National: The voting machine certification process is making it harder to secure elections | Chris Iovenko/Slate

A judicial election in Northampton County, Pennsylvania, in November produced a literally unbelievable result. About 55,000 votes were cast on newly purchased electronic voting machines, but only 164 votes were registered for the Democratic candidate. Luckily, the touch-screen machines produced a backup paper trail, which allowed for an accurate recount. Ultimately, the Democrat won by some 5,000 votes. The root cause of this systemic vote switching is still under investigation. Whatever the case, though, the mass malfunction of these machines highlights the reliability and security issues around electronic voting systems that are mostly already primed for use in the 2020 elections. As disturbing as the Northampton County miscount is in its own right, it throws into relief a grave general issue that applies to voting systems across the country. One would hope that whatever glitch or virus, once identified, that caused the massive malfunction will be quickly and easily fixed, patched, or updated so that those machines can be relied upon to work properly going forward. Further, one would also assume that other vulnerable voting systems around the country will be updated prophylactically to prevent similar malfunctions in next year’s elections. However, neither of those things is very likely to happen. Our current regimen for certifying electronic voting systems makes changing or updating election systems in the run-up to an election very difficult—and as Election Day 2020 gets closer, that maintenance becomes virtually impossible.

National: Just How Regulated Are Our Nation’s Elections? | Hadley Hitson/Fortune

The U.S. federal government subjects nearly every industry to a slew of operational rules and regulations. Defense contractors are prohibited from utilizing certain Chinese telecommunications companies like Huawei in order to prevent theft of the nation’s military technology. Power companies must abide by mandatory reliability standards and report any attempted or successful breaches of their systems to a federal commission. National banks implement federally required security procedures to prevent robberies. These sectors are meticulously managed with hundreds of requirements specifically because the Department of Homeland Security considers them so vital that their incapacitation would have a “debilitating effect” on the country as a whole.  But when it comes to elections, a cornerstone of American democracy, the vendors whose voting equipment is used throughout the country largely lack the level of federal oversight and direction that protect other critical infrastructure industries from domestic and foreign interference.

National: What Is Election Hacking, and Can It Change Who Wins? | Kartikay Mehrotra & Andrew Martin/Bloomberg

Americans have relied on computers to tally votes since at least 1964, when two Georgia counties used them to count punch-card ballots in a primary election. Over time, high-tech election systems largely supplanted paper ballots and gear-and-lever machinery, a trend hastened by the contested 2000 presidential election between George W. Bush and Al Gore. (Remember hanging chads?) But ever-greater reliance on digital voter registration, electronic voting and computerized tabulation has created the opportunity, at least, for hackers to sabotage elections, and Americans aren’t the only ones who are fearful.

1. What is meant by ‘election hacking’?

It’s sometimes used as a catch-all phrase to encompass all sorts of underhanded efforts to subvert elections, including the type of social media disinformation campaign undertaken by Russia to taint elections in the U.S., Europe and Africa. But in its most literal form, election hacking refers to computer breaches that are intended to manipulate voter data, change a vote tally or otherwise discredit tabulated results.

National: In a bid for better security, elections are going analog | Christian Buckler/Marketplace

Gary Scott can tell you a lot about the internet. Or rather, how little of it his machines are connected to. “There’s always some barrier between these machines and any online systems,” said Scott, the general registrar and director of elections for Fairfax County, Virginia. Standing next to one of several DS200 voting machines set up for training purposes in the Office of Elections in Fairfax County, he emphasized that none of the fleet of voting machines he oversees have ever been connected to the internet. Neither have any of the computers used to program them, nor the machines that will receive the final vote count. The most surprising piece of technology involved in Fairfax’s voting approach might well be the oldest one: paper. “We got a lot of resistance from the public because they wanted to know why we were going ‘backwards’ to paper, but it’s a much more secure method of doing it,” Scott said. Fairfax County initiated a move toward paper ballots years before Virginia decertified paperless voting machines across the state, aligning with the latest shifts in thinking about election security—both in the U.S. and abroad. The embrace of paper by districts like Fairfax marks a change in the nationwide trend toward electronic voting infrastructure that can be traced back to the Help America Vote Act of 2002.

National: Ukraine claims threaten Senate consensus on Russian hacking | Joseph Marks/The Washington Post

A tenuous Senate consensus on the dangers of Russian election hacking is being threatened by the GOP’s embrace of President Trump’s debunked argument that Ukraine also interfered in 2016. Numerous Senate Republicans promoted that argument this week, bucking the conclusion of U.S. intelligence officials and ignoring warnings the claims are part of a Kremlin-backed effort to muddy the waters on Russia’s own interference. “There’s no question in my mind Ukraine did try to influence the election,” Sen. John Neely Kennedy (R-La.), one of Trump’s most vocal supporters on the issue, said yesterday. Senate Democrats also struck back. “The only people who are advancing the discredited theory about Ukraine and intervention are part of the continuing Russian disinformation campaign,” Sen. Mark R. Warner (Va.), ranking Democrat on the Senate Intelligence Committee, said. The conflict is a sea change for the Senate, which has generally maintained a bipartisan consensus on the singular damage caused by Russia’s 2016 hacking and disinformation campaign and the danger of a repeat in 2020 — even as House GOP lawmakers have proved far more willing to follow Trump’s lead in questioning Russia’s role in the attacks and embrace conspiracy theories. The shift could prove especially damaging as the legislative clock ticks down to 2020. The Senate is still considering election security measures, including providing more money for states to upgrade their voting systems and to impose new transparency requirements on political advertisements.

National: Email Infrastructure Seen as Lingering Vulnerability for Elections | MeriTalk

New research shows that email is still a weak link in U.S. election infrastructure, with only five percent of the nation’s largest counties protecting election officials from impersonation attempts. The latest research from Valimail finds that an “overwhelming majority of cyberattacks can be traced to impersonation-based phishing emails,” with 90 percent of attacks involving phishing, and 89 percent of phishing involving impersonation. Valimail looked at Sender Privacy Framework (SPF) and Domain-based Message Authentication, Reporting & Conformance (DMARC) status for 187 domains that were used by election officials in each state’s three largest counties. The researchers then sought to determine whether each domain is protected from impersonation attacks by a correctly configured DMARC record with a policy of enforcement.

Florida: Website hack could be as bad as vote attack, warns Florida official | Mary Ellen Klas/Tampa Bay Times

Florida’s top election official on Tuesday warned that attackers could attempt to disrupt elections without even breaking into the voting systems — by simply changing the results on election websites. Secretary of State Laurel Lee told the governor’s Cybersecurity Task Force that Florida’s elections tabulation system is secure, but state and county elections websites “are far more vulnerable to being attacked or defaced and pose a very real threat, not of changing election results, but of undermining voter confidence.” “If our website is defaced such that it reflects that the losing candidate won, and I have to go out the next morning and explain to the press and the public that the actual winner was the other candidate, we’ve lost critical public trust,’’ Lee told the group meeting at Florida International University in Miami. To address that possibility, Lee said the department is “working very hard to secure those sites and stay on top of evolving threats and tactics to keep them secure.”

Georgia: Groups warn of hidden costs of new Georgia voting machines | Mark Niesse/The Atlanta Journal-Constitution

Georgia taxpayers could be saddled with tens of millions of dollars in hidden costs for new voting machines, according to calculations released Wednesday by three groups critical of the state’s election spending. The groups, which span the political spectrum, said a $104 million contract for a new statewide voting system fails to provide enough money for voting machines, equipment, software and personnel, resulting in an estimated $82 million shortfall. The Georgia secretary of state’s office responded that the groups’ estimates are incorrect, the voting system is within its budget, and the state government has already ordered 3,000 additional machines to meet voters’ needs. The cost analysis was produced by Fair Fight Action, a voting rights group founded by former Democratic nominee for governor Stacey Abrams; FreedomWorks, which advocates for free markets and small government; and the National Election Defense Coalition, an election security organization. “By imposing this unfunded mandate, the secretary of state has put all 159 counties in a position of either enacting massive local tax hikes or facing widespread lawsuits at taxpayer expense,” said Jason Pye of FreedomWorks.

Ohio: Russian-owned company caught trying to hack Ohio voting systems on Election Day | Igor Derysh/Salon

A Russian-owned company tried to hack the Ohio office that oversees the state’s voting systems on Election Day, according to Ohio Secretary of State Frank LaRose. LaRose told the Columbus Dispatch that the state’s internal systems detected an “SQL injection” attack that attempted to insert malicious code onto his office’s website. LaRose said that the attack originated in Panama but was traced back to a Russian-owned company. He downplayed the attempted hack as “relatively unsophisticated.” “Some of these unsophisticated attacks are ways that they probe for vulnerabilities. They are poking around for soft spots,” LaRose explained. He went on to credit the state’s “Albert” alert system that quickly identified the attack. “The good guys won that day and the bad guys lost,” he said. LaRose said that similar attacks are designed to disrupt or undermine the credibility of elections but he is confident that hackers cannot access voting machines because they are not connected to the internet. LaRose’s announcement came several months after Florida Gov. Ron DeSantis revealed that Russian hackers had breached the voting systems of two counties in the state in 2016, though he said there was “nothing that affected the vote count.”

Pennsylvania: ES&S to report on Northampton County voting machine problems | Jeff Ward/WFMZ

Northampton County’s voting-machine vendor will report next week on what went wrong during the November election and how it can be fixed. The ExpressVote XL machines used Nov. 5 led to long lines and frustration at the polls because the touchscreens were too sensitive and the backup paper ballots were hard to read. Election Systems & Software (ES&S), maker of the machines, will be at Northampton County Council’s next meeting. “ES&S was in Northampton County today reviewing our voting systems,” County Executive Lamont McClure told the council at its Thursday meeting. “They will come next Thursday and tell you what they found and the fixes.” The next council meeting will be Dec. 12 at 4:30 p.m. at the government center. McClure and Council President Ronald Heckman have insisted that ES&S identify and fix what went wrong before the next election. The county paid $2.88 million for the machines after Gov. Tom Wolf required systems across Pennsylvania that would thwart hacking and provide a backup paper trail. Despite the problems, McClure has said the election was fair and accurate because the backup worked.

Pennsylvania: Misplaced votes mean new rules for Erie County poll workers, officials | Matthew Rink/GoErie

After the polls closed on Nov. 5, poll workers at Kury Hall in Millcreek Township suspected that something was amiss. Like all poll workers at the county’s 149 precincts, they were responsible for inserting a device called a PEB that records the votes from a flash drive on each machine and “closes out” the machine so that no additional votes can be recorded. When the PEB generated the results at Millcreek’s 4th Precinct, though, poll workers suspected that it had shown too few votes. “They had some sense that their number of total votes wasn’t correct,” Erie County Clerk Doug Smith said. “But they thought it would all come out in the wash. They didn’t think it was a serious thing and that we would catch it when we did the audit.” What followed was a perfect storm, Smith said, of poor communication between poll workers themselves and between poll workers and elections officials stationed at the Erie County Courthouse. It would result in roughly 400 votes not being tabulated on either Election Night or during the final audit, or count, conducted by elections officials days later. In fact, were it not for the razor-thin margin between Erie County Controller Mary Schaaf and her challenger, Erie County Councilman Kyle Foust, the controller-elect, the missing votes might never have been counted.

Tennessee: Voting Machines Challenged at Sixth Circuit | Kevin Koeninger/Courthouse News

An elections advocacy group urged a Sixth Circuit panel Tuesday to reinstate its case against the Tennessee Election Commission based on claims that one county’s electronic voting machines and software have created an inherently insecure system. Shelby County Advocates for Valid Elections, or SAVE, and several individual voters sued Tennessee Secretary of State Tre Hargett, the state’s election commission and the Shelby County Election Commission five days before early voting began in Shelby County for the November 2018 election. SAVE alleged the AccuVote-TSx R7 direct-recording electronic voting machines and Diebold GEMS voting software utilized by Shelby County fail to meet statutory requirements because they do not create a “voter verified paper audit trail,” and store votes solely on removable memory cards. The group’s complaint alleged election results are subject to manipulation because of their digital-only nature, which could result in the disenfranchisement of voters in the county with the state’s largest black population.

Tennessee: Likely no paper trail for voting in Memphis on Super Tuesday | Jonathan Mattise/Associated Press

Tennessee’s largest county probably won’t have new voting machines that create a voter-verifiable paper trail in place for the presidential primary election on March 3, an attorney for the state said Tuesday. Janet Kleinfelter of the Tennessee attorney general’s office discussed the timeline to implement the new machines in Memphis-anchored Shelby County during a federal appellate court hearing Tuesday. The hearing involved a lawsuit that has challenged the security of Shelby County’s voting machines. Kleinfelter said the machines will be in place by August, when state and federal primaries are held. Previously, Shelby County Elections Administrator Linda Phillips’ office said the goal was to start using the machines in the Super Tuesday elections. Shelby County commissioners have approved funding for the machines, which are expected to cost $10 million to $12 million. The county is now going through the procurement process, Kleinfelter said.

Wisconsin: Heading Into 2020, Election Security In Wisconsin Remains At Forefront | Maayan Silver/WUWM

In this tech-heavy world, it’s a new landscape when it comes to election security. Nation states like Russia could be poised to hack voting machines or systems. And Wisconsin clerks in small towns and municipalities — often with no information technology department — must make sure elections are secure. So, over the last few years, the Wisconsin Elections Commission has implemented more election security measures. They include: a cybersecurity training program, multifactor authentication for people who access the state election management system and voter list (WisVote), and a grant program where qualified election clerks get up to $1,200 in federal funding to buy new computers or update operating systems. At Monday’s meeting of the commission, administrator Meagan Wolfe summarized her staff’s efforts for election commissioners: “One of the major ones is alerting and educating clerks about the importance of having a .gov email address or an HTTPS website, especially for our county clerks,” she says.

Australia: Electoral hackers facing security blitz | Paul Osborne/Associated Press

Federal police and national intelligence agencies could monitor state and territory elections next year to ensure they aren’t hacked or hijacked by fake news. The Northern Territory goes to the polls on August 22 next year, followed by the ACT on October 17 and Queensland on October 31. An electoral integrity task force has so far overseen the NSW and federal elections and will turn its attention to future polls, a parliamentary committee heard on Friday. Jeff Pope, from the Australian Electoral Commission, told the hearing – when asked by Greens senator Larissa Waters whether the May federal poll was affected by hackers – nothing had affected the commission’s systems. However, the task force’s activities did result in AFP investigations and provided advice on social media posts which were not properly authorised, with subsequent action taken to take them down.

Russia: U.S. Targets Russian ‘Evil Corp’ Hacker Group With Sanctions, Indictments | Ian Talley & Sadie Gurman/Wall Street Journal

The Trump administration Thursday placed a $5 million bounty on the leader of a Russian hacker group called Evil Corp for his alleged work for Moscow’s intelligence agency, part of what U.S. officials say is a broader reprisal for a Kremlin-directed cyber offensive against the U.S. The State Department’s action against Maksim Yakubets coincides with Treasury Department sanctions and indictments by the Justice Department and the U.K.’s National Crime Agency against core members of the group, which is accused of orchestrating the theft of more than $100 million from more than 300 banks in the U.S. and dozens of other countries. The cyber theft, using malware that stole credentials and passwords, isn’t believed to be directed by Russian intelligence, though a senior administration official said the activities couldn’t have been carried out without the knowledge of the Russian government. But the Treasury Department said Mr. Yakubets was conducting separate work for Russia’s Federal Security Service as of 2017, and was seeking a license to handle classified intelligence with the agency in April of last year. The State Department bounty is for information that leads to the capture or conviction of Mr. Yakubets.

United Kingdom: Labour’s Ben Bradshaw claims he was target of Russian cyber-attack | Luke Harding/The Guardian

The Labour candidate Ben Bradshaw has said he has been the victim of a suspected Russian cyber-attack after he received an email from Moscow with attachments containing sophisticated malware. Bradshaw – who has repeatedly raised the subject of Kremlin interference in British politics, including in the EU referendum – received the email at his election gmail address. The sender – “Andrei” – claimed he was a whistleblower from inside Vladimir Putin’s presidential administration. The email contained several apparently genuine documents. They showed how the Kremlin has set up a secret “fake news unit” in Russia’s far east region which is used to suppress negative stories and to boost pro-government sentiment. However, two of the documents carried malicious code.