California: Sweeping change is coming for Los Angeles County voters. If things go wrong, he’ll get the blame | Matt Stiles/Los Angeles Times

Long before Dean Logan was the elections chief for the most populous county in California, he was an administrator for the most populous county in Washington state — and he was dealing with a crisis. It was the fall of 2004, four years after the contested Bush-versus-Gore presidential election, and voters had just produced one of the closest gubernatorial contests in American history. Fewer than 300 votes separated the candidates. Then things got worse. Logan realized that his staff had misfiled a batch of uncounted mail-in ballots — enough to sway the election. Under pressure, Logan insisted that the ballots be counted, making him a target of critics, including the state’s Republican Party chairman who insisted that the election was being “stolen.” A judge eventually validated Logan’s decision. Fifteen years later, the experience still haunts him. But it has informed and inspired his years-long personal quest to overhaul the way elections are conducted in Los Angeles County. Starting next year, some 5.2 million residents — a figure that eclipses the number of registered voters in most states — will change the way they cast ballots. If the process goes awry — either in the earlier-than-normal presidential primary in March or in the crucial November general election, in which President Trump will probably be on the ballot — blame could fall on Logan yet again.

National: State Election Infrastructure Is Still Vulnerable, Report Finds | by Phil Goldstein/StateTech Magazine

The 2020 presidential election is more than 14 months away, but some experts are warning that state governments face an uphill battle in defending election infrastructure from cyberattacks. According to a recent report, “Defending Elections: Federal Funding Needs for State Election Security,” many election security projects at the state level are either unfunded or underfunded. The report calls on the federal government to provide more funding for state-level election security measures ahead of next year’s election. “In administering our elections, states face security challenges of unprecedented magnitude,” the report concludes. “They are, in many cases, ill-equipped to defend themselves against the sophisticated, well-resourced intelligence agencies of foreign governments. States should not be expected to defend against such attacks alone. Our federal government should work to provide the states with the resources they need to harden their infrastructure against cybersecurity threats.” The paper was authored by a bipartisan group of organizations including the Brennan Center for Justice, the Alliance for Securing Democracy, the R Street Institute and the University of Pittsburgh Institute for Cyber Law, Policy, and Security.

National: 2020 election security to face same vulnerabilities as in 2016 | Michael Heller/TechTarget

For the third year running, the Voting Village at DEF CON shined a light on election security and one thing was made clear: no one agrees on what to expect in 2020. In opening remarks at DEF CON, founders Harri Hursti, Matt Blaze and Jake Braun laid out the long road the Voting Village has traveled to raise awareness of election security issues. Blaze, who serves as the McDevitt Chair of Computer Science and Law at Georgetown University, pointed out the troubles began with the Help America Vote Act (HAVA), which passed in 2002 as an effort to modernize and improve election administration. “They didn’t understand as much at the time as we do now about building voting machines and almost everything produced to comply with the Help America Vote Act has terrible vulnerabilities associated with it,” Blaze said. “That’s partly because we’ve taken these systems that weren’t dependent on software before and made them dependent on software. And, as everybody here in Las Vegas can tell you, software is utterly terrible. So we essentially took a problem that was hard and we added software to it.” A new initiative at this year’s Voting Village was to connect security researchers and hackers directly to election officials to provide pro bono work to help secure the 2020 election. Braun, an executive director for the University of Chicago Harris School of Public Policy’s Cyber Policy Initiative, noted the past work of the Voting Village had been corroborated. “The Mueller report reinforced a lot of what we identified last year, like you can hack a website with a SQL injection and get into a voter registration database, which is exactly what Mueller said the Russians did in 2016,” Braun said. “And frankly, they didn’t even go as far as we said was possible [in last year’s election.]”

National: Civilians, military abroad may find it more expensive to vote | Bill Theobald/The Fulcrum

Election officials are growing increasingly concerned that the Trump administration’s trade war with China could make it more difficult and expensive for overseas voters — including those in the military — to cast ballots in the 2019 and 2020 local, state and federal elections. The issue is the pending withdrawal in October by the U.S. from the Universal Postal Union, a group of 192 nations that has governed international postal service and rates for 145 years. Last October, the U.S. gave the required one-year notice stating it would leave the UPU unless changes were made to the discounted fees that China pays for shipping small packages to the United States. The subsidized fees — established years ago to help poor, developing countries — place American businesses at a disadvantage and don’t cover costs incurred by the U.S. Postal Service. With the U.S.-imposed deadline for withdrawal or new rates fast approaching, states officials are running out of time to prepare for overseas mail-in voting. Last week, Kentucky elections director Jared Dearing pleaded for help from the Election Assistance Commission — for himself and his peers in other states. The deadline for his state and most others to send out absentee ballots for the fall elections, Dearing said, falls a few days before a Sept. 24-25 UPU meeting in Geneva, Switzerland, to discuss the U.S. proposal to revise the rate system. That makes it difficult to provide voters with guidance about how to return their ballots. If the United States ends up withdrawing from the UPU, overseas citizens may not be able to return their ballots using regular mail service and could have to pay upward of $60 to use one of the commercial shipping services, Dearing said.

National: Republicans use McConnell allies to try and force his hand on election security | Lesley Clark/McClatchy

A conservative group is increasing pressure on Senate Majority Leader Mitch McConnell to put election security legislation up for a vote in the Senate by airing ads that target the Kentucky Republican and four other Republican senators in their home states. Republicans for the Rule of Law is unveiling new spots that urge Sens. Marco Rubio, R-Florida, Roy Blunt, R-Missouri, Lindsey Graham, R-South Carolina, and James Lankford, R-Oklahoma, to push McConnell for a vote, urging them “don’t let Mitch McConnell stand in your way.” The group is also re-airing a 60-second ad that calls on McConnell to act. The 30-second spots will air nearly daily on Fox & Friends starting Wednesday. They’ll also run on Fox News Sunday and NBC’s Meet the Press in the senators’ home cities on Sunday as part of a $400,000 ad buy that includes digital ads. The ads note the senators’ support for election security legislation. “McConnell and all Republican Senators have no greater responsibility than protecting our elections from foreign enemies like Russia and Iran,” said Republicans for the Rule of Law legal advisor and spokesman Chris Truax.

Editorials: The malware election: Returning to paper ballots only way to prevent hacking | Lulu Friesdat/The Hill

The key takeaway of special counsel Robert S. Mueller’s report on Russian interference in the 2016 election was that “There were multiple, systematic efforts to interfere in our election … and that allegation deserves the attention of every American.” But with so much attention on what happened in 2016, we have lost much of the time available to protect the 2020 election. This was immediately apparent recently at DEF CON, one of the largest hacker conventions on the planet. The conference, where tens of thousands of hackers descend on the pseudo-glamourous “pleasure pit” that is Las Vegas, includes the Voting Village, a pop-up research lab with an array of U.S. voting equipment available for security researchers to compromise. They were terrifyingly successful. High school hackers and security professionals united to take control of almost every voting system in the room, most of it currently in use around the U.S. They found systems with no passwords, no encryption, and operating systems so old that young hackers often had no previous experience with them. That did not prevent them from completely dominating the machines. They accessed USB, compact flash and ethernet ports that were glaringly unprotected, and then proceeded to play video games and run pink cat graphics across the screens of ballot-marking devices and voter registration database systems.

California: New Los Angeles County voting system highlights trade offs between security and accessibility | Joseph Marks/The Washington Post

Starting in 2020, Los Angeles County’s 5.2 million voters will cast their ballots on new machines that the county had custom built over a decade to be highly accessible to citizens with all manner of disabilities and who speak 13 different languages. The new machines mark the biggest challenge in years to the highly consolidated voting machine industry in the United States in which just three companies control more than 90 percent of the market. The dominant players have faced withering criticism from security advocates and lawmakers since the 2016 election for being too slow to adapt to election hacking threats from Russia and other adversaries and not transparent enough about their security. The plan is for the machines to be piloted at some voting locations during local elections in November and then to be used by all voters for the first time in the March 3, 2020 primaries. The challenge is even bigger because Los Angeles plans to make the computer code its machines are running on freely available to be used or modified by other voting jurisdictions who similarly want to go it alone. But the new systems are also likely to add fire to a battle between cybersecurity hawks and advocates for voters with disabilities that’s already playing out in Congress and among state election boards.

Georgia: Voters challenge legality of new election system | Kate Brumback/Associated Press

Georgia voters who want hand-marked paper ballots are challenging the new election system state officials are rushing to implement in time for next year’s presidential primaries, saying the new touchscreen machines remain vulnerable and their results unverifiable, even though they produce paper records. Secretary of State Brad Raffensperger announced the state’s purchase of a $106 million election system from Denver-based Dominion Voting Systems last month, with plans to replace the outdated election management system and paperless touchscreen voting machines in use since 2002. He then certified the new system on Aug. 9, and said it will be in place in time for the March 24 primaries. The voters’ petition, seeking a withdrawal of the certification and a re-examination of the Dominion system, was submitted Monday to Raffensperger’s office. It says the system doesn’t meet Georgia’s voting system certification requirements and doesn’t comply with the state election code. Georgia law allows voters to request that the secretary of state “reexamine any such device previously examined and approved by him or her” as long as at least 10 voters sign onto the request. The petition submitted Monday includes signatures of more than 1,450 registered voters from 100 counties, including some elected officials, and was filed by voting integrity advocates and the state Libertarian Party. Additionally, some of the plaintiffs in a lawsuit challenging the state’s outdated voting system filed an amended complaint on Friday asking U.S. District Judge Amy Totenberg to prohibit the state from using the new Dominion system, calling it “illegal and unreliable.”

Illinois: ‘Iranian Hackers’ Claim Hack on Macon County Website | Kennedy Nolan/Decatur Herald & Review

Macon County, Ill., is the latest government entity to be targeted by hackers who hijacked a web page and disabled access. The Circuit Clerk’s Office main web page on Sunday night was overtaken by an image of a Guy Fawkes mask, Iranian flag and the text: “Hacked by Iranian Hackers. Hacked by Mamad Warning. We are always closer to you. Your identity is known to us. Your information is for us 😉 take care.” Circuit Clerk Lois Durbin said the county Information Technology department restored the page by 10 a.m. Monday. The office handles all records of traffic, civil and criminal cases in the county, but Durbin said personal identification information is stored on a separate system and wasn’t in danger of being accessed. “The firewall went up, and everything was protected and nothing was compromised,” she said. The county joins a growing list of government entities that are the victims of hacking attempts. Another technique involves disabling a website with malware and demanding money to restore it.

New Jersey: State’s Department of Homeland Security warned Russians could interfere in our elections next year. Trump’s not worried. | Jonathan D. Salant/NJ.com

New Jersey’s Department of Homeland Security has warned state and county elections officials that Russia or another foreign actor could hijack their websites or social media accounts, “severely impacting and eroding confidence in the election results.” The warning, which went to elections officials on the state level and in all 21 counties, was contained in a bulletin sent earlier this month by the state Cybersecurity and Communications Integration Cell. The state agency acted after the Senate Intelligence Committee warned about “Russian intentions to undermine the credibility of the election process” and a civil grand jury in San Mateo County, California, warned of hackers using government accounts to report false election results or issue false voting instructions. “The threat of foreign interference in our elections is a pressing national security issue,” said Rep. Mikie Sherrill, D-11th Dist., chairwoman of the House Science subcommittee on investigations and oversight, which held a hearing last month to highlight problems with state elections systems.

North Carolina: Vote security on the line in Board of Elections meeting | Jordan Wilkie/Carolina Public Press

When the NC Board of Elections meets Friday, it will make decisions about voting equipment for 2020 elections that could determine the security of the state’s election process and how much confidence voters can have that the system records and tabulates their votes as they intended. Security experts, federal research agencies and the US Senate agree on best practices for secure election equipment. They recommend that most voters use hand-marked paper ballots, count the ballots using digital scanners and audit the paper ballots for correctness before election results are made official. Most North Carolinians already vote this way. However, 23 of the state’s 100 counties use touch screens to cast their ballots, a system that experts consider insecure and outdated because it cannot be effectively audited. For that reason, North Carolina is set to decertify those systems by Dec. 1. This week, the state board of elections will consider certifying replacement systems. The decisions the board makes will have a domino effect of consequences for the security, privacy and accessibility of elections across the state.

Editorials: Rage against the voting machines | Philadelphia Inquirer

The latest controversy over the city’s ongoing voting machines saga presents multiple choices of questions and concerns. Last week, City Controller Rebecca Rhynhart, while investigating the contract for new voting machines, found that the company, Election Systems & Software, failed to disclose that it had hired lobbyists and made campaign contributions to the reelection campaigns of two city commissioners who were in charge of selecting the vendor. These mistakes, which ES&S says were inadvertent, made the contract “voidable.” But so far the contract is moving ahead — 3,700 voting machines have already been delivered. ES&S has agreed to pay a $2.9 million fine for its failure to disclose. The Controller’s Office is withholding payment on the contract until it completes its investigation sometime next month. The choices for questions are multiple: Are the resulting disclosures (and fines) proof that the system is working, or A. An indictment of the city’s new best value procurement policy, initiated in 2017 when voters approved a change that allowed the city to award contracts on factors other than the lowest price? While overwhelmingly approved by voters, others (including this board) had concerns that the new policy opened the door to granting contracts to insiders and encouraging a pay-to-play culture, as well as more expensive contracts. The $30 million machine contract is the first major test of the new policy.

Editorials: Guess which ballot costs less and is more secure– paper or electronic? | Kevin Skoglund and Christopher Deluzio/PennLive

Pennsylvania’s counties are choosing new voting systems, with implications for the security, reliability, and auditability of elections across the commonwealth and beyond. Our organizations’ analysis of county selections reveals that several have decided to purchase expensive electronic machines with security challenges over the better option: hand-marked paper ballots. Pennsylvania—where vulnerable paperless machines have been the norm—needs new paper-based voting systems. But not all systems are the same. The main choice counties face is the style of voting and polling place configuration. They can have most voters mark a paper ballot with a pen and offer a touchscreen computer to assist some voters (a ballot-marking device or “BMD”). Or they can have all voters use touchscreen computers to generate a ballot (an all-BMD configuration). The hardware in each configuration is often the same, but this fundamental choice creates significant differences. In fact, our analysis shows that many counties have chosen the all-BMD configuration and are paying a hefty sum for it—twice as much per voter as counties that selected systems that rely principally on voters hand-marking their ballots. Pricier electronic systems also carry greater security risks and make it harder for voters to verify their ballots before casting.

Texas: Ransomware Attack Hits 22 Texas Towns, Authorities Say | Manny Fernandez, Mihir Zaveri and Emily S. Rueb/The New York Times

Computer systems in 22 small Texas towns have been hacked, seized and held for ransom in a widespread, coordinated cyberattack that has sent state emergency-management officials scrambling and prompted a federal investigation, the authorities said. The Texas Department of Information Resources said Monday that it was racing to bring systems back online after the “ransomware attack,” in which hackers remotely block access to important data until a ransom is paid. Such attacks are a growing problem for city, county and state governments, court systems and school districts nationwide. By Tuesday afternoon, Texas officials had lowered the number of towns affected to 22 from 23 and said several government agencies whose systems were attacked were back to “operations as usual.” The ransomware virus appeared to affect certain agencies in the 22 towns, not entire government computer systems. Officials said that there were common threads among the 22 entities and that the attacks appeared not to be random, but they declined to elaborate, citing a federal investigation. It was unclear who was responsible. The state described the attacker only as “one single threat actor.”

Vermont: Ethical Hackers Breach Vermont Voting Machines, But Officials Say No Need To Panic | Peter Hirschfeld/Vermont Public Radio

Elections security experts have discovered new ways to manipulate the type of voting machine used in Vermont, but local elections officials say it’s unlikely that bad actors could exploit those vulnerabilities to change the results of an election. At a recent technology conference in Las Vegas, ethical hackers from across the country tried to infiltrate some of the voting machines used in U.S. elections. Probing for vulnerabilities in ballot tabulators is an annual tradition at the DEF CON Hacking Conference. This year, however, hackers tried to gain access to the same type of voting machine used by 135 towns in Vermont. Montpelier City Clerk John Odum retrieved one of the machines from a vault last week and placed it on a desk in his office. It’s a pretty ancient-looking piece of technology — like something you might have seen in a middle school computer room in the early 1990s. “As I understand it, the memory cards that we use, the technology was originally developed for the original Tandy laptops,” Odum said, “so this is some old stuff.” The machine is called an AccuVote, and its name is clearly meant to inspire confidence in the results it spits out. But when white-hat hackers set to work on this tabulator at DEF CON earlier this month, they quickly found all kinds of ways to manipulate results.

Wisconsin: Outdated operating systems could affect Wisconsin elections | Capitol Report/HNG News

A Wisconsin Elections Commission security official is expressing concern that outdated operating systems are being used by local elections clerks across the state, raising the prospect of foreign interference in Wisconsin’s elections ahead of the 2020 presidential race. In a memo, Election Security Lead Tony Bridges details how a number of local clerks are using Windows XP or Windows 7 on office computers to access the WisVote voter database. According to Bridges, failure to maintain an up-to-date operating system poses “a tremendous risk.” Security patches on Windows XP have not been supported since 2014, while Windows 7 will reach its end-of-life cycle in January 2020, meaning Microsoft will no longer provide free security updates. Bridges pointed to a recent cyberattack in Georgia that brought down systems across Jackson County and warned a similar attack could “dramatically impact voter confidence in the electoral process” in Wisconsin. “It could, for example, expose confidential information, prevent the timely distribution of absentee ballots, prevent the timely printing of poll books, disrupt communications with voters, expose voters to potential cyberattack, destroy digital records, prevent the display of election night results,” he wrote recently.

Philippines: Clans in Congress want to go ‘hybrid’: Comelec line change: 7 Duterte appointees to run 2022 elections | Malou Mangahas and Karol Ilagan/MindaNews

Clean, honest, inclusive, and credible elections might well turn into just a pipedream when the votes for president, vice president, legislators, and local officials come up in May 2022. As it is, the Commission on Elections (Comelec) has already found itself confronted by big back and forward issues: unsettled flawed supplies contracts and weak project management systems that marked the May 2019 elections; five of its seven commissioners, and its executive director, retiring between January next year to February 2022; and an apparently concerted effort by politicians to write finish to its automated-election system or AES. Claiming fraud was triggered by defective vote-counting machines, politicians from old political clans led no less by President Rodrigo R. Duterte have urged Comelec and Congress to junk the AES and instead revert to a hybrid system of elections, or one that is partly manual and partly automated. But election observers worry that this hybrid system posits opportunities for ballot-box stuffing and snatching, and the dagdag-bawas system driven by the guns, goons, and gold of elections past. Complicating matters is the fact that the push for ‘hybrid’ elections is unfolding as Comelec prepares for impending major changes among its commissioners. In fact, by the time of the next synchronized presidential, legislative, and local elections in May 2022, the poll body will face a major topline change. Worse yet, the changing of guards could happen midway in the campaign period.

Russia: Moscow’s blockchain voting system cracked a month before election | Catalin Cimpanu/ZDNet

A French security researcher has found a critical vulnerability in the blockchain-based voting system Russian officials plan to use next month for the 2019 Moscow City Duma election. Pierrick Gaudry, an academic at Lorraine University and a researcher for INRIA, the French research institute for digital sciences, found that he could compute the voting system’s private keys based on its public keys. This private keys are used together with the public keys to encrypt user votes cast in the election. Gaudry blamed the issue on Russian officials using a variant of the ElGamal encryption scheme that used encryption key sizes that were too small to be secure. This meant that modern computers could break the encryption scheme within minutes. “It can be broken in about 20 minutes using a standard personal computer, and using only free software that is publicly available,” Gaudry said in a report published earlier this month. “Once these [private keys] are known, any encrypted data can be decrypted as quickly as they are created,” he added.