Editorials: There’s no excuse for failing to secure election systems from Russian meddling | St. Louis Post-Dispatch

More than a dozen states are still using electronic ballot systems that leave no paper trail — an invitation to Russia and anyone else who wants to hack into and disrupt America’s next national election. This gaping security hole is being blamed on lack of money in state and local budgets, and a lack of urgency among some Republican officials. Both reasons are unacceptable. Americans may be divided about the veracity of some aspects of the report and testimony from special counsel Robert Mueller, but those who think that renders debatable his conclusions about Russian election interference are simply not paying attention. Mueller’s unambiguous warning that Russia hacked into the election systems of all 50 states in 2016 and is planning to do so again next year has been confirmed on both sides of the aisle. U.S. intelligence agencies have long insisted it happened and will happen again. Even the Republican-controlled Senate Intelligence Committee reached the same conclusion in a recent report. “Russian activities demand renewed attention to vulnerabilities in U.S. voting infrastructure,” the report found. “In 2016, cybersecurity for electoral infrastructure at the state and local level was sorely lacking. … Aging voting equipment, particularly voting machines that had no paper record of votes, were vulnerable to exploitation by a committed adversary.”

Georgia: Judge blasts Georgia officials’ handling of election system | Kate Brumback/Associated Press

Georgia election officials have for years ignored, downplayed and failed to address serious problems with the state’s election management system and voting machines, a federal judge said in a scathing order this week. U.S. District Judge Amy Totenberg said those problems place a burden on citizens’ rights to cast a vote and have it reliably counted. She called Georgia’s voting system “antiquated, seriously flawed, and vulnerable to failure, breach, contamination, and attack.” Despite those findings, Totenberg ruled Thursday that Georgia voters will use that same election system this fall because of concerns about the state’s capacity to make an interim switch while also implementing a new system. Plaintiffs in a lawsuit challenging Georgia’s system had asked Totenberg to order an immediate switch to hand-marked paper ballots for special and municipal elections this fall. But she declined, citing worries about the state’s capacity to manage an interim switch while also implementing a new system that is supposed to be in place for the March 24 presidential primaries. ″(T)he totality of evidence in this case reveals that the Secretary of State’s efforts in monitoring the security of its voting systems have been lax at best — a clear indication that Georgia’s computerized election system is vulnerable in actual use,” Totenberg wrote in a 153-page ruling that devotes considerable space to chronicling those shortcomings.

Pennsylvania: Most Pennsylvania counties pick paper ballots | John Finnerty/CHNI

Counties buying voting machines that allow voters to fill out paper ballots are paying half what counties buying tablet-based voting technology are paying, according to an analysis released Thursday by the University of Pittsburgh. Researchers examined the costs paid by 31 counties for voting machines, as counties across the state move to replace their election equipment before the 2020 presidential election. In total, the counties are calculated to spend $69 million on those systems. The state has told the counties to replace their voting machines with new equipment that provide a paper record of votes cast before the 2020 presidential election. That move was prompted by a settlement to a lawsuit filed by former Green Party presidential candidate Jill Stein after the 2016 election.

Wisconsin: Election security threats and the proposed solution | WXOW

Outdated Windows systems could impact election security in Wisconsin. Officials say the Wisconsin Elections Commission (WEC) has started a pilot program to address concerns. The proposal, prepared by Election Security Lead Tony Bridges, cites concerns over aging computer systems. He states, “the strength or weakness of any one work station could affect the security of the entire state’s elections infrastructure.” Bridge then explained at least a handful of computers that access WisVote no longer receive security updates; that includes Windows XP which hasn’t been updated since 2014. WEC won’t specify which users are vulnerable due to privacy concerns. “We always want to be careful when we’re talking about elections security,” said WEC PIO Reid Magney. “We don’t want to divulge where there might be vulnerabilities in the system.”

Belarus: Belarus to use semitransparent ballot boxes, e-voting | BelTA

Belarus plans to use semitransparent ballot boxes and electronic voting in the future, Chairperson of the Central Election Commission (CEC) of Belarus Lidia Yermoshina said in an interview to the STV channel, BelTA has learned. “We are gradually introducing different standards. Some things we have not introduced yet are no longer used in other countries. For example, we have always been pressurized to use transparent ballot boxes everywhere. I can say that this is no longer in fashion. Moreover, it contradicts the international standards. Transparent ballot boxes do not secure the secret expression of voters’ will. Today’s trend is to use semitransparent boxes and apply e-voting. I believe we will be introducing this in the future,” Lidia Yermoshina said. Speaking about the rotation of the parliament, the CEC chair said that the head of state insists on some one third of MPs to stay for the second term. At the same time, the term of office for every MP should not exceed two terms in a row. “We support and select future candidates taking into consideration all the proportions,” she stressed.

Russia: Blockchain Voting System in Moscow Municipal Elections Vulnerable to Hacking: Research Report | Trevor Holman/CryptoNewsZ

A recent research report by a French cryptographer demonstrates that a blockchain voting framework utilized in Moscow’s municipal elections is susceptible to hacking. The researcher at the French government research establishment CNRS, Pierrick Gaudry, have examined the open code of the e-voting platform dependent on Ethereum in his paper. Gaudry inferred that the encryption plan utilized by a portion of the code is “totally insecure.” The research report titled, “Breaking the encryption scheme of the Moscow internet voting system” by Pierrick Gaudry, a researcher from CNRS, French governmental scientific institution had examined the encryption plan used to verify the open code of the Moscow city government’s Ethereum-based platform for e-voting. Gaudry concluded that the encryption scheme utilized by a portion of the code is entirely insecure by clarifying –

We will show in this note that the encryption scheme used in this part of the code is completely insecure. It can be broken in about 20 minutes using a standard personal computer and using only free software that is publicly available. More precisely, it is possible to compute the private keys from the public keys. Once these are known, any encrypted data can be decrypted as quickly as they are created.

United Kingdom: Subcontractor’s track record under spotlight as London Mayoral e-counting costs spiral | Kat Hall/The Register

Concerns have been raised over a key supplier of an e-counting system for the London Mayoral elections in 2020. The contract, split between Canadaian integrator CGI and Venezuelan-owned Smartmatic, will cost nearly £9m – more than double the procurement cost of £4.1m for the system at the last election in 2016. During a July hearing about the 2020 elections at the London Assembly Oversight Committee, members heard that Smartmatic, which builds and sells electronic voting tech, had worked on the Scottish elections. However, the London Assembly has since confirmed to The Register that Smartmatic was not involved. The company was also recently blamed for a number of technical glitches in the Philippine elections. The London Assembly was told costs had increased because the new vote-counting system offered better functionality than the previous procurement.

Pennsylvania: ‘It’s disappointing’ Elections Board reaffirms $29M voting machine contract over objections, violations | Michael D’Onofrio/ Philadelphia Tribune

Objections from an official and activists did not prevent Philadelphia City Commissioners on Thursday from reaffirming a $29 million city contract with a voting system vendor that violated anti-pay-to-play laws. The three-member commission voted 2-0-1 to continue a city contract with Election System & Software (ES&S) to supply new voting machines for the November election.…

National: Election officials want security money, flexible standards | Dean DeChiaro/Roll Call

State officials from Louisiana and Connecticut on Thursday asked for more money and clear standards from the federal government to help secure voting systems before the 2020 elections. But the officials, Louisiana Secretary of State Kyle Ardoin and Connecticut Secretary of State Denise Merrill, stressed the differences between their election systems and asked for leeway from the federal government in deciding how to spend any future funding. “The cultures are different and the voters have different expectations,” Ardoin told commissioners from the federal Election Assistance Commission, or EAC, at a public forum. Both states received federal funds to upgrade cyber and physical security of their voting systems after Congress approved $380 million for election security in 2018. They spent their share of those funds differently. Connecticut has put much of its funding toward training, Merrill said, while Louisiana is scrambling to upgrade systems running Windows 7 to Windows 10 before Microsoft stops offering support for the older operating system in January. Ginny Badanes, the director of Microsoft’s Defending Democracy Program, which is working to help both states and companies that build voting machines and software to prepare for the switch in operating systems, said the company “will do whatever it takes to make sure these customers have access to updates that are straightforward and affordable.” Both the state officials and private sector witnesses urged the commission to adopt and publish standards that would set the best practices for election security.

National: States Struggle to Update Election Systems Ahead of 2020 | Alyza Sebenius and Kartikay Mehrotra/Bloomberg

U.S. states operating outdated and insecure voting machines face major hurdles in protecting them in time for the 2020 presidential election, officials said at a meeting of elections experts. Budgets are strained, decision-making authority is diffuse and standards put in place years ago haven’t kept up with today’s cyberthreats, according to testimony Thursday to the Election Assistance Commission in Silver Spring, Maryland. The Senate Intelligence Committee reported last month that Russia engaged in “extensive” efforts to manipulate elections systems throughout the U.S. from 2014 through “at least 2017.” The Brennan Center for Justice reported Thursday that states will have to spend more than $2 billion to protect their election systems in the next five years, including replacing outdated machines or purchasing the software improvements necessary to help harden existing equipment against hackers. Updating software is a “regular and important part” of cybersecurity, the Center for Democracy & Technology warned in a statement. But even when a software patch is available, states can’t compel “severely under-resourced” local elections officials to buy and implement the improvement, said Jared Dearing, executive director of the Kentucky State Board of Elections. On top of those hurdles, Dearing said, the process of certifying elections equipment to federal standards leaves machines in “a time capsule of when that system was developed.”

National: Hackers can easily break into voting machines used across the U.S.; play Doom, Nirvana | Igor Derysh/Salon

Voting machines used in states across the United States were easily penetrated by hackers at the Def Con conference in Las Vegas on Friday. Participants at Def Con, a large annual hacker conference, were asked to try their skills on voting machines to help expose weaknesses that could be used by hostile actors. A video published by CNN shows a hacker break into a Diebold machine, which is used in 18 different states, in a matter of minutes, using no special tools, to gain administrator-level access. Hackers also quickly discovered that many of the voting machines had internet connections, which could allow hackers to break into machines remotely, the Washington Post reported. Motherboard recently reported that election security experts found that election systems used in 10 different states have connected to the internet over the last year, despite assurances from voting machine vendors that they are never connected to the internet and therefore cannot be hacked. The websites where states post election results are even more susceptible. The event had 40 child hackers between the ages of 6 and 17 attempt to break into a mock version of the sites. Most were able to alter vote tallies and even change the candidates’ names to things like “Bob Da Builder,” CNNreported. “Unfortunately, it’s so easy to hack the websites that report election results that we couldn’t do it in this room because [adult hackers] would find it boring,” event organizer Jake Braun told CNN.

National: Election Assistance Commission Urged to Finalize 2020 Security Standards | Jack Rodgers/Courthouse News

During a forum on election security Thursday, Connecticut’s secretary of state urged a federal agency in charge of the process to act quickly in issuing new security standards for voting systems so states can update software in time for the 2020 election. The U.S. Election Assistance Commission hosted three panels of witnesses, all of whom testified on ways to improve the security of the nation’s election systems during a three-hour forum in Washington, D.C. Last year, Congress appropriated $380 million under the Help America Vote Act, which makes funds available for states to update election security measures and voter registration methods. However, the federal funds, coupled with a state-required match, were not enough to completely update voting equipment across the country. During Thursday’s first panel, the secretaries of state for Connecticut and Louisiana, Denise Merrill and Kyle Ardoin, respectively, both spoke to the benefits of this funding. Merrill said that with the $5 million in HAVA funds appropriated to her state last year, Connecticut had implemented a virtual system that allows those in election advisory roles to view every desktop used for counting and reporting votes in the state. In most of the state’s 169 towns, methods of recording votes differ depending on the area, Merrill said, also noting that some towns don’t use computers.

National: States and localities are on the front lines of fighting cyber-crimes in elections | Elaine Kamarck/Brookings

When it comes to fighting illegal intrusions into American elections, the states and localities are where the rubber meets the road—that is where American elections are administered. This authority is grounded in more than tradition; it derives from Article I, Section 4 of the Constitution. That section notes that while Congress has the authority to intervene in the setting of elections, election administration is largely a function of state and local government. Given this situation, election law and practice vary considerably from state to state, which leads to a number of ramifications. On the one hand, this decentralization makes it hard for a single cyberattack to take down the entire American election system. But having a fragmented system poses some disadvantages as well. Some states and localities are simply better equipped to protect against cyber intrusions than others, and an adversary seeking to sow doubt and confusion about the integrity of an election needs to compromise only a few parts of the entire system in order to undermine public confidence. The vulnerabilities in election administration exist at every step of the process, from the registration of voters, to the recruitment of poll workers for election day, to the books of registered voters at polling places, to the devices that capture and tally the vote, to the transmission of that data to a central place on election night and to the ability to execute an accurate recount. Every state and locality wants to run a fair election but they are limited by inadequate funding, the absence of trained personnel, and outdated technology.

National: Ex-CIA chief worries campaigns falling short on cybersecurity | Maggie Miller/The Hill

Democratic 2020 presidential campaigns say they are working to boost their cybersecurity, but experts worry those efforts may not be enough. Former acting CIA Director Michael Morell told The Hill he worries there is a “void” and that campaigns need outside help to fully address the issue. “There is not a lot of initial thought given to cybersecurity,” Morell said about the campaigns. Several campaigns insist they have prioritized the issue. Chris Meagher, the spokesman for South Bend, Ind., Mayor Pete Buttigieg’s campaign, told The Hill that “our campaign is committed to digital security,” noting the hiring of a full-time chief information security officer (CISO), Mick Baccio, last week. “Hiring a full-time CISO is one way we are protecting against cyberattacks,” Meagher added. A spokesperson for the presidential campaign of former Rep. Beto O’Rourke (D-Texas) told The Hill they are “actively engaged in defending our operation from disinformation and other cyberattacks.” The spokesperson emphasized that “whether it’s training staff as a part of our onboarding process, requiring staff to use complex passwords to protect mobile devices, or using secure messaging services, this campaign understands that protecting our information requires a comprehensive approach to prepare for and manage attacks.”

Editorials: Trump is holding election security hostage | Brian Klaas/The Washington Post

President Trump is holding American election security hostage in a bid to suppress votes in his reelection campaign. On Tuesday, Trump tweeted that “No debate on Election Security should go forward without first agreeing that Voter ID (Identification) must play a very strong part in any final agreement. Without Voter ID, it is all so meaningless!” In other words, he is explicitly acknowledging that he will allow known vulnerabilities in American election security infrastructure to remain as inviting targets to foreign adversaries of the United States — unless he gets his way on a long-standing Republican priority. But the evidence is clear: Foreign attacks on American democracy are an urgent, ongoing threat to national security that could result in the entire democratic process being rigged or hacked. On the other hand, voter fraud — the problem that voter ID legislation is ostensibly trying to solve — has already been solved. It’s a minuscule problem that poses virtually no threat to American elections.

Connecticut: Chief elections official says Connecticut’s electronic voting machines are ‘coming to the end of their useful life’ | Mark Pazniokas/CT Mirror

Connecticut’s current system of casting and counting votes has its roots in the chaotic presidential election of 2000. With the winner unclear for a month, it was a frightening moment in U.S. politics that led to a bipartisan consensus about the need to maintain confidence in the integrity of elections. Passage of the federal Help Americans Vote Act in 2002 established broad standards for the conduct of elections and provided funding for new hardware, leading Connecticut in 2006 to abandon its old mechanical lever voting machines for a mix of the old and new — paper ballots counted by computer-driven tabulators. “We fortunately made the right choice,” Secretary of the State Denise Merrill said Wednesday. A proposed Voter Empowerment Act now before Congress would make hybrid systems like Connecticut’s the new federal standard: Using computers to quickly count votes, while maintaining paper ballots as a check on computer hacking and other forms of cyber fraud. President Trump recently endorsed paper ballots on Twitter. But as Merrill and U.S. Sen. Richard Blumenthal made clear Wednesday at a press conference on elections security, the technical and political challenges in protecting U.S. elections are far more complex today than in the aftermath of the Florida recount in the Bush-Gore campaign of 2000. Blumenthal arrived at Merrill’s state Capitol office with his right arm in a sling. He had surgery last week for a torn rotator cuff.

Florida: Broward County elections chief says military adversary could hack US elections. ‘There are forces bigger than us.’ | Anthony Man/South Florida Sun-Sentinel

Broward Supervisor of Elections Peter Antonacci said Wednesday that a determined effort to hack elections — if it’s undertaken by the military of a significant foreign adversary — could prove successful. Antonacci said in an interview he was acknowledging the obvious reality, even though it’s something many people don’t want to recognize. “If the military organizations of our adversaries around the world decide to do something, technically they have the capability to do it,” he said. “There are forces bigger than us and people much bigger than us that may wish us wrong. If they have the intent and capacity, bad things can happen.” Antonacci said publicly offering the assessment isn’t the kind of thing that will endear him to the broad universe of people who run elections, including other county elections supervisors. “My fellow supervisors will probably drum me out of the club,” he said. “The general thing people in my business like to say is ‘Everything’s OK.’” Antonacci, who oversees elections in Florida’s second-largest county, said his job is to make sure that Broward County has as many safeguards as it can and to have systems in place that can detect if and when something happens. “What we can do as little people in that drama is make sure our system is protected as much as possible.”

Georgia: Judge Says Georgia To Use Old Electronic Voting Machines For 2019 Elections | Stephen Fowler/NPR

A federal judge has denied a request to move all of this fall’s municipal elections in Georgia away from “unsecure, unreliable and grossly outdated technology” and toward hand-marked paper ballots that are optically scanned and counted. The order from U.S. District Court Judge Amy Totenberg Thursday also requires the state to cease using its direct-recording electronic voting machines after 2019 and expresses doubts about the state’s ability to roll out its new ballot-marking device system in time for the March 24, 2020, presidential primary election. In the decision, Totenberg also directs the Georgia secretary of state’s office to develop a plan to “address errors and discrepancies in the voter registration database” and have paper copies of poll books at each voting precinct. The state must also create a contingency plan for the 2020 elections in case the new system is not completely rolled out. That includes designating several pilot jurisdictions that will use hand-marked paper ballots with optical scanners in their elections this fall. A group of election integrity advocates and Georgia voters sued the secretary of state’s office in 2017 alleging that the current DRE system is not secure and is vulnerable to hacking. Last year, Totenberg denied a similar motion for preliminary injunction that would have blocked the DREs from being used in the 2018 midterm election. The current motion sought to prevent the machines from being used this fall in several hundred local elections.

Georgia: Judge denies paper ballots in Georgia this year but requires them in 2020 | Mark Niesse/The Atlanta Journal-Constitution

A federal judge ruled Thursday that Georgia voters can cast ballots on the state’s “unsecure, unreliable and grossly outdated” electronic voting machines one last time, deciding it would be too disruptive to switch to paper ballots before this fall’s elections. But starting with next year’s presidential primary election, paper ballots will be required, according to the ruling by U.S. District Judge Amy Totenberg. Her order barred the state from using its current electronic voting machines after this year’s elections.Election officials are already planning to upgrade the state’s voting system by buying $107 million in new equipment that will use a combination of touchscreens and printed-out paper ballots to check the accuracy of election results.If the state’s new voting system isn’t completely rolled out to all 159 counties in time for the March 24 presidential primary, Totenberg ruled that voters must use paper ballots filled out by hand. “Georgia’s current voting equipment, software, election and voter databases are antiquated, seriously flawed and vulnerable to failure, breach, contamination and attack,” Totenberg wrote. Totenberg wrote it would be “unwise” to immediately discard the state’s 17-year-old voting machines, which lack paper ballots that could be used to check the accuracy of election results. She wrote that it could be “a recipe for disaster” to force resistant election officials to switch to hand-marked paper ballots this year while they’re also transitioning to the state’s new voting system. Her 153-page ruling clears the way for 386 local elections to move forward as planned this fall, including votes for the Atlanta school board, the Fulton County Commission and city councils across the state.

Kentucky: Election official says counties can’t upgrade cybersecurity because they’re ‘severely under resourced’ | Kevin Collier/CNN

A top Kentucky election official said Thursday that counties there are “severely under resourced,” affecting their abilities to provide adequate cybersecurity. “Most of us cannot compel our local election jurisdictions to update their equipment,” said Jared Dearing, executive director of the Kentucky State Board of Elections, before an Elections Assistance Commission panel in Silver Spring. The comments came a week after the annual Def Con hacking conference in Las Vegas, where the three lawmakers who attended — all Democrats — blamed Kentucky Republican Mitch McConnell, the Senate majority leader, for the Congress’ stagnation on any election security bill. At Def Con, a group of election security researchers host a Voting Village, now in its third year, where independent hackers try to break into decommissioned voting equipment. While no system can be guaranteed safe from hackers, election security experts — including ones consulted for the bipartisan Senate Intelligence Committee report on the subject — resoundingly say that machines need to be routinely updated and use paper ballots so results can be audited.

Pennsylvania: More-secure hand-marked ballots are also cheaper for Pennsylvania counties | Christopher Huffaker/Pittsburgh Post-Gazette

Election security experts told the Allegheny County Board of Elections in June that the best choice for secure elections is a voting system where most voters make their selections with a pen on paper — while those who need them have access to ballot-marking devices. A new analysis shows that for Pennsylvania counties that have already selected new systems, that is also the cheaper option. The analysis, from Citizens for Better Elections and the University of Pittsburgh Institute for Cyber Law, Policy and Security, looks at voting systems selected by 31 Pennsylvania counties, as required by a post-2016 election state lawsuit settlement. The remaining 36 counties, including Allegheny County, had yet to make the decision by Aug. 5, when the analysis was done. A voting machine search committee, composed of county employees, is expected to make a recommendation to the Allegheny County Board of Elections by the end of the summer. “Counties that selected exclusively ballot marking device configurations are spending more than two times as much as counties selecting primarily hand-marked paper ballot,” said the University of Pittsburgh’s Chris Deluzio, one of the study’s authors and also one of the experts who appeared before the Board of Elections in June.

Pennsylvania: Philladelphia’s voting-machine contract will move forward despite vendor’s failure to disclose its use of lobbyists | Jonathan Lai/Philadelphia Inquirer

Philadelphia’s acting board of elections voted Thursday to keep its current contract for new voting machines, days after the city’s legal department notified elections officials that the vendor had failed to disclose its lobbying activities. “In my opinion, the continued implementation of ES&S’s voting system … is the right decision for the city,” Judge Giovanni Campbell said at a meeting in City Hall, reading from a piece of paper. His comments, before voting to keep the contract, drew hisses and jeers of protest from dozens of people, many of whom had spoken during the meeting to urge him and the two other sitting board members to scrap the deal. “What’s the point of public comment?” one shouted. Another followed: “This is a charade!” Campbell, unmoved, stuck with his decision. “I do not believe that this process should be overturned or restarted,” he said, despite the revelation that Election Systems & Software (ES&S) had bid for the city contract without disclosing its use of lobbyists and those lobbyists’ donations, including to elections officials’ reelection campaigns. In a meeting and letter, the city solicitor told the elections board that the contract was now voidable and that ES&S is liable for a $2.9 million fine, equal to 10% of the contract. But the city’s procurement commissioner also warned in a letter that the process was far along and going smoothly, and that restarting would risk not having new voting machines in place by the April 2020 presidential primary election. On Thursday, the two judges serving on the board of elections agreed.

Editorials: Security improvements for South Carolina elections are welcome news | Charleston| Post and Courier

South Carolina’s new voting machines that leave a paper trail for audits and cannot be hacked remotely get their first workout Oct. 1 in a special election in Aiken County, and will be operable in all precincts around the state by November. But that’s not the only welcome improvement in the state’s election security. Others address training in cybersecurity for election workers and include frequent tests of the vulnerability of state systems to intrusion. These upgrades, a response to the ongoing threat posed by Russia and other foreign adversaries, are the product of a fruitful collaboration between the federal government and the states. The federal Election Assistance Commission provides an information clearinghouse for best practices and also certifies voting machines and associated hardware and software. The Department of Homeland Security keeps states up to date on the latest security threats. The states receive federal grants to help defray the added costs of enhanced security.

National: At Def Con, hackers and lawmakers came together to tackle holes in election security | Taylor Telford/The Washington Post

As Sen. Ron Wyden (D-Ore.) toured the Voting Village on Friday at Def Con, the world’s hacker conference extraordinaire, a roomful of hackers applied their skills to voting equipment in an enthusiastic effort to comply with the instructions they had been given: “Please break things.” Armed with lock-pick kits to crack into locked hardware, Ethernet cables and inquiring minds, they had come for a rare chance to interrogate the machines that conduct U.S. democracy. By laying siege to electronic poll books and ballot printers, the friendly hackers aimed to expose weaknesses that could be exploited by less friendly hands looking to interfere in elections. Wyden nodded along as Harri Hursti, the founder of Nordic Innovation Labs and one of the event’s organizers, explained that the almost all of the machines in the room were still used in elections across the United States, despite having well-known vulnerabilities that have been more or less ignored by the companies that sell them. Many had Internet connections, Hursti said, a weakness savvy attackers could abuse in several ways. Wyden shook his head in disbelief. “We need paper ballots, guys,” Wyden said. After Wyden walked away, a few hackers exchanged confused expressions before figuring out who he was. “I wasn’t expecting to see any senators here,” one said with a laugh.

Pennsylvania: Philadelphia’s new voting-machine contract in jeopardy because vendor failed to disclose use of lobbyists, campaign contributions | Andrew Seidman/Philadelphia Inquirer

Six months after Philadelphia picked a vendor for its new voting machines, the contract is suddenly in jeopardy. City Solicitor Marcel S. Pratt notified the acting board of elections Monday that Election Systems & Software (ES&S) violated the city code by failing to disclose its use of lobbyists and the lobbyists’ campaign contributions, including to the two city commissioners who selected the system. The board of elections, normally composed of the city commissioners, will meet Thursday to decide whether to move forward with the contract. ES&S will be liable for a $2.9 million fine, Pratt wrote in his letter to the board, adding that it has agreed to pay the fine if the contract proceeds. Deputy City Commissioner Nick Custodio, the board’s spokesperson, said he would not comment until after Thursday’s meeting. Pratt also included a letter from the city’s procurement commissioner, Monique Nesmith-Joyner, who appeared to urge the commissioners to continue with the contract.

National: Voting machine companies balk at taking part in hacking event | Kevin Collier/CNN

At the country’s biggest election security bonanza, the US government is happy to let hackers try to break into its equipment. The private companies that make the machines America votes on, not so much. The Def Con Voting Village, a now-annual event at the US’s largest hacking conference, gives hackers free rein to try to break into a wide variety of decommissioned election equipment, some of which is still in use today. As in the previous two years, they found a host of new flaws. The hunt for vulnerabilities in US election systems has underscored tensions between the Voting Village organizers, who argue that it’s a valuable exercise, and the manufacturers of voting equipment, who didn’t have a formal presence at the convention. Supporters of the Voting Village say it’s the best way draw attention to problems with an industry that otherwise doesn’t face much public accountability, even in the wake of Russia’s foreign interference in the 2016 election. Their work has attracted the notice of several lawmakers, who are calling for new legislation to strengthen the integrity of US elections.

National: DEF CON Voting Village: It’s About ‘Risk’ | Kelly Jackson Higgins/Dark Reading

DHS, security experts worry about nation-state or other actors waging a disruptive or other attack on the 2020 election to sow distrust of the election process. When DEF CON debuted its first-ever Voting Village in 2017, it took just minutes for researcher Carsten Schürmann to crack into a decommissioned WinVote voting system machine via WiFi and take control of the machine such that he could run malware, change votes in the database, or even shut down the machine remotely. Several other researchers were able to break into other voting machines and equipment by pulling apart the guts and finding flaws by hand that year, and then again on other machines in the 2018 event. The novelty of the live hacking of decommissioned voting machines has worn off a bit now and there weren’t many surprises – nor did the organizers expect many – at this year’s Voting Village, held at DEF CON in Las Vegas last week. But once again the event shone a white hot light on blatant security weaknesses in decommissioned voting machine equipment and systems. “DEF CON is not about proving that voting machines can be hacked. They all can be hacked and 30 years from now, those can be hacked, too. It’s about making sure we understand the risk,” Harri Hursti, Nordic Innovation Labs, one of the founders of the Voting Village, told attendees last week. Hursti as well as other security experts, government officials, and hackers at this year’s event doubled down on how best to secure the 2020 US presidential election: ensuring there’s an audit trail with paper ballots; employing so-called risk-limiting audits (manually checking paper ballots with electronic machine results); and proper security hygiene in voting equipment, systems, and applications.

National: Democrats stump for election security, blast McConnell at hacker conference | Eric Geller/Politico

Democratic lawmakers emerged from the world’s largest hacker conference this weekend with a clear message: Congress must pass legislation to mandate better U.S. election security. In panels and interviews at DEF CON in Las Vegas, where a roomful of hackers demonstrated ways to breach insecure voting machines, those lawmakers focused their fury on the man proudly blocking their bills. “Why hasn’t Congress fixed the problem? Two words: Mitch McConnell,” Sen. Ron Wyden (D-Ore.) said during a Friday keynote address to a packed and largely supportive room at DEF CON’s Voting Village. Rep. Ted Lieu (D-Calif.), one of a handful of computer scientists in Congress, told POLITICO that when it came to his biggest election security concern, “I have two words: Mitch McConnell.” The Senate majority leader has repeatedly blocked votes in the upper chamber on two House Democratic bills that would require voting machines to produce paper records, mandate post-election audits and impose security requirements on election technology companies.

National: Here’s the political bind Democrats face when talking about election security | Joseph Marks/The Washington Post

Rep. Eric Swalwell (D-Calif.) applauded the crowd of cybersecurity researchers uncovering dangerous bugs in voting machines and other election systems at a security conference here — but he’s in a bind about how to talk about election security with constituents. Swalwell, who recently ended a long-shot presidential bid, believes chances are almost nil that Republicans will join Democrats to pass legislation mandating fixes to improve election security before the 2020 contest. By continuing to bang the drum about potential security weaknesses, he worries Democrats risk inadvertently convincing citizens that the election is bound to be hacked — and that there’s no point in voting. “If we tell voters the ballot box is not secure and that we have all these vulnerabilities … if we say that over and over and over, is the result of that suppressing [the vote]?” Swalwell asked a room of researchers this weekend at the Def Con cybersecurity conference’s Voting Village, which focuses exclusively on the security of election systems. This is a predicament that will only get harder for many Democrats who are coming to grips with the idea that they may have run out of time to require states to shift to paper ballots, post-election audits and other cybersecurity best practices before the 2020 contest. Swalwell believes these fixes will happen only if there’s a Democratic president and Congress in 2021 or later — even as intelligence officials warn the 2020 election is a major target for Russia and other adversaries looking to undermine the American political system.

National: Voting Machine Security: Where We Stand Six Months Before the New Hampshire Primary | Brennan Center for Justice

In late July, the Senate Select Committee on Intelligence released its report on the Russian government’s attacks on America’s election infrastructure. While the report offered dozens of recommendations related to vast and varied election systems in the United States (from voter registration databases to election night reporting), it pointedly noted that there was an urgent need to secure the nation’s voting systems in particular. Among the two most important recommendations made were that states should (1) replace outdated and vulnerable voting systems with “at minimum… a voter-verified paper trail,” and adopt statistically sound audits. These recommendations are not new and have been consistently made by experts since long before the 2016 election. Last year, Congress provided $380 million to states to help with upgrades, but it wasn’t enough. This analysis, six months ahead of the first primary for 2020, examines the significant progress we’ve made in these two areas since 2016, and it catalogs the important and necessary work that is left to be done.