Election security is a complex challenge. One essential step, however, is so simple it can be carried out with a pen and paper. Pennsylvania officials have announced that Philadelphia and Mercer County will conduct a post-election pilot next month of what’s called a risk-limiting audit. The procedure is new to most of the country, but 12 states are experimenting with it — because it’s that much of a no-brainer. Currently, 17 states are not required by law to verify the accuracy of their vote tallies at all. Those that are mostly do so the “traditional” way, which in this case means the wrong way. The process auditors typically use — manually recounting votes in a predetermined percentage of precincts — tells officials whether a particular machine or group of machines is working, but it doesn’t actually answer the essential question: Did the declared winner actually win? Risk-limiting audits instead do what any mathematician . They hand-count a statistically meaningful sample of all votes to determine whether the original tally was correct. The required sample increases as the margin of victory narrows. It’s easy, and it’s time-consuming only in the tightest elections, or when something actually has been tampered with. Of course, that’s when it’s most worth investing the time. So why isn’t everyone doing it?
National: The Market for Voting Machines Is Broken. This Company Has Thrived in It. | Jessica Huseman/ProPublica
In the glare of the hotly contested 2018 elections, things did not go ideally for ES&S, the nation’s largest manufacturer of voting technology. In Georgia, where the race for governor had drawn national interest amid concerns about election integrity, ES&S-owned technology was in use when more than 150,000 voters inexplicably did not cast a vote for lieutenant governor. In part because the aged ES&S-managed machines did not produce paper backups, it wasn’t clear whether mechanical or human errors were to blame. Litigation surrounding the vote endures to this day. In Indiana, ES&S’ systems were plagued by mishaps at the local level. In Johnson County, for instance, the company’s brand-new machines faltered in ways that made it difficult to know whether some people had voted more than once. “ES&S misjudged the need for appropriate resources to serve Johnson County on Election Day 2018,” a report issued by state election officials later concluded. Johnson County subsequently terminated its contract with ES&S and, this September, paid more than $1.5 million to purchase an entirely new set of equipment. The uneven performance by ES&S in 2018, however, did little to dent its position as one of the most popular and powerful voting technology companies in the U.S. Any number of prior controversies hadn’t either.
National: Here’s where U.S. cyber warriors are working to protect against election threats | Olivia Gazis/CBSNews
The U.S. government’s actions to disrupt Russia’s attempted cyber incursions into the 2018 midterm elections took place in part in a newly constructed Joint Operations Center (JOC) on the National Security Agency’s expanding Fort Meade campus in Maryland. Efforts to protect the 2020 elections are expected to follow a similar drill. Located in the middle of the Cyber Integration Center — a 380,000 square foot, $520 million building whose construction was completed last September — the JOC links two adjoining facilities where NSA and U.S. Cyber Command personnel reside. A massive floor dotted by pods of desks and dominated by three curved, 20-foot-tall screens, the JOC is run by roughly 200 civilian and military officials who work 12-hour, rotating shifts — 24 hours a day, seven days a week, 365 days a year. “One of the first activities that were run out of here was NSA and U.S. Cyber Command support to the 2018 elections,” said Colonel Stephen Landry, a senior officer in the NSA’s recently launched Cybersecurity Directorate. That included support, he said, to the Russia Small Group, an election security task force comprising NSA and Cyber Command officials that was created last year by General Paul Nakasone, who heads both agencies. The Russia Small Group was instrumental in carrying out an offensive cyber operation that took the Internet Research Agency, a Kremlin-linked troll farm known to have waged an influence campaign in 2016, offline ahead of the November midterms. Nakasone has since publicly touted the success of the group, made it a permanent fixture, and said its approach in 2018 would serve as a model for 2020. (Its members are scattered throughout NSA and Cyber Command, not physically concentrated in the JOC.)
National: Election Assistance Commission Loses Its Top Leaders | Courtney Bublé/Government Executive
s the nation’s elections clearinghouse faces tight funding and criticism from advocacy groups on its new voting guidelines, the agency is losing its top two officials. Election Assistance Commission commissioners voted in early September to not reappoint Executive Director Brian Newby and General Counsel Cliff Tatum, Politico reported. Under the previous succession plan, the chief operating officer would assume the role of acting executive director; however, that position has been vacant since 2015. Commission Chief Information and Security Officer Mona Harrington will assume the role of acting executive director on Wednesday, under the new plan, as the agency starts the search process for a permanent leader. “The [Election Assistance Commission] is charged with providing top quality resources that support accurate, secure and accessible elections for all eligible voters,” the EAC commissioners said in a press release regarding the vacancies. “We are lock-step in our commitment to fulfilling that mandate.”
Senate Republicans blocked three election security bills on Wednesday, marking the second time in as many days they’ve stymied legislation. Sens. Mark Warner (D-Va.), Amy Klobuchar (D-Minn.) and Ron Wyden (D-Ore.) asked for unanimous consent to pass three election-related bills. But they were blocked by Sen. Marsha Blackburn (R-Tenn.), who noted that the unsuccessful attempt was the latest by Democrats to pass election security bills in the Senate ahead of 2020. “You know, it’s not a good sign if you’re doing the same thing over and over and expecting a different result,” Blackburn said. Under Senate rules, any one senator can ask to vote on or pass a bill. But because it requires unanimous support, any one senator can also block their requests. Election security has become a point of contention during the Trump era. House Democrats have passed several election-related bills, including a sweeping ethics and election reform measure, but they’ve hit a wall in the GOP-controlled Senate.
National: What Battleground States Need to Do to Prevent Voting Machine Hacking in 2020 | Hadley Hitson/Fortune
Three companies control the fate of United States elections. Election Systems & Software, Dominion Voting Systems, and Hart InterCivic dominate 92% of the voting machine market, standing to make bank as states rush to update their systems before the looming 2020 election. In 2016, counties in 16 states used paperless equipment without backup records. The Department of Homeland Security later notified six of those states that hackers targeted their systems. There’s now widespread recognition that paperless machines are the least secure. Some state governments control voting methods, others delegate the decision to local authority, but in most of those states, officials are moving to purchase new machines. “The transition is still happening, but I’m hopeful every battleground state will have a paper backup of every vote,” said Lawrence Norden, director of the Election Reform Program at the NYU Brennan Center For Justice. Norden predicts 90% of votes will have paper backups in 2020.
In the 1,006 days since Donald Trump became president, his administration has shown little vigilance when it comes to its own security, and a new internal memo suggests the White House is working to weaken its own cybersecurity safeguards. Axios has published a memo written by the White House computer network defense branch chief Dimitrios Vastakis that warns “the White House is posturing itself to be electronically compromised once again.” The White House did not immediately respond to a Gizmodo request for comment. Vastakis submitted the memo as a letter of resignation last Thursday. As Axios reports, the letter comes after at least twelve top officials were dismissed or resigned from a cybersecurity team that protected the White House from security threats from Russia and other entities. This team—the Office of the Chief Information Security Officer (OCISO)—was built after the Obama administration was attacked by Russian hackers in 2014. As the memo states, the OCISO “was established to take on the responsibility of securing the Presidential Information Technology Community (PITC) network.” Since then, the team has “significantly matured the security posture of PITC and no major compromise has occurred,” according to the memo.
National: NSA: ‘We know we need to do some work’ on declassifying threat intel | Shannon Vavra/CyberScoop
One of the National Security Agency’s newly minted Cybersecurity Directorate’s goals is to quickly share information on adversarial threats with the private sector — but the process for doing that needs to be refined, the directorate’s leader said Thursday. “The process in place today is where we know we need to do some work,” Anne Neuberger said while speaking at CyberTalks, produced by CyberScoop. “When we find indications of a threat, we see planning to execute a particular operation, or we see the operation being executed. [But] because we learn about it in a classified way, we treat it as classified.” Part of the difficulty the NSA faces is that adversaries often run operations and then discard their compromised infrastructure, making a protracted declassification process nearly useless since “indicators of compromise pretty much they have a ticking time clock for how useful they are,” Neuberger said. The new directorate, which started operations earlier this month, is measuring success by examining how well it is able to prevent attacks moving forward.
National: Trolls could turn to cyber to disrupt the 2020 census | Amanda Seitz and Rachel Lerman/Fifth Domain
Worried about internet trolls and foreign powers spreading false news, census officials are preparing to battle misinformation campaigns for the first time in the count’s 230-year history. The stakes are huge. Who participates in the 2020 census count could influence how U.S. congressional seats and billions of federal tax dollars to educate children, help low-income families and pave new roads are divvied up. “It’s a fine target,” former U.S. Census Bureau director John Thompson said of the form, which is sent every decade to households in America to count the population. “If you want to disrupt a democracy, you can certainly go about it by disrupting a census.” Already, false and inaccurate social media posts about the census have begun to appear online, where they have been viewed thousands of times. Foremost on everyone’s mind are the misinformation wars waged during the last presidential election to confuse U.S. voters. Fake posts about the census began popping up days after the U.S. Supreme Court ruled in June that the Trump administration could not ask about citizenship status on the 2020 census: Conservative bloggers, Twitter users and pundits falsely blamed former President Barack Obama for scrubbing the question from the form in 2010. In fact, the main census form hasn’t included a citizenship question since 1950, and the bureau’s own analysis found it would discourage people from participating, possibly skewing results.
Verified Voting Blog: DEFCON Voting Village Report highlights election system vulnerabilities and solutions
Verified Voting staff joined the Voting Village at the 27th annual DEFCON conference in Las Vegas in August. DEFCON brings security professionals, journalists, lawyers, researchers, and – of course – hackers under one roof at the world’s largest annual hacking convention. Since its launch in 2017, the Voting Village has served as an “open forum…
Colorado: The public, election officials may be kept in the dark on hacks around the U.S. But not in Colorado. | Colleen Long and Christina A. Cassidy/The Associated Press
If the FBI discovers that foreign hackers have infiltrated the networks of your county election office, you may not find out about it until after voting is over. And your governor and other state officials may be kept in the dark, too. There’s no federal law compelling state and local governments to share information when an electoral system is hacked. And a federal policy keeps details secret by shielding the identity of all cyber victims regardless of whether election systems are involved. Election officials are in a difficult spot: If someone else’s voting system is targeted, they want to know exactly what happened so they can protect their own system. Yet when their own systems are targeted, they may be cautious about disclosing details. They must balance the need for openness with worries over undermining any criminal investigation. And they want to avoid chaos or confusion, the kind of disruption that hackers want. The secrecy surrounding foreign hacks is not a hypothetical issue. The public still doesn’t know which Florida counties were breached by Russian agents in the 2016 election. Rick Scott, Florida’s governor in 2016 and now a U.S. senator, was not told at the time and didn’t learn most of the details until this year. And the threat to electoral systems is real. Federal officials believe Russian agents in 2016 searched for vulnerabilities within election systems in all 50 states. And the nation’s intelligence chiefs warn that Russia and other nations remain interested in interfering in U.S. elections.
Ohio: Governor signs into law measure to increase cybersecurity of elections | Maggie Miller/The Hill
Ohio Gov. Mike DeWine (R) on Friday signed into law legislation that will increase cyber protections for election systems and enhance the overall cybersecurity posture of the state. The legislation, which had bipartisan support, requires post-election audits by county boards of elections to ensure the accuracy of the vote count, while also creating a “civilian cyber security reserve” that can be called into duty to protect state and local government entities against cyberattacks, including those involving elections and those against critical infrastructure The bill gives the Ohio secretary of state a seat on the Ohio Homeland Security Advisory Council and creates a chief information security officer position within the secretary of state’s office to increase attention on election security issues. Ohio Secretary of State Frank LaRose (R), the top election official in the state, said in a statement on Friday that the legislation will give local officials “the support they need” to combat foreign cyber threats. “Imagine looking out the window and seeing foreign paratroopers parachuting into your town,” LaRose said. “We wouldn’t tell a community, ‘you’re on your own – your sheriff department can fight off that threat.’ Well likewise, in the online world, we can now respond with Ohio’s best cyber warriors so these counties and cities have the support they need.”
Pennsylvania: Cost, Security Questions Arise After Westmoreland County Voting Machine Approval | Deb Erdley/Tribune-Review
Chuck Anderson, the outgoing Westmoreland County commissioner, said he wanted to ensure county residents had the best voting system available before he leaves office in December. The $7.1 million touch screen/scanner system he and fellow Commissioners Ted Kopas and Gina Cerilli approved this month will cost $30 per voter — or nearly triple the $11 per voter Allegheny County paid for a new paper ballot/scanner voting system. Total cost for that system was $10.5 million. The price per voter is based on the number of registered voters. In Allegheny County, there are 952,685 registered voters. In Westmoreland, there are 235,970 voters. “The people from Westmoreland County expect to have the very best, and this is the best solution to the problem,” Anderson said. Experts who follow elections and cybersecurity say that’s not true. They maintain touch screen/scanner systems, such as the ES&S product Westmoreland County officials bought, are both more costly and less secure than systems that rely on paper ballots and scanners. Christopher Deluzio, policy director for the University of Pittsburgh Institute for Cyber Law and Security, has studied the issue for the past two years. An ongoing study that looked at what counties paid for voting systems found the average cost in places that bought touch screen/scanner systems was just more than $24 per voter, compared to about $12 per voter for those who bought paper ballot/scanner systems.
Secretary of State Nellie Gorbea told her audience on Friday how during the March 2016 presidential primary she was accused on election-related websites of rigging the election in favor of Hillary Clinton to the detriment of Bernie Sanders and closing down polling sites. “A year later it was determined that Bernie bots of the Russian Internet Research Agency were at work,” Gorbea said. “If your head is spinning, believe me, everyone’s head is spinning.” Gorbea was addressing more than 140 election officials and information technology experts who gathered for a five-hour Cybersecurity Summit at Salve Regina University’s Pell Center in Newport. Media were allowed to listen for 1 ½ hours, but then cleared out before speakers like Noah Praetz, a senior election security advisor with the U.S. Department of Homeland Security, and Jessica Cone, a specialist with the U.S. Elections Infrastructure — Information Sharing and Analysis Center, made their presentations. “We don’t want to give away our game plan,” Gorbea said.
This November, Texas voters may be less surprised by what’s on their ballots than by what their ballots look like. Dozens of counties across the state—including Collin, Dallas, and Tarrant—are rolling out brand-new, “hybrid” voting systems that combine paper-based and electronic balloting. With hybrid systems, voters use an electronic touch screen to mark paper ballots, which are then counted using a separate tabulating machine. Voters can confirm their selections on paper before scanning their ballots for electronic counting, and election officials have a paper record to use for audits and recounts. Electronic ballot-marking eliminates stray marks and over-votes (marking more than one choice in a race) that can make it difficult or impossible to interpret a voter’s intent. The systems include multiple security features and are not connected to the internet. “Russia cannot tie into this voting equipment,” Collin County Elections Administrator Bruce Sherbet said at a training class for election workers last week, adding that the rollout has been very smooth during early voting.
The National Cyber Security Advisor, Dr Albert Antwi-Boasiako has called on the Electoral Commission to put robust cyber security measures in place to protect its system from hacking. Given the reported cases of hacking of electoral systems in other countries during elections, there was the need for the EC to put measures in place to protect the Commission of cyber attack. Dr Antwi-Boasiako made the call in an interview with the Ghanaian Times after a high-level discussion on election and cyber security to close the 2019 National Cyber Security Awareness Month. The one-week programme, attended by participants and ministers from some West African countries was on the theme “Demonstrating Ghana’s cyber security readiness.” It was organised by the Ministry of Communications and National Cyber Security Centre to create awareness on cyber security issues and attacks and the impact of the menace on the economy, corporate bodies and individuals.
Recent reports that a number of electronic voting machines (EVMs) were missing from the Electoral Commission of Namibia (ECN) have sparked massive public criticism, with some people questioning the integrity of the election body in the run-up to next month’s presidential and National Assembly elections. Some political commentators and legal experts have accused the electoral commission of concealing information regarding the disappearance of the EVMs, while others called for the arrest of people responsible for the missing EVMs. The Namibian reported last week that the Namibian Police were investigating a case involving the disappearance of three EVMs from the ECN. The ECN issued a statement on Sunday, explaining that the missing EVMs were rented out to the ruling Swapo Party to conduct an internal election for the party’s Elders’ Council in 2017. The commission, however, remains tight-lipped about the issue, saying it could not publicly pronounce itself on the matter due to “concerns of compromising the investigation process, as the police are working to trace the EVMs that had gone missing.”
American intelligence is warning of a concerted effort overseen by Russian president Vladimir Putin to swing next year’s presidential election in favor of Donald Trump. Reports prepared by the National Security Agency and the Central Intelligence Agency are unequivocal, detailing a two-pronged Russian strategy: sow dissension inside America by manipulating social media and attack the voting process itself. There is also concern that a new front could be opened in this battle by the use of deepfakes, videos generated using artificial intelligence that recreate the image and voice of anyone, who can be made to say and do anything. The leading Democratic candidate, for example, could be seen to suggest pardoning Patrick Crusius, the man who killed 22 people in El Paso in August. Such fake videos are both easy to make and difficult to detect, and they could undermine any candidate. Already in the Democratic primaries, trolls have been hard at work influencing the conversation. One fake meme that proved popular, for example, declared that every Democratic candidate had changed his or her name. ‘Democrats are so fraudulent and corrupt that they don’t even use their real names with the American people,’ claimed the meme, which said Cory Booker’s real name is Tony Booger and Bernie Sanders’s is Bernard Gutman.
United Kingdom: How cyber criminals and fake news could ruin Britain’s next election | James Cook/The Telegraph
Elections in the UK are more likely to bring to mind visions of kindly pensioners in church halls ticking names off lists than shadowy hacking groups attempting to subvert democracy. But hackers, with terrifying powers to spread fake news on a massive scale, are fast becoming a reality of British politics. Last year, ahead of the local elections, the National Cyber Security Centre (NCSC), a division of spy agency GCHQ, published a starkly worded report for local authorities which warned of “insider activity” that could attempt to “manipulate or compromise electoral information or processes for financial gain [or] ideological reasons.” The report urged local authorities to make regular backups of the electoral roll and to keep these backups in secure facilities to make it more difficult for hackers to access them. Ask spies and security experts about the digital threat to elections and you’ll encounter the curious lexicon of intelligence agencies. Hackers are known as “threat actors” who engage in either overt or covert influence campaigns. And when hackers manage to break into a computer network, they typically create an “implant” which allows them to return or to funnel data out without anyone noticing. A series of government departments have found themselves at the frontline of the battle to keep elections secure. In recent months, committee hearings in the Houses of Parliament and briefings by spy agencies have outlined how the government keeps elections safe.