National: Despite Concerns About Election Security, ‘Vulnerabilities Abound’ | Alan Greenblatt/Governing

Ten days after he lost his re-election bid, Kentucky GOP Gov. Matt Bevin conceded the election. Bevin admitted defeat on Thursday following a recanvass of the vote, which he had requested and didn’t change the outcome. Beginning Nov. 5 — the night of the election — Bevin had complained that his narrow loss to Democrat Andy Beshear was due to irregularities. Bevin’s unsubstantiated complaints showed that there is more than one way to undermine confidence in elections. Although election officials worry about hacking into voting machines and registration rolls, they also worry that claims about potential problems make it harder for the public to accept the outcome of elections — especially if their preferred candidate has lost. “If I wanted to undermine the democratic system, all I really need to do is create doubt in the mind of whatever team loses,” said Michael Miller, a political scientist at Barnard College. “It’s very concerning that we’ve begun to focus on which team do [hackers] hurt, Republican or Democrat. It could be your team today, but it could be the other team tomorrow.”

National: Election vendors should be vetted for security risks, says watchdog group | Joseph Marks/The Washington Post

The federal government should start vetting companies that sell election systems as seriously as it does defense contractors and energy firms, a top election security group argues in a proposal out this morning. Under the proposal from New York University’s Brennan Center for Justice, government auditors would verify election companies and their suppliers are following a raft of cybersecurity best practices. They would also have to run background checks to ensure employees aren’t likely to sabotage machines to help Russia or other U.S. adversaries. The suggestion comes as Congress continues to fight over whether to tighten election security as candidates ramp up for the 2020 election. Senate Republicans, especially, have stalled further security measures, even as observers warn that the next election is ripe for hacking by foreign adversaries such as Russia, which interfered in the 2016 contest. Vendors of voting machines, however, have traditionally been exempt from close review by federal regulators. “These vendors are a critical part of securing our elections, but we haven’t really focused on them at all,” Lawrence Norden, director of Brennan’s election reform program and one of the authors, told me. “We need to understand that they’re critically important but also represent a vulnerability that there needs to be oversight for.”

National: Arming agencies for ransomware attacks in an election year | Stephen Moore/GCN

In the past few months, we have seen just how imperative it is to stop ransomware attacks. Ransomware has the power to rob state and local governments of thousands — or hundreds of thousands — of budget dollars and grind productivity to a halt. Recovery can cost tens of millions, as Atlanta and Baltimore discovered. Just two months ago, a coordinated attack hit 22 local Texas governments simultaneously, forcing many municipalities to rely on backup systems. Fortunately, none of the demanded $2.5 million ransom was paid, but that does not mean the event was without consequence. Cities and their elected officials have learned that failing to protect networks housing taxpayer data risks losing the trust of constituents. While ransomware attacks can happen at any time, an election year is an opportune time for adversaries to conduct attacks — on voter registration systems, for example. In an attempt to prevent a ransomware attack affecting upcoming elections, the Department of Homeland Security recently  announced a program to provide state election officials with guidance and support, as well as pen testing and vulnerability scanning of their voting systems. The rollout of this program, and future programs, serves as a major step in helping local governments protect their networks ahead of the 2020 elections and beyond.

National: Bipartisan bill to secure election tech advances to House floor | Maggie Miller/TheHill

The House Science, Space and Technology Committee on Thursday unanimously approved legislation intended to secure voting technology against cyberattacks. The Election Technology Research Act would authorize the National Institute of Standards and Technology and the National Science Foundation to conduct research on ways to secure voting technology. The legislation would also establish a Center of Excellence in Election Systems that would test the security and accessibility of voting machines and research methods to certify voting system technology. The bill is sponsored by Reps. Anthony Gonzalez (R-Ohio) and Mikie Sherrill (D-N.J.), along with committee Chairwoman Eddie Bernice Johnson (D-Texas) and ranking member Frank Lucas (R-Okla.). All four sponsors enthusiastically praised the bill during the committee markup on Thursday, with Johnson saying that “transparent, fair, and secure elections are the bedrock of our democracy,” and that attacks in 2016 on online voter registration databases “have increased Americans’ concerns about the integrity of our elections.”

National: Election Assistance Commission Needs More Authority In Face of 2020 Threats, Report Finds | Courtney Bublé/Government Executive

With less than a year until the 2020 presidential election, a new report calls on Congress to bolster the authority of the agency that serves as the nation’s elections clearinghouse and devote more funding and resources to it. The Brennan Center for Justice, a nonpartisan law and public policy institute, released a report on Tuesday that proposes a new framework for protecting election systems. Its recommendations focus on the oversight and internal operations of the Election Assistance Commission, the understaffed and underfunded federal agency responsible for promoting election administration best practices and voting machine security standards. “The federal government regulates colored pencils, which are subject to mandatory standards promulgated by the Consumer Product Safety Commission, more strictly than it does America’s election infrastructure,” said the report. Although the Homeland Security Department designated election systems as critical infrastructure in 2017 following revelations of Russian interference in the 2016 presidential election, election systems don’t receive the same type of oversight as other sectors with the critical infrastructure classification.  “While voting systems are subject to some functional requirements under a voluntary federal testing and certification regime, the vendors themselves are largely free from federal oversight,” the report said. “Under our proposal, the EAC would extend its existing certification regime from voting systems to include all vendors that manufacture or service key parts of the nation’s election infrastructure.”

National: State, local elections officials agree no ‘one-size-fits-all-approach’ exists for cybersecurity | Jory Heckman/Federal News Network

Less than a year out from the 2020 election, state and local election security personnel are gearing up to defend against cyber threats. But while these officials work directly with the Department of Homeland Security to protect this critical infrastructure, in many cases they face limited resources on a scale not seen in the federal government. More than 40 states have a secretary of state that serves as the chief election official, but in Wisconsin, an administrator is appointed by a bipartisan commission to serve in that role. Meagan Wolfe, the administrator of the Wisconsin Elections Commission, said Wisconsin is the most decentralized election administration system in the country. The state runs elections at the municipal level, whereas most other states run elections at the county level. However, resources for these offices can run thin and two-thirds of Wisconsin’s election officials work part-time. “A lot of them don’t have any type of IT support at the local level, which is very different than some of the county-based systems. The clerk might be the sole employee of that jurisdiction,” Wolfe said at the Cybersecurity Coalition’s CyberNext D.C. conference.

Editorials: Restoring Trust And Security In U.S. Elections | Earl Matthews/Forbes

There was a time when we didn’t think twice about the security of our election systems. We trusted that when we cast our votes, they would be accurately counted. That has changed. During the 2016 election, a powerful threat appeared from outside our own borders – the shadow of other governments hacking and attempting to unduly influence our election systems. If we care about voting and election security, and if we still believe that every voter and every vote counts, then there is a big existential question that we must be willing to address: Is cybersecurity fundamental to the health, if not the very existence, of a democracy today? I say absolutely yes. The issue is not significantly different from the challenges that businesses face as they try to protect their data and digital assets. It’s the ramifications that are so much bigger.

Arizona: County recorders falling short on web security, expert says | Andrew Oxford/Arizona Republic

Arizonans still vote on paper but much of an election unfolds online, from finding a polling place to requesting a mail ballot.

Cyber security experts worry election officials in some of the state’s counties are not doing enough to secure their websites and prevent fraudsters from sowing disinformation or spreading confusion. Most of the county recorders in Arizona are not using one of two basic safety measures that cyber security firm McAfee is encouraging local governments adopt. The company is urging election officials to use web addresses ending in .gov as well as secure sockets layer — encryption commonly used on websites that handle passwords, credit card information and other sensitive data. Without these measures, it could be easier for saboteurs to hijack a website and steal users’ data or provide false information, particularly heading into an election that experts anticipate will be targeted with disinformation.

California: As Power Shut Offs Increase, California Counties Are Making Plans For Elections Without Electricity | Scott Rodd/California Public Radio

After California utilities cut power to millions of customers in October, county election officials are wasting little time making sure polling places are prepared in the case of an outage during an election.  Counties are using pre-election surveys to make sure polling places and vote-counting centers have equipment needed to mitigate the impact of power shutoffs. That includes back-up generators, flashlights, lanterns and portable power equipment. Some county election offices are also developing multitiered plans to ensure every vote is counted if an outage occurs. In Placer County, election officials are already preparing precincts ahead of next year’s primary in March and general election in November.  “We continually survey our polling places,” said Ryan Ronco, Placer County’s registrar of voters. That typically includes measuring doorway thresholds and installing ramps to increase accessibility. “And now, we’re also mitigating power [outages],” he said.

Georgia: Voting machine critics investigated by Georgia election officials | Mark Niesse/The Atlanta Journal-Constitution

Georgia election officials are investigating two prominent critics for allegedly intruding into voting areas during a test run of the state’s new voting machines. The two people under investigation said the investigation is an intimidation tactic by Secretary of State Brad Raffensperger’s office. Marilyn Marks, a plaintiff in a lawsuit demanding that Georgia switch to hand-marked paper ballots, and Richard DeMillo, a Georgia Tech cybersecurity expert, are accused of “interfering with voters by being in an unauthorized area” during the Nov. 5 election, said Walter Jones, a spokesman for Raffensperger. “The secretary of state takes voters’ reports that individuals are violating election law and undermining the integrity of our state and local elections seriously,” Jones said in a statement. Marks said Raffensperger is attempting to marginalize skeptics of the state’s new voting system, which combines touchscreens and printed ballots. The system is scheduled to be rolled out to voters statewide during the March 24 presidential primary.

Georgia: Paper ballots recounted to check election results in Georgia | Mark Niesse/The Atlanta Journal-Constitution

A recount of ballots printed out by Georgia’s new voting system confirmed the accuracy of electronically counted election results, state election officials said Wednesday. But critics say the state’s audit proved nothing, and they believe ballots created by computers remain vulnerable to tampering and inaccuracies. Election workers on Tuesday reviewed a sample of paper ballots printed by touchscreens during last week’s election in Bartow County, one of six counties that tested the state’s $107 million voting system. Voters in the rest of the state will switch to the new system starting with the March 24 presidential primary. “An important part of the new voting system is the ability to audit with the use of paper ballots. This feature provides the confidence voters deserve,” Secretary of State Brad Raffensperger said. During the audit, four teams of two election workers each pulled a random sample of 80 ballots out of 1,550 cast in Cartersville. The teams read the printed-out text on the ballots and tallied the results in the race for mayor and a referendum on Sunday morning alcohol sales.

Georgia: Election officials investigate prominent critics | Ben Nadler/Associated Press

Georgia election officials have opened an investigation into two prominent critics of the state’s new touchscreen voting machines, secretary of state Brad Raffensperger’s office confirmed Wednesday. Those critics called the investigation an attempt to intimidate detractors of the new machines. Marilyn Marks, executive director of the nonprofit Coalition for Good Governance, and Richard DeMillo, a cybersecurity expert and Georgia Tech professor, are accused of “interfering with voters by being in unauthorized areas” of voting locations while observing pilot elections conducted on the new machines on Nov. 5. Raffensperger spokesman Walter Jones says the investigation was launched after complaints from “poll workers and voters” and that Marks and DeMillo were “in an area of the polling place where only voters and election officials are allowed to be.” Marks responded, “I have absolutely no idea what this could be about other than just an effort to try to discredit us, because much of what we observed was not pretty.” Marks said they worked with local election officials that day and hadn’t heard any concerns at the time. She said Raffensperger should be promoting open and transparent elections rather than “trying to make examples of people who want to exercise their right to learn more, who want to observe, who want to promote transparency.”

Hawaii: How The Counties Are Preparing For All-Mail Voting | John Burnett/Hawaii Tribune-Herald

Hawaii County Clerk Jon Henricks told state legislators Wednesday that the county will have a high-speed ballot sorting machine by February, which he said will give Hawaii Island elections workers “plenty of time” to prepare for the new voting-by-mail system that will be in place for the 2020 primary and general elections. “It’s a very good machine. We had staff come to view the City and County of Honolulu’s machine, and they were sold on it,” Henricks said during a joint informational briefing of the state Senate and House Judiciary committees in Honolulu. “They’re essential, I believe, when you move to voting by mail because of the number of ballots.” The vote-by-mail law, passed by the Legislature and signed June 25 by Gov. David Ige, is aimed at improving voter participation and ballot security. Officials also think the new system will save money in the long run. “We wrote this bill to expand voting hours and access, and make it easier for everyone to vote. We hope to see voter participation rise this coming election,” said Rep. Chris Lee, an Oahu Democrat and chairman of the House Judiciary Committee.

Indiana: St. Joseph County Election Board recanvasses ballots after finding discrepancies | Monica Murphy/WNDU

The St. Joseph County Election Board, along with its attorney and election consultants, recanvassed ballots after finding discrepancies in the number of ballots cast. They noticed a 41-ballot difference and found discrepancies in 32 polling places. “So, this is just giving us a little more breathing room, since there weren’t that many discrepancies. It wasn’t affecting any races. It was sporadic all over,” St. Joseph Circuit Court Clerk Rita Glenn said. Glenn said it could have been a lot worse, making clear the recanvass will not impact election results. Here is what happened: They said there were no issues with the election equipment itself; rather, the majority of issues came from ballot jams. When there is a jam, the machine will give a message to poll workers saying “ballot cast,” so that would have meant not to reinsert the ballot. The board chair said some poll workers probably misunderstood the message and may have reinserted the paper, counting it twice.

Missouri: Greene County experiments with process for verifying elections | KOLR

Greene County Clerk Shane Schoeller says election security is a top priority, which is why his team is double-checking the accuracy of its vote-counting machines. His office does this after every local election. This time though, they’re doing things differently. People from around Greene County witnessed and participated in the debut of a new election-auditing process: the risk-limiting audit. It’s a new election accuracy test using 20 multi-sided dice and real ballots from the most recent Greene County election. Schoeller says this method is much better than the state’s current post-audit process. He says when Greene County post-audits, no less than five percent of the polling locations of the casted ballots that day are evaluated. His new risk-limiting audit, however, looks at a much wider range of polling locations. He says this ensures the accuracy and election security he’s looking for.

North Carolina: Election security debate affects voters with disabilities | Jordan Wilkie/Raleigh News & Observer

When Damon Circosta, chairman of the state board of elections, voted in August to certify an elections equipment system opposed by local election security advocates, he said conversations with disability rights groups helped him make that decision. Circosta, whose vote broke a 2-2 tie, was in his first meeting as board chair. Carolina Public Press first asked Circosta on Aug. 23, the date of the meeting, about which disability rights groups he had talked with in making up his mind. A response, emailed by Board of Elections public information officer Pat Gannon, did not answer CPP’s question. Neither did records requests for communications between Circosta and any disability rights group or advocate. The records showed that one person, Lawrence Carter, president of the Raleigh/Wake Council of the Blind, submitted a written statement and made public comment, but his views were in opposition to the voting system Circosta voted to certify.

Pennsylvania: 2020 election votes are at stake as a Pennsylvania county plays a game of chicken with Gov. Tom Wolf | Jonathan Lai/Philadelphia Inquirer

Dauphin County, home of the Pennsylvania capital of Harrisburg, is starting a high-stakes game of chicken with the state. Republican county commissioners decided Wednesday not to buy new voting machines, defying an order from Gov. Tom Wolf, a Democrat, and all but daring him to take action against the county ahead of the 2020 election. Dauphin has been one of several counties that have resisted buying new voting machines, with its elections director saying the electronic machines used for more than three decades remain secure and usable. The two Republican county commissioners agreed Wednesday not to buy machines. (A third commissionerm a Democrat, did not attend the meeting.) Wolf said he ordered the statewide upgrade to make the voting machines more secure and tabulations verifiable.

Pennsylvania: Dauphin County resists Pennsylvania’s push for new voting machines | Marc Levy/Associated Press

A Pennsylvania county is signaling that it won’t go along with Gov. Tom Wolf’s insistence that counties buy new voting systems as a security measure in 2020’s election, when the state is expected to be a premier presidential battleground. Dauphin County Commissioner Mike Pries, a Republican, said Wednesday that he’s comfortable with the county’s old machines, particularly after hearing about paper jams, long lines and other problems in other counties that debuted new machines in last week’s election. Some of those new machines were under consideration by Dauphin County. “There’s an old saying: ‘If it’s not broken, don’t fix it,’” Pries said in an interview. “Our machines work, they’re fundamentally sound, we trust our machines, you cannot hack our machines.” Thus far, no other county in Pennsylvania has taken such a hard line against getting new voting machines, now seven weeks before the Dec. 31 deadline that Wolf gave counties to select new machines that have an auditable paper backup. Pennsylvania’s presidential primary election is April 28, and Wolf’s administration has warned lawmakers and county officials that it will decertify the counties’ old voting systems Dec. 31. His administration reiterated Wednesday it has not reconsidered that decision, although it is making exceptions for special elections to fill legislative vacancies before April.

Pennsylvania: ‘You should be pretty worried’: Fixing York County’s election system before 2020 votes | Logan Hullinger/York Dispatch

The maker of York County’s new voting machines pledged to have support on hand for all of next year’s elections after a tumultuous rollout of the system earlier this month that delayed election results for days. A representative for Dominion Voting Systems made the announcement Thursday, Nov. 14, during a debriefing that included the county commissioners, nearly all of the county’s state lawmakers, poll workers and election officials. Kay Stimson, the company’s vice president of government affairs, said Dominion also would work with county officials to reevaluate the number of machines needed in each of the 159 precincts. Based of the problems during the Nov. 5 municipal election, Lawmakers were particularly concerned about the 2020 voting — which includes a special election in January, the primary in April and the presidential contest in November. “If you voted in York, you should be pretty worried,” state Rep. Seth Grove, R-Dover Township, said after the meeting.

Australia: Flaws found in New South Wales iVote system yet again | Stilgherrian/ZDNet

The “Days since last vulnerability found” indicator for the iVote system used in New South Wales’ elections was reset to zero on Wednesday thanks to a new research note from University of Melbourne cryptographer Dr Vanessa Teague. Or rather, the software vendor was notified 45 days earlier to keep with the terms of the source code access agreement while the rest of us found out today. iVote was purchased from Scytl Australia, a subsidiary of Barcelona-based election technology vendor Scytl Secure Electronic Voting, and is based on the system used by SwissPost. In March this year, Teague and her colleagues Sarah Jamie Lewis and Olivier Pereira found a flaw in the proof used by SwissPost system to prevent electoral fraud. Later that month, they detailed a second flaw that could be exploited to result in a tampered election outcome. NSWEC claimed it was safe from the second flaw, and had patched the first. In July, NSWEC ordered Scytl to release parts of the source code in a bid to prove it contained no further vulnerabilities. Vulnerabilities have now been found. “I examined the decryption proof and, surprise, it can easily be faked while passing verification,” Teague tweeted on Wednesday morning. “This exposes NSW elections to undetectable electoral fraud by trusted insiders & suppliers, people who guessed the passwords of the trusted insiders, people who successfully phished the trusted insiders, etc.” Teague’s analysis is detailed in the 8-page Faking an iVote decryption proof [PDF]

United Kingdom: Hackers hit UK political parties with back-to-back cyberattacks | Jack Stubbs/Reuters

Hackers hit Britain’s two main political parties with back-to-back cyberattacks on Tuesday, sources told Reuters, attempting to force political websites offline with a flood of malicious traffic just weeks ahead of a national election. The attacks come after Britain’s security agencies have warned that Russia and other countries may attempt to disrupt the Dec. 12 vote with cyberattacks or divisive political messages on social media, a charge Moscow denies. The opposition Labour Party said on Tuesday morning it had “experienced a sophisticated and large-scale cyberattack on Labour digital platforms,” but that the attack was repelled and no data was compromised. Just hours later, the party’s website and other online services came under a second digital bombardment, followed by a third attack on the website of the governing Conservative Party shortly before 1600 GMT, according to two people with knowledge of the matter and documents seen by Reuters. The sources said there was currently nothing to link the attacks on either party to a foreign state. One of sources said the attack on the Conservatives was larger and appeared to be conducted by different hackers, but did not take down any party websites.