National: Expensive, Glitchy Voting Machines Expose 2020 Hacking Risks | Kartikay Mehrotra and Margaret Newkirk/Bloomberg

The first sign something was wrong with Northampton County, Pennsylvania’s state-of-the-art voting system came on Election Day when a voter called the local Democratic Party chairman to say a touchscreen in her precinct was acting “finicky.” As she scrolled down the ballot, the tick-marks next to candidates she’d selected kept disappearing. Her experience Nov. 5 was no isolated glitch. Over the course of the day, the new election machinery, bought over the objections of cybersecurity experts, continued to malfunction. Built by Election Systems & Software, the ExpressVote XL was designed to marry touchscreen technology with a paper-trail for post-election audits. Instead, it created such chaos that poll workers had to crack open the machines, remove the ballot records and use scanners summoned from across state lines to conduct a recount that lasted until 5 a.m. In one case, it turned out a candidate that the XL showed getting just 15 votes had won by about 1,000. Neither Northampton nor ES&S know what went wrong. Digital voting machines were promoted in the wake of a similarly chaotic scene 19 years ago: the infamous punch-card ballots and hanging chads of south Florida that tossed the presidential contest between George W. Bush and Al Gore into uncertainty.

United Kingdom: Labour Party hit by second cyber-attack | BBC

Labour is reportedly suffering a second cyber-attack after saying it successfully thwarted one on Monday. The party says it has “ongoing security processes in place” so users “may be experiencing some differences”, which it is dealing with “quickly”. The Distributed Denial of Service (DDoS) attack floods a computer server with traffic to try to take it offline. The BBC’s Gordon Corera has been told Monday’s attack was not linked to a state. Earlier, a Labour source said that attacks came from computers in Russia and Brazil. Our security correspondent said he had been told the first attack was a low-level incident – not a large-scale and sophisticated attack. A National Cyber Security Centre spokesman said the Labour Party followed the correct procedure and notified them swiftly of Monday’s cyber-attack, adding: “The attack was not successful and the incident is now closed.” Meanwhile, Labour has denied that there has been a data breach or a security flaw in its systems after the Times reported the party’s website had exposed the names of online donors.

National: Voatz smartphone voting app needs security review, senator says | Ben Popken/NBC

A smartphone voting app that has been tested in local elections around the United States should undergo a cybersecurity review, Sen. Ron Wyden, D-Ore., said Friday. In a letter sent to Defense Secretary Mark Esper, Wyden requested the review of the Voatz voting app, which has been used in elections in Colorado, Oregon and Utah as a way to make it easier for military and overseas voters to cast their ballots. According to the developer, the app combines “mobile voting” and blockchain technology to create a secure way for people to vote without having to visit a voting booth. But Wyden wrote that he is “very concerned about the significant security risks associated with voting over the internet.” He cited the National Academy of Sciences, which recommended in 2018 that no internet voting be used until much stricter security measures can be put into place. “No known technology guarantees the secrecy, security and verifiability of a marked ballot transmitted over the Internet,” the academy authors wrote. Wyden also wrote that Voatz has said it has conducted independent audits but hasn’t published the results or identified the auditors. The FBI is currently investigating an attempt to hack the Voatz app.

National: Targets of foreign election interference may get a call from US intel officials | Kevin Collier and Zachary Cohen/CNN

The US government has set up a new process to alert targets of foreign election interference in an attempt to be more transparent and counter ongoing efforts by Russia and other adversaries to influence the American political process. The FBI, Department of Homeland Security, Department of Justice and relevant intelligence agencies announced Friday that the government will notify relevant members of Congress, state and local officials, private sector and the public of foreign interference “where necessary to protect national security and the integrity of our elections,” beyond existing laws and policies. Most intelligence concerning threats to election security is initially classified, making it difficult to quickly release to the public. When Russian intelligence conducted its election interference campaign in the leadup to the 2016 election, the FBI and DHS had difficulty conveying information about some cyber threats to county and state election officials who didn’t have security clearance.

National: Swing state election websites aren’t secure against Russian hacking, McAfee says | Joseph Marks/The Washington Post

County election websites in two battleground states are highly vulnerable to hacking by Russia or another adversary that might seek to disrupt the 2020 vote by misleading voters about polling locations or spreading other false information. About 55 percent of county election websites in Wisconsin and about 45 percent in Michigan, both states that President Trump flipped from Democratic to Republican in 2016 lack a key and fairly standard security protection, according to data provided exclusively to me by the cybersecurity firm McAfee. Without this protection, called HTTPS, it’s far easier for an adversary to hijack those sites to deliver false information, divert voters to phony sites that mimic the real ones or steal voters’ information, per McAfee. (You can often tell if a site has HTTPS protection if there’s a small lock icon to the left of a Web address.) The repercussions could be huge if Russia or another country decided to manipulate sites in key counties to send voters to the wrong polling places or at the wrong times. They could even flood people seeking voting information with malicious software so they spend much of Election Day getting their phones and laptops fixed and have less time to actually go vote. In states with incredibly tight margins of victory in the last presidential election, a hacker who prevented just a few thousand people from voting in one of them in 2020 could swing an election or create broad doubt about the results.

National: Spy, law enforcement agencies step up U.S. election security measures | Mark Hosenball/Reuters

U.S. spy and law enforcement agencies on Friday said they had strengthened procedures for informing Congress, state and local governments, private business and the public about foreign interference in U.S. elections. The FBI has already given some American election candidates “defensive” briefings on evidence U.S. agencies collected of possible election interference, an FBI official told a briefing for journalists. The official, who spoke on condition of anonymity, declined to give further details regarding who might have been warned about the interference or where and how such interference might have originated. An official, also speaking on condition of anonymity, said that U.S. agencies believe that Russia, China and Iran all present continuing potential threats to the U.S. electoral system. However, officials stressed that U.S. agencies had not seen direct threats to American election systems recently. An FBI official added that the bureau has “invested a lot of time” in trying to help social media companies detect inauthentic politically related message traffic, and shares information on this with social media companies.

National: As 2020 US presidential election nears, voter systems are still vulnerable | Lydia Emmanouilidou/Public Radio International

With just a little more than a year to go before the 2020 US presidential election, security experts and lawmakers say progress has been made to guard against foreign interference. But they warn the country’s election infrastructure could be vulnerable to the types of hacking operations that took place in the lead-up to the 2016 election. One such attack was directed at the Illinois State Board of Elections, an agency that oversees and facilitates parts of election processes in the state, including a statewide voter registration system. “One of our IT people noticed that our [voter registration] system was running extremely slowly,” said Matt Dietrich, a spokesperson for the agency. “It had practically shut down.” The IT member inspected the system, and discovered that an intruder had exploited a vulnerability on the board’s online voter application, broken into the statewide voter registration database and gained access to voter information, including names, addresses and drivers’ license numbers. “It was terrifying. … We took the entire system down,” Dietrich said.

National: Every State Was Given Funding to Increase Election Security. Here’s How They Spent It | Nicole Goodkind/Fortune

The U.S. is less than a year out from one of the most consequential elections of the century, which President Donald Trump’s Department of Homeland Security has called “the big game” for foreign adversaries looking to attack and undermine the Democratic process. Congress, meanwhile, is locked in a stalemate about how to secure systems in the country’s 8,000 largely disjointed voting jurisdictions. Tuesday marks the last test of security preparedness before the 2020 elections, as certain statewide polls take place around the country. The Department of Homeland Security is gearing up “war rooms” to monitor for potential interference and test voting infrastructure, but with sluggish movement at a federal level there is little they’ll be able to do to correct any issues within the next 12 months. There is, however, one beacon of hope: 2002’s Help America Vote Act (HAVA)—a block grant issued to states to bolster election security following the Bush v. Gore hanging chad debacle some 19 years ago. In 2018, Congress used the Omnibus Appropriations Act to pad HAVA with an extra $380 million to be divided up amongst the states in proportion to their voting age population. The idea was that they spend it to prepare for the 2020 elections, and Democrats and Republicans are likely to approve at least another $250 million through the act this year.

National: Retirements pose threat to cybersecurity expertise in Congress | Maggie Miller/The Hill

Rep. Pete King’s (R-N.Y.) planned retirement after the 2020 elections is the latest in a string of House departures that look likely to deal a blow to Republican cybersecurity expertise on Capitol Hill. King said on Monday he would not seek reelection after 14 terms in the House, including serving previously as chairman of the House Homeland Security Committee and as a member of the House Intelligence Committee. Those two panels have a focus on cyber issues, such as election security and other cyber threats from foreign countries, and the departure of a longtime member such as King could make it more difficult for Congress to address growing cyber threats in the future. His resignation comes on the heels of announcements by almost two dozen other House Republicans that they will not run for reelection, with several of these members having become key players in the cybersecurity debate on Capitol Hill, including Rep. Will Hurd (R-Texas). Cybersecurity is listed as an area of interest by King on his congressional website, with the lawmaker writing, “As the only senior member of Congress serving on the two Committees with the largest cybersecurity oversight mission, I have made it my goal to ensure we are building an effective cybersecurity program across the federal government.”

Editorials: An Inconclusive 2020 Election Night Is Already Looming | Jonathan Bernstein/Bloomberg

We’re one year from the 2020 presidential election. And I hope that the folks who run newsrooms at the broadcast and cable news networks, as well as at any other major media outlets, are arriving at a plan to deal with one of the trickiest parts of Election Day coverage: The slow vote count in western states. We know it’s going to happen. In several states where voting by mail is either the only or a major form of casting ballots, and where those ballots take time to collect, the Election Day counts are — not can be, but are — highly misleading. We know that millions of votes will be counted after election night. And we know that those votes will tilt toward Democrats. Therefore, we know that the count on election night will be better for Republicans than the eventual total count. One of the states involved, Arizona, is likely to be an important swing state in 2020, so it’s possible that election night will end with Arizona seemingly giving Republicans the presidency, only to flip to the Democrats a few days later. After all, in the 2018 Arizona Senate contest, Republican Martha McSally led after Election Day, but Democrat Kyrsten Sinema won when all the ballots were counted and it wasn’t all that close; Sinema prevailed by 2.4 percentage points, or 55,900 votes. The late-count tilt to Democrats isn’t just found in the vote-by-mail states. One study after 2012 found that it had become a national phenomenon, with Democrats typically gaining ground after the initially reported election-night totals. In most states, however, it’s a relatively small effect, and not entirely consistent (that is, even though Democrats usually gain a bit, sometimes Republicans do). But in a few states, the effect is predictable and large enough that ignoring it really misses the story. After election night in 2016, Hillary Clinton’s advantage in the nationwide popular vote was just over 100,000; she eventually won by 2.9 million votes. Those are very different stories, and reporting correctly requires picking the right one while everyone is still watching.

Colorado: Operating system update causes upset for county clerks | Christian Burney/La Junta Tribune-Democrat

Otero County Clerk and Recorder’s Office is lagging in some areas after an update last Wednesday to the operating systems of their office computers. Elections Clerk Lynda Scott said at the Monday Board of County Commissioners meeting that after the state assisted the clerk and recorder’s office in updating their computers from Windows 7 to Windows 10 they began experiencing severe slowdowns with computer systems in the clerk’s office and with county vehicle and licensing services. Scott said she was told by state officials that Windows 10 requires a higher bandwidth and that is the source of their technical issues. Scott also added that the state had been aware of Windows 10′s bandwidth requirements and that at least a heads up about the issue would have been appreciated before the install happened last week. “We’re doing the best we can to let them know we are working on it,” said Scott. “State informed us today that they are looking into Comcast, possibly, to put us on that (service provider). But it may be two weeks or a month or more before we know for sure.

Indiana: IU receives $300,000 grant to improve cybersecurity for 2020 election | Jessica Prucha/Indiana Daily Student

Indiana General Assembly legislators awarded IU $301,958 to improve election cybersecurity across the state’s 92 counties. Researchers at the IU Center for Applied Cybersecurity Research are partnering with the Indiana Secretary of State’s Office to create and teach incident response plans to election officials across the state for the 2020 election. Von Welch,Director of the Center for Applied Cybersecurity Research, and his team are working alongside Secretary of State Connie Lawson to develop incident response training material. The initiative will train election officials from the state’s 92 counties on how to respond to incidents, such as power outages, social media threats or ransomware attacks during the 2020 election process. Training initiatives will prepare election officials for computer problems or cybersecurity breaches. “One concern is what happens if there’s an incident related to the computers in the election?” Welch said. “Do they know how to appropriately respond?”

Kentucky: Skeptics Urge Kentucky’s Matt Bevin To Show Proof Of Election Fraud Claims | Miles Parks/NPR

Trailing in the vote tally for Kentucky’s governorship by about 5,000 votes, incumbent Gov. Matt Bevin decided last week to play what’s becoming a familiar card: He questioned the election’s legitimacy. “What we know is that there really are a number of significant irregularities,” Bevin said Wednesday in front of the governor’s mansion, “the specifics of which we’re in the process of getting affidavits [about] — and other information that will help us to get a better understanding of what did or did not happen.” Bevin declined to take questions from reporters or give more specifics, other than saying that “we know there have been thousands of absentee ballots that were illegally counted.” No Kentucky election official, including Secretary of State Alison Lundergan Grimes, has corroborated that claim in the days since Bevin made it. Critics and elections specialists are calling for Bevin to provide evidence of the dramatic claim or retract it. “Gov. Bevin really needs to put up or shut up. Give us the evidence, or stop making these claims of voter fraud that have no evidence behind them,” said Josh Douglas, an election law professor at the University of Kentucky. “I think it’s a danger to the legitimacy of a democratic institution.”

Kentucky: Senate president says Bevin should concede election if recanvass doesn’t alter vote totals | Joe Sonka and Deborah Yetter/Louisville Courier Journal

Republican Senate President Robert Stivers believes Gov. Matt Bevin should concede his loss to Democrat Andy Beshear if next week’s recanvass doesn’t significantly change the vote totals. “It’s time to call it quits and go home, say he had a good four years and congratulate Gov.-elect Beshear,” Stivers said in a brief Friday interview at the Capitol. Bevin finished 5,189 votes behind Beshear in Tuesday’s gubernatorial election but has refused to concede the race, requesting a recanvass of the vote that will take place Nov. 14. The governor has also made allegations of widespread voting irregularities and fraud on Election Day, but hasn’t provided any evidence to back up those claims. Stivers said if Bevin chooses to contest the election by calling a special session of the General Assembly and making a case that there was illegal activity, lawmakers would have to hear the dispute under the state constitution.

Mississippi: The Way America Votes Is Broken. In One Rural County, a Nonprofit Showed a Way Forward. | Jessica Huseman/ProPublica

Choctaw County’s election centers opened at 7 a.m. last Tuesday, and voters were greeted by poll workers who’d just set up brand-new voting machines. “If you need any help, just holler,” poll worker Albert Friddle told a voter as he walked her through the new system. She didn’t holler. Using a machine the size of a briefcase, she selected her choices, printed and double-checked her ballot, and dropped it into a secured blue box provided by the county. Indeed, the day went without anyone hollering. “Everything went just fine,” said Amy Burdine, Choctaw County circuit clerk. “Just as expected.” The scene in Mississippi, if modest in its particulars, was seen by some as a telling moment at a time of great anxiety about the accuracy and security of the nation’s voting systems. Mississippi is one of only a few states in the country to allow the use of voting machines that have not been certified by federal authorities, and the state has no certification process of its own. As a result, the machines at work for the first time in Choctaw County last week were built by VotingWorks — a small nonprofit organization founded by Ben Adida and Matt Pasternack. Adida and Pasternack selected the state both for its regulatory environment and because many counties in the state continue to use paperless voting systems, allowing the company, Adida said, to “very quickly improve the security of voting in Mississippi by reintroducing paper.”

Pennsylvania: Monroe County Voters Voice Concern Over Elections Tech | Brian Myszkowski/Pocono Record

The ballots are in, the votes are counted, and the consensus is…there are still a few kinks to iron out before the next election. Last week’s municipal election saw the premier of the new ClearCast scanners, paper ballots and other changes in voting technology in Monroe County, Pa., and other areas across the state and nation. Gone are the electronic screens of the past, replaced with paper ballots and scanning devices meant to ensure the safety and security of citizens’ votes. Voters could simply fill in bubble next to the name of the candidate they wished to vote for, and once they completed the ballot, they fed it into the scanners, which checked for errors, asked for final approval and deposited the slip into a secure box. At least that was the idea. According to a Pocono Record poll, about 70% of voters were able to vote on Election Day without any issues. But when it came to the rest, several concerns tended to pop up rather frequently.

Editorials: Cities like Philadelphia are sitting ducks for cyber attacks | David Morris/The Philadelphia Inquirer

According to a new report, during President Donald Trump’s inauguration, Romanian hackers used ransomware to seize control of two-thirds of the Beltway’s police security cameras – a stunning feat only slightly diminished by the fact that they went on to order pizza from an email account linked to the attack, then used hijacked police computers to run an easily traceable Amazon scam. That combination – a successful, high-profile ransomware attack executed by thumb-fingered amateurs – shows the challenges now faced by local governments. It no longer takes a genius to hack municipal computer systems: Anyone can log onto the dark web and buy email lists and the malware needed to lock police officers, hospital workers, and government officials out of their computers. One ransomware program dubbed “Philadelphia,” available online for just $400, is specifically designed to help inexperienced hackers take victims’ data hostage. Such attacks are devastating. Without the hackers’ digital key, it’s impossible to unlock hacked files, leaving cities unable to access not just cameras, but 911 systems, hospital records, communication tools, and even water and power systems. That’s why cities make enticing targets: You can’t put public services on hold, so hackers can charge a premium when extorting government entities. Hacked companies pay an average of $36,295 to retrieve their data, but public entities pay an average of $338,700, or almost 10 times as much, according to a Coveware study.

Editorials: Northampton County voting system flunks a crucial first test | Rudy Miller/Lehigh Valley Live

What now? In the run-up to the most consequential election in modern American history — as counties throughout the U.S. are arming themselves with tamper-proof voting machines — Northampton County proved last week that you don’t need Russian interference to bungle an election, seriously damaging public confidence in the process. No, you can do it all by yourself. In Tuesday’s balloting, Northampton County’s all-new machines were plagued by hypersensitive push-buttons that confused voters, sometimes requiring them to go back and re-hit buttons to correct the machines. But that was just the beginning of the troubles. Incredibly, some of the electronic machines couldn’t handle registering simple “yes-no” voting on judge retentions, and displayed severe undercounts in contests with cross-filed candidates. Most incredibly, one judge candidate, Abe Kassis, ended up with zero votes at the end of the day. Some voters were confused by the paper readout they are asked to inspect before they leave the booth (voters don’t actually get a printout in hand), to make sure the electronic machine got it right. Long story short: Northampton County’s new ExpressVote XL machines failed their first crucial test in Tuesday’s election. The county paid $2.8 million for the voter-verifiable paper trail system, an upgrade required by state law.

Virginia: Registrar: Data glitch affected some Stafford ballots, but not enough to change election | James Scott Baron/The Free Lance-Star

Several Stafford County voters claim they were given the wrong ballot at the polls Tuesday, while others say their ballot was missing information. According to county voting officials, a precinct chief reported that some voters checking in at the polls were given incorrect ballots. “Our records reflect that 281 ballots were cast within the six affected precincts from the opening of the polls at 6 a.m. until the resolution of this issue by no later than 6:30 a.m.,” County Registrar Anna Rainey wrote in an email. Six precincts were affected: Hartwood, Simpson and College in the Hartwood District; Griffis and Barrett in the Griffis–Widewater District; and Whitson in the Garrisonville District. All of the precincts affected were split precincts, where voters are given different ballots based on which House of Delegates or state Senate district they live in. Rainey reports the number of affected ballots was between 66 and 281 in legislative races only. No local races were affected. The 30-minute glitch was caused by a data transfer issue to the polls’ computer printers. Those printers help voting officials identify which ballot matches the voter’s precinct.

Bolivia: President Evo Morales resigns after election result dispute | Ernesto Londoño/The New York Times

President Evo Morales of Bolivia, who came to power more than a decade ago as part of a leftist wave sweeping Latin America, resigned on Sunday after unrelenting protests by an infuriated population that accused him of undermining democracy to extend his rule. Mr. Morales and his vice president, Álvaro García Linera, who also resigned, said in a national address that they were stepping down in an effort to stop the bloodshed that has spread across the country in recent weeks. But they admitted no wrongdoing and instead insisted that they were victims of a coup. “The coup has been consummated,” Mr. García said. Mr. Morales was once widely popular, and stayed in the presidency longer than any other current head of state in Latin America. He was the first Indigenous president in a country that had been led by a tiny elite of European descent for centuries, and he shepherded Bolivia through an era of economic growth and shrinking inequality, winning support from Bolivians who saw him as their first true representative in the capital. “I want to tell you, brothers and sisters, that the fight does not end here,” Mr. Morales said on Sunday. “The poor, the social movements, will continue in this fight for equality and peace.” “It hurts a lot,” he added. Mr. Morales’s reluctance to give up power — first bending the country’s laws to stand for a fourth election, then insisting that he won despite widespread concerns about fraud — left him besieged by protests, abandoned by allies and unable to count on the police and the armed forces, which sided with the protesters and demanded he resign. As the country slipped into deeper turmoil over the weekend, protesters voiced their fear of Bolivia’s trajectory under Mr. Morales. “This is not Cuba. This is not Venezuela!” they chanted in La Paz, Bolivia’s main city, over the weekend. “This is Bolivia, and Bolivia will be respected.”

India: ECIL Directs Disclosure of Information About Electronic Voting Machines and VVPAT Deployment in 2019 Elections | Venkatesh Nayak/The Wire

In September 2019, Commonwealth Human Rights Initiative reported that the Bharat Electronics Ltd. (BEL) did a volte face under the Right to Information (RTI) Act about supplying information relating to Electronic Voting Machines (EVMs) and Voter Verified Paper Trail Units (VVPATs) deployed during the 2019 general elections. After demanding copying charges to provide the information I requested, the central public information officer (CPIO) returned the money, claiming that BEL did not hold some of the information and that disclosing names of engineers deputed to provide technical support for these machines at the constituency-level would endanger their lives. The CPIO also denied access to operational manuals relating to these machines. The CPIO of the Electronics Corporation Ltd (ECIL), which also supplied EVMs and VVPATs for use during the same elections, had also denied information sought in an identical RTI application. Now, in a welcome turnaround, the ECIL’s first appellate authority (FAA) has upheld my first appeal and directed its CPIO to provide access to all information which had been denied earlier. Meanwhile, the BEL’s FAA directed the CPIO to transfer the queries relating to the number of EVMs and VVPATs deployed during the 2019 Lok Sabha Elections to the Election Commission of India (ECI) but upheld his decision to reject information about engineers and operational manuals used.

United Kingdom: Tech companies rush to fight misinformation ahead of UK vote | David Klepper & Dabica Kirka/Associated Press

Facebook is opening up a war room to quickly respond to election hoaxes. Twitter is banning political ads. Google plans to crack down on bogus videos on YouTube. Social media platforms say they are mounting a vigorous campaign against misinformation in the lead up to next month’s general election in the United Kingdom. But digital misinformation experts believe British voters remain vulnerable to the same type of misleading ads and phony claims that played a role in the vote to leave the European Union three years ago. Government inaction on online misinformation and digital ad regulations have added to the pressure internet companies are under as they face growing criticism for amplifying false claims during the run up to the 2016 Brexit referendum and the 2016 election in the U.S. Prime Minister Boris Johnson pushed for the snap Dec. 12 election, in which voters will choose 650 representatives to the House of Commons, hoping his Conservative Party will gain enough seats to break a stalemate over his plan to take Britain out of the EU. And with campaigns barely under way, falsehoods are already spreading online.