Yearly Archives: 2019

Some of the biggest names in the cloud and hardware ecosystem have agreed to join a new industry group focused on promoting safe computing practices. Founding members include Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, Swisscom, and Tencent. Named the Confidential Computing Consortium, this industry group's goals will be to come up with strategies and tools to accelerate the adoption of "confidential computing." By confidential computing, the group is referring to hardware and software-based technical solutions for isolating user data inside a computer's memory while it's being processed, to avoid exposing it to other applications, the operating system, or other cloud server tenants. The easiest way of supporting confidential computing practices is through the use of trusted execution environments (TEEs), also known as enclaves. These are hardware and/or software-enforced private regions of a computer's CPU memory where only certain apps can write and read data.

Argentina: Hackers Leaked Sensitive Government Data in Argentina—and Nobody Cares | Eugenia Lostri/Lawfare

On Monday, Aug. 12, hackers leaked 700 GB of data obtained from the government of Argentina, including confidential documents, wiretaps and biometric information from the Argentine Federal Police, along with the personal data of police officers. The Twitter account of the Argentine Naval Prefecture was hacked as well, and used not only to share links to the stolen information but also to spread fake news about a nonexistent British attack on Argentine ships. An operation combining the hacking of law enforcement agencies, an attempt to spread misinformation through social media and the leaking of large amounts of sensitive data on the “Deep Web” would seem to check all the boxes for a major news story. But you most likely have not heard about any of this.

India: VVPAT-auditing data and credibility of electronic voting machines | Atanu Biswas/The Tribune

Even as some top politicians are raising doubts and have made references to the alleged manipulation of EVMs (electronic voting machines), millions of voters in the country are getting confused. Common people don’t understand the mechanism of a complicated machine like the EVM. Rather, they depend on the institutions and/or their leaders to frame their opinions. However, there was a VVPAT-auditing of the EVMs — five per Assembly constituency of the country — as directed by the Supreme Court. One obvious, yet important, question is how the opinion on EVMs will be reframed with the VVPAT-auditing data. A voter verifiable paper audit trail (VVPAT) slip is nothing but a machine-generated ballot paper, verified by the voter himself/herself. And if the VVPAT counts are further tallied with the corresponding EVM counts, that would give a double-check. The objective of tallying VVPAT counts with the corresponding EVM counts is to check whether the EVMs are tampered with or not. If there is no mismatch for a machine, one can safely conclude that there is no tampering in that EVM, at least.

Russia: Prominent journalist Alexey Venediktov has accused ‘Meduza’ of cheating to prove Moscow’s online voting system is hackable. He’s wrong. | Mikhail Zelenskiy/Meduza

This September’s elections for the Moscow City Duma have already gained renown for inspiring regular mass protests, but they are also remarkable for another reason: In three of the Russian capital’s districts, voters will be able to use an online system to select their new representatives. Moscow’s Information Technology Department held intrusion tests on GitHub in late July to verify the integrity of the system: Officials gave programmers several opportunities to attempt to decrypt mock voting data, and each round of data was subsequently published so that it could be compared to the results of those hacking attempts. On August 16, Meduza reported on French cryptographer Pierrick Gaudry’s successful attempt to break through the system’s encryption. To confirm that the encryption keys used in the system are too weak, we also implemented Gaudry’s program ourselves. City Hall officials responded to the successful hackings by refusing to post its private keys and data, thereby preventing outsiders from confirming that the system had indeed been hacked. Instead, Ekho Moskvy Editor-in-Chief Alexey Venediktov, who is also leading the citizens’ board responsible for the elections, accused Meduza of abusing the testing process. Here’s why he’s wrong.

Switzerland: Swiss post rolls out more secure version of e-voting platform | SWI

The publicly-owned company Swiss Post, which had abandoned its electronic voting system in July over security concerns, has developed a new version. "We have already proposed a solution" to cantons, said general manager Roberto Cirillo in an interview published by the La Liberté newspaper on Friday. According to Cirillo, the company is in the process of defining the rules for testing the new system with cantons. He stressed that the new version will "contain universal verifiability". At the beginning of July, Swiss Post abandoned its electronic voting system, which means it now cannot be used for the October federal parliamentary elections. The decision was made after subjecting the e-voting system to an intrusion test by thousands of hackers last spring. According to Swiss Post, they were unable to penetrate the electronic ballot box, but found serious errors in the source code, which had to be corrected. The cantons of Neuchâtel, Fribourg, Thurgau and Basel City had adopted this e-voting system, which only offered individual verifiability. Three of them already plan to demand compensation from Swiss Post for failure to deliver.

California: Sweeping change is coming for Los Angeles County voters. If things go wrong, he’ll get the blame | Matt Stiles/Los Angeles Times

Long before Dean Logan was the elections chief for the most populous county in California, he was an administrator for the most populous county in Washington state — and he was dealing with a crisis. It was the fall of 2004, four years after the contested Bush-versus-Gore presidential election, and voters had just produced one of the closest gubernatorial contests in American history. Fewer than 300 votes separated the candidates. Then things got worse. Logan realized that his staff had misfiled a batch of uncounted mail-in ballots — enough to sway the election. Under pressure, Logan insisted that the ballots be counted, making him a target of critics, including the state’s Republican Party chairman who insisted that the election was being “stolen.” A judge eventually validated Logan’s decision. Fifteen years later, the experience still haunts him. But it has informed and inspired his years-long personal quest to overhaul the way elections are conducted in Los Angeles County. Starting next year, some 5.2 million residents — a figure that eclipses the number of registered voters in most states — will change the way they cast ballots. If the process goes awry — either in the earlier-than-normal presidential primary in March or in the crucial November general election, in which President Trump will probably be on the ballot — blame could fall on Logan yet again.

National: State Election Infrastructure Is Still Vulnerable, Report Finds | by Phil Goldstein/StateTech Magazine

The 2020 presidential election is more than 14 months away, but some experts are warning that state governments face an uphill battle in defending election infrastructure from cyberattacks. According to a recent report, “Defending Elections: Federal Funding Needs for State Election Security,” many election security projects at the state level are either unfunded or underfunded. The report calls on the federal government to provide more funding for state-level election security measures ahead of next year’s election. “In administering our elections, states face security challenges of unprecedented magnitude,” the report concludes. “They are, in many cases, ill-equipped to defend themselves against the sophisticated, well-resourced intelligence agencies of foreign governments. States should not be expected to defend against such attacks alone. Our federal government should work to provide the states with the resources they need to harden their infrastructure against cybersecurity threats.” The paper was authored by a bipartisan group of organizations including the Brennan Center for Justice, the Alliance for Securing Democracy, the R Street Institute and the University of Pittsburgh Institute for Cyber Law, Policy, and Security.

National: 2020 election security to face same vulnerabilities as in 2016 | Michael Heller/TechTarget

For the third year running, the Voting Village at DEF CON shined a light on election security and one thing was made clear: no one agrees on what to expect in 2020. In opening remarks at DEF CON, founders Harri Hursti, Matt Blaze and Jake Braun laid out the long road the Voting Village has traveled to raise awareness of election security issues. Blaze, who serves as the McDevitt Chair of Computer Science and Law at Georgetown University, pointed out the troubles began with the Help America Vote Act (HAVA), which passed in 2002 as an effort to modernize and improve election administration. "They didn't understand as much at the time as we do now about building voting machines and almost everything produced to comply with the Help America Vote Act has terrible vulnerabilities associated with it," Blaze said. "That's partly because we've taken these systems that weren't dependent on software before and made them dependent on software. And, as everybody here in Las Vegas can tell you, software is utterly terrible. So we essentially took a problem that was hard and we added software to it." A new initiative at this year's Voting Village was to connect security researchers and hackers directly to election officials to provide pro bono work to help secure the 2020 election. Braun, an executive director for the University of Chicago Harris School of Public Policy's Cyber Policy Initiative, noted the past work of the Voting Village had been corroborated. "The Mueller report reinforced a lot of what we identified last year, like you can hack a website with a SQL injection and get into a voter registration database, which is exactly what Mueller said the Russians did in 2016," Braun said. "And frankly, they didn't even go as far as we said was possible [in last year's election.]"

National: Civilians, military abroad may find it more expensive to vote | Bill Theobald/The Fulcrum

Election officials are growing increasingly concerned that the Trump administration's trade war with China could make it more difficult and expensive for overseas voters — including those in the military — to cast ballots in the 2019 and 2020 local, state and federal elections. The issue is the pending withdrawal in October by the U.S. from the Universal Postal Union, a group of 192 nations that has governed international postal service and rates for 145 years. Last October, the U.S. gave the required one-year notice stating it would leave the UPU unless changes were made to the discounted fees that China pays for shipping small packages to the United States. The subsidized fees — established years ago to help poor, developing countries — place American businesses at a disadvantage and don't cover costs incurred by the U.S. Postal Service. With the U.S.-imposed deadline for withdrawal or new rates fast approaching, states officials are running out of time to prepare for overseas mail-in voting. Last week, Kentucky elections director Jared Dearing pleaded for help from the Election Assistance Commission — for himself and his peers in other states. The deadline for his state and most others to send out absentee ballots for the fall elections, Dearing said, falls a few days before a Sept. 24-25 UPU meeting in Geneva, Switzerland, to discuss the U.S. proposal to revise the rate system. That makes it difficult to provide voters with guidance about how to return their ballots. If the United States ends up withdrawing from the UPU, overseas citizens may not be able to return their ballots using regular mail service and could have to pay upward of $60 to use one of the commercial shipping services, Dearing said.

National: Republicans use McConnell allies to try and force his hand on election security | Lesley Clark/McClatchy

A conservative group is increasing pressure on Senate Majority Leader Mitch McConnell to put election security legislation up for a vote in the Senate by airing ads that target the Kentucky Republican and four other Republican senators in their home states. Republicans for the Rule of Law is unveiling new spots that urge Sens. Marco Rubio, R-Florida, Roy Blunt, R-Missouri, Lindsey Graham, R-South Carolina, and James Lankford, R-Oklahoma, to push McConnell for a vote, urging them “don’t let Mitch McConnell stand in your way.” The group is also re-airing a 60-second ad that calls on McConnell to act. The 30-second spots will air nearly daily on Fox & Friends starting Wednesday. They’ll also run on Fox News Sunday and NBC’s Meet the Press in the senators’ home cities on Sunday as part of a $400,000 ad buy that includes digital ads. The ads note the senators’ support for election security legislation. “McConnell and all Republican Senators have no greater responsibility than protecting our elections from foreign enemies like Russia and Iran,” said Republicans for the Rule of Law legal advisor and spokesman Chris Truax.

Editorials: The malware election: Returning to paper ballots only way to prevent hacking | Lulu Friesdat/The Hill

The key takeaway of special counsel Robert S. Mueller’s report on Russian interference in the 2016 election was that “There were multiple, systematic efforts to interfere in our election … and that allegation deserves the attention of every American.” But with so much attention on what happened in 2016, we have lost much of the time available to protect the 2020 election. This was immediately apparent recently at DEF CON, one of the largest hacker conventions on the planet. The conference, where tens of thousands of hackers descend on the pseudo-glamourous “pleasure pit” that is Las Vegas, includes the Voting Village, a pop-up research lab with an array of U.S. voting equipment available for security researchers to compromise. They were terrifyingly successful. High school hackers and security professionals united to take control of almost every voting system in the room, most of it currently in use around the U.S. They found systems with no passwords, no encryption, and operating systems so old that young hackers often had no previous experience with them. That did not prevent them from completely dominating the machines. They accessed USB, compact flash and ethernet ports that were glaringly unprotected, and then proceeded to play video games and run pink cat graphics across the screens of ballot-marking devices and voter registration database systems.

California: New Los Angeles County voting system highlights trade offs between security and accessibility | Joseph Marks/The Washington Post

Starting in 2020, Los Angeles County’s 5.2 million voters will cast their ballots on new machines that the county had custom built over a decade to be highly accessible to citizens with all manner of disabilities and who speak 13 different languages. The new machines mark the biggest challenge in years to the highly consolidated voting machine industry in the United States in which just three companies control more than 90 percent of the market. The dominant players have faced withering criticism from security advocates and lawmakers since the 2016 election for being too slow to adapt to election hacking threats from Russia and other adversaries and not transparent enough about their security. The plan is for the machines to be piloted at some voting locations during local elections in November and then to be used by all voters for the first time in the March 3, 2020 primaries. The challenge is even bigger because Los Angeles plans to make the computer code its machines are running on freely available to be used or modified by other voting jurisdictions who similarly want to go it alone. But the new systems are also likely to add fire to a battle between cybersecurity hawks and advocates for voters with disabilities that’s already playing out in Congress and among state election boards.

Georgia: Voters challenge legality of new election system | Kate Brumback/Associated Press

Georgia voters who want hand-marked paper ballots are challenging the new election system state officials are rushing to implement in time for next year's presidential primaries, saying the new touchscreen machines remain vulnerable and their results unverifiable, even though they produce paper records. Secretary of State Brad Raffensperger announced the state's purchase of a $106 million election system from Denver-based Dominion Voting Systems last month, with plans to replace the outdated election management system and paperless touchscreen voting machines in use since 2002. He then certified the new system on Aug. 9, and said it will be in place in time for the March 24 primaries. The voters' petition, seeking a withdrawal of the certification and a re-examination of the Dominion system, was submitted Monday to Raffensperger's office. It says the system doesn't meet Georgia's voting system certification requirements and doesn't comply with the state election code. Georgia law allows voters to request that the secretary of state "reexamine any such device previously examined and approved by him or her" as long as at least 10 voters sign onto the request. The petition submitted Monday includes signatures of more than 1,450 registered voters from 100 counties, including some elected officials, and was filed by voting integrity advocates and the state Libertarian Party. Additionally, some of the plaintiffs in a lawsuit challenging the state's outdated voting system filed an amended complaint on Friday asking U.S. District Judge Amy Totenberg to prohibit the state from using the new Dominion system, calling it "illegal and unreliable."

Illinois: ‘Iranian Hackers’ Claim Hack on Macon County Website | Kennedy Nolan/Decatur Herald & Review

Macon County, Ill., is the latest government entity to be targeted by hackers who hijacked a web page and disabled access. The Circuit Clerk's Office main web page on Sunday night was overtaken by an image of a Guy Fawkes mask, Iranian flag and the text: "Hacked by Iranian Hackers. Hacked by Mamad Warning. We are always closer to you. Your identity is known to us. Your information is for us ;) take care." Circuit Clerk Lois Durbin said the county Information Technology department restored the page by 10 a.m. Monday. The office handles all records of traffic, civil and criminal cases in the county, but Durbin said personal identification information is stored on a separate system and wasn't in danger of being accessed. "The firewall went up, and everything was protected and nothing was compromised," she said. The county joins a growing list of government entities that are the victims of hacking attempts. Another technique involves disabling a website with malware and demanding money to restore it.

New Jersey: State’s Department of Homeland Security warned Russians could interfere in our elections next year. Trump’s not worried. | Jonathan D. Salant/NJ.com

New Jersey’s Department of Homeland Security has warned state and county elections officials that Russia or another foreign actor could hijack their websites or social media accounts, “severely impacting and eroding confidence in the election results.” The warning, which went to elections officials on the state level and in all 21 counties, was contained in a bulletin sent earlier this month by the state Cybersecurity and Communications Integration Cell. The state agency acted after the Senate Intelligence Committee warned about “Russian intentions to undermine the credibility of the election process” and a civil grand jury in San Mateo County, California, warned of hackers using government accounts to report false election results or issue false voting instructions. “The threat of foreign interference in our elections is a pressing national security issue,” said Rep. Mikie Sherrill, D-11th Dist., chairwoman of the House Science subcommittee on investigations and oversight, which held a hearing last month to highlight problems with state elections systems.

North Carolina: Vote security on the line in Board of Elections meeting | Jordan Wilkie/Carolina Public Press

When the NC Board of Elections meets Friday, it will make decisions about voting equipment for 2020 elections that could determine the security of the state’s election process and how much confidence voters can have that the system records and tabulates their votes as they intended. Security experts, federal research agencies and the US Senate agree on best practices for secure election equipment. They recommend that most voters use hand-marked paper ballots, count the ballots using digital scanners and audit the paper ballots for correctness before election results are made official. Most North Carolinians already vote this way. However, 23 of the state’s 100 counties use touch screens to cast their ballots, a system that experts consider insecure and outdated because it cannot be effectively audited. For that reason, North Carolina is set to decertify those systems by Dec. 1. This week, the state board of elections will consider certifying replacement systems. The decisions the board makes will have a domino effect of consequences for the security, privacy and accessibility of elections across the state.

Editorials: Rage against the voting machines | Philadelphia Inquirer

The latest controversy over the city’s ongoing voting machines saga presents multiple choices of questions and concerns. Last week, City Controller Rebecca Rhynhart, while investigating the contract for new voting machines, found that the company, Election Systems & Software, failed to disclose that it had hired lobbyists and made campaign contributions to the reelection campaigns of two city commissioners who were in charge of selecting the vendor. These mistakes, which ES&S says were inadvertent, made the contract “voidable.” But so far the contract is moving ahead — 3,700 voting machines have already been delivered. ES&S has agreed to pay a $2.9 million fine for its failure to disclose. The Controller’s Office is withholding payment on the contract until it completes its investigation sometime next month. The choices for questions are multiple: Are the resulting disclosures (and fines) proof that the system is working, or A. An indictment of the city’s new best value procurement policy, initiated in 2017 when voters approved a change that allowed the city to award contracts on factors other than the lowest price? While overwhelmingly approved by voters, others (including this board) had concerns that the new policy opened the door to granting contracts to insiders and encouraging a pay-to-play culture, as well as more expensive contracts. The $30 million machine contract is the first major test of the new policy.

Editorials: Guess which ballot costs less and is more secure– paper or electronic? | Kevin Skoglund and Christopher Deluzio/PennLive

Pennsylvania’s counties are choosing new voting systems, with implications for the security, reliability, and auditability of elections across the commonwealth and beyond. Our organizations’ analysis of county selections reveals that several have decided to purchase expensive electronic machines with security challenges over the better option: hand-marked paper ballots. Pennsylvania—where vulnerable paperless machines have been the norm—needs new paper-based voting systems. But not all systems are the same. The main choice counties face is the style of voting and polling place configuration. They can have most voters mark a paper ballot with a pen and offer a touchscreen computer to assist some voters (a ballot-marking device or “BMD”). Or they can have all voters use touchscreen computers to generate a ballot (an all-BMD configuration). The hardware in each configuration is often the same, but this fundamental choice creates significant differences. In fact, our analysis shows that many counties have chosen the all-BMD configuration and are paying a hefty sum for it—twice as much per voter as counties that selected systems that rely principally on voters hand-marking their ballots. Pricier electronic systems also carry greater security risks and make it harder for voters to verify their ballots before casting.

Texas: Ransomware Attack Hits 22 Texas Towns, Authorities Say | Manny Fernandez, Mihir Zaveri and Emily S. Rueb/The New York Times

Computer systems in 22 small Texas towns have been hacked, seized and held for ransom in a widespread, coordinated cyberattack that has sent state emergency-management officials scrambling and prompted a federal investigation, the authorities said. The Texas Department of Information Resources said Monday that it was racing to bring systems back online after the “ransomware attack,” in which hackers remotely block access to important data until a ransom is paid. Such attacks are a growing problem for city, county and state governments, court systems and school districts nationwide. By Tuesday afternoon, Texas officials had lowered the number of towns affected to 22 from 23 and said several government agencies whose systems were attacked were back to “operations as usual.” The ransomware virus appeared to affect certain agencies in the 22 towns, not entire government computer systems. Officials said that there were common threads among the 22 entities and that the attacks appeared not to be random, but they declined to elaborate, citing a federal investigation. It was unclear who was responsible. The state described the attacker only as “one single threat actor.”

Vermont: Ethical Hackers Breach Vermont Voting Machines, But Officials Say No Need To Panic | Peter Hirschfeld/Vermont Public Radio

Elections security experts have discovered new ways to manipulate the type of voting machine used in Vermont, but local elections officials say it's unlikely that bad actors could exploit those vulnerabilities to change the results of an election. At a recent technology conference in Las Vegas, ethical hackers from across the country tried to infiltrate some of the voting machines used in U.S. elections. Probing for vulnerabilities in ballot tabulators is an annual tradition at the DEF CON Hacking Conference. This year, however, hackers tried to gain access to the same type of voting machine used by 135 towns in Vermont. Montpelier City Clerk John Odum retrieved one of the machines from a vault last week and placed it on a desk in his office. It's a pretty ancient-looking piece of technology — like something you might have seen in a middle school computer room in the early 1990s. "As I understand it, the memory cards that we use, the technology was originally developed for the original Tandy laptops," Odum said, "so this is some old stuff." The machine is called an AccuVote, and its name is clearly meant to inspire confidence in the results it spits out. But when white-hat hackers set to work on this tabulator at DEF CON earlier this month, they quickly found all kinds of ways to manipulate results.

Wisconsin: Outdated operating systems could affect Wisconsin elections | Capitol Report/HNG News

A Wisconsin Elections Commission security official is expressing concern that outdated operating systems are being used by local elections clerks across the state, raising the prospect of foreign interference in Wisconsin’s elections ahead of the 2020 presidential race. In a memo, Election Security Lead Tony Bridges details how a number of local clerks are using Windows XP or Windows 7 on office computers to access the WisVote voter database. According to Bridges, failure to maintain an up-to-date operating system poses “a tremendous risk.” Security patches on Windows XP have not been supported since 2014, while Windows 7 will reach its end-of-life cycle in January 2020, meaning Microsoft will no longer provide free security updates. Bridges pointed to a recent cyberattack in Georgia that brought down systems across Jackson County and warned a similar attack could “dramatically impact voter confidence in the electoral process” in Wisconsin. “It could, for example, expose confidential information, prevent the timely distribution of absentee ballots, prevent the timely printing of poll books, disrupt communications with voters, expose voters to potential cyberattack, destroy digital records, prevent the display of election night results,” he wrote recently.

Philippines: Clans in Congress want to go ‘hybrid’: Comelec line change: 7 Duterte appointees to run 2022 elections | Malou Mangahas and Karol Ilagan/MindaNews

Clean, honest, inclusive, and credible elections might well turn into just a pipedream when the votes for president, vice president, legislators, and local officials come up in May 2022. As it is, the Commission on Elections (Comelec) has already found itself confronted by big back and forward issues: unsettled flawed supplies contracts and weak project management systems that marked the May 2019 elections; five of its seven commissioners, and its executive director, retiring between January next year to February 2022; and an apparently concerted effort by politicians to write finish to its automated-election system or AES. Claiming fraud was triggered by defective vote-counting machines, politicians from old political clans led no less by President Rodrigo R. Duterte have urged Comelec and Congress to junk the AES and instead revert to a hybrid system of elections, or one that is partly manual and partly automated. But election observers worry that this hybrid system posits opportunities for ballot-box stuffing and snatching, and the dagdag-bawas system driven by the guns, goons, and gold of elections past. Complicating matters is the fact that the push for ‘hybrid’ elections is unfolding as Comelec prepares for impending major changes among its commissioners. In fact, by the time of the next synchronized presidential, legislative, and local elections in May 2022, the poll body will face a major topline change. Worse yet, the changing of guards could happen midway in the campaign period.

Russia: Moscow’s blockchain voting system cracked a month before election | Catalin Cimpanu/ZDNet

A French security researcher has found a critical vulnerability in the blockchain-based voting system Russian officials plan to use next month for the 2019 Moscow City Duma election. Pierrick Gaudry, an academic at Lorraine University and a researcher for INRIA, the French research institute for digital sciences, found that he could compute the voting system's private keys based on its public keys. This private keys are used together with the public keys to encrypt user votes cast in the election. Gaudry blamed the issue on Russian officials using a variant of the ElGamal encryption scheme that used encryption key sizes that were too small to be secure. This meant that modern computers could break the encryption scheme within minutes. "It can be broken in about 20 minutes using a standard personal computer, and using only free software that is publicly available," Gaudry said in a report published earlier this month. "Once these [private keys] are known, any encrypted data can be decrypted as quickly as they are created," he added.

Georgia: Lawsuit says new Georgia voting system should be stopped | Mark Niesse/The Atlanta Journal-Constitution

Voters who want paper ballots filled out by hand asked a federal judge late Friday to prevent Georgia from using the $107 million voting system the state just bought. The request comes a day after the judge ruled that voters must use some type of paper ballots next year, but her decision didn’t address the legality of the state’s new voting system.Election officials plan to replace Georgia's 17-year-old electronic voting machines with a system that combines touchscreens with paper ballots. Voters will pick their candidates on a 21.5-inch tablet that’s connected to a ballot printer starting with the March 24 presidential primary.The lawsuit, filed by voters and election integrity advocates, alleges the new voting machines will remain vulnerable to hacking, malware, bugs and misconfiguration.But state election officials have said that paper ballots will ensure the accuracy of results during recounts and audits.In addition, the lawsuit said the printed ballots aren’t truly verifiable. Although voters will be able to review ballots before casting them, the ballots embed voters’ choices in bar codes that are only readable by scanning machines.“No elector can visually review and confirm whether the bar code accurately conveys their intended selections,” according to the amended complaint.

National: America faces a voting security crisis in 2020. Here’s why – and what officials can do about it. | Emily Goldberg/Politico

Paperless voting machines are just waiting to be hacked in 2020. And “upgrading” to paper-based voting machines may sound like an oxymoron, but it’s something cybersecurity experts are urging election officials across the country to do. A POLITICO survey found that in 2018, hundreds of counties in 14 states used paperless voting machines — and almost half of the counties that responded to the survey said they don’t plan on changing that ahead of 2020. Security experts said paperless voting machines are vulnerable to hacking because they leave no paper trail and there’s no way to reliably audit the results when an error occurs. Thousands of Redditors joined us as cybersecurity reporter Eric Geller and voting security expert and University of Michigan professor J. Alex Halderman took on Reddit's most pressing questions about the weaknesses in America’s election systems. We chatted about voting methods in various countries from the U.S. to India, how much the transition to paper ballots would cost, and even "Star Wars."

National: Most states still aren’t set to audit paper ballots in 2020 – Despite expert recommendations | Colin Lecher/The Verge

Despite some progress on voting security since 2016, most states in the US aren’t set to require an audit of paper ballots in the November 2020 election, according to a new report out this week from the Brennan Center for Justice. The report notes that experts and government officials have spent years recommending states adopt verifiable paper ballots for elections, but a handful still use electronic methods potentially vulnerable to cyberattacks. In 2016, 14 states used paperless machines, although the number today is 11, and the report estimates that no more than eight will use them in the 2020 election. But the report also found that most states won’t require an audit of those paper records, in which officials review randomly selected ballots — another step experts recommend. Today, only 22 states and the District of Columbia have voter-verifiable paper records and require an audit of those ballots before an election is certified. The number will increase to at least 24 states by the 2020 elections, according to the report. “However,” the report notes, “there is nothing stopping most of these remaining states from conducting such audits if they have the resources and will to do so.”

National: Russian hackers, town budgets, Windows updates: Officials grapple with realities of election security | Ben Popken and Kenzi Abou-Sabe/NBC

The nation’s highest agency dedicated to election administration convened a security summit on Thursday to figure out how to confront a problem: The majority of the country's 10,000 voting jurisdictions still run outdated software. In July, Associated Press reported that many counties still use Windows 7, initially released in 2009, or even older software in their back office election management systems used by officials to administer elections, but not on the machines where voters cast their ballots. It's so old that Microsoft announced last year it will soon stop supporting it — shipping free updates to bugs or fixing security issues. After 2020, updates will require a fee. But inside a 21-seat conference room in Silver Spring, the discussion of the Election Assistance Commission — which included state election directors, secretaries of state and representatives from the Department of Homeland Security, election system manufacturers and testing laboratories — the hastily organized meeting also touched on broader frustrations over challenges local election officials face in trying to secure their voting systems as well as inaction from politicians in Washington. “We are talking about local communities having trouble funding roads and water bills, and now we want them to take part in defense against foreign and state actors,” said Kentucky State Election Director Jared Dearing.

National: Election Security in 2020 Comes Down to Money, and States Aren’t Ready | Kartikay Mehrotra and Alyza Sebenius/Bloomberg

The front line to protect the integrity of the U.S. presidential election is in a Springfield strip mall, next to a Chuck E. Cheese’s restaurant. There, inside the Illinois Board of Elections headquarters, a couple dozen bureaucrats, programmers, and security experts are furiously working to prevent a replay of 2016, when Russian hackers breached the state’s voter registration rolls. For 2020, Illinois is deploying new U.S. government software to detect malicious intrusions and dispatching technology experts to help local election officials. Even the National Guard, which started its own cyber unit several years ago, is on speed dial for election night if technicians needed to be rushed to a faraway county. Still, Illinois officials are nervous. The cash-strapped state remains far short of the resources needed to combat an increasing number of nations committing geopolitical breaches. “We’re in an unusual time, and yes, there is concern about whether we have enough to go into 2020 totally prepared for what the Chinese, Russians, or North Koreans or any enemy of the United States may do to influence our elections,” says Governor J.B. Pritzker, a Democrat. “We’re securing our elections with state resources, but there is a federal need. This is a national crisis.”

National: Only One Republican Supported That Divisive Election Security Bill. Here’s Why He Voted in Favor | Robert Hackett/Fortune

Last week we discussed election security. Let’s dig a little deeper into divisions provoked by one of the major pieces of proposed legislation, the Securing America’s Federal Elections Act. The bill has lately become a political flashpoint, blocked by Senate Majority Leader Mitch McConnell of Kentucky, who ostensibly fears further federalizing elections more than he fears the subversion of American democracy through hacking, foreign interference, or other hi-jinx. The bill primarily aims to require states to use voting machines that are up-to-date, not Internet-connected, made in America, and produce paper-based, voter-verifiable ballots. These are all sensible criteria, and it's hard to argue against their adoption. In addition, the bill would earmark federal funds to help states get the new gear in place by 2020—a more contentious component. (See also this Wall Street Journal editorial which lays out other gripes.) While the Democratic House passed the bill with 225 votes in June, only one Republican voted in favor: Representative Brain Mast of Florida. It's worth noting that Mast is not Republican in name only, as an analysis by the data junkie blog FiveThirtyEight makes clear. As of the end of last year, Mast had voted in line with President Donald Trump's policy initiatives 92.7% of the time.

National: Windows 7 woes crash into 2020 election cycle | Derek B. Johnson/FCW