For more than a decade Verified Voting has supported and encouraged respectful public observation of the election process consistent with a state or jurisdiction’s regulations governing observers, and promoted transparency as a key element of reliable, evidence-based elections. Election observers should be free from harassment and intimidation. Observation enables parties, candidates, citizen groups and independent…
National: Report: Election Assistance Commission Grapples With Staffing, Budget Cuts | Alexa Corse/Wall Street Journal
The federal agency responsible for setting election security standards is grappling with key leadership vacancies and inadequate funding, a new report by a government watchdog office has found. The U.S. Election Assistance Commission, which is focused exclusively on the voting process, is struggling to help state and local officials bolster the security of their voting systems, the agency’s inspector general said in a report released Wednesday. The commission has sought to promote cybersecurity best practices and to serve as a central resource for state and local governments, which have the primary responsibility for administering elections. But the inspector general’s report says that the commission’s efforts are faltering amid staffing shortages and years of budget cuts. Two of the agency’s most senior officials—the executive director and general counsel—stepped down last month, and the agency has begun looking for their successors, the report said. The agency’s acting executive director and chief information officer, Mona Harrington, said in a letter to the inspector general dated Monday that the agency “concurs” with the findings about its troubles.
National: CISA and VotingWorks release open source post-election auditing tool | Catalin Cimpanu/ZDNet
The US Cybersecurity and Infrastructure Security Agency (CISA) and VotingWorks, a non-partisan, non-profit organization, have open-sourced today a tool for the post-election auditing process. Developed by VotingWorks and named Arlo, the tool is available on GitHub. It’s a web-based app designed specifically for the US election process where votes are tallied electronically using software or special machines. To safeguard the election process against hacked or faulty voting systems, the US government mandates that all counted votes go through a post-election audit to verify the results, in a process called a Risk-Limiting Audit (RLA). Arlo is designed to automate this auditing process by automatically selecting random voter ballots for the RLA process, providing auditors with the information they need to find those ballots in storage, helping officials compare audited votes to tabulated votes, and providing monitoring & reporting capabilities so that election officials and public observers can follow the audit’s progress and outcome. “The tool supports numerous types of post-election audits across various types of voting systems including all major vendors,” CISA said in a press release today. CISA did not develop Arlo — created by VotingWorks on its own — but the agency has adopted the tool and is currently working on convincing state election officials to deploy it before next year’s presidential election.
With election security firmly in place as the popular policy de jour on Capitol Hill in the ramp-up to the 2020 election cycle, House members from both sides of the aisle voiced support at a Nov. 19 hearing for more focus on cyberattacks targeting election infrastructure, with a particular focus on ransomware exploits. The hearing of the House Homeland Security Committee subcommittee on Cybersecurity, Infrastructure Protection, and Innovation featured testimony from officials in the Federal government, academia, and the private sector, but mainly targeted efforts the private sector is making to protect U.S. elections infrastructure and political campaigns from malicious actors. Subcommittee Chairman Cedric Richards, D-La., began the hearing by highlighting Russia’s malicious cyber activity in the 2016 elections, saying, “The Russian government’s covert malicious foreign interference campaign attacked every aspect of our elections.” He further pointed to two new countries he said are working towards attacking U.S. elections – Iran and China. Rep. Richards said those countries are “weaponizing new technologies to disrupt our democracy, distort the daily news, and compromise our election security.”
Expert witnesses warned Congress that the U.S. government has largely failed to address known security shortfalls leading up to 2020 and future elections.Much of the election security debate in Washington since 2016 has focused on improving baseline protections for voting machines, but witnesses at a Nov. 19 House Homeland Security Committee hearing noted that similar deficiencies also exist when it comes to protecting political campaigns from compromise by foreign intelligence services and preventing foreign and domestic disinformation. In his opening statement, Georgetown University professor Matthew Blaze noted that the current generation of voting machines used in U.S. elections were never designed to combat attacks or threats from adversarial foreign governments with the resources to penetrate the global supply chain or obtain software source code before it’s even shipped to election officials. “The intelligence services of even small nations can marshal far greater financial, technical and operational resources than would be available to even highly sophisticated criminal conspiracies,” Blaze said.
National: DHS cyber agency invests in election auditing tool to secure 2020 elections | Maggie Miller/The Hill
The Department of Homeland Security’s (DHS) cybersecurity agency announced Thursday it would partner with election officials and private sector groups to develop an election auditing tool that can be used to help ensure the accuracy of votes in 2020. DHS’s Cybersecurity and Infrastructure Security Agency (CISA) is partnering with non-profit group VotingWorks on an open-source software tool known as Arlo, which is provided to state and local election officials for free. According to CISA, Arlo conducts an audit of votes by selecting how many ballots and which ballots to audit and comparing the audited votes to the original count. The tool has already been used to conduct post-election audits across the country, including during the recent 2019 elections. Election officials in Pennsylvania, Michigan, Virginia, Ohio and Georgia have signed on to partner with CISA on Arlo, with more officials expected to join.
Jeanette Manfra, a senior cybersecurity official at the Department of Homeland Security, plans to step down from her position, according to multiple sources familiar with the matter. DHS officials are preparing an internal announcement about Manfra’s departure that could come as soon as this week, two sources told CyberScoop. Manfra has been a key liaison for the agency, speaking about cyberthreats to U.S. supply chains, election infrastructure, and industrial control systems to both the private sector and Congress. She has also represented DHS at top cybersecurity conferences like RSA and DEF CON. Over the course of her tenure, Manfra took on increasingly senior and cybersecurity-focused roles, culminating in her becoming assistant director at DHS’s Cybersecurity and Infrastructure Security Agency (CISA) last year. In a speech last year, she likened supply-chain vulnerabilities to a “digital public health crisis.” It was not immediately clear who would replace her. One source told CyberScoop that officials had a replacement in mind, but declined to say who that was.
Colorado: County clerks ask federal, state officials for cash | Charles Ashby/Grand Junction Sentinel
Colorado’s county clerks are asking state and federal lawmakers to send money, lots of it. In a letter Wednesday to the state’s two U.S. senators — Democrat Michael Bennet and Republican Cory Gardner — the Colorado County Clerks Association asked them to ask U.S. Senate leaders to make sure they include funding to ensure the state’s and nation’s election systems are protected from cyber attacks, among other things. “Despite extraordinary progress by state and local election officials to improve election security, upgrade equipment and implement audit procedures, critical vulnerabilities remain,” wrote Janice Vos Caudill, Pitkin County clerk and current association president. “Although Colorado leads the nation in secure election practices — for example, Colorado is the first U.S. state to require risk-limiting audits after each election — there is much more Colorado can do with additional federal money,” she added. “This funding needs to be earmarked specifically to harden local government systems in a comprehensive way.”
Iowa: 2012 election problem a window into ongoing voter dysfunction, county auditor contends | Jason Clayworth/Des Moines Register
An Iowa election reporting delay that occurred the night President Barack Obama won a second term underscores longtime and ongoing dysfunction in the state’s voter system, says a county auditor who has filed an elections complaint against the state. A spokesman for Iowa Secretary of State Paul Pate, a Republican, disputed the contention by Linn County Auditor Joel Miller, a Democrat. “It’s totally irrelevant to anything this office has done,” spokesman Kevin Hall said this week. The 2012 delay was the result of a glitch in free computer software Iowa received from South Dakota, records the Des Moines Register obtained last week from the Iowa Secretary of State’s Office show. Because of a software crash, results from 126 Statehouse races were delayed and the balance of power in the Iowa Legislature remained unclear until the day after the election. BPro — a South Dakota company that designed the software and was hired via a no-bid contract to customize the system for Iowa — agreed to pay the state $150,000 in “liquidated damages” for the problem in its election night reporting system and its related work, according to an August 2014 termination agreement and a company spokesman.
Louisiana: Louisiana was hit by Ryuk, triggering another cyber-emergency | Sean Gallagher/Ars Technica
In October, the Federal Bureau of Investigation issued a warning of increased targeting by ransomware operators of “big game”—targets with deep pockets and critical data that were more likely to pay ransoms to restore their systems. The past week has shown that warning was for good reason. On November 18, a ransomware attack caused Louisiana’s Office of Technology Services to shut down parts of its network, including the systems of several major state agencies. These included the governor’s office, the Department of Health (including Medicare systems), the Department of Children and Family Services, the Department of Motor Vehicles, and the Department of Transportation. Louisiana Governor John Bel Edwards activated the state’s cybersecurity response team. While some services have been brought back online—in some cases, within hours—others are still in the process of being restored. Most of the interrupted services were caused by “our aggressive actions to combat the attack,” according to Louisiana Commissioner of Administration Jay Dardenne. “We are confident we did not have any lost data, and we appreciate the public’s patience as we continue to bring services online over the next few days.”
Editorials: Averting a voting-machine disaster: New York must stay far away from election devices with a proven record of failure | Ritchie Torres/New York Daily News
Imagine spending millions of taxpayer dollars for brand-new voting technology. Then imagine the first time the machines are used in an election, they fail catastrophically. That’s what happened this month across the state line in one Pennsylvania county. How bad was it? Widespread and alarming were failures of this machine, an Election Systems & Software (ES&S) product called ExpressVote XL. Hypersensitive touchscreens picked candidates without voters actually touching the screens. Tick-marks next to selected candidates randomly disappeared. Some machines were unable to tabulate “yes/no” questions at all. In some races, there were “severe undercounts,” including one judicial candidate who received an implausible zero votes, according to the machine’s false reporting. Another candidate won by roughly 1,000 votes, but the ExpressVote XL machine reported 15 votes cast total. Amid the chaos that ensued in this low-turnout election, poll workers were forced to physically pry open the machines, pull out ballot papers and wait for scanners to arrive from outside the state to recount the votes. Weeks later, ES&S has still “has not determined root cause” of the malfunctions, and now reports indicate that lawsuits are likely to be filed against the company and the county. If this sounds like a nightmarish but distant scenario with no practical relevance to us, think again. In fact, if New York City Board of Elections Executive Director Mike Ryan gets his way, the voting technology that catastrophically failed in Pennsylvania will be heading to polling places in the five boroughs for next year’s presidential elections, when turnout will be through the roof.
Pennsylvania’s elections overhaul isn’t limited to deploying new voting machines and making sweeping changes to absentee voting and registration deadlines. Officials also are working on new post-election auditing procedures that employ statistical modeling. Test runs occurred earlier this week in Mercer County and are scheduled for Thursday in Philadelphia. Post-election audits already happen in Pennsylvania. State law requires counties to audit 2 percent of ballots cast – or 2,000, whichever is less – in each race. Other auditing criteria – such as sample ballot selection – are largely left up to county election officials. That’s expected to change in 2022. The state agreed to implement a more robust post-election audit system — called risk-limiting audits — as part of the settlement of a lawsuit brought by 2016 Green Party presidential candidate Jill Stein. “The process that’s in place now is practically meaningless,” Stein’s spokesman Dave Schwab wrote in an email Tuesday. “In contrast, risk-limiting audits are designed to use the paper records to ensure that the machine count didn’t produce the wrong winner.”
Pennsylvania: Northampton County voters want refund for ExpressVote XL voting machines | Jeff Ward/WFMZ
Northampton County should get back the $2.88 million it spent on voting machines, residents told County Council on Thursday night. The ExpressVote XL machines used for the Nov. 5 election had touch screens that were too sensitive, did not record all votes electronically, and the backup paper ballots that were displayed to voters to confirm their choices were hard to read. The county bought machines from Election Systems & Software after Pennsylvania required voting machines that would thwart hacking and provide a paper backup to electronic tallies. “We really need to get our money back,” Gail Preuninger of Bethlehem Township said. Deborah Hunter, who served on the county’s election commission and opposed selection of Election Systems & Software’s machines, said the vendor broke its contract. “I will not use this machine,” said Roger Dreisbach-Williams of Williams Township. He said he will vote via a paper ballot next time, perhaps as an absentee voter.
Editorials: Hand-marked Paper Ballots: How this Tried-and-True Method Makes Us More Secure | Bennie J. Smith/Memphis Commercial Appeal
In 2016, Facebook CEO Mark Zuckerberg shared a photo on Instagram (owned by Facebook) to celebrate Instagram’s historic milestone of reaching 500 million users. Though Zuckerberg was excited to share his company’s success, headlines instead focused on the unintended revelation that his laptop’s webcam and mic were covered with tape. As one of the greatest high-tech inventors, he knows the dangers of modern technology and reveals his simple low-tech method of protection from hackers. One thing is clear, he doesn’t blindly trust technology, and neither should you.We’ve blindly trusted voting technology until it recently came under intense scrutiny. Many technologists, concerned citizens and others now want to replace voting machines with hand-marked paper ballots to record our votes. Combined with post-election audits, these low-tech methods provide evidence that voters’ choices were counted correctly when tabulated. If you think about it, paper marked by a human is immune to any virus since no computer is involved. It’s your starting line in an election, with its most important fact (true voter intent) undeniably created by you. Your available choices and who you chose are both verifiable and documented. Voters unable to mark a ballot by hand will need ballot-marking device choices.
Virginia: State Board of Elections Approves 2020 Election Cybersecurity Standards | The Fredericksburg Free Lance-Star
The Virginia State Board of Elections on Monday unanimously passed minimum security standards for all Virginia elections administrators to follow beginning next year. In 2019, the General Assembly passed HB 2178, calling for new, modern cyber security standards that must be met throughout the Commonwealth before systems are allowed to access Virginia’s election database, according to a news release from the state board. Since July, the Department of Elections along with a workgroup comprised of local government IT professionals and general registrars have met to compose a list of standards that will help to ensure the integrity of Virginia’s voter registration system. These new minimum security requirements for election administrators include, but are not limited to: setting new standards for creating secure passwords, requiring an increased emphasis on utilizing anti-virus protection on their election systems, and developing and training on incident response plans, the release stated.