Monthly Archives: August 2019

Macon County, Ill., is the latest government entity to be targeted by hackers who hijacked a web page and disabled access. The Circuit Clerk’s Office main web page on Sunday night was overtaken by an image of a Guy Fawkes mask, Iranian flag and the text: “Hacked by Iranian Hackers. Hacked by Mamad Warning. We are always closer to you. Your identity is known to us. Your information is for us 😉 take care.” Circuit Clerk Lois Durbin said the county Information Technology department restored the page by 10 a.m. Monday. The office handles all records of traffic, civil and criminal cases in the county, but Durbin said personal identification information is stored on a separate system and wasn’t in danger of being accessed. “The firewall went up, and everything was protected and nothing was compromised,” she said. The county joins a growing list of government entities that are the victims of hacking attempts. Another technique involves disabling a website with malware and demanding money to restore it.

New Jersey: State’s Department of Homeland Security warned Russians could interfere in our elections next year. Trump’s not worried. | Jonathan D. Salant/NJ.com

New Jersey’s Department of Homeland Security has warned state and county elections officials that Russia or another foreign actor could hijack their websites or social media accounts, “severely impacting and eroding confidence in the election results.” The warning, which went to elections officials on the state level and in all 21 counties, was contained in a bulletin sent earlier this month by the state Cybersecurity and Communications Integration Cell. The state agency acted after the Senate Intelligence Committee warned about “Russian intentions to undermine the credibility of the election process” and a civil grand jury in San Mateo County, California, warned of hackers using government accounts to report false election results or issue false voting instructions. “The threat of foreign interference in our elections is a pressing national security issue,” said Rep. Mikie Sherrill, D-11th Dist., chairwoman of the House Science subcommittee on investigations and oversight, which held a hearing last month to highlight problems with state elections systems.

North Carolina: Vote security on the line in Board of Elections meeting | Jordan Wilkie/Carolina Public Press

When the NC Board of Elections meets Friday, it will make decisions about voting equipment for 2020 elections that could determine the security of the state’s election process and how much confidence voters can have that the system records and tabulates their votes as they intended. Security experts, federal research agencies and the US Senate agree on best practices for secure election equipment. They recommend that most voters use hand-marked paper ballots, count the ballots using digital scanners and audit the paper ballots for correctness before election results are made official. Most North Carolinians already vote this way. However, 23 of the state’s 100 counties use touch screens to cast their ballots, a system that experts consider insecure and outdated because it cannot be effectively audited. For that reason, North Carolina is set to decertify those systems by Dec. 1. This week, the state board of elections will consider certifying replacement systems. The decisions the board makes will have a domino effect of consequences for the security, privacy and accessibility of elections across the state.

Editorials: Rage against the voting machines | Philadelphia Inquirer

The latest controversy over the city’s ongoing voting machines saga presents multiple choices of questions and concerns. Last week, City Controller Rebecca Rhynhart, while investigating the contract for new voting machines, found that the company, Election Systems & Software, failed to disclose that it had hired lobbyists and made campaign contributions to the reelection campaigns of two city commissioners who were in charge of selecting the vendor. These mistakes, which ES&S says were inadvertent, made the contract “voidable.” But so far the contract is moving ahead — 3,700 voting machines have already been delivered. ES&S has agreed to pay a $2.9 million fine for its failure to disclose. The Controller’s Office is withholding payment on the contract until it completes its investigation sometime next month. The choices for questions are multiple: Are the resulting disclosures (and fines) proof that the system is working, or A. An indictment of the city’s new best value procurement policy, initiated in 2017 when voters approved a change that allowed the city to award contracts on factors other than the lowest price? While overwhelmingly approved by voters, others (including this board) had concerns that the new policy opened the door to granting contracts to insiders and encouraging a pay-to-play culture, as well as more expensive contracts. The $30 million machine contract is the first major test of the new policy.

Editorials: Guess which ballot costs less and is more secure– paper or electronic? | Kevin Skoglund and Christopher Deluzio/PennLive

Pennsylvania’s counties are choosing new voting systems, with implications for the security, reliability, and auditability of elections across the commonwealth and beyond. Our organizations’ analysis of county selections reveals that several have decided to purchase expensive electronic machines with security challenges over the better option: hand-marked paper ballots. Pennsylvania—where vulnerable paperless machines have been the norm—needs new paper-based voting systems. But not all systems are the same. The main choice counties face is the style of voting and polling place configuration. They can have most voters mark a paper ballot with a pen and offer a touchscreen computer to assist some voters (a ballot-marking device or “BMD”). Or they can have all voters use touchscreen computers to generate a ballot (an all-BMD configuration). The hardware in each configuration is often the same, but this fundamental choice creates significant differences. In fact, our analysis shows that many counties have chosen the all-BMD configuration and are paying a hefty sum for it—twice as much per voter as counties that selected systems that rely principally on voters hand-marking their ballots. Pricier electronic systems also carry greater security risks and make it harder for voters to verify their ballots before casting.

Texas: Ransomware Attack Hits 22 Texas Towns, Authorities Say | Manny Fernandez, Mihir Zaveri and Emily S. Rueb/The New York Times

Computer systems in 22 small Texas towns have been hacked, seized and held for ransom in a widespread, coordinated cyberattack that has sent state emergency-management officials scrambling and prompted a federal investigation, the authorities said. The Texas Department of Information Resources said Monday that it was racing to bring systems back online after the “ransomware attack,” in which hackers remotely block access to important data until a ransom is paid. Such attacks are a growing problem for city, county and state governments, court systems and school districts nationwide. By Tuesday afternoon, Texas officials had lowered the number of towns affected to 22 from 23 and said several government agencies whose systems were attacked were back to “operations as usual.” The ransomware virus appeared to affect certain agencies in the 22 towns, not entire government computer systems. Officials said that there were common threads among the 22 entities and that the attacks appeared not to be random, but they declined to elaborate, citing a federal investigation. It was unclear who was responsible. The state described the attacker only as “one single threat actor.”

Vermont: Ethical Hackers Breach Vermont Voting Machines, But Officials Say No Need To Panic | Peter Hirschfeld/Vermont Public Radio

Elections security experts have discovered new ways to manipulate the type of voting machine used in Vermont, but local elections officials say it’s unlikely that bad actors could exploit those vulnerabilities to change the results of an election. At a recent technology conference in Las Vegas, ethical hackers from across the country tried to infiltrate some of the voting machines used in U.S. elections. Probing for vulnerabilities in ballot tabulators is an annual tradition at the DEF CON Hacking Conference. This year, however, hackers tried to gain access to the same type of voting machine used by 135 towns in Vermont. Montpelier City Clerk John Odum retrieved one of the machines from a vault last week and placed it on a desk in his office. It’s a pretty ancient-looking piece of technology — like something you might have seen in a middle school computer room in the early 1990s. “As I understand it, the memory cards that we use, the technology was originally developed for the original Tandy laptops,” Odum said, “so this is some old stuff.” The machine is called an AccuVote, and its name is clearly meant to inspire confidence in the results it spits out. But when white-hat hackers set to work on this tabulator at DEF CON earlier this month, they quickly found all kinds of ways to manipulate results.

Wisconsin: Outdated operating systems could affect Wisconsin elections | Capitol Report/HNG News

A Wisconsin Elections Commission security official is expressing concern that outdated operating systems are being used by local elections clerks across the state, raising the prospect of foreign interference in Wisconsin’s elections ahead of the 2020 presidential race. In a memo, Election Security Lead Tony Bridges details how a number of local clerks are using Windows XP or Windows 7 on office computers to access the WisVote voter database. According to Bridges, failure to maintain an up-to-date operating system poses “a tremendous risk.” Security patches on Windows XP have not been supported since 2014, while Windows 7 will reach its end-of-life cycle in January 2020, meaning Microsoft will no longer provide free security updates. Bridges pointed to a recent cyberattack in Georgia that brought down systems across Jackson County and warned a similar attack could “dramatically impact voter confidence in the electoral process” in Wisconsin. “It could, for example, expose confidential information, prevent the timely distribution of absentee ballots, prevent the timely printing of poll books, disrupt communications with voters, expose voters to potential cyberattack, destroy digital records, prevent the display of election night results,” he wrote recently.

Philippines: Clans in Congress want to go ‘hybrid’: Comelec line change: 7 Duterte appointees to run 2022 elections | Malou Mangahas and Karol Ilagan/MindaNews

Clean, honest, inclusive, and credible elections might well turn into just a pipedream when the votes for president, vice president, legislators, and local officials come up in May 2022. As it is, the Commission on Elections (Comelec) has already found itself confronted by big back and forward issues: unsettled flawed supplies contracts and weak project management systems that marked the May 2019 elections; five of its seven commissioners, and its executive director, retiring between January next year to February 2022; and an apparently concerted effort by politicians to write finish to its automated-election system or AES. Claiming fraud was triggered by defective vote-counting machines, politicians from old political clans led no less by President Rodrigo R. Duterte have urged Comelec and Congress to junk the AES and instead revert to a hybrid system of elections, or one that is partly manual and partly automated. But election observers worry that this hybrid system posits opportunities for ballot-box stuffing and snatching, and the dagdag-bawas system driven by the guns, goons, and gold of elections past. Complicating matters is the fact that the push for ‘hybrid’ elections is unfolding as Comelec prepares for impending major changes among its commissioners. In fact, by the time of the next synchronized presidential, legislative, and local elections in May 2022, the poll body will face a major topline change. Worse yet, the changing of guards could happen midway in the campaign period.

Russia: Moscow’s blockchain voting system cracked a month before election | Catalin Cimpanu/ZDNet

A French security researcher has found a critical vulnerability in the blockchain-based voting system Russian officials plan to use next month for the 2019 Moscow City Duma election. Pierrick Gaudry, an academic at Lorraine University and a researcher for INRIA, the French research institute for digital sciences, found that he could compute the voting system’s private keys based on its public keys. This private keys are used together with the public keys to encrypt user votes cast in the election. Gaudry blamed the issue on Russian officials using a variant of the ElGamal encryption scheme that used encryption key sizes that were too small to be secure. This meant that modern computers could break the encryption scheme within minutes. “It can be broken in about 20 minutes using a standard personal computer, and using only free software that is publicly available,” Gaudry said in a report published earlier this month. “Once these [private keys] are known, any encrypted data can be decrypted as quickly as they are created,” he added.

Georgia: Lawsuit says new Georgia voting system should be stopped | Mark Niesse/The Atlanta Journal-Constitution

Voters who want paper ballots filled out by hand asked a federal judge late Friday to prevent Georgia from using the $107 million voting system the state just bought. The request comes a day after the judge ruled that voters must use some type of paper ballots next year, but her decision didn’t address the legality of the state’s new voting system.Election officials plan to replace Georgia’s 17-year-old electronic voting machines with a system that combines touchscreens with paper ballots. Voters will pick their candidates on a 21.5-inch tablet that’s connected to a ballot printer starting with the March 24 presidential primary.The lawsuit, filed by voters and election integrity advocates, alleges the new voting machines will remain vulnerable to hacking, malware, bugs and misconfiguration.But state election officials have said that paper ballots will ensure the accuracy of results during recounts and audits.In addition, the lawsuit said the printed ballots aren’t truly verifiable. Although voters will be able to review ballots before casting them, the ballots embed voters’ choices in bar codes that are only readable by scanning machines.“No elector can visually review and confirm whether the bar code accurately conveys their intended selections,” according to the amended complaint.

National: America faces a voting security crisis in 2020. Here’s why – and what officials can do about it. | Emily Goldberg/Politico

Paperless voting machines are just waiting to be hacked in 2020. And “upgrading” to paper-based voting machines may sound like an oxymoron, but it’s something cybersecurity experts are urging election officials across the country to do. A POLITICO survey found that in 2018, hundreds of counties in 14 states used paperless voting machines — and almost half of the counties that responded to the survey said they don’t plan on changing that ahead of 2020. Security experts said paperless voting machines are vulnerable to hacking because they leave no paper trail and there’s no way to reliably audit the results when an error occurs. Thousands of Redditors joined us as cybersecurity reporter Eric Geller and voting security expert and University of Michigan professor J. Alex Halderman took on Reddit’s most pressing questions about the weaknesses in America’s election systems. We chatted about voting methods in various countries from the U.S. to India, how much the transition to paper ballots would cost, and even “Star Wars.”

National: Most states still aren’t set to audit paper ballots in 2020 – Despite expert recommendations | Colin Lecher/The Verge

Despite some progress on voting security since 2016, most states in the US aren’t set to require an audit of paper ballots in the November 2020 election, according to a new report out this week from the Brennan Center for Justice. The report notes that experts and government officials have spent years recommending states adopt verifiable paper ballots for elections, but a handful still use electronic methods potentially vulnerable to cyberattacks. In 2016, 14 states used paperless machines, although the number today is 11, and the report estimates that no more than eight will use them in the 2020 election. But the report also found that most states won’t require an audit of those paper records, in which officials review randomly selected ballots — another step experts recommend. Today, only 22 states and the District of Columbia have voter-verifiable paper records and require an audit of those ballots before an election is certified. The number will increase to at least 24 states by the 2020 elections, according to the report. “However,” the report notes, “there is nothing stopping most of these remaining states from conducting such audits if they have the resources and will to do so.”

National: Russian hackers, town budgets, Windows updates: Officials grapple with realities of election security | Ben Popken and Kenzi Abou-Sabe/NBC

The nation’s highest agency dedicated to election administration convened a security summit on Thursday to figure out how to confront a problem: The majority of the country’s 10,000 voting jurisdictions still run outdated software. In July, Associated Press reported that many counties still use Windows 7, initially released in 2009, or even older software in their back office election management systems used by officials to administer elections, but not on the machines where voters cast their ballots. It’s so old that Microsoft announced last year it will soon stop supporting it — shipping free updates to bugs or fixing security issues. After 2020, updates will require a fee. But inside a 21-seat conference room in Silver Spring, the discussion of the Election Assistance Commission — which included state election directors, secretaries of state and representatives from the Department of Homeland Security, election system manufacturers and testing laboratories — the hastily organized meeting also touched on broader frustrations over challenges local election officials face in trying to secure their voting systems as well as inaction from politicians in Washington. “We are talking about local communities having trouble funding roads and water bills, and now we want them to take part in defense against foreign and state actors,” said Kentucky State Election Director Jared Dearing.

National: Election Security in 2020 Comes Down to Money, and States Aren’t Ready | Kartikay Mehrotra and Alyza Sebenius/Bloomberg

The front line to protect the integrity of the U.S. presidential election is in a Springfield strip mall, next to a Chuck E. Cheese’s restaurant. There, inside the Illinois Board of Elections headquarters, a couple dozen bureaucrats, programmers, and security experts are furiously working to prevent a replay of 2016, when Russian hackers breached the state’s voter registration rolls. For 2020, Illinois is deploying new U.S. government software to detect malicious intrusions and dispatching technology experts to help local election officials. Even the National Guard, which started its own cyber unit several years ago, is on speed dial for election night if technicians needed to be rushed to a faraway county. Still, Illinois officials are nervous. The cash-strapped state remains far short of the resources needed to combat an increasing number of nations committing geopolitical breaches. “We’re in an unusual time, and yes, there is concern about whether we have enough to go into 2020 totally prepared for what the Chinese, Russians, or North Koreans or any enemy of the United States may do to influence our elections,” says Governor J.B. Pritzker, a Democrat. “We’re securing our elections with state resources, but there is a federal need. This is a national crisis.”

National: Only One Republican Supported That Divisive Election Security Bill. Here’s Why He Voted in Favor | Robert Hackett/Fortune

Last week we discussed election security. Let’s dig a little deeper into divisions provoked by one of the major pieces of proposed legislation, the Securing America’s Federal Elections Act. The bill has lately become a political flashpoint, blocked by Senate Majority Leader Mitch McConnell of Kentucky, who ostensibly fears further federalizing elections more than he fears the subversion of American democracy through hacking, foreign interference, or other hi-jinx. The bill primarily aims to require states to use voting machines that are up-to-date, not Internet-connected, made in America, and produce paper-based, voter-verifiable ballots. These are all sensible criteria, and it’s hard to argue against their adoption. In addition, the bill would earmark federal funds to help states get the new gear in place by 2020—a more contentious component. (See also this Wall Street Journal editorial which lays out other gripes.) While the Democratic House passed the bill with 225 votes in June, only one Republican voted in favor: Representative Brain Mast of Florida. It’s worth noting that Mast is not Republican in name only, as an analysis by the data junkie blog FiveThirtyEight makes clear. As of the end of last year, Mast had voted in line with President Donald Trump’s policy initiatives 92.7% of the time.

National: Windows 7 woes crash into 2020 election cycle | Derek B. Johnson/FCW

Thousands of jurisdictions are relying on a nearly obsolete operating system to run their election systems, and it’s not clear they will have the money or time to wean themselves off before the 2020 elections. At an Aug. 15 election security forum hosted by the U.S. Election Assistance Commission (EAC), state officials, vendors and experts warned that a lack of money and resources as well as technical and logistical hurdles are preventing them from migrating their election systems from the Windows 7 operating system to Windows 10. Lousiana Secretary of State Kyle Ardoin illustrated the costs and complexities associated with replacing outdated operating systems on election equipment like voter registration systems, e-pollbooks and other software. He said Louisiana will have spent more than $250,000 to replace computers using Windows 7 in clerks of court and voter registration offices. An additional $2 million has been spent to temporarily lease voting machines that require Windows 10 while the state waits for a new batch to go through the procurement process. He estimated the cost of updating to Windows 10 to be around $670 per machine, not including the costs associated with testing, configuration and deployment.

Editorials: There’s no excuse for failing to secure election systems from Russian meddling | St. Louis Post-Dispatch

More than a dozen states are still using electronic ballot systems that leave no paper trail — an invitation to Russia and anyone else who wants to hack into and disrupt America’s next national election. This gaping security hole is being blamed on lack of money in state and local budgets, and a lack of urgency among some Republican officials. Both reasons are unacceptable. Americans may be divided about the veracity of some aspects of the report and testimony from special counsel Robert Mueller, but those who think that renders debatable his conclusions about Russian election interference are simply not paying attention. Mueller’s unambiguous warning that Russia hacked into the election systems of all 50 states in 2016 and is planning to do so again next year has been confirmed on both sides of the aisle. U.S. intelligence agencies have long insisted it happened and will happen again. Even the Republican-controlled Senate Intelligence Committee reached the same conclusion in a recent report. “Russian activities demand renewed attention to vulnerabilities in U.S. voting infrastructure,” the report found. “In 2016, cybersecurity for electoral infrastructure at the state and local level was sorely lacking. … Aging voting equipment, particularly voting machines that had no paper record of votes, were vulnerable to exploitation by a committed adversary.”

Georgia: Judge blasts Georgia officials’ handling of election system | Kate Brumback/Associated Press

Georgia election officials have for years ignored, downplayed and failed to address serious problems with the state’s election management system and voting machines, a federal judge said in a scathing order this week. U.S. District Judge Amy Totenberg said those problems place a burden on citizens’ rights to cast a vote and have it reliably counted. She called Georgia’s voting system “antiquated, seriously flawed, and vulnerable to failure, breach, contamination, and attack.” Despite those findings, Totenberg ruled Thursday that Georgia voters will use that same election system this fall because of concerns about the state’s capacity to make an interim switch while also implementing a new system. Plaintiffs in a lawsuit challenging Georgia’s system had asked Totenberg to order an immediate switch to hand-marked paper ballots for special and municipal elections this fall. But she declined, citing worries about the state’s capacity to manage an interim switch while also implementing a new system that is supposed to be in place for the March 24 presidential primaries. ″(T)he totality of evidence in this case reveals that the Secretary of State’s efforts in monitoring the security of its voting systems have been lax at best — a clear indication that Georgia’s computerized election system is vulnerable in actual use,” Totenberg wrote in a 153-page ruling that devotes considerable space to chronicling those shortcomings.

Pennsylvania: Most Pennsylvania counties pick paper ballots | John Finnerty/CHNI

Counties buying voting machines that allow voters to fill out paper ballots are paying half what counties buying tablet-based voting technology are paying, according to an analysis released Thursday by the University of Pittsburgh. Researchers examined the costs paid by 31 counties for voting machines, as counties across the state move to replace their election equipment before the 2020 presidential election. In total, the counties are calculated to spend $69 million on those systems. The state has told the counties to replace their voting machines with new equipment that provide a paper record of votes cast before the 2020 presidential election. That move was prompted by a settlement to a lawsuit filed by former Green Party presidential candidate Jill Stein after the 2016 election.

Wisconsin: Election security threats and the proposed solution | WXOW

Outdated Windows systems could impact election security in Wisconsin. Officials say the Wisconsin Elections Commission (WEC) has started a pilot program to address concerns. The proposal, prepared by Election Security Lead Tony Bridges, cites concerns over aging computer systems. He states, “the strength or weakness of any one work station could affect the security of the entire state’s elections infrastructure.” Bridge then explained at least a handful of computers that access WisVote no longer receive security updates; that includes Windows XP which hasn’t been updated since 2014. WEC won’t specify which users are vulnerable due to privacy concerns. “We always want to be careful when we’re talking about elections security,” said WEC PIO Reid Magney. “We don’t want to divulge where there might be vulnerabilities in the system.”

Belarus: Belarus to use semitransparent ballot boxes, e-voting | BelTA

Belarus plans to use semitransparent ballot boxes and electronic voting in the future, Chairperson of the Central Election Commission (CEC) of Belarus Lidia Yermoshina said in an interview to the STV channel, BelTA has learned. “We are gradually introducing different standards. Some things we have not introduced yet are no longer used in other countries. For example, we have always been pressurized to use transparent ballot boxes everywhere. I can say that this is no longer in fashion. Moreover, it contradicts the international standards. Transparent ballot boxes do not secure the secret expression of voters’ will. Today’s trend is to use semitransparent boxes and apply e-voting. I believe we will be introducing this in the future,” Lidia Yermoshina said. Speaking about the rotation of the parliament, the CEC chair said that the head of state insists on some one third of MPs to stay for the second term. At the same time, the term of office for every MP should not exceed two terms in a row. “We support and select future candidates taking into consideration all the proportions,” she stressed.

Russia: Blockchain Voting System in Moscow Municipal Elections Vulnerable to Hacking: Research Report | Trevor Holman/CryptoNewsZ

A recent research report by a French cryptographer demonstrates that a blockchain voting framework utilized in Moscow’s municipal elections is susceptible to hacking. The researcher at the French government research establishment CNRS, Pierrick Gaudry, have examined the open code of the e-voting platform dependent on Ethereum in his paper. Gaudry inferred that the encryption plan utilized by a portion of the code is “totally insecure.” The research report titled, “Breaking the encryption scheme of the Moscow internet voting system” by Pierrick Gaudry, a researcher from CNRS, French governmental scientific institution had examined the encryption plan used to verify the open code of the Moscow city government’s Ethereum-based platform for e-voting. Gaudry concluded that the encryption scheme utilized by a portion of the code is entirely insecure by clarifying –

We will show in this note that the encryption scheme used in this part of the code is completely insecure. It can be broken in about 20 minutes using a standard personal computer and using only free software that is publicly available. More precisely, it is possible to compute the private keys from the public keys. Once these are known, any encrypted data can be decrypted as quickly as they are created.

United Kingdom: Subcontractor’s track record under spotlight as London Mayoral e-counting costs spiral | Kat Hall/The Register

Concerns have been raised over a key supplier of an e-counting system for the London Mayoral elections in 2020. The contract, split between Canadaian integrator CGI and Venezuelan-owned Smartmatic, will cost nearly £9m – more than double the procurement cost of £4.1m for the system at the last election in 2016. During a July hearing about the 2020 elections at the London Assembly Oversight Committee, members heard that Smartmatic, which builds and sells electronic voting tech, had worked on the Scottish elections. However, the London Assembly has since confirmed to The Register that Smartmatic was not involved. The company was also recently blamed for a number of technical glitches in the Philippine elections. The London Assembly was told costs had increased because the new vote-counting system offered better functionality than the previous procurement.

Pennsylvania: ‘It’s disappointing’ Elections Board reaffirms $29M voting machine contract over objections, violations | Michael D’Onofrio/ Philadelphia Tribune

Objections from an official and activists did not prevent Philadelphia City Commissioners on Thursday from reaffirming a $29 million city contract with a voting system vendor that violated anti-pay-to-play laws. The three-member commission voted 2-0-1 to continue a city contract with Election System & Software (ES&S) to supply new voting machines for the November election.…

National: Election officials want security money, flexible standards | Dean DeChiaro/Roll Call

State officials from Louisiana and Connecticut on Thursday asked for more money and clear standards from the federal government to help secure voting systems before the 2020 elections. But the officials, Louisiana Secretary of State Kyle Ardoin and Connecticut Secretary of State Denise Merrill, stressed the differences between their election systems and asked for leeway from the federal government in deciding how to spend any future funding. “The cultures are different and the voters have different expectations,” Ardoin told commissioners from the federal Election Assistance Commission, or EAC, at a public forum. Both states received federal funds to upgrade cyber and physical security of their voting systems after Congress approved $380 million for election security in 2018. They spent their share of those funds differently. Connecticut has put much of its funding toward training, Merrill said, while Louisiana is scrambling to upgrade systems running Windows 7 to Windows 10 before Microsoft stops offering support for the older operating system in January. Ginny Badanes, the director of Microsoft’s Defending Democracy Program, which is working to help both states and companies that build voting machines and software to prepare for the switch in operating systems, said the company “will do whatever it takes to make sure these customers have access to updates that are straightforward and affordable.” Both the state officials and private sector witnesses urged the commission to adopt and publish standards that would set the best practices for election security.

National: States Struggle to Update Election Systems Ahead of 2020 | Alyza Sebenius and Kartikay Mehrotra/Bloomberg

U.S. states operating outdated and insecure voting machines face major hurdles in protecting them in time for the 2020 presidential election, officials said at a meeting of elections experts. Budgets are strained, decision-making authority is diffuse and standards put in place years ago haven’t kept up with today’s cyberthreats, according to testimony Thursday to the Election Assistance Commission in Silver Spring, Maryland. The Senate Intelligence Committee reported last month that Russia engaged in “extensive” efforts to manipulate elections systems throughout the U.S. from 2014 through “at least 2017.” The Brennan Center for Justice reported Thursday that states will have to spend more than $2 billion to protect their election systems in the next five years, including replacing outdated machines or purchasing the software improvements necessary to help harden existing equipment against hackers. Updating software is a “regular and important part” of cybersecurity, the Center for Democracy & Technology warned in a statement. But even when a software patch is available, states can’t compel “severely under-resourced” local elections officials to buy and implement the improvement, said Jared Dearing, executive director of the Kentucky State Board of Elections. On top of those hurdles, Dearing said, the process of certifying elections equipment to federal standards leaves machines in “a time capsule of when that system was developed.”

National: Hackers can easily break into voting machines used across the U.S.; play Doom, Nirvana | Igor Derysh/Salon

Voting machines used in states across the United States were easily penetrated by hackers at the Def Con conference in Las Vegas on Friday. Participants at Def Con, a large annual hacker conference, were asked to try their skills on voting machines to help expose weaknesses that could be used by hostile actors. A video published by CNN shows a hacker break into a Diebold machine, which is used in 18 different states, in a matter of minutes, using no special tools, to gain administrator-level access. Hackers also quickly discovered that many of the voting machines had internet connections, which could allow hackers to break into machines remotely, the Washington Post reported. Motherboard recently reported that election security experts found that election systems used in 10 different states have connected to the internet over the last year, despite assurances from voting machine vendors that they are never connected to the internet and therefore cannot be hacked. The websites where states post election results are even more susceptible. The event had 40 child hackers between the ages of 6 and 17 attempt to break into a mock version of the sites. Most were able to alter vote tallies and even change the candidates’ names to things like “Bob Da Builder,” CNNreported. “Unfortunately, it’s so easy to hack the websites that report election results that we couldn’t do it in this room because [adult hackers] would find it boring,” event organizer Jake Braun told CNN.

National: Election Assistance Commission Urged to Finalize 2020 Security Standards | Jack Rodgers/Courthouse News

During a forum on election security Thursday, Connecticut’s secretary of state urged a federal agency in charge of the process to act quickly in issuing new security standards for voting systems so states can update software in time for the 2020 election. The U.S. Election Assistance Commission hosted three panels of witnesses, all of whom testified on ways to improve the security of the nation’s election systems during a three-hour forum in Washington, D.C. Last year, Congress appropriated $380 million under the Help America Vote Act, which makes funds available for states to update election security measures and voter registration methods. However, the federal funds, coupled with a state-required match, were not enough to completely update voting equipment across the country. During Thursday’s first panel, the secretaries of state for Connecticut and Louisiana, Denise Merrill and Kyle Ardoin, respectively, both spoke to the benefits of this funding. Merrill said that with the $5 million in HAVA funds appropriated to her state last year, Connecticut had implemented a virtual system that allows those in election advisory roles to view every desktop used for counting and reporting votes in the state. In most of the state’s 169 towns, methods of recording votes differ depending on the area, Merrill said, also noting that some towns don’t use computers.

National: States and localities are on the front lines of fighting cyber-crimes in elections | Elaine Kamarck/Brookings