National: Chinese parts, hidden ownership, growing scrutiny: Inside America’s biggest maker of voting machines | Ben Popken, Cynthia McFadden and Kevin Monahan/NBC

Just off a bustling interstate near the border between Nebraska and Iowa, a 2,800-square-foot American flag flies over the squat office park that is home to Election Systems & Software LLC. The nondescript name and building match the relative anonymity of the company, more commonly known as ES&S, which has operated in obscurity for years despite its central role in U.S. elections. Nearly half of all Americans who vote in the 2020 election will use one of its devices. That’s starting to change. A new level of scrutiny of the election system, spurred by Russia’s interference in the 2016 election, has put ES&S in the political spotlight. The source of the nation’s voting machines has become an urgent issue because of real fears that hackers, whether foreign or domestic, might tamper with the mechanics of the voting system. That has led to calls for ES&S and its competitors, Denver-based Dominion Voting Systems and Austin, Texas-based Hart Intercivic, to reveal details about their ownership and the origins of the parts, some of which come from China, that make up their machines. But ES&S still faces questions about the company’s supply chain and the identities of its investors, although it has said it is entirely owned by Americans. And the results of its government penetration tests, in which authorized hackers try to break in so vulnerabilities can be identified and fixed, have yet to be revealed. The secrecy of ES&S and its competitors has pushed politicians to seek information on security, oversight, finances and ownership. This month, a group of Democratic politicians sent the private equity firms that own the major election vendors a letter asking them to disclose a range of such information, including ownership, finances and research investments.

National: EAC advisers to consider draft voting system standards | Eric Geller/Politico

The EAC’s Technical Guidelines Development Committee meets today by phone to review the latest draft of version 2.0 of the Voluntary Voting System Guidelines. Public working groups have been meeting for months to revise different aspects of the widely cited federal standards, including its security provisions. In October, the cybersecurity working group added a ban on internet and wireless connectivity, which prompted some consternation and confusion at a TGDC meeting in November. Input from the TGDC — a body that includes technical experts and election officials — marks one of the first steps in the process of approving a new VVSG. But more work remains to be done on VVSG 2.0, and the TGDC isn’t likely to give the draft its final seal of approval at today’s meeting. “We anticipate continuing the discussion of the requirements with the TGDC on the next call,” NIST staffer Gema Howell wrote in an email to members of the cyber working group.

National: Limited election security funds pose risk for 2020 | Kimberly Adams/Marketplace

As presidential candidates vie for voters’ attention, there’s another group getting ready for 2020: state and local election officials. Congress sent $380 million to states after attempts, some successful, to hack voter lists and election machines in the 2016 election. But elections security experts say that’s unlikely to be enough to fix the patchwork of voting machines, voter lists, and state or county computer systems that make up America’s voting infrastructure. Efforts to shore up that infrastructure happen in quiet offices like that of Chris Piper, commissioner for the Virginia Department of Elections. “The irony of being an election official is that if you’ve done your job right, nobody notices,” he said. Virginia was among the states probed by foreign hackers in 2016, and Piper said the commonwealth is working to ensure that doesn’t happen again. “Virginia was obviously one of the states that was scanned, but we were not breached,” Piper said. “We’ve taken an incredible number of steps to improve that security posture.”

National: More election security funds headed to states as 2020 looms | Christina A. Cassidy/NPR

Congress is giving states a last-minute infusion of federal funds to help boost election security with voting in early caucus and primary states slated to begin in February. Under a huge spending bill, states would receive $425 million for upgrading voting equipment, conducting post-election audits, cybersecurity training and other steps to secure elections. To receive the funds, states must match 20% of their allocation. The Senate approved the bill Thursday, sending it to President Donald Trump for his signature. States have been scrambling to shore up their systems ahead of the 2020 election. The nation’s intelligence chiefs have warned that Russia and others remain interested in attempting to interfere in U.S. elections and undermine democracy. For many who have been advocating for more congressional action on election security, the money is welcome, but they say more must still be done to ensure elections are secure. Sen. Ron Wyden, a Democrat from Oregon, has been among those pushing Congress to require states to implement rigorous post-election audits and use paper ballots in exchange for federal funds. “I’m afraid this bill will widen the gulf between states with good election security and those with perilously weak election security,” Wyden said in a statement. “I appreciate the intent behind this provision, but until Congress takes steps to secure the entire election system, our democracy will continue to be vulnerable to foreign interference.”

National: 2019’s top cybersecurity story is still what Russia did in 2016 | Joseph Marks/The Washington Post

The historic House vote to impeach President Trump last night also marked the most recent turn in a cybersecurity saga that’s gripped the nation since 2016 and consumed much of the past year. Russia’s hacking and disinformation operation in 2016 has occupied lawmakers, election officials and cybersecurity pros for three years now as they try to hold the Kremlin accountable and to prevent a repeat in 2020. It was also Trump’s obsession with poking holes in the official narrative about that operation – by urging Ukraine’s president to investigate a baseless conspiracy theory about Russia’s Democratic National Committee hack and the cybersecurity firm CrowdStrike — that helped spark an impeachment trial that promises to grip the nation for weeks to come. “This impeachment is, to a great degree, a cyber story,” Jon Bateman, a Cyber Policy Initiative fellow at the Carnegie Endowment for International Peace and a former Pentagon cybersecurity official, told me. “It’s the president’s inability to grasp what really happened in a series of cyber incidents that’s led to our current political crisis.” Election hacking was a key battleground for lawmakers this year as Democrats demanded Congress provide $600 million for states and localities to secure their voting machines and impose strict mandates to ensure elections are as secure as possible. They also pummeled Republicans who blocked those efforts, accusing them of being complicit with Russia, and even branding Senate Majority Leader Mitch McConnell (R-Ky.) as “Moscow Mitch” before he relented this week and endorsed sending $425 million to states. Homeland Security Department officials, meanwhile, crisscrossed the country vetting election equipment and running cybersecurity training for local officials. But they were regularly undermined by the president’s wavering on whether Russia was actually responsible for the 2016 interference, helping spark concern the Kremlin will do it again.

Editorials: Congress waited too long to start securing the 2020 elections | Justin Rohrlich/Quartz

After the US House and Senate passed a $1.4 trillion spending package this week, lawmakers on both sides of the aisle congratulated themselves, which funds the federal government through September. It adds nearly $2 billion in additional funding for fighting wildfires, sets aside $25 million for gun violence research, and apportions $7.6 billion for the 2020 Census. Under the terms of the deal, all 50 states will also receive funding to improve election security. But according to Lawrence Norden, director of the Election Reform Program at the Brennan Center for Justice at New York University School of Law, securing the 2020 elections from top to bottom require more time and money than what has been allocated thus far. “Congress has been completely absent when it comes to funding for election security,” Norden told Quartz. “For the most part, Congress has said, ‘States, it’s up to you,’ and states have said, ‘Counties, it’s up to you,’ and election security has been neglected.” Congress voted to distribute $425 million among the states. A provision calls for states to match an additional 20% of the amount received within two years, bringing the eventual funding for election security to about $500 million nationwide. Last year, Congress also earmarked $380 million for states to strengthen election security. State governments have until October 2023 to spend it all.

Editorials: Cybersecurity Experts Are Leaving the Federal Government. That’s a Problem. | Josephine Wolff/The New York Times

At the end of 2019, with less than a year to go until the presidential election, the government official who has been leading efforts to secure voting systems in the United States will leave the Department of Homeland Security to join Google. The impending departure of Jeanette Manfra, the assistant director for cybersecurity at the department’s Cybersecurity and Infrastructure Security Agency, is a major loss for the federal government’s civilian cybersecurity efforts, and it comes at the end of a year that saw a series of departures by key cybersecurity personnel. In August, the White House chief information security officer, Joe Schatz, left government to join a consulting firm, TechCentrics. A few months later, in October, Dimitrios Vastakis, the branch chief of White House computer network defense, resigned as well, explaining his reasons in a memo, obtained by Axios, with the subject line “cybersecurity personnel leaving office of the administration at an alarming rate.” Mr. Vastakis’s memo stated that the majority of the high-level cybersecurity personnel at the White House had already resigned because of the administration’s “habitually being hostile” to them, including using tactics such as “revocation of incentives, reducing the scope of duties, reducing access to programs, revoking access to buildings and revoking positions with strategic and tactical decision making authorities.” Through these tactics, in combination with a structural reorganization this summer, the White House effectively dismantled the Office of the Chief Information Security Officer, which was established by President Barack Obama in 2014 following the discovery that Russian hackers had infiltrated White House networks.

Voting Blogs: Preparing for Cyberattacks and Technical Failures: A Guide for Election Officials | Brennan Center for Justice

America’s intelligence agencies have unanimously concluded that the risk of cyberattacks on election infrastructure is clear and present — and likely to grow. 1 While officials have long strengthened election security by creating resiliency plans, 2 the evolving nature of cyber threats makes it critical that they constantly work to improve their preparedness. It is not possible to build an election system that is 100 percent secure against technology failures and cyberattacks, but effective resiliency plans nonetheless ensure that eligible voters are able to exercise their right to vote and have their votes accurately counted. This document seeks to assist officials as they revise and expand their plans to counter cybersecurity risks. Many state and local election jurisdictions are implementing paper-based voting equipment, risk-limiting audits, and other crucial preventive measures to improve overall election security. In the months remaining before the election, it is at least as important to ensure that adequate preparations are made to enable quick and effective recovery from an attack if prevention efforts are unsuccessful. While existing plans often focus on how to respond to physical or structural failures, these recommendations spotlight how to prevent and recover from technological errors, failures, and attacks. Advocates and policymakers working to ensure that election offices are prepared to manage technology issues should review these steps and discuss them with local and state election officials.

Georgia: State Elections Board seeks public comment on paper ballot rules | Albany Herald

The State Elections Board voted Tuesday to post for public comment updated rules for county officials to run elections on Georgia’s new paper ballot system, another key step in the implementation of the largest voting system rollout in U.S. history. An important aspect of the rules are procedures for maintaining the integrity of the touchscreen ballot-marking devises, known as BMDs. The rules require county poll managers to test each BMD before every election to ensure that voters’ selections will be accurately printed on the ballots. “These rules, and the verification procedures they contemplate, are critical in assuring voters that their choices will be recorded faithfully and counted accurately,” Secretary of State Brad Raffensperger, chairman of the five-member State Elections Board, said in a news release. The proposed rules reflect best practices recommended by election-security experts and House Bill 316 passed earlier this year by the Georgia General Assembly. They also incorporate comments from the American Civil Liberties Union, the Democratic Party of Georgia, the Brennan Center for Justice, and a working group of local election officials. The proposed rules are posted at here.

North Carolina: Elections officials anxious over software upgrade | Brooke Conrad/Carolina Journal

A voting software company the N.C. State Board of Elections certified earlier this year wants approval for a last-minute technology update. But some board members are asking whether the company, Election Systems and Security, should have been certified in the first place. In September, ES&S asked the BOE to approve changes to equipment already certified by the state. The timing of the request would require the BOE to circumvent its normal, thorough certification process. Problem was, the company told the board it didn’t have enough of the originally certified equipment to meet the state’s needs, forcing a vote. On Dec. 13, the board, in a 3-2 vote, approved the upgrade, with Democratic Chairman Damon Circosta and Republicans Kenneth Raymond and David Black voting in favor of the update. Democrats Stella Anderson and Jeff Carmon opposed the move. State Board Secretary Stella Anderson, along with several election security advocates across the state, had raised concerns about ES&S during earlier discussions about certification.   “The vendor will have done exactly what it wanted to do: put our backs up against the wall,” Anderson said during the meeting.

Rhode Island: Board of Elections votes to purchase new modems to enhance security | Mark Reynolds/Providence Journal

The Rhode Island Board of Elections voted unanimously Tuesday afternoon to enhance the security of the voting system by acquiring new modems for the machines that tabulate votes and embracing other recommendations of a recent security assessment. The board took action after releasing a public copy of the security assessment and taking input from Rhode Island National Guard Col. R. Michael Tetreault, who was part of a team that helped draft the assessment. The state Division of Information Technology and the Rhode Island Guard Defensive Operations Element looked at “technology enhancements” made to the state’s election management system, according to a report obtained Tuesday by The Providence Journal. The initiative also reviewed efforts to reduce risk based on recommendations made last year.

Pennsylvania: No confidence: Northampton County election board calls for new voting machines for 2020 | Tom Shortell/The Morning Call

A month after widespread problems plagued the general election, the Northampton County Election Commission Board voted 4-0 to express no confidence in its new election machines. At the same meeting Thursday evening, representatives of the county’s Democratic and Republican committees called on the county to move away from the machines and perform an independent analysis of the results. “We believe the problems the machines exhibited this year will make it virtually impossible to restore voters’ confidence heading into 2020. We’d recommend avoiding that by not using them again,” said Democratic Chair Matthew Munsey. Despite the bipartisan condemnation of the machines, it’s unclear how county residents will cast their vote in the upcoming presidential elections. Richard Santee, the board’s solicitor, said the decision to reject these machines must be made in conjunction with Northampton County Council and Executive Lamont McClure. Some council members have demanded a refund on the machines, though McClure has continued to stand by them. Even if there was universal agreement, it would be logistically difficult to swap systems in time for the April 28 primary. The board, council and McClure’s administration would have to reach a consensus on getting rid of the machines, selecting a new system, purchasing it, training staff and delivering the machines to the polls in less than four months. “I can’t imagine what we are going to do between now and April,” said Council President Ron Heckman, who attended the meeting as a member of the public. “What’s the alternative?”

Pennsylvania: State officials break silence on controversial ExpressVote XL voting machine | Emily Previti/PA Post

After weeks of silence, state officials have shed some light on their stance that the ExpressVote XL voting machine should remain in use, despite a shaky debut in Pa. during the last election and legal challenges over its shortcomings. In their first public comments about the XL, they laid out their position in 418 pages filed last week in response to plaintiffs’ claims in a federal lawsuit over Pennsylvania’s election system. That case was settled more than a year ago, but plaintiffs led by ex-Green Party presidential candidate Jill Stein recently asked a federal judge to enforce the settlement terms. They claim the Pa. Department of State hasn’t upheld the agreement’s parameters for upgrading voting systems statewide by the end of the year. And they’ve asked U.S District Court Judge Paul S. Diamond to order DoS to decertify the ExpressVote XL voting machine, the pick in three Pa. jurisdictions (Philadelphia, Northampton and Cumberland counties).

United Kingdom: Leaked NHS dossier inquiry focuses on personal Gmail accounts | Dan Sabbagh/The Guardian

Britain’s security agencies are investigating whether hackers from a hostile state successfully targeted a personal Gmail account to access an explosive cache of correspondence that was seized on by Labour during the election campaign. The leak inquiry into how the 451-page dossier got into the public domain is focused on the Department for International Trade. Jeremy Corbyn said during the campaign that the documents proved the NHS was “on the table” in future US trade talks. Dominic Cummings, the prime minister’s chief adviser, warned ministerial special advisers at a meeting on Tuesday not to use personal Gmail accounts because “foreign powers” were targeting them. Special advisers are not supposed to use personal accounts for government business but, in practice, some communications are conducted via private accounts, where security may be weaker because they are outside official networks. It is not clear which country – if any – is behind the alleged hack, but independent analysts have already suggested that the cache was originally disseminated online by a Russian operation known as Secondary Infektion.