering candidates cybersecurity assistance because it is considered an “in-kind donation.” The issue took on added urgency this week after lawyers for the Federal Election Commission advised the commission to block a request by a Silicon Valley company, Area 1 Security, which sought to provide services to 2020 presidential candidates at a discount. The commission questioned Area 1 about its request at a public meeting on Thursday, and asked the company to refile the request with a simpler explanation of how it would determine what campaigns qualified for discounted services. Cybersecurity and election experts say time is running out for campaigns to develop tough protections.

National: DHS needs help peeking into state and local networks, cybersecurity official says | Benjamin Freed/StateScoop

A top federal cybersecurity official said Wednesday the Department of Homeland Security often lacks a clear picture of state and local governments’ network security, even as foreign adversaries increase their attempts to disrupt all levels of the public sector. And while federal agencies are getting better at working with state and local authorities, they face an ongoing challenge of staying ahead of an evolving threat landscape. “We don’t have good visibility in the state and local dot-gov [domain],” Rick Driggers, the deputy assistant director for cybersecurity at DHS’s Cybersecurity and Infrastructure Agency, said at FedScoop’s FedTalks event in Washington. Driggers said one of the most immediate steps state and local governments can take is to enact more robust information sharing with federal cybersecurity authorities. He said hackers, especially those backed by foreign governments, have increased their focus on state and local governments, raising the threat that a local population could suffer the brunt of a successful cyberattack.

National: NGA selects six states for election cybersecurity policy academy | Benjamin Freed/StateScoop

The National Governors Association announced Wednesday the six states that will participate in the organization’s latest cybersecurity policy academy. Officials from Arizona, Hawaii, Idaho, Minnesota, Nevada and Virginia will spend the next six months studying election security to come up with plans and practices to protect the integrity of their voting systems ahead of the 2020 presidential election. The NGA has convened the cybersecurity policy academies, which are run by the group’s Homeland Security and Public Safety division, since 2016. Last year’s program — which included Indiana, North Carolina, West Virginia and Wisconsin — focused broadly on IT security, ultimately producing a set of recommendations for greater collaboration between state and local governments.

National: States, experts ask EAC for more flexibility in voting machine standards | Derek B. Johnson/FCW

State officials and security experts say security updates contained in the Election Assistance Commission’s new Voluntary Voting System Guidelines 2.0 are badly needed, but there is concern that the bureaucratic process the agency has set up to approve and update those standards can’t keep up with the pace of technological change. Later this year, the commission is expected to vote to approve a five-page document outlining principles that will guide the development of VVSG 2.0, including a new emphasis on security. That process will be followed up with far more detailed technical guidance and standards that companies will rely on to design their new voting machines. At a May 21 hearing, the commission heard from a number of stakeholders who advised that the agency refrain from requiring a full vote to approve the technical portions of the guidelines, saying it would run counter to the goal of ensuring that voting machine standards account for the latest developments in technology.

National: Democratic base fired up by effort to ban Internet-connected voting machines | Joseph Marks/The Washington Post

As the 2020 election approaches, voting security groups are trying to rally the public behind an effort to ban Internet connections from U.S. voting machines that could be hacked by Russia and other foreign adversaries. And they’re getting an assist from activists on the left, who are still burned by the 2016 election, when Russia hacked troves of Democratic emails and strategically released them to damage the Hillary Clinton campaign. The joint effort has resulted in a staggering number of people — 50,000 — submitting comments on the issue to the Election Assistance Commission, a federal body that’s rewriting voluntary guidelines for voting machines, the organizing groups told me. The fact that a topic this technical can be an effective rallying cry for tens of thousands of people underscores that election security has become an increasingly pivotal issue in the 2020 contest — and tangible proof it’s resonating with a Democratic base that fears Russia, which sought to help the Trump campaign in 2016, might try to deliver the president a second term.

National: Voatz has raised $7 million in Series A funding for its mobile voting technology | Connie Loizos/TechCrunch

Voatz, the four-year-old, Boston, Mass.-based voting and citizen engagement platform that has been at the center of debate over the merits and dangers of mobile voting, has raised $7 million in Series A funding. The round was co-led by Medici Ventures and Techstars, with participation from Urban Innovation Fund and Oakhouse Partners. Voatz, which currently employs 17 people, is modeled after other software-as-a-service companies but geared toward election jurisdictions, working with state and local governments to conduct elections and provide related election management and cybersecurity services. As we reported back in March, the city of Denver agreed to implement a mobile voting pilot in its May municipal election using Voatz’s technology, an opportunity that was offered exclusively to active-duty military, their eligible dependents and overseas voters using their smartphones.

National: ES&S reverses position on election security, promises paper ballots | Zack Whittaker/TechCrunch

Voting machine maker ES&S has said it “will no longer sell” paperless voting machines as the primary device for casting ballots in a jurisdiction. ES&S chief executive Tom Burt confirmed the news in an op-ed. TechCrunch understands the decision was made around the time that four senior Democratic lawmakers demanded to know why ES&S, and two other major voting machine makers, were still selling decade-old machines known to contain security flaws. Burt’s op-ed said voting machines “must have physical paper records of votes” to prevent mistakes or tampering that could lead to improperly cast votes. Sen. Ron Wyden introduced a bill a year ago that would mandate voter-verified paper ballots for all election machines. The chief executive also called on Congress to pass legislation mandating a stronger election machine testing program. Burt’s remarks are a sharp turnaround from the company’s position just a year ago, in which the election systems maker drew ire from the security community for denouncing vulnerabilities found by hackers at the annual Defcon conference.

Editorials: The Mueller Report Sounded the Alarm on Election Attacks. Will Congress Act? | The New York Times

Members of Congress have several major decisions to make after the special counsel Robert Mueller’s investigation into Russian interference in the 2016 election. Whether to pursue an impeachment inquiry is the one that’s gotten the most attention — and reasonable people can disagree about that. But Mr. Mueller’s findings leave no room for debate about the need to address the legal and institutional deficiencies that allowed a foreign adversary to tamper with America’s democracy. From cyberattacks on state voter systems to disinformation campaigns waged on social media to the hacking of materials belonging to a major political party, Mr. Mueller made plain that the country’s electoral infrastructure remains vulnerable to attack. If the problems are left unaddressed, nothing will stop Russia or other actors from once again undermining free and fair elections in the United States — and they seem to be gearing up to try to do just that.

National: FEC allows nonprofit to provide free cybersecurity services to campaigns | Shannon Vavra/CyberScoop

The Federal Election Commission has decided that a nonprofit spinoff of Harvard’s Defending Digital Democracy Project may provide free and low-cost cybersecurity services to political campaigns without violating campaign finance laws, given the fact that there is a “highly unusual and serious threat” posed to U.S. elections by foreign adversaries. The driving force behind the FEC’s advisory opinion, which FEC Chair Ellen Weintraub issued Tuesday, is the fact that there is a “demonstrated, currently enhanced threat of foreign cyberattacks against party and candidate committees,” she writes in the advisory. The nonprofit, Defending Digital Campaigns, has political campaign veterans Matt Rhoades and Robby Mook among its board members, as well as former National Security Agency executive Debora Plunkett. In the ruling, Weintraub notes the FEC’s decision is partly due to the other efforts by the government, primarily to expose and prosecute foreign adversaries, that she indicates have not done enough to protect campaigns and political parties.

National: Election Assistance Commission staff ‘strained to the breaking point’ | Christopher Bing/Reuters

As the U.S. government prepares to defend the 2020 presidential election from cyber threats, the federal agency charged with helping administer elections, the Election Assistance Commission, says it is “strained to the breaking point,” according to Chairwoman Christy McCormick. “Obviously we’re a very small agency and quite under funded,” McCormick said on Wednesday during a…

National: Trump not doing enough to thwart Russian 2020 meddling, experts say | Peter Stone/The Guardian

Intelligence warnings are growing that Russia will probably meddle in the 2020 elections, but Donald Trump and a powerful Senate ally are downplaying these concerns and not doing enough to thwart interfering, say Russia and cyber experts and key congressional Democrats. Despite fears that Moscow may seek to influence the 2020 elections by launching cyber attacks, social media disinformation, covert agent operations and other “active measures” as it did in the 2016 election, adequate funding and White House focus to counter any new Russian meddling are lagging, experts and officials say. Election security concerns that critics say require more resources and attention include: a paper ballot system to replace or backup electronic voting machines vulnerable to hacking; more resources and attention for cybersecurity programs at the Department of Homeland Security (DHS); a requirement that campaigns report to the FBI any contacts with foreign nationals; and a strong public commitment from the president to an interference-free election. Federal efforts to beef up election security, critics say, have been undercut by Trump’s apparent willingness to accept Russian president Vladimir Putin’s word that the country did not interfere in 2016, and Trump’s slighting of intelligence community conclusions about Russian meddling.

Editorials: Russia hacked us: We made it far too easy — and still do | Jeremy Epstein/The Hill

Florida Gov. Ron DeSantis recently made it official: when it comes to the security of America’s elections, we have seen the enemy… and it is us. Governor DeSantis forthrightly acknowledged that, according to the FBI, two Florida counties’ election systems were infected by malware in the 2016 elections. Reportedly, that malware was furtively installed on at least two county employees’ computers via a run-of-the-mill email “spearphishing” campaign. The malware installed then compromised county databases when those county employees used their computers to access their employers’ computer networks, allowing hackers to access vote and voter data stored elsewhere on those same networks. Fortunately, it appears that the malicious code was used “merely” to infect databases separate from voting machines themselves and other internal ballot-tallying systems.

Verified Voting Blog: Verified Voting Public Comments on VVSG 2.0 Principles and Guidelines

Download the PDF Verified Voting is pleased to see the VVSG 2.0 principles and guidelines finally moving forward. We are enthusiastic about the VVSG 2.0 structure and, with some reservations, about the content of the principles and guidelines. Full implementation of the VVSG 2.0 will, in time, help bring about voting systems that set new…

Florida: Election officials wanted an elections cybersecurity team. Lawmakers said no. | Lawrence Mower/Tampa Bay Times

Gov. Ron DeSantis said Wednesday he wants state officials to “review” the state’s elections systems after news that two county elections offices were hacked in 2016. But for the last two years, Florida’s secretaries of state have asked for that help — only to be turned down twice by state lawmakers. Last year, then-Secretary of State Ken Detzner asked the Legislature for $488,000 to create a full-time elections cybersecurity team with five people, according to the department. Even though it was a measly amount in the scope of their $88.7 billion budget, lawmakers refused, and the department instead hired five cybersecurity contractors to help local supervisors in last year’s election. This year, Secretary of State Laurel Lee asked lawmakers for $1.5 million to keep those cybersecurity contractors, and lawmakers again refused. Thankfully, all were not lost.

Florida: VR Systems says it has proof it wasn’t breached by Russians | Kim Zetter/Politico

A Florida-based maker of voter registration software says it has proof that neither its employees’ email accounts nor its systems were penetrated in a Russian cyberattack in 2016 — an attack that could have allowed hackers to prevent voters from casting ballots during the presidential election if successful. The company, VR Systems, said in a letter to Sen. Ron Wyden (D-Ore.) this month that an analysis by a cybersecurity firm found that it had not been breached, despite allegations to the contrary in special counsel Robert Mueller’s report on Russian election interference. Mueller’s report said Russian hackers installed malware on the network of an unnamed voting technology company. A leaked National Security Agency document published by The Intercept contained details that indicate VR Systems was the most likely victim. Furthermore, in its letter to Wyden, the company admits to receiving so-called “spearphishing emails” in 2016. In the letter, VR Systems responded to questions from the senator about whether computer forensic experts or a government agency had examined the company’s computers and networks after the phishing campaign occurred.

North Carolina: Is North Carolina rushing into major election changes? Some officials warn of confusion in 2020 | Will Doran/Charlotte Observer

Roughly a third of North Carolina voters use electronic machines with no paper ballots. But that might all change next year for the 2020 presidential election. Supporters of the change say it will help ensure election security, especially given reports from the FBI and other sources that the Russian government attempted to influence America’s 2016 elections and may have hacked into some U.S. voting software. But the switch has been held up for years, despite first being ordered in a 2013 law. Now, some officials — including the new state elections director — worry that there’s not enough time left to get new voting systems in place for the 2020 elections. The state’s biggest county, Mecklenburg, is one of the counties that will have to make the switch away from touchscreen voting machines. But officials there still don’t know what machines they might be allowed to buy as replacements, or how much they’ll cost. Meanwhile, the deadline to get new machines in place is coming up at the end of this year.

North Carolina: Federal Government To Check North Carolina Election Equipment Over Hacking Fears | Pam Fessler/NPR

The Department of Homeland Security has finally agreed to conduct a thorough inspection of election equipment used in North Carolina that was supplied by a vendor whose system was targeted by Russian hackers in 2016. It has been three years since the machines — laptops used to check in voters in Durham County — malfunctioned on Election Day, telling voters that they had already voted, even though they had not. The county took the laptops out of service that day and switched to using paper poll books, but what caused the problem has remained a mystery. It’s one of several remaining questions about what happened in the 2016 elections, the answers to which could help the U.S. protect itself against future cyberattacks. “This support may help to provide a better understanding of previous issues and help to secure the 2020 elections,” said Sara Sendek, a DHS spokesperson. She added that the agency “has no information that there is any previous or ongoing issues regarding elections systems” in the state.

North Carolina: Software vendor may have opened a gap for hackers in 2016 swing state | Kim Zetter/Politico

A Florida election software company targeted by Russians in 2016 inadvertently opened a potential pathway for hackers to tamper with voter records in North Carolina on the eve of the presidential election, according to a document reviewed by POLITICO and a person with knowledge of the episode. VR Systems, based in Tallahassee but with customers in eight states, used what’s known as remote-access software to connect for several hours to a central computer in Durham County, N.C., to troubleshoot problems with the company’s voter list management tool, the person said. The software distributes voter lists to so-called electronic poll books, which poll workers use to check in voters and verify their eligibility to cast a ballot. The company did not respond to POLITICO’s requests for comment about its practices. But election security experts widely condemn remote connections to election-related computer systems — not only because they can open a door for intruders but because they can also give attackers access to an entire network, depending on how they’re configured.

Oregon: On Election Day, Oregon Senate passes bill requiring future election audits | Associated Press

County clerks in Oregon would be required to audit results after each election under a bill that overwhelmingly passed the Senate on Election Day. The bill approved Tuesday requires county clerks to conduct hand-count or risk-limiting audits after every primary, general and special election. Risk-limiting audits are based on counts of statistical samples of paper ballots. Sen. Lew Frederick, a Portland Democrat, said the bill ensures more audits happen to make sure election results are correct. The bill requires audits after every election, instead of just general elections. It goes next to the House. Heading into the 2020 cycle, a new report out Tuesday provides a stark warning about the cyber-insecurity of the highest-profile U.S. political organizations even after years of concerted efforts to improve digital safeguards and an intense focus in Washington on the need to secure campaigns and elections.

Pennsylvania: Here’s who makes money from the voting machine requirement for Pennsylvania counties — and how those decisions are being made | Emily Previti & Ed Mahon|PA Post

As Jeff Frank strode out of his polling place on a recent Tuesday morning, poll watchers thanked him for voting. “Have a great day – enjoy the complaints as they come out the door,” Frank responded. Municipal elections tend to be relatively quiet – even in Montgomery, which consistently turns out a higher number of voters than any other county in the state but more-populous Philadelphia and Allegheny counties  But this year, several counties debuted new voting machines – and two, including Montgomery, went to an entirely different way of voting. “When I came and discovered what the process was, I said, okay, but it is ridiculous, a waste of time and will cause lines so long that people will not be here when the presidential election comes up,” Frank said. Other voters exiting the Temple Brith Achim Synagogue polling location in Upper Merion weren’t quite as animated over the switch from push-button machines to scannable paper ballots filled out by hand. “It’s even it’s better now that you actually get a confirmation ticket that your vote was cast. We never got that before,” said Tykia Turner.

Verified Voting Blog: Verified Voting Testimony before the Allegheny County Pennsylvania Board of Elections

Download the pdf Thank you, Chairman Baker and members of the Board, for allowing Verified Voting to submit written testimony in connection with the Public Meeting on the Purchase of Voting Systems. We hope to provide background on the security needs that counsel for the adoption of a new voting system with a verifiable and…

Tennessee: Official: No funds means Shelby County’s old voting machines to be used in 2020 | Katherine Burgess /Commercial Appeal

Unless funding for new voting machines is included in the capital improvements budget for fiscal year 2020, voters in Shelby County will continue using antiquated machines through the 2020 presidential elections, said Linda Phillips, administrator of elections. Phillips spoke with the Shelby County Board of Commissioners a day after Shelby County Mayor Lee Harris announced that he is withholding $5 million that would have gone for new machines from his proposed budget until a conversation can be had regarding voter registration, access to the vote and the delivery of timely and accurate results. “From when I started in 2011 to even before when I started — when machines were young, when machines were old — almost every election I have been observing has been a performance disaster. At some point, somebody’s got to be held accountable,” Harris said. “Although my means is not perfect, this is not the right lever, I’ve got to do what I’ve got to do, and that’s the lever in front of me.”

Texas: Secretary of State David Whitley resigns as end-of-session deadline nears | Austin American-Statesman

Shortly before the Senate’s closing gavel ended his term as Texas secretary of state, David Whitley delivered his letter of resignation, “effective immediately,” to Gov. Greg Abbott on Monday afternoon. Whitley needed Senate confirmation by the end of the legislative session to remain on the job but fell short of the required 21 votes despite expected support from all 19 Republican senators. All 12 Democrats, however, held firm in their opposition to Whitley over his handling of an error-filled investigation into the citizenship status of registered voters that prompted three federal lawsuits and an eventual court settlement that halted the probe and limited the scope of future investigations. Abbott, Whitley’s friend and mentor, was unable to dislodge opposition to the nominee in the 3½ months since Whitley’s confirmation hearing before the Senate Nominations Committee.

India: Roads, boats and elephants: How India mobilised a million polling stations | Simon Scarr, Manas Sharma and Marco Hernandez/Reuters

The final day of voting in India’s mammoth general election was on Sunday. Over 900 million people were eligible to cast their ballots in the staggered seven-phase polling. The world’s biggest election involved around 1 million polling stations spread across the country, from remote corners of the Himalayas to crocodile-infested mangrove swamps of the Andaman Islands. Each polling station served about 900 voters on average but some catered for over 3,000 people. Each voting location used electronic voting machines (EVMs) which were first introduced in 1982. Instead of issuing a ballot paper, electors cast their votes by pressing a button next to a candidate’s name and party symbol. The Voter-Verifiable Paper Audit Trail (VVPAT) system is attached to the EVM to confirm the vote. It prints a small slip of paper carrying the symbol and name of the candidate voted for. This is visible to the voter for a short period, and can be later used by the Election Commission of India (ECI) to verify the votes. After voting, people receive a mark of purple ink on their index finger as an indication that they have cast their ballot.

Iraq: Electronic Voting in Iraq: Mission Unaccomplished | e-lected blog

Fifteen years after US President George W. Bush gave his “Mission Accomplished” address, Iraq continues its struggle for democracy. Regrettably, key institutions like its Independent High Electoral Commission have proven inefficient in laying the foundations for a thriving democracy. What is worst, they are failing to learn from their own recent experiences. In May 2018, Iraq headed to the polls for its first election in the post-ISIS era. What initially appeared to be a relatively decent election gradually emerged to have involved massive potential fraud, forcing a manual recount of the results of a failed electronic voting system. These botched elections cast into serious doubt Iraq’s ability to strengthen its own democratic institutions and conduct future election processes. The tragic episode of the 2018 elections could have had a positive spin, had authorities learned the lesson. However, the fact that they are mulling over the idea of using the same unreliable technology, is a sad testament to the struggle facing Iraq’s fragile, corrupt and inefficient institutions.