National: Democrats launch ‘full court press’ on election security | Joseph Marks/The Washington Post

Democrats are pressing hard this week in what could be their final chance to pass legislation aimed at protecting the 2020 contest against Russian hackers. Senate Democrats have failed for months to force Senate Majority Leader Mitch McConnell (R-Ky.) to allow a vote on bills committing an additional $600 million to election security and also mandating security reforms such as paper ballots and post-election cybersecurity audits. Now they’re shifting tactics and trying to force some of that funding into a must-pass spending bill. Round one of the fight starts Thursday at a Senate Appropriations Committee meeting where the top-ranking Democrat, Sen. Patrick Leahy (Vt.), and the top Democrat on the committee’s general government panel, Sen. Chris Coons (Del.), will try to force the money into the Republican draft of a spending bill. If that doesn’t work, Democrats can keep trying to push Republicans to add the measure through the lengthy give-and-take of the appropriations process that’s likely to drag on for several months. Aides for Leahy and Coons declined to tell me precisely what was in the amendment they’ll be introducing Thursday, but Sen. Ron Wyden (D-Ore.) and other senators are pushing for at least the $600 million that’s included in legislation already passed by the House. If the last-ditch effort fails, many Americans are likely to cast votes in 2020 in a process still governed by the same lax rules as in 2016 – when a Russian hacking and disinformation operation upended the election and severely damaged voters’ confidence in the democratic process. The federal government has surged its cybersecurity help to state election officials since then and several states and localities have voluntarily improved protections, but the improvements are far from universal.

National: Election security funds caught in crosshairs of spending debate | Maggies Miller-The Hill

Funding to bolster election security efforts at the state level could become a sticking point during the ongoing government spending talks, with the House approving the funds while Republicans in the Senate remain staunchly opposed. The spotlight will be on the Senate on Tuesday, as the Appropriations Subcommittee on Financial Services and General Government marks up its portion of the annual spending bill, with the full committee due to vote on the bill Thursday. While the subcommittee will wait until after the markup to release its version of the annual financial services and general government funding bill, which includes appropriations for the Election Assistance Commission (EAC), it’s unlikely to include election security funds due to Republican opposition. This could become a factor in negotiations between the House and Senate over government funding bills and make it even more difficult for Congress to approve funding legislation prior to the end of the fiscal year on Sept. 30, which is needed to avert a shutdown.

National: How state election officials are contributing to weak security in 2020 | Joseph Marks/The Washington Post

It’s not just a question of paper ballots. The offices charged with administering elections across the country are falling short on a slew of basic cybersecurity measures that could make the 2020 contest far more vulnerable to hacking, according to a report out this morning. Numerous state election offices aren’t patching their computer systems against known digital attacks and rely heavily on outdated, weak software, the report from the cybersecurity company NormShield found. They’re not fully protecting their websites against attacks or taking technical steps that would help prevent hackers from impersonating employees over email. And employee emails and passwords have leaked online. Any one of those vulnerabilities could be the weak spot that allows hackers to compromise a swath of election systems — especially since several states with the worst security practices were swing states, the company’s Chief Security Officer Bob Maley told me. He declined to disclose how specific states fared at this time.

National: How counties are war-gaming Election Day cyberattacks | Joseph Marks/The Washington Post

If Russian hackers seek to disrupt the 2020 election, it will be county election officials on the front lines. And some are diving in to war games so they can be ready for anything Moscow or another U.S. adversary can throw at them. Election officials from New Jersey’s 21 counties huddled at tables in a hotel ballroom here, hashing out how they’d respond to Election Day cyberattacks. In some attack scenarios, hackers shut down voter registration databases, loaded voter files with phony information, or compromised county social media accounts so they start spreading false information about polling locations. They also prepared for what happens if attackers locked up election office computers with ransomware or shut down cellphone towers across multiple states. How the U.S. fares during an Election Day hack is likely to rest on the response of local election administrators in the first few hours, state and federal officials told me. “The county level is where all the risk is,” a Homeland Security Department cybersecurity official who was helping one county with its response-planning told me. “They own it in a way no state official does and certainly no federal official could. It’s always live or die at the county level.” The war-games are a sign of how drastically local politics has changed in this new era of cyberwar — preparing responses to attacks by a powerful nation-state is a far cry from more ordinary tasks of getting poll workers to voting locations on time and planning contingency operations for storms or other physical disasters. And there’s no turning back, as federal offiicals have warned Russia is likely to try to repeat its hacking and disinformation campaign in 2020 and other U.S. adversaries, including China, Iran and North Korea, may try as well.

National: Cyber firm examines supply-chain challenge in securing election ecosystem | Charlie Mitchell/InsideCyberSecurity.com

State election officials are doing a better job of securing systems but still need to pay more attention to “internet facing infrastructure” and possible weak links in their supply chains, according to a new report from NormShield, a cybersecurity firm that develops risk scorecards for companies. According to NormShield, “We noticed … that states may be focusing on their internal assets and may not be examining their broader cyber ecosystem footprint. So we undertook the exercise of examining that broader footprint to better understand what election system integrity looks like from that perspective.” The firm did not examine cyber hygiene around voting machines, but did look at “Network Connected Systems and Components” as identified in the Center for Internet Security “Handbook for Elections Infrastructure Security.” It found significant improvements between an initial scan in July and a follow-up August, according to the report issued today. “NormShield privately provided its findings to the Secretaries of State and election commissions in July in order to empower them with the information needed to remediate vulnerabilities,” the firm said. “NormShield ran a second scan in August and found significant improvement in the security posture of several election commissions.”

Editorials: Cyber attacks threaten security of 2020 election | Ray Rothrock/San Jose Mercury-News

Following the 2016 elections, investigators found evidence that Russian hackers successfully infiltrated the computerized voting systems of several states. Hackers also stole data from campaigns and weaponized social media polarizing the electorate against and for certain candidates.  All of this undermines the trust we all place in the United States’ election system. There is nothing more powerful in a democratic country than a legitimate election.  Unchecked, these actions and future similar future actions against our elections are a significant danger to our democracy.  It’s clear we’ll be facing similar threats in the 2020 election cycle. Elections have become a new target in asymmetrical cyber warfare, allowing smaller groups to launch targeted attacks that have an outsized impact. To ensure our democracy is resilient in the face of these bad actors and nation-states, Congress must take action to adequately fund our election system’s cyber defenses and implement programs that bring about greater digital resilience in our government systems and in candidate’s campaigns. More importantly, something so fundamental to the country – trust in our elections – must be pursued with vigor on a bipartisan basis and in a manner that makes our systems more resilient.

Arizona: Is Arizona doing enough to protect 2020 elections? Computer security experts weigh in | Andrew Oxford/Arizona Republic

Some aspects of how to secure Arizona’s elections from hackers and fraudsters may seem obvious. Change the passwords on equipment every once in a while, for a start. Oh, and make it complicated, with some numbers and uppercase letters tossed in. Of course, there is a lot more to fending off cyber attacks. The Arizona Secretary of State’s Office is writing a new manual for county election officials and its first draft includes additional provisions on security. While experts praise some of those measures as big steps to prevent tampering, they are raising concerns about potential vulnerabilities with other measures. County officials who administer elections can adopt tighter security standards than those set by the state, but the new election procedures manual will set out the minimum requirements that local officials must follow. It revises policies last updated in 2014. Among the provisions that raised concerns is a suggestion that a USB stick used to transfer files from one device to another can be re-used if it is cleaned and reformatted.

Georgia: Check-in computers stolen in Atlanta hold statewide voter data | Mark Niesse and Arielle Kass/The Atlanta Journal-Constitution

Two computers that are used to check in voters were stolen from a west Atlanta precinct hours before polls opened Tuesday for a city school board election. Officials replaced the computers before voters arrived, and the election wasn’t disrupted, according to the Georgia Secretary of State’s Office.The express poll computers contain names, addresses, birth dates and driver’s license information for every voter in the state, said Richard Barron, Fulton County’s elections director. They don’t include Social Security numbers. They are password-protected, and the password changes for every election.The computers, which were in a locked and sealed case, haven’t been recovered.Poll workers discovered the burglary early Tuesday morning at the Grove Park Recreation Center near Donald Lee Hollowell Parkway.Atlanta police said they were first called to the recreation center at 12:30 a.m. on an alarm call. They found an unlocked door but saw no one inside. When election employees arrived, they told police “the kitchen had been ransacked,” a microwave had been moved to a different room, food items were missing and the express poll machines were missing, Atlanta police Sgt. John Chafee said. Georgia Secretary of State Brad Raffensperger said he’s concerned about the stolen election equipment. “They may not have realized what they were stealing. They may have just thought they were stealing computer hardware of some sort, but they stole a whole lot more than they thought,” Raffensperger said. “They’re in a whole lot of trouble. There will be a thorough investigation.”

Louisiana: New Louisiana election, same old voting machines | Melinda DeSlatte/Associated Press

Despite a national uproar over election security, Louisiana voters will be casting their ballots next month in a statewide election on the same type of paperless voting machines the state has used since 2005. No changes are expected for the 2020 presidential election either. Allegations of improper bid handling derailed plans to replace to Louisiana’s voting machines, so the secretary of state’s office had to redo its vendor search process. The agency still is drafting the solicitation for bid proposals, so new voting machines aren’t coming soon. Still, Secretary of State Kyle Ardoin said voters should feel confident in the machines they will use to cast their ballots in the Oct. 12 and Nov. 16 elections for Louisiana governor, six other statewide positions and state legislative seats.

New Jersey: Activists press for federal support to upgrade New Jersey’s vulnerable voting machines | Briana Vannozzi/NJTV News

Progressive activists on Tuesday called for an overhaul of New Jersey’s voting system, saying that the lack of a paper backup to the electronic machines at the polls in many counties could undermine the faith of voters that their ballots will be counted. “This is our most important fundamental right, the right to vote,” said Marcia Marley, president of BlueWave NJ. “And if it doesn’t count, why vote?” The activists are also looking to put pressure on federal lawmakers to approve $600 million for election security funding at the state level. The allocation has already been approved by the Democratic-majority House of Representatives but has failed to get any traction in the upper house, which is controlled by the GOP and led by Majority Leader Mitch McConnell, the Kentucky Republican. Carrying signs that read “Moscow Mitch” and “Protect Our Elections,” the activists gathered outside the offices of the state’s two Democratic senators, Cory Booker and Robert Menendez. “Robert Mueller explained that the threat of foreign intervention in our elections is very much still alive and probably escalating for the 2020 elections,” said BlueWave NJ member Mark Lurinsky, referencing testimony before Congress by the former Special Counsel to the Justice Department who investigated Russia’s attempts to influence the 2016 presidential election.

North Carolina: Experts Warn of Voting Machine Vulnerabilities in North Carolina | Nancy McLaughlin/Greensboro News & Record

A hacker hired to find flaws in voting machines around the world and a computer code writer appointed by a judge to take a forensics look at a controversial election told an emergency meeting of the NAACP in Greensboro, N.C., that even the newest era voting machines are vulnerable to reprogramming. The panel of cyber experts, who were video-broadcasted into the discussion at New Light Baptist Church, took shots at bar code systems like the ones that Guilford County, N.C., is considering. “It suggests more information than is there,” said computer scientist and engineer Duncan Buell of the University of South Carolina. Buell is part of a team auditing election data in his state that has discovered problems in the process that led to uncounted votes in previous elections. The bar codes are only as good as what they are programmed to do, Buell said. Without a paper ballot showing how people voted, he said, they are unreliable even in a recount.

North Carolina: Voting equipment approval didn’t follow law | Jordan Wilkie/Carolina Public Press

North Carolina’s recent decision to certify new voting systems for use next year did not follow state law, according to a letter that a group of experts on election security and administration sent to the N.C. Board of Elections late Wednesday night. North Carolina has been in the process of reviewing new voting systems for certification for over two years. The system that is currently in use across the state was certified in 2005. The law requires a security review of the source code of all voting systems before they are certified for use in the state. The letter states that there is no indication that the state, either through its own contractors or through required federal testing, reviewed the source code for the computers in the voting systems it recently certified. The experts in question, including Duncan Buell, a professor of computer science at the University of South Carolina, reviewed testing documentation from the state and from the federal government. “You read all of that, and it’s clear,” Buell said. “There was no source code review conducted. That would certainly seem to suggest that things are not in accordance with North Carolina law.”

Pennsylvania: Elections officials touted new electronic poll books. Now the city says they don’t work right. | Jonathan Lai/Philadelphia Inquirer

Philadelphia was supposed to use new, electronic poll books in its election this November, allowing poll workers to search for voters on an iPad and sign them in electronically, rather than use thick paper books. The change was supposed to reduce human error, and to make checking in voters faster and easier. City officials promised it would to help troubleshoot problems, such as providing correct information to voters who show up in the wrong polling place. It was supposed to, eventually, provide real-time turnout numbers from every polling site across the city. Turns out the system was not ready for prime time. Instead, “the city observed several problems with KNOWiNK’s pollbook system” during a test election conducted last month, the city’s Acting Chief Administrative Officer, Stephanie Tipton, said in a letter Tuesday to the acting board of elections.

Tennessee: Federal judge dismisses voting security lawsuit in Tennessee | Adrian Sainz/Associated Press

A federal judge dismissed a lawsuit Friday challenging the security of voting machines in Tennessee’s largest county and calling for a switch to a handwritten ballot and a voter-verifiable paper trial. U.S. District Judge Thomas Parker ruled that the lawsuit filed by a group of Shelby County voters in October 2018 failed to show that any harm has come to the plaintiffs and that they have no standing to bring the suit. Attorney Carol Chumney sued on claims that the outdated touchscreen voting machines used by Shelby County are not secure because they do not produce a voter-verifiable paper trail, and security checks and other safeguards are needed to protect the system from outside manipulation. Chumney wanted the county election commission to let outside experts examine its election management software and report any evidence of hacking, possible editing of votes cast or unauthorized software to the Tennessee Bureau of Investigation. The suit questioned the security and reliability of the voting machines and its software, provided by vendor Election Systems & Software. Advocates claim the software is obsolete and presents a risk to the election system. The suit also questioned the security of memory cards, computers, and modems used by the county. The lawsuit asked that the county replace its entire elections system ahead of this October’s municipal elections in Memphis with an optical scan system that uses hand-marked paper ballots. Chumney also asked that officials require Election Systems & Software to install advanced security sensors on their system and ask the U.S. Department of Homeland Security to perform risk and vulnerability assessments on electronic voting systems.

Australia: Australia concluded China was behind hack on parliament, political parties – sources | Colin Packham/Reuters

Australian intelligence determined China was responsible for a cyber-attack on its national parliament and three largest political parties before the general election in May, five people with direct knowledge of the matter told Reuters. Australia’s cyber intelligence agency – the Australian Signals Directorate (ASD) – concluded in March that China’s Ministry of State Security was responsible for the attack, the five people with direct knowledge of the findings of the investigation told Reuters. The five sources declined to be identified due to the sensitivity of the issue. Reuters has not reviewed the classified report. The report, which also included input from the Department of Foreign Affairs, recommended keeping the findings secret in order to avoid disrupting trade relations with Beijing, two of the people said. The Australian government has not disclosed who it believes was behind the attack or any details of the report.

Ghana: EC To Acquire New Technology For Elections | GNA

Chairperson of the Electoral Commission (EC) Jean Mensah Thursday disclosed that the Commission was in the process of acquiring technology that would guarantee the absolute sovereignty of the Ghanaian electoral process. The system, which she said would be owned, managed and operated at a lesser cost by the Commission, would ensure that elections were free, fair, credible, and not subject to third party manipulations. Madam Jean made the disclosure when the EC called on President Nana Addo Dankwa Akufo-Addo at the Jubilee House in Accra. The call on the President formed part of the Commission’s wider consultations with key stakeholders as it seeks to initiate reforms to promote efficiency, transparency and accountability around its activities. Explaining that the EC was weakest at its Information Technology Department, the EC Chairperson said since 2011, vendors controlled elections and had unlimited access to the department both remotely and physically. And as a result, the vendors, who supplied both software and hardware and managed it for the EC, could shut the Commission’s Data Centre down at anytime.

Israel: ‘Election on Tuesday will be target of cyber-attacks’ | Maayan Jaffe-Hoffman/Jerusalem Post

t the conclusion of the April 9 election, an Israeli watchdog group exposed a network of hundreds of social media accounts, many of them fake, used to smear opponents of Prime Minister Benjamin Netanyahu and to amplify the messages of his Likud Party. Shortly before that, in January, it was reported that Iranians had been using hundreds of fake accounts on Israeli social media pages, in an effort to sow social division and influence the then upcoming Israeli election. Now right before Israelis go to the polls, due to the proximity of the two elections as well as the immediacy and scale of the threats, it is highly doubtful that Israel has built a digital defense against cyberattacks this time around either, said Dr. Gabriel Weimann, a professor of communications at the University of Haifa. He told The Jerusalem Post that this Israeli election is likely to be marred by online election interference just like the last election, something that will only be fully understood after Tuesday. #url#