Verified Voting Blog: Verified Voting Urges Congress to Pass Comprehensive, Bipartisan Election Security Funding

With the 2020 election rapidly approaching, Verified Voting continues to urge Congress to pass comprehensive election security legislation and allocate adequate funding for state and local officials to make critical improvements to our country’s election infrastructure. Congress is negotiating a spending package for the U.S. Election Assistance Commission (EAC) to allocate funding for states to…

National: Democrats seize on whistleblower report to push for election security | Maggie Miller/The Hill

Democrats renewed their push for election security legislation after a stark warning from acting Director of National Intelligence Joseph Maguire and the release of a whistleblower complaint about President Trump’s call with Ukraine’s leader. Maguire on Thursday warned that the “greatest challenge” the U.S. is facing is “maintaining the integrity of our election system” and said “there are foreign powers that are trying to get us to question the validity of whether or not our elections are valid. “The intelligence official made the comment during testimony before the House Intelligence Committee on Thursday about a whistleblower complaint alleging that Trump tried to persuade Ukraine to mount a corruption investigation against former Vice President Joe Biden, the current front-runner for the Democratic nomination. Democrats also highlighted a section in the whistleblower complaint that Trump’s actions could pose “risks to U.S. national security and undermine the U.S. Government’s efforts to deter and counter foreign interference in U.S. elections.” The two events have bolstered the need for election security legislation, these Democrats argued, not long after former special counsel Robert Mueller’s report highlighted Russia’s efforts to interfere in the 2016 elections. “The President again, just [as] he did in 2016, sought out assistance from a foreign power to help in his reelection,” House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) said in a statement on Thursday. “This is election interference, plain and simple. The President has continually and persistently undermined the integrity of our elections and our democracy.”

National: Russian Secret Weapon Against U.S. 2020 Election Revealed In New Cyberwarfare Report | Zak Doffman/Forbes

The FBI has warned that “the threat” to U.S. election security “from nation-state actors remains a persistent concern,” that it is “working aggressively” to uncover and stop, and the U.S. Director of National Intelligence has appointed an election threats executive, explaining that election security is now “a top priority for the intelligence community—which must bring the strongest level of support to this critical issue.” With this in mind, a new report from cybersecurity powerhouse Check Point makes for sobering reading. “It is unequivocally clear to us,” the firm warns, “that the Russians invested a significant amount of money and effort in the first half of this year to build large-scale espionage capabilities. Given the timing, the unique operational security design, and sheer volume of resource investment seen, Check Point believes we may see such an attack carried out near the 2020 U.S. Elections.” None of which is new—it would be more surprising if there wasn’t an attack of some sort, to some level. What is new, though, is Check Point’s unveiling of the sheer scale of Russia’s cyberattack machine, the way it is organised, the staggering investment required. And the most chilling finding is that Russia has built its ecosystem to ensure resilience, with cost no object. It has formed a fire-walled structure designed to attack in waves. Check Point believes this has been a decade or more in the making and now makes concerted Russian attacks on the U.S. “almost impossible” to defend against. The new research was conducted by Check Point in conjunction with Intezer—a specialist in Genetic Malware Analysis. It was led by Itay Cohen and Omri Ben Bassat, and has taken a deep dive to get “a broader perspective” of Russia’s threat ecosystem. “The fog behind these complicated operations made us realize that while we know a lot about single actors,” the team explains, “we are short of seeing a whole ecosystem.”

National: After Resisting, McConnell and Senate G.O.P. Back Election Security Funding | Carl Hulse/The New York Times

Facing mounting criticism for blocking proposals to bolster election security, Senator Mitch McConnell on Thursday threw his weight behind a new infusion of $250 million to help states guard against outside interference in the 2020 voting. Mr. McConnell, Republican of Kentucky and the majority leader, has been under regular attack from both Democrats and a conservative group for refusing to allow the Senate to vote on various election security proposals, some of them bipartisan, despite dire warnings from the intelligence community that Russia is already trying to replicate the elaborate meddling campaign it carried out during the 2016 presidential contest. The additional funding, Mr. McConnell said in announcing his support, “will bring our total allocation for election security — listen to this — to more than $600 million since fiscal 2018.” The money was quickly approved by the Appropriations Committee later Thursday. Though Mr. McConnell has embraced other seemingly derogatory nicknames over the years, he was incensed at being called “Moscow Mitch” by those who claimed his opposition showed he was willing to accept foreign election interference because it had benefited his own party by helping to elect President Trump, despite the senator’s long record of taking a hard line against Russia.

National: For latest election security moves, the devil is in the details | Derek B. Johnson/FCW

Last week it looked like a logjam was cleared on election security. The Senate approved $250 million in funding to states to secure election infrastructure ahead of 2020. Microsoft announced it would continue supporting Windows 7, the soon-to-be-obsolete operating system used on voting machines in thousands of jurisdictions, throughout the 2020 election cycle. Additionally, the Election Assistance Commission met to discuss its latest security standards for voting machines. While new federal dollars for election security are welcome, experts caution that more money might be required and more direction is needed on how to spend the money in the form of new legislation to put smart policy behind congressional outlays. The Brennan Center for Justice estimates the cost of replacing all paperless voting machines in the country at $734 million over five years. When added to the costs estimated to tackle other problems like protecting voter registration data, implementing post-election audits and extending cybersecurity assistance to state and local governments, the total price comes out to more than $2.1 billion. According to research from the OSET Institute, software licenses, maintenance fees and other costs to support voting machines past their first year are hard to quantify and can end up costing more than the initial equipment purchase. Contract language tends to leave the timing, nature and additional costs of such updates at the discretion of voting machine manufacturers.

National: McConnell’s support for election security funding is just the start of a big fight | Joseph Marks/The Washington Post

Senate Majority Leader Mitch McConnell (R-Ky.) partially relented yesterday in the fight over election security by throwing his support behind a $250 million infusion of cash for state election officials. But that concession is likely just the start of what could be a battle royal in Congress. Democrats, who have derided McConnell as “Moscow Mitch” for blocking progress on election security after the Russian interference in the 2016 election, were already arguing the majority leader had only embraced a half measure. McConnell signed on to a measure, which is expected to be approved as part of a must-pass spending bill, to provide cash to states to upgrade their election systems, but it doesn’t mandate how it should be spent. Senate Minority Leader Chuck Schumer (D-N.Y.) took to the Senate floor to bemoan the language supported by McConnell for not requiring changes such as paper ballots and post-election security audits experts say are vital to thwart hackers from Russia and elsewhere. “It doesn’t include a single solitary reform that virtually everyone knows we need, but it’s a start,” Schumer said. A bill that delivers money for election security but doesn’t mandate any particular fixes is a good bargain for McConnell and many Republicans who are wary of expanding federal authority over state and local-run elections — and who fear blowback from President Trump if they talk too much about Russia’s 2016 hacking and influence operation aimed at helping Trump’s election.

National: Senate’s Election Security Funding Bill Leaves Election Assistance Commission Strapped for Cash | Courtney Buble/Government Executive

he cash-strapped, understaffed federal agency responsible for promoting voting machine security standards and best practices for election administration will receive very little new funding under a Senate appropriations bill aimed at bolstering election security. Bowing to pressure from Democrats and some Republicans, Senate Majority Leader Mitch McConnell last week reversed course and said he would support legislation aimed at preventing foreign interference in U.S. elections. On Sept. 19, the Senate Appropriations Committee reported out the “Financial Services and General Government Appropriations Act of 2020” (S.2524), which includes funding for $250 million in election security grants for state and local election administrators. But the bill includes almost no new funds for the Election Assistance Commission, the severely understaffed and underfunded agency that serves as a clearinghouse for information about voting machine security standards and administrative best practices. Under the Senate legislation, EAC would receive $11,995,000 in 2020, about $2 million more than it received in 2019, however $1.5 million of that would be transferred to the National Institute for Standards and Technology to develop voluntary state voting system guidelines, and another  $2.4 million is designated for the EAC’s relocation to new offices.

National: States try to combat election interference as Washington deadlocks | Evan Halper/ Los Angeles Times

With the White House and Congress paralyzed over how — or even whether — to act on intelligence agency warnings about foreign interference in U.S. elections, Maryland opted to take matters into its own hands. The state adopted transparency rules for political advertising on Facebook, Twitter and elsewhere online. The pioneering move drew praise from election reformers as a blow against foreign meddling. Then came the backlash. And it wasn’t from Russia. Newspaper publishers hauled the state into federal court. The new rules ran afoul of the 1st Amendment and created burdens on media organizations that could push struggling local papers under, they protested. Even one of the world’s most vocal advocates for transparency, the Reporters Committee for Freedom of the Press, joined the objectors. Along with the Washington Post, Associated Press and others, they successfully blocked the state’s effort in federal court.

National: EAC says it won’t de-certify voting systems running old versions of Windows | Sean Lyngaas/CyberScoop

The U.S. Election Assistance Commission has told lawmakers that it will not de-certify certain voting systems that use outdated Microsoft Windows systems, a disclosure that highlights the challenge of keeping voting equipment secure after a vendor ceases offering support for a product. While a voting system would fail certification if it were running software that wasn’t supported by a vendor, the act of de-certifying the system is cumbersome and “has wide-reaching consequences, affecting manufacturers, election administration at the state and local levels, as well as voters,” EAC commissioners wrote in a letter to the Committee on House Administration that CyberScoop obtained. To pass certification, voting vendors must meet a series of specifications outlined in the Voluntary Voting Systems Guidelines (VVSG), a set of standards that the EAC has been slow to update. In response to questions from the committee’s staff, EAC commissioners said the laborious de-certification process can be initiated if there is credible information that a voting system no longer complies with the guidelines. However, in the case of Election Systems & Software, the country’s largest voting vendor, for example, the EAC said it didn’t have “grounds to decertify any ES&S product that uses software that is no longer supported by a third-party vendor.” The commissioners also said that there is no stipulation for how far into the future operating systems must support security patches for them to be certified.

National: EAC parting ways with embattled top staffer | Eric Geller/Politico

The embattled executive director of the Election Assistance Commission, whose tenure has been marked by internal turmoil, will not serve another term, two government employees with knowledge of the decision told POLITICO. While the departure of Brian Newby will remove a controversial figure from one of the federal agencies charged with helping states secure their election systems, the shakeup will likely further hamper its mission ahead of the 2020 election, which intelligence officials say hackers working for Russia and other U.S. adversaries will once again attempt to disrupt. EAC commissioners voted over the weekend of Sept. 7-8 not to reappoint Newby for four more years, according to an agency staffer and a House aide, who declined to be named because of the sensitivity of the issue. The commissioners also voted not to retain Cliff Tatum, the agency’s general counsel. Both men joined the EAC on Oct. 22, 2015. The vote on the two appointments was 2-2, splitting the Democratic and Republican commissioners, said the House aide. A decision to reappoint them would have required a majority. The vote came three months after a POLITICO story about how Newby has faced extensive criticism from inside and outside the EAC for undermining its election security work and ignoring, micromanaging and mistreating staff.

National: Microsoft will offer free Windows 7 support for election officials through 2020 | Sean Lyngaas/CyberScoop

Microsoft said Friday it will offer state and local election officials free security support for Windows 7 operating systems used in voting systems through 2020. “We want to make sure that Windows 7 end-of-life doesn’t…become a barrier to having a secure and safe election,” Jan Neutze, head of Microsoft’s cybersecurity and democracy team, said in announcing the news, which CyberScoop was first to report. “It’s the right thing to do,” he said at a conference hosted by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. Microsoft has long planned to stop providing security updates for Windows 7 users in general in January 2020, but was allowing users to pay for those updates through January 2023. But the offer of free services through next year’s U.S. presidential election is an additional effort to make it easier to update operating software used in voting systems, such as the election management systems that format ballots. Some systems that support voting in the U.S. still rely on Windows 7, which is not nearly as straightforward to update on those machines as it is on a personal computer. Patches require installation and testing to verify that they will not disrupt a voting system.

National: Voting machine companies may throw their doors open to ethical hackers | Joseph Marks/The Washington Post

Voting machine companies, which for years have been loath to acknowledge any security weaknesses, are finally saying they will consider allowing ethical hackers to search for them. But hackers are skeptical of the election industry’s recent commitment to security and transparency. The olive branch to hackers marks a huge about-face for the industry, which last week asked for feedback from researchers and companies about the best ways to let outsiders vet their security. They’ve long argued that researchers, by exposing security flaws, could give a roadmap to foreign hackers intent on compromising the 2020 contest. Now they’re saying the threat of Russian hacking and disinformation is too severe for the security of election systems to be treated as a private matter to be managed behind closed doors. “For many years the industry…preferred to work quietly behind scenes. [But] 2016 brought cybersecurity to the front burner and folks in this industry who were uncomfortable talking about vulnerabilities have warmed up to it,” Chris Wlaschin, the top cybersecurity official for Election Systems and Software, told me. But some ethical hackers worry the industry, which has historically prioritized making their machines easier for election administrators to use rather than making them as secure as possible, isn’t ready to make big changes. They fear the companies won’t work quickly enough to fix the bugs they discover and could use non-disclosure agreements to enforce silence about dangerous bugs that could compromise an election.

Colorado: Colorado the First State to Remove Bar Codes from Ballots | Andrew Westrope/Government Technology

Since learning the scope of Russia’s interference in the 2016 election, state and federal officials have been vocal about the need to secure America’s next elections. For many jurisdictions, that might mean less technology rather than more, and resisting pressure from voting-tech vendors to buy expensive solutions where pen and paper is more secure. This week, Colorado took the lead as the first state to require all ballots to be tabulated using only the marked ovals, as opposed to QR (quick response) codes, or bar codes in which the voter’s choices are encoded. According to a news release from Secretary of State Jena Griswold, the use of ballot-marking devices had created a situation in which votes tabulated by QR codes could not be verified by the human eye. Serena Woods, a spokeswoman for Griswold’s office, explained that while Colorado’s in-person voters would get a printed out summary of their choices, they couldn’t verify that the QR code accurately reflected those. While there had been no specific incidents of QR codes being tampered with, Woods said, a nefarious actor could theoretically program a tabulation machine to misread QR codes, or reprogram ballot-marking devices to print inaccurate codes.

Georgia: Election security investigation opened after Atlanta computers stolen | Mark Niesse and Arielle Kass/The Atlanta Journal-Constitution

Georgia Secretary of State Brad Raffensperger opened an investigation Wednesday into Fulton County’s election security procedures after two voting check-in computers were stolen from an Atlanta precinct. “It is unacceptable that bad actors entered a polling location under the cover of night and were able to steal critical elections machinery,” Raffensperger said. Atlanta police are also investigating the theft of the express poll computers from the Grove Park Recreation Center, which occurred the night before Tuesday’s special election for a seat on the city school board. New computers were brought in before polls opened Tuesday morning. Richard Barron, Fulton’s director of registration and elections, said the county will be reviewing its procedures, but poll workers did what they were supposed to do. “Other than providing 24-hour security at all polling locations, I’m unsure how you secure every building,” he said. “Ours was in a government facility that had an alarm and was locked.”

Indiana: Election upgrade leaves widespread paperless voting | Brynna Sentel/South Bend Tribune

By the next election, one in 10 direct recording electronic (DREs) voting machines will have a small black box attached to them that will let voters see a printout of their ballot, providing a paper trial that can be used in post-election audits. Secretary of State Connie Lawson held one-on-one interviews with reporters to discuss the new voting equipment as well as the other steps her office is taking to assure Hoosiers that every ballot cast in an election will be accurately counted. “I still believe that the most important concern for us is voter confidence,” Lawson said Wednesday. “We want voters to know that the vote they cast is counted the way it was cast and that elections are safe and secure.” Lawson will go to the State Budget Committee Friday to ask for the release of $10 million that had been budgeted during the legislative session for election security. The committee is meeting at Purdue University. “There were so many priorities this last budget cycle,” Lawson said. “Honestly, I felt very fortunate that our original $10 million request, and that’s what it was when the session began, stayed the same and did not change.”

Kansas: Cyberattacks vandalized Kansas county websites in August, exposing security weaknesses | Jonathan Shorman/The Wichita Eagle

Cyberattacks crippled the websites of about a dozen Kansas counties in early August — replacing their homepages with cryptic messages and an image of Mecca. One county, which was conducting an election during the assault, decided against posting results online. The attacks did not affect vote counting but meant citizens didn’t have access to normal government information, such as contacts for local agencies, for several hours. The hacks defaced websites, but did not affect other systems. It does not appear the hacker or hackers took data hostage, as has happened elsewhere in the country. State officials don’t think the hacking was connected to the August primary election. But the attacks — not widely known until now — showcased the cyber vulnerabilities of local governments in Kansas. And they took place as online threats are rising.

Maine: Voter database unaffected after computers in Maine election office hit by cyber attack | Christopher Burns/Bangor Daily News

A virus hit several state computers and servers, including in the state’s election office, on Wednesday afternoon, the Maine secretary of state’s office said. The virus was detected about 3 p.m. and affected Maine Bureau of Corporations, Elections and Commissions staff computers, two servers at the Maine Bureau of Motor Vehicles and a server at the Maine State Archive, according to Kristen Schulze Muszynski, a spokeswoman for the Maine secretary of state’s office. The Bureau of Motor Vehicles’ servers are only used for internal testing purposes, while the state archive server is used for scanning documents. The Office of Information Technology and the secretary of state’s office are working to restore computer services, Muszynski said Thursday morning. They were expected to be restored later on Thursday. No public data was accessed and the state’s voter database was not affected, she said. The cyber attack consisted of 1,600 emails, but only 18 emails reached employee inboxes, Muszynski said, adding that the virus appeared to have entered through a spam email that included a malicious link.

Minnesota: Guard’s coders, hackers may help shore up election defenses | Stephen Montemayor/Minneapolis Star Tribune

Minnesota election officials working to beef up the state’s cyber defenses against hackers now want to call in the National Guard. In an effort to protect the 2020 election just months before early primary voting starts, Secretary of State Steve Simon said he wants to formalize a long-term agreement to work with a new “cyber protection team” developed by the Minnesota National Guard ahead of a workshop planned this week in St. Paul as part of a national “policy academy” on election security. The gathering of federal and state officials comes as Congress deepens its impeachment inquiry over a whistleblower allegation that President Donald Trump solicited Ukrainian help in undermining former Vice President Joe Biden, one of his top Democratic challengers in 2020. But a more pressing concern for local and state election officials is the prospect of foreign hacking and social media disinformation. Simon and other state election officials have warned that more foreign sources are likely to try to penetrate states’ election systems than in 2016, adding that there are already signs of widespread online disinformation campaigns underway. “This is a security issue,” Simon said. “It isn’t just about bullets or boots on the ground, it’s about this cyber realm and the fact that adversaries try to expose or exploit weaknesses in the cyber world just as they would in other areas as well.”

North Carolina: Did North Carolina skip a step? New voting machines questioned again | Travis Fain/WRAL

Activists and computer scientists have raised questions about the process used to certify new voting machines in North Carolina that, for weeks, the State Board of Elections hasn’t answered. The board’s chairman and its executive director say answers are coming and that staff plan to bring detailed information to the board at its meeting next Tuesday. But at least two board members, along with a string of academics and activists, are concerned that the state skipped steps as it certified three new election systems. Counties around the state are weighing whether to buy those systems to use in the 2020 elections. Frustrated by slow progress at the state level, activists worried about the security of touchscreen systems reached out to county officials responsible for picking and buying new machines, spurring an email Tuesday from the state elections director promising local officials answers next week. If the issue lingers, it may “throw chaos into the 2020 elections,” said Marilyn Marks, a Charlotte activist who founded the Coalition for Good Governance and has pushed this line of inquiry. “The lack of response to date is irresponsible, given that the questions have been swirling for at least three weeks,” Marks wrote to state board members and other election officials on Sept. 14. “Obviously, if the legally mandated certification work had been performed, documentation would have been produced weeks ago.”

Pennsylvania: Allegheny County Elections board approves vendor for new voting machines | Paula Reed Ward/Pittsburgh Post-Gazette

The Allegheny County Board of Elections voted Wednesday to approve Election Systems and Security as the vendor to provide a hand-marked paper balloting system to be used beginning next year. The vote means the county will enter negotiations with ES&S to fulfill a contract to provide enough scanners to count the ballots. The bid proposed by ES&S was $10.5 million. The 3-0 decision came after additional public comment in which advocates expressed concerns about how the ES&S system handles ballots for people with disabilities, including the use of bar codes. The concern is that ballots completed on the Americans with Disabilities Act-compliant ballot-marking device cannot be reviewed for accuracy. “There’s not a perfect decision to be made,” said Tom Baker, a county councilman and chair of the elections board. Elections board member Kathryn Hens-Greco, a Common Pleas Court judge, agreed that the decision to choose ES&S was not optimal, but it is necessary. “Right now, we’re at a point where a decision needs to be made, and it needs to be a confident decision.”

Verified Voting Blog: Election Security Experts Urge Congress for Additional Funding;  Say $250 Million in Election Security Funding is Progress, but Not Enough

Download the PDF Marian K. Schneider: “Despite the progress shown today, Congress still needs to vote on bipartisan, comprehensive election security legislation to protect and ensure trustworthy elections.”  The following is a statement from Marian K. Schneider, president of Verified Voting, on Senate Majority Leader Mitch McConnell’s (R-KY) backing of an amendment that will provide…

National: Democrats launch ‘full court press’ on election security | Joseph Marks/The Washington Post

Democrats are pressing hard this week in what could be their final chance to pass legislation aimed at protecting the 2020 contest against Russian hackers. Senate Democrats have failed for months to force Senate Majority Leader Mitch McConnell (R-Ky.) to allow a vote on bills committing an additional $600 million to election security and also mandating security reforms such as paper ballots and post-election cybersecurity audits. Now they’re shifting tactics and trying to force some of that funding into a must-pass spending bill. Round one of the fight starts Thursday at a Senate Appropriations Committee meeting where the top-ranking Democrat, Sen. Patrick Leahy (Vt.), and the top Democrat on the committee’s general government panel, Sen. Chris Coons (Del.), will try to force the money into the Republican draft of a spending bill. If that doesn’t work, Democrats can keep trying to push Republicans to add the measure through the lengthy give-and-take of the appropriations process that’s likely to drag on for several months. Aides for Leahy and Coons declined to tell me precisely what was in the amendment they’ll be introducing Thursday, but Sen. Ron Wyden (D-Ore.) and other senators are pushing for at least the $600 million that’s included in legislation already passed by the House. If the last-ditch effort fails, many Americans are likely to cast votes in 2020 in a process still governed by the same lax rules as in 2016 – when a Russian hacking and disinformation operation upended the election and severely damaged voters’ confidence in the democratic process. The federal government has surged its cybersecurity help to state election officials since then and several states and localities have voluntarily improved protections, but the improvements are far from universal.

National: Election security funds caught in crosshairs of spending debate | Maggies Miller-The Hill

Funding to bolster election security efforts at the state level could become a sticking point during the ongoing government spending talks, with the House approving the funds while Republicans in the Senate remain staunchly opposed. The spotlight will be on the Senate on Tuesday, as the Appropriations Subcommittee on Financial Services and General Government marks up its portion of the annual spending bill, with the full committee due to vote on the bill Thursday. While the subcommittee will wait until after the markup to release its version of the annual financial services and general government funding bill, which includes appropriations for the Election Assistance Commission (EAC), it’s unlikely to include election security funds due to Republican opposition. This could become a factor in negotiations between the House and Senate over government funding bills and make it even more difficult for Congress to approve funding legislation prior to the end of the fiscal year on Sept. 30, which is needed to avert a shutdown.

National: How state election officials are contributing to weak security in 2020 | Joseph Marks/The Washington Post

It’s not just a question of paper ballots. The offices charged with administering elections across the country are falling short on a slew of basic cybersecurity measures that could make the 2020 contest far more vulnerable to hacking, according to a report out this morning. Numerous state election offices aren’t patching their computer systems against known digital attacks and rely heavily on outdated, weak software, the report from the cybersecurity company NormShield found. They’re not fully protecting their websites against attacks or taking technical steps that would help prevent hackers from impersonating employees over email. And employee emails and passwords have leaked online. Any one of those vulnerabilities could be the weak spot that allows hackers to compromise a swath of election systems — especially since several states with the worst security practices were swing states, the company’s Chief Security Officer Bob Maley told me. He declined to disclose how specific states fared at this time.

National: How counties are war-gaming Election Day cyberattacks | Joseph Marks/The Washington Post

If Russian hackers seek to disrupt the 2020 election, it will be county election officials on the front lines. And some are diving in to war games so they can be ready for anything Moscow or another U.S. adversary can throw at them. Election officials from New Jersey’s 21 counties huddled at tables in a hotel ballroom here, hashing out how they’d respond to Election Day cyberattacks. In some attack scenarios, hackers shut down voter registration databases, loaded voter files with phony information, or compromised county social media accounts so they start spreading false information about polling locations. They also prepared for what happens if attackers locked up election office computers with ransomware or shut down cellphone towers across multiple states. How the U.S. fares during an Election Day hack is likely to rest on the response of local election administrators in the first few hours, state and federal officials told me. “The county level is where all the risk is,” a Homeland Security Department cybersecurity official who was helping one county with its response-planning told me. “They own it in a way no state official does and certainly no federal official could. It’s always live or die at the county level.” The war-games are a sign of how drastically local politics has changed in this new era of cyberwar — preparing responses to attacks by a powerful nation-state is a far cry from more ordinary tasks of getting poll workers to voting locations on time and planning contingency operations for storms or other physical disasters. And there’s no turning back, as federal offiicals have warned Russia is likely to try to repeat its hacking and disinformation campaign in 2020 and other U.S. adversaries, including China, Iran and North Korea, may try as well.

National: Cyber firm examines supply-chain challenge in securing election ecosystem | Charlie Mitchell/InsideCyberSecurity.com

State election officials are doing a better job of securing systems but still need to pay more attention to “internet facing infrastructure” and possible weak links in their supply chains, according to a new report from NormShield, a cybersecurity firm that develops risk scorecards for companies. According to NormShield, “We noticed … that states may be focusing on their internal assets and may not be examining their broader cyber ecosystem footprint. So we undertook the exercise of examining that broader footprint to better understand what election system integrity looks like from that perspective.” The firm did not examine cyber hygiene around voting machines, but did look at “Network Connected Systems and Components” as identified in the Center for Internet Security “Handbook for Elections Infrastructure Security.” It found significant improvements between an initial scan in July and a follow-up August, according to the report issued today. “NormShield privately provided its findings to the Secretaries of State and election commissions in July in order to empower them with the information needed to remediate vulnerabilities,” the firm said. “NormShield ran a second scan in August and found significant improvement in the security posture of several election commissions.”

Editorials: Cyber attacks threaten security of 2020 election | Ray Rothrock/San Jose Mercury-News

Following the 2016 elections, investigators found evidence that Russian hackers successfully infiltrated the computerized voting systems of several states. Hackers also stole data from campaigns and weaponized social media polarizing the electorate against and for certain candidates.  All of this undermines the trust we all place in the United States’ election system. There is nothing more powerful in a democratic country than a legitimate election.  Unchecked, these actions and future similar future actions against our elections are a significant danger to our democracy.  It’s clear we’ll be facing similar threats in the 2020 election cycle. Elections have become a new target in asymmetrical cyber warfare, allowing smaller groups to launch targeted attacks that have an outsized impact. To ensure our democracy is resilient in the face of these bad actors and nation-states, Congress must take action to adequately fund our election system’s cyber defenses and implement programs that bring about greater digital resilience in our government systems and in candidate’s campaigns. More importantly, something so fundamental to the country – trust in our elections – must be pursued with vigor on a bipartisan basis and in a manner that makes our systems more resilient.

Arizona: Is Arizona doing enough to protect 2020 elections? Computer security experts weigh in | Andrew Oxford/Arizona Republic

Some aspects of how to secure Arizona’s elections from hackers and fraudsters may seem obvious. Change the passwords on equipment every once in a while, for a start. Oh, and make it complicated, with some numbers and uppercase letters tossed in. Of course, there is a lot more to fending off cyber attacks. The Arizona Secretary of State’s Office is writing a new manual for county election officials and its first draft includes additional provisions on security. While experts praise some of those measures as big steps to prevent tampering, they are raising concerns about potential vulnerabilities with other measures. County officials who administer elections can adopt tighter security standards than those set by the state, but the new election procedures manual will set out the minimum requirements that local officials must follow. It revises policies last updated in 2014. Among the provisions that raised concerns is a suggestion that a USB stick used to transfer files from one device to another can be re-used if it is cleaned and reformatted.

Georgia: Check-in computers stolen in Atlanta hold statewide voter data | Mark Niesse and Arielle Kass/The Atlanta Journal-Constitution

Two computers that are used to check in voters were stolen from a west Atlanta precinct hours before polls opened Tuesday for a city school board election. Officials replaced the computers before voters arrived, and the election wasn’t disrupted, according to the Georgia Secretary of State’s Office.The express poll computers contain names, addresses, birth dates and driver’s license information for every voter in the state, said Richard Barron, Fulton County’s elections director. They don’t include Social Security numbers. They are password-protected, and the password changes for every election.The computers, which were in a locked and sealed case, haven’t been recovered.Poll workers discovered the burglary early Tuesday morning at the Grove Park Recreation Center near Donald Lee Hollowell Parkway.Atlanta police said they were first called to the recreation center at 12:30 a.m. on an alarm call. They found an unlocked door but saw no one inside. When election employees arrived, they told police “the kitchen had been ransacked,” a microwave had been moved to a different room, food items were missing and the express poll machines were missing, Atlanta police Sgt. John Chafee said. Georgia Secretary of State Brad Raffensperger said he’s concerned about the stolen election equipment. “They may not have realized what they were stealing. They may have just thought they were stealing computer hardware of some sort, but they stole a whole lot more than they thought,” Raffensperger said. “They’re in a whole lot of trouble. There will be a thorough investigation.”

Louisiana: New Louisiana election, same old voting machines | Melinda DeSlatte/Associated Press

Despite a national uproar over election security, Louisiana voters will be casting their ballots next month in a statewide election on the same type of paperless voting machines the state has used since 2005. No changes are expected for the 2020 presidential election either. Allegations of improper bid handling derailed plans to replace to Louisiana’s voting machines, so the secretary of state’s office had to redo its vendor search process. The agency still is drafting the solicitation for bid proposals, so new voting machines aren’t coming soon. Still, Secretary of State Kyle Ardoin said voters should feel confident in the machines they will use to cast their ballots in the Oct. 12 and Nov. 16 elections for Louisiana governor, six other statewide positions and state legislative seats.