Pennsylvania: How Pennsylvania’s election security lawsuit settlement led to the last minute challenge of the state’s top-selling touchscreen voting machine | Emily Previti/PA Post

Three Pennsylvania counties could end up scrambling to replace brand new voting machines before the 2020 election – a situation stemming largely from the loose terms of the 2018 legal settlement that mandates new voting machines across the state. Plaintiffs led by former Green Party presidential candidate Jill Stein say one system in particular never should have been certified in the first place and are asking a federal judge to force the state to decertify it. The ExpressVote XL doesn’t meet the agreement’s requirements for paper-based systems that produce auditable results and let voters verify ballots before they are cast, they claim. The Stein plaintiffs made their move about a month ahead of the year-end deadline for Pennsylvania counties to buy new machines, and well after most counties already spent or committed more than $150 million to buy machines certified by the Pennsylvania Department of State. It also comes amid Northampton County’s investigation into why the XL tabulated results incorrectly in some races in the Nov. 5 general election. Philadelphia debuted the machines that day, too, with comparatively minor issues. Stein spokesman Dave Schwab says they’re acting at this juncture, in part, because the settlement requires the parties to attempt to resolve any differences among themselves before seeking court intervention.

National: Several election security provisions are in the massive defense bill | Andrew Eversden/The Fifth Domain

The National Defense Authorization Act released Dec. 9 contains several provisions aimed at securing U.S. election infrastructure months before presidential primary season is in full-swing. The provisions in the compromised conference report mandate a broad range of election-related steps, from an assessment of foreign intelligence threats to U.S. elections to allowing top state election officials to receive Top Secret security clearances. The security clearance language is good news for the information-sharing relationship between the the federal government and state election officials, who don’t have proper clearance to view high-level intelligence related to election infrastructure cyberthreats. Throughout the 2016 election, the Department of Homeland Security and the FBI had a fraught information-sharing relationship with the states. In the years since, top federal election officials have consistently said information sharing needed to be improved, and while officials say it has been, the clearance problem was still a hindrance.

National: RNC, DNC bank on Duo authentication ahead 2020 election | Shannon Vavra/CyberScoop

The Republican National Committee is relying on authentication tools and careful social media behavior in order to avoid a devastating data breach like the kind that derailed its Democratic counterparts in 2016. The RNC, which develops and promotes the party’s platform and currently supports President Donald Trump’s re-election campaign, is banking on Duo Security, which specializes in multi-factor authentication, to keep state-sponsored hackers out of party accounts, according to recent Federal Election Commission filings. Even if a user’s password credentials are stolen, an extra layer of authentication can ensure that only the legitimate account holder could access his or her communications. Since March of this year, the RNC has paid just over $1,000 per month to Duo, according to FEC filings. The RNC started using Duo in 2016, just days before the election. And it’s not just email account access the RNC is trying to protect — the RNC uses multiple layers of authentication to protect other user accounts, both personal and professional, too, according to Mike Gilding, the deputy director of information technology at the RNC. The approach reflects the urgency with which both major political U.S. parties must adopt even basic cybersecurity measures after Russian hackers accessed email accounts belonging to key members of the Democratic National Committee in 2016. Another similar attack against either party could disrupt what is shaping up to be a particularly contentious U.S. election season, as impeachment proceedings against the president move forward. The DNC and RNC have a lot to safeguard, including polling data, candidate research, campaign funding, and election strategies.

National: Russia’s efforts to target U.K. elections a stark warning for 2020 | Joseph Marks/The Washington Post

An alleged Russian influence campaign to undermine this week’s British elections shows how tough it will be to keep foreign influence out of the 2020 U.S. contest. Russian-backed accounts on Reddit actively worked to boost the trove of documents appearing to detail key U.S.-U.K. trade negotiations that have been gaining traction over the internet for months, the social sharing site revealed Saturday. It’s not clear whether the documents were leaked or hacked, but Britain’s opposition Labour Party, has been using the seemingly genuine documents to slam the ruling conservative party for considering giving U.S. companies far more influence over Britain’s popular state-run National Health Service as part of a post-Brexit trade deal. It’s yet another example of Russia’s powerful digital army allegedly seeking to influence the outcome of a Western election — and it offers a stark reminder of how influence operations can be highly effective even before they’re identified. This dramatically undermines government and industry efforts to blunt their power or hold off their spread.

National: Multistate voter database suspended in lawsuit settlement | Roxana Hegeman/Associated Press

A much-criticized database that checks whether voters are registered in multiple states has been suspended “for the foreseeable future” until security safeguards are put in place as part of a settlement of a federal lawsuit, a civil rights group said Tuesday. The Interstate Crosscheck program was the subject a class-action lawsuit by the American Civil Liberties Union of Kansas on behalf of 945 voters whose partial Social Security numbers were exposed by Florida officials through an open records request. Kansas has operated the multistate program since 2005, although the program hasn’t been used since 2017 when a Homeland Security audit discovered security vulnerabilities. The settlement includes a list of safeguards the state has agreed to implement to protect voter’s personal information before the program can resume, the ACLU said in a news release.

Editorials: Election security: Oversight of vendors is lacking | Pittsburgh Post-Gazette

Well-documented Russian meddling in U.S. elections demands keen concern for the protection of election integrity. This concern should rise to the level of immediate action in light of a new report verifying the lack of federal oversight of the private companies that make voting equipment. The Brennan Center for Justice, which is based at New York University School of Law, reported that three companies provide more than 80% of the voting systems in the U.S., yet they lack meaningful oversight, leaving the electoral process vulnerable to attack. A cyberattack against any of these companies could have deep consequences for elections across the country. Other systems that are essential for free and fair elections, such as voter registration databases and electronic pollbooks, also are supplied and serviced by private companies. Yet these vendors, unlike those in other sectors that the federal government has designated as critical infrastructure, receive little or no federal review, the Brennan Center found. Oversight is needed. Federal standards must be set. Congress should establish a framework for certification of election vendors.

Kentucky: Officials Say Online Voting Not Coming Soon | Jacob Mulliken/Government Technology

The discussion about a digitized polling system has election officials and experts throughout the nation stepping up to avoid a potentially crippling move for the American electoral system, said Kentucky Secretary of State-elect Michael Adams. “I think concerns, especially surrounding hacking, are well-founded right now,” he said. “People want to confirm that their vote can’t be hacked and that the machine tallies the votes offline and that they are collected and processed, offline. The most secure elections are cast in person because there are checks and balances requiring some sort of identification and oversight. When you see fraud, and we have it, it most often happens outside of the purview of election officials. “An online method system out west may work where there is less history of election fraud, but not in places like Kentucky where fraud is still endemic. Internet voting in Kentucky is not anywhere near ready for primetime.”

Pennsylvania: What went wrong with Northampton County’s voting machines? The analysis is done. | Kurt Bresswein/Lehigh Valley Live

Election night, Nov. 5, came and went in Northampton County without any word on who had won and who had lost. County elections officials had to count ballots through the night, after apparent problems with electronic tabulation on the new Election Systems & Software (ES&S) ExpressVote XL machines in use for the first time. ES&S has now completed its analysis into what went wrong, and the results are set for release during a news conference Thursday afternoon at the county courthouse in Easton, county officials said Tuesday. County Executive Lamont McClure and Adam Carbullido, senior vice president of product development at Omaha-Nebraska-based ES&S, are scheduled to discuss the analysis. McClure’s administration and a representative of ES&S declined to detail any of the findings in advance of Thursday. “A team of experts from ES&S began examining Northampton County voting machines on Dec. 5 after the court-ordered impoundment was lifted,” ES&S said in a statement Tuesday. “During this examination, ES&S applied to Northampton machines the work it conducted at its main facility over the last several weeks to replicate and correct the human errors that caused the Northampton issues. After having the opportunity to review the machines in person, we look forward to sharing our diagnoses on the Election Day issues during Thursday’s meeting.”

Pennsylvania: State warns Dauphin County over defying voting machine edict | Marc Levy/Associated Press

A Pennsylvania county is being told it would lose out on millions of dollars in aid and almost certainly be sued by the state if it refuses to take action to buy new voting machines before Dec. 31, county officials said Monday. Dauphin County Commissioner Mike Pries said that was the message delivered to him during a meeting with Gov. Tom Wolf’s top elections officials last week, a message strong enough to change his mind. “Certainly the message from the state has been received loud and clear,” Pries said. In addition to the threat of a state lawsuit, Dauphin County would be unable to share in state and federal aid to help with a purchase that could exceed $5 million, county officials said. That aid could account for roughly 70% of each county’s tab. As a result, Pries said he has decided to vote to buy new voting machines, seeing it as the best option for the county’s residents and taxpayers. It is just a question of settling on which machine to buy, he said. A spokeswoman for Wolf’s Department of State declined comment Monday. Dauphin County’s other two commissioners have yet to meet with Department of State officials.

Rhode Island: Elections board discusses voter-system security | Katherine Gregg/Providence Journal

Voting by email. Upgrading the modems used to transmit election-day vote tallies.  Unmasking the donors hiding behind names like “The Coalition to Make Our Voices Heard” who pour money into campaigns. On a day Russian interference in past U.S. elections again made news, Rhode Island election officials waded into this quagmire without making any final decisions on what to do next. For example, they briefly weighed the pros and cons of allowing overseas voters — such as members of the military — to cast their R.I. election ballots from afar by email. The idea was shelved — at least for now — pending more study, after one member after another of the state Board of Elections voiced concern about the security of ballots cast in this fashion, despite assurances the ballots would be sent to a dedicated “address.” “I think we need to look very carefully at the security issues,” said the vice chairman, Stephen P. Erickson. It was unclear who authored the email-voting proposal that appeared on the board’s agenda, alongside a proposal to upgrade from 3G to 4G the modems the state uses on election-day to transmit results to state Board of Elections headquarters. That proposal too was put on hold — until next week — amid warnings from Brian Tardiff, the information security officer for the state’s Division of Information Technology, that making public all of the findings of a cybersecurity analysis of Rhode Island’s election system could put the system at risk.

Texas: Ahead Of 2020, Voting Group Warns Most County Election Websites In Texas Are Not Secure | Ashley Lopez/KUT

Almost 80 percent of county election websites in Texas are not secure ahead of the 2020 presidential primary, according to a report from the League of Women Voters of Texas. Before every major election, the nonpartisan voting group says, it looks through the state’s 254 county election websites to make sure they have the information they are legally required to have, that the information is easy to find and that it’s easy to read. League of Women Voters of Texas President Grace Chimene said as the group conducted this review, it found a glaring issue. “One of things that stood out to us is that there is a definite problem with website security,” she said. “I was really surprised. I was totally shocked that this is a problem.” In particular, Chimene said, 201 of the 254 sites don’t have https in their URLs, signaling the website is secure. “This is just the most simple thing to fix and it hasn’t been fixed,” she said.

New Zealand: Much awaited report on combatting foreign interference in elections delivered | Charlie Dreaver/Radio New Zealand

Parliament’s Justice Select Committee has released its results of its inquiry into the 2017 General and 2016 Local elections. The report covers a number of areas including allowing spy agencies to vet potential political candidates. Ahead of the 2017 general election the GCSB and the SIS drew up a protocol for managing foreign and cyber-security threats but they didn’t need to use it. But the Justice Select Committee said that was no reason to be complacent. It’s suggesting intelligence agencies should give advice about a particular candidate if the party asks for it. It wanted the agencies to be giving more advice in general about possible foreign interference. The committee’s deputy chairperson, National MP Nick Smith, pointed to the risks of what’s called “astroturfing” on social media.

Nigeria: National Electoral Commission says electronic voting not yet feasible | Eric Ikhilae/The Nation Newspaper

The National Electoral Commission (INEC) has said electronic voting systems could only be introduced into the nation’s electoral process when the nation was sure of the appropriate technologies, provide infrastructure, to address cyber security, among other challenges. According to INEC Chairman, Prof Mahmood Yakubu, the country was not there yet. He was however confident that his agency could achieve electronic collation of results (e-collation) and electronic transmission of results (e-transmission) during the next election circle in 2023. Mahmood spoke in Abuja on Monday at the Nigeria Civil Society Situation Room (NCSSR) stakeholders’ forum on elections. NCSSR is a coalition of civil society organisations, led by Clement Nwankwo, the Executive Director, Policy and Legal Advocacy Centre (PLAC). The INEC Chairmen, Deputy Senate President, Snetor Ovie Omo-Agege and the Minister of Justice and Attorney General of the Federation (AGF), Abubakar Malami were unanimous on the need to review the nation’s Electoral Act before the next election season and particularly, the importance of creating the much-requested Electoral Offences Commission.

United Kingdom: Britain’s Spies Probe Russian Election Meddling | Jamie Dettmer/VoA News

Britain’s cybersecurity agency is investigating whether state-sponsored Russian hackers were behind the leaks of British government documents used by opposition politicians to embarrass Boris Johnson’s ruling Conservative Party ahead of Thursday’s general election. The official probe into the origin of the leaked material — which included documents detailing discussions between British and U.S. negotiators on a possible post-Brexit transatlantic trade deal — comes days after the social media site Reddit announced it had blocked 61 accounts linked to the dissemination of the documents after investigating suspect activity bearing similarities to previous Russian online influence operations. The leaked documents were used by Jeremy Corbyn, leader of Britain’s main opposition Labour Party, as “evidence” that the Conservatives might include the country’s public health service in any future trade deal with the United States — a claim firmly denied by British Prime Minister Johnson. Corbyn, other Labour leaders, as well as Scottish nationalists, have contended that the Conservatives will “sell off” the National Health Service to American companies in order to secure a trade deal.

United Kingdom: Poll Hacks: How Cybercriminals Aim To Disrupt Elections | David Warburton/Information Security Buzz

The UK general election is almost upon us, and it is already turning into one of the most divisive and analysed political events in the country’s history. Discourse and debate are reaching fever pitch, from parliamentary benches and constituency doorsteps, to every conceivable media platform in play. It is no surprise then that an air of online volatility persists more than usual. At this moment in time, every new election is likely the most tech-enabled and at risk addled yet. Labour was most recently under the cybersecurity cosh, enduring what it termed as “sophisticated and large-scale” attempt to knock out its digital systems earlier in the month (it turned out to be a set of distributed denial-of-service (DDoS) attacks). Just the other day, Labour candidate Ben Bradshaw also claimed to be a victim of a suspected cyber-attack when he received an email with sophisticated malware attachments. These are politically unprecedented times and the UK’s National Cyber Security Centre knows it. Last year, the government-backed organisation issued a direct warning ahead of local elections, citing potential “insider activity” attempting to “manipulate or compromise electoral information.” Similar warnings are in place for 2019. There are many ways to knock an election off course. Below are some of the main existing and emerging cyber threats to bear in mind as we head to the polls this week.  It is, however, worth noting that variations of these methods are possible throughout the year as hackers opportunistically hijack political developments in real-time.