The vice chairman of the Federal Election Commission (FEC) submitted his resignation letter to President Trump on Monday, leaving the agency without the necessary number of commissioners to vote on proposed actions. Matthew Petersen, a Republican who has served as a commissioner since 2008, wrote that he will formally step down on Aug. 31. “Throughout my service, I have faithfully discharged my duty to enforce the law in a manner that respects free speech rights, while also fairly interpreting the relevant statutes and regulations and providing meaningful notice to those subject to FEC jurisdiction,” Petersen wrote. “I am honored to have served the American people in this capacity and to have fulfilled the oath taken 11 years ago.” A spokesperson for the FEC confirmed Petersen’s resignation, declining to comment further. His departure leaves the agency with only three of the four members required to vote on proposed actions.
National: As Russia Eyes 2020, America’s Election Watchdog Is Out of Commission | Nicole Goodkind/Newsweek
The Federal Election Commission, an independent agency that enforces all campaign finance law and ensures the integrity of political campaigns, lost its vice chairman Monday evening, essentially rendering the agency useless. In order to take any official enforcement or regulatory action, the agency is required to have a quorum of four members on its board, but the resignation of Matthew Petersen, effective this week, leaves the commission with only three members, all of whom are still working even though their six-year terms of service have all expired. There were already three vacancies before this week’s kerfuffle. The FEC issued about $33.6 million in fines between 1999 and 2008, but over the last 10 years that dropped to $11.4 million. Yet, election security has become an increasingly important issue. Just last month, former special counsel Robert Mueller ominously warned Congress that Russia had lofty plans to interfere in the next election. “They’re doing it as we sit here and they expect to do it during the next campaign,” he said.
National: Ransomware threat raises National Guard’s role in state cybersecurity | Benjamin Freed/StateScoop
National Guard units already play a large role in state governments’ cybersecurity activities, such as protecting election systems, but the threat of ransomware to cripple a state or city organization is a growing concern for uniformed personnel, the top military official overseeing the National Guard across the United States said. While Americans are long used to seeing guardsmen and women roll into to disaster-stricken areas after a hurricane or wildfire, deployments following cyberattacks are increasingly common, Air Force Gen. Joseph Lengyel said Friday on a conference call with reporters, likening the recent ransomware incidents in Texas and Louisiana to a “cyber storm,” though not quite a “cyber hurricane.” “We’re seeing the whole of the first responder networks come to assist and mitigate the damage and get everything back up and running, and the National Guard is part of that response,” he said.
The U.S. government plans to launch a program in roughly one month that narrowly focuses on protecting voter registration databases and systems ahead of the 2020 presidential election. These systems, which are widely used to validate the eligibility of voters before they cast ballots, were compromised in 2016 by Russian hackers seeking to collect information. Intelligence officials are concerned that foreign hackers in 2020 not only will target the databases but attempt to manipulate, disrupt or destroy the data, according to current and former U.S. officials. “We assess these systems as high risk,” said a senior U.S. official, because they are one of the few pieces of election technology regularly connected to the Internet. The Cybersecurity Infrastructure Security Agency, or CISA, a division of the Homeland Security Department, fears the databases could be targeted by ransomware, a type of virus that has crippled city computer networks across the United States, including recently in Texas, Baltimore and Atlanta. “Recent history has shown that state and county governments and those who support them are targets for ransomware attacks,” said Christopher Krebs, CISA’s director. “That is why we are working alongside election officials and their private sector partners to help protect their databases and respond to possible ransomware attacks.”
National: Federal officials working with states to protect elections | Andrew Selsky/Associated Press
Huddled in small groups in a remote town in Oregon, county and state elections officials tried to overcome hacking attempts, power failures and other problems as election day approached and finally arrived. It was a tabletop exercise, held as federal officials work to bolster defenses against interference in the 2020 elections, with states being a main line of defense against attempts by Russia or others to disrupt the elections. Officials from the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency traveled to La Grande, a town located in ranching country in northeast Oregon, for Wednesday’s exercise with county and state officials. During the event held on the campus of Eastern Oregon University, the officials had to work through various scenarios, like official websites being hacked, disinformation being spread on social media and electrical power and communications going down, Oregon Elections Director Stephen Trout said in a telephone interview. Disinformation involves deliberately spreading falsehoods and rumors, while misinformation — another election security threat that experts point to — entails simply disseminating incorrect or misleading information.
Editorials: Prediction: 2020 election is set to be hacked, if we don’t act fast | Adam K. Levin/The Hill
Since 1993, hackers have traveled to Las Vegas from around the world to demonstrate their skills at DefCon’s annual convention, and every year new horrors of cyber-insecurity are revealed as they wield their craft. Last year, for example, an eleven-year-old boy changed the election results on a replica of the Florida state election website in under ten minutes. This year was no exception. Participants revealed all sorts of clever attacks and pathetic vulnerabilities. One hack allowed a convention attendee to commandeer control of an iPhone with a non-Apple-issue charging cord, one that is identical to the Apple version. Another group figured out how to use a Netflix account to steal banking information. But for our purposes, let’s focus on election security because without it democracy is imperiled. And if you think about it, what are the odds of something like DefCon being permitted in the People’s Republic of China? Speaking of China (or Russia or North Korea or Iran or…) will the 2020 election be hacked? In a word: Yes.
Voting rights and election security groups on Monday urged two House and Senate committees to hold hearings on the security of voting machines. The groups, which include the National Election Defense Coalition, Electronic Privacy Information Center, R Street Institute and Public Citizen, asked the House Administration Committee and the Senate Rules and Administration Committee in a letter to schedule election security hearings that include testimony from voting machine vendors and election security experts. “The security of our nation’s elections is acutely dependent on the vendors that supply our computerized voting systems,” the groups wrote. “The voting system vendors have operated with little oversight and no regulation for decades.” “Given the gravity and urgency of this issue, we write to you to urge the committees to hold a hearing on election system security featuring sworn testimony from officers of the voting system vendors to shed more light on their practices which directly impact the security of the nation,” they added. The groups cited reports in recent months that certain voting systems rely on outdated Windows 7 operating systems, that one major election machine vendor installed remote access software on its election systems and concerns about a lack of transparency from voting machine vendors.
A security audit of all 67 Florida counties ordered by Gov. Ron DeSantis has been completed, but once a report is published, it’s not going to advertise what problems were found. “The secretary, basically, reported to us they had visited all 67 counties already,” said Okaloosa County Supervisor of Elections Paul Lux, who is the former president of the Florida State Association of Supervisors of Elections. “And they are in the process of producing a remediation report and we’ll go from there.” Lux added he was not aware of how much remediation has been ordered. DeSantis ordered the security audit in May after Special Counsel Robert Mueller’s report said Russians successfully hacked two Florida counties in 2016. “There was no manipulation. It didn’t have any effect,” DeSantis said in May. But he said the FBI would not let him name the counties, partly because the FBI said it would help the hackers learn how they were detected.
Iowa Secretary of State Paul Pate on Wednesday likened the ongoing struggle against forces trying to hack the state’s election network to a “war.” “It’s a war for public opinion, and it’s a war, if you will, for minds rather than a physical one,” Pate said in pointing to efforts by Russians, North Koreans, Chinese and others trying to disrupt the U.S. election process and weaken the American public’s trust. “Their manipulation of the social media, their manipulation of certain types of probes that they’re doing is to try to create doubt, to make Americans question their elections process,” Pate told reporters. “So, yes, I consider that a war. I consider it something we need to push back and not tolerate.” Pate raised concerns about challenges to Iowa’s election process during a breakfast meeting with members of the Westside Conservative Club. He also shared his worries that any snafu in the upcoming 2020 Democratic “virtual” caucuses could have a “devastating” impact and jeopardize Iowa’s starting position in the presidential selection process every four years.
Florida: Russian hackers likely to target Florida again in 2020 election, experts warn | Peter Stone/The Guardian
Florida’s record as a vital swing state made it a target for meddling in the 2016 election when Russians breached two county voting systems and a software vendor and now concerns are being raised about voting security in the state for the 2020 ballot, say election and cyber security experts, federal reports and Democrats. With FBI director Christopher Wray and other intelligence officials predicting more Russian and possibly other foreign interference in the next elections, experts say Florida is again a likely target for Russian hackers, or others bent on disrupting voting, which potentially could alter tallies and create other problems. “Obviously, Florida will be a critical state in 2020 and Florida election officials should assume they will be targeted again,” said Larry Norden, who runs the election reform program at the Brennan Center for Justice. Election security experts are concerned about several potential problem areas, including software that stores sensitive voter registration data, the short timetable for any post-election audits and Florida’s history of voting snafus. Some of Florida’s election problems in 2016 were highlighted in April by special counsel Robert Mueller’s report about Russian interference and in a July Senate intelligence committee study on Russian meddling and election security issues nationwide.
The Montana Secretary of State’s office plans to sign-off on a new touchscreen voting system designed for voters with disabilities that could be used at county polling sites as early as this November. The ExpressVote system resembles a touchscreen desktop computer or ATM. Voters insert a ballot, scroll through pages of candidates or initiatives and make their picks, and then hit print. The system includes audio, visual, and other aids designed to help individuals with disabilities vote. A separate machine does the vote counting. The Secretary of State’s Office and system developer ES&S ran demonstrations of the device Monday in the state Capitol ahead of an official certification event scheduled Tuesday. Staff with the Secretary’s office say the ExpressVote system is replacing an outdated device from the early 2000s that was also designed for people with disabilities. The state is using $750,000 of a $3 million federal grant to buy the equipment, with counties chipping in matching funds if they want to take part in the upgrade.
North Carolina: State certifies barcode ballot voting systems despite security concerns | Jordan Wilkie/Carolina Public Press
Amid threats of litigation from all sides, the North Carolina State Board of Elections voted 3-2 Friday afternoon to certify a voting system that experts say is insecure, voting rights groups advocated against and many public comments opposed.Chairman Damon Circosta, a Democrat, in his first meeting after being appointed by Gov. Roy Cooper, voted against a motion to make voting system certification requirements more stringent. The board’s two Republican members, David Black and Kenneth Raymond, voted with Circosta.The new certification requirements, proposed by Dr. Stella Anderson and supported by fellow Democrat Jeff Carmon III, would have precluded one voting-machine vendor, Election Systems and Software (ES&S), from having its system certified.The room for Friday’s meeting was packed with voters and advocates from civil rights and voting rights organizations, such as Democracy NC, which seeks to improve voter turnout in elections.“This is disappointing,” Democracy NC executive director Tomas Lopez said. “But the decision on what ultimately gets purchased is with the counties, and with the county boards of elections in particular.” Two counties, Davie and Transylvania, submitted letters to the board asking that existing certification requirements not be changed. Both counties use voting-machine-for-all systems, using old technology that the state will decertify on Dec. 1.
Burleigh County has received new election equipment being distributed to North Dakota counties over the next few weeks by state election officials. Auditor/Treasurer Kevin Glatt said the county on Monday received 50 ballot scanners, 50 accessibility devices for voters who may have difficulty marking ballots and one central scanner for tabulating absentee ballots. The equipment vendor is now testing the devices after delivery before formal training in September. “We’re excited that we have them,” Glatt said. Morton County Auditor Dawn Rhone said she expects the new machines, including 18 ballot scanners, this week, likely on Thursday after the old machines are taken away Wednesday from the courthouse in Mandan. The secretary of state’s office in 2015 pressed the Legislature for new election equipment, but funding priorities didn’t favor the request, especially during deep budget cuts in 2017.
Secretary of State Nellie Gorbea’s most important job is to make sure Rhode Island elections are on the up-and-up. Unfortunately, she has unilaterally blocked the public from obtaining information that was previously available in digital form to check on the accuracy of the voter lists she maintains. (In this year’s session, the legislature balked at Ms. Gorbea’s attempt to deny the public such information by law.) And now it turns out that she bought voting machines that could be liable to hacking. The issue came to light recently through a Vice.com investigation, which found that, for a period of time, Rhode Island’s elections system was connected to the internet. The public had been assured the machines were walled off from potential hacking. Researchers were able to find online the reporting system for results from the entire state. Not good. The problem is striking a balance between quick reporting of results — which in itself helps protect our elections from fraud — and making sure machines are free from tampering. Modems in the voting machines Ms. Gorbea bought transmit election results quickly to the state Board of Elections after the polls close.
International: Governments risk cyber attacks if they continue to demand encryption backdoors | Sara Barker/Security Brief
Governments that flout encryption best practice and mandate the inclusion of backdoors into technology are putting their entire countries at risk, according to security professionals. With election time looming, backdoors are perfect targets for cyber attackers who look to target election infrastructure. It was only last year with ‘Five Eyes’ nations (United States, Canada, United Kingdom, Australia, and New Zealand) were lobbying for technology providers to build backdoors into their solutions. According to 384 IT professionals polled at Black Hat USA 2019, 74% believe that countries with government-mandated encryption backdoors are more susceptible to nation-state attacks. Furthermore, many professionals believe that backdoors won’t make countries any safer – 72% believe laws that allow governments to access encrypted personal data will not make countries safer from terrorists.
Victoria’s Electoral Commissioner, Warwick Gately AM, says that Victoria should legislate to allow Internet voting because “there is an inevitability about remote electronic voting over the internet.” According to Mr Gately, the NSW iVote system has, “proven the feasibility of casting a secret vote safely and securely over the internet”. The key word here is “proven”. Anyone can claim that their system is secure and protects people’s privacy, but how would we know? Elections have special requirements. Ballot privacy is mandated by law. And elections must demonstrate that the result accurately reflects the choice of the people. So, what has iVote proven? In 2015, our team found that the iVote site was vulnerable to an internet-based attacker who could read and manipulate votes. The attack wouldn’t have raised any security warnings at either the voter’s or the NSW Electoral Commission (NSWEC) end, but it should have been apparent from iVote’s telephone-based verification. When the NSWEC claimed that “some 1.7 per cent of electors who voted using iVote® also used the verification service and none of them identified any anomalies with their vote,” we took that as reasonable evidence that the security problem hadn’t been exploited. But it wasn’t true.
It’s almost federal election time — that means many Canadian voters will be trying to guess whether political parties will do what they say they will if elected. That’s a difficult guess. But what about judging a political party’s credibility on a policy issue by seeing whether it practises what it preaches? Here’s an easy example: cybersecurity is in the news. It’s in the budget, too. A while ago, the federal government devoted hundreds of millions of dollars to the threat. And every day there’s news from the U.S. about past and present meddling in the political process. There are also serious worries about future elections, and even the need for paper ballots to ensure the meddling isn’t in cyberspace or a cloud somewhere. Fans of detective novels and movies enjoy the denouement at the end when the culprit is exposed.
Russia: Moscow’s blockchain-based internet voting system uses an encryption scheme that can be easily broken | Sugandha Lahoti/Security Boulevard
Russia is looking forward to its September 2019 elections for the representatives at the Parliament of the city (the Moscow City Douma). For the first time ever, Russia will use Internet voting in its elections. The internet-based system will use blockchain developed in-house by the Moscow Department of Information Technology. Since the news broke out, security experts have been quite skeptical about the overall applicability of blockchain to elections. Recently, a French security researcher Pierrick Gaudry has found a critical vulnerability in the encryption scheme used in the coding of the voting system. The scheme used was the ElGamal encryption, which is an asymmetric key encryption algorithm for public-key cryptography. Gaudry revealed that it can be broken in about 20 minutes using a standard personal computer and using only free software that is publicly available. The main problem, Gaudry says is in the choice of three cyclic groups of generators. These generators are multiplicative groups of finite fields of prime orders each of them being Sophie Germain primes. These prime fields are all less than 256-bit long and the 256×3 private key length is too little to guarantee strong security. Discrete logarithms in such a small setting can be computed in a matter of minutes, thus revealing the secret keys, and subsequently easily decrypting the encrypted data. Gaudry also showed that the implemented version of ElGamal worked in groups of even order, which means that it leaked a bit of the message. What an attacker can do with these encryption keys is currently unknown, since the voting system’s protocols weren’t yet available in English, so Gaudry couldn’t investigate further.