National: Why paper is considered state-of-the-art voting technology | Karan Gambhir and Jack Karsten/Brookings

On June 27, the House passed a bill that would bolster America’s high-tech voting infrastructure with a low-tech fix: paper. Introduced by Rep. Zoe Lofgren (D-CA-19), the SAFE Act requires that all voting machines involve “the use of an individual, durable, voter-verified paper ballot of the voter’s vote.” While the inclusion of paper ballots may seem like a technological step backward, the SAFE Act’s affinity for paper is not a quirk. Election security experts from Harvard, Stanford and the Brennan Center for Justice all recommend the phasing out of paperless voting, and twelve of the thirteen Democratic candidates who have declared a position on election security support mandating the use of paper ballots. Yet despite expert consensus, political activism, and availability of funding, opposition in the Republican-controlled Senate makes it unlikely that the SAFE Act or any paper ballot standard will be implemented by 2020. With no method to verify votes in the case of software or hardware failure, paperless voting machines represent a large vulnerability. Failure to act on election security risks not only a loss of trust in the next election, but in the democratic process as a whole.

National: Senate Intelligence Committee report shows how electronic voting systems are inherently vulnerable to hackers. Fred Kaplan/Slate

Just hours after Senate Republicans blocked a vote on a bill to make elections less vulnerable to cyberattacks, the Senate Intelligence Committee released a 67-page report, concluding that, leading up to the 2016 election, Russians hacked voting machines and registration rolls in all 50 states, and they are likely still doing so. The heavily redacted document, based on a two-year investigation, found no evidence that the hackers altered votes or vote tallies, though it says they could have if they’d wanted to. However, three former senior U.S. intelligence officials with backgrounds in cybersecurity told me that the absence of evidence isn’t the same as the evidence of an absence. One of them said, “I doubt very much that any changes would be detectable. Certainly, the hackers would be able to cover any tracks. The Russians aren’t stupid.” Hacking individual voting machines would be an inefficient way to throw an election. But J. Alex Halderman, a computer scientist who has tested vulnerabilities for more than a decade, testified to the Senate committee that he and his team “created attacks that can spread from machine to machine, like a computer virus, and silently change election outcomes.” They studied touch-screen and optical-scan systems, and “in every single case,” he said, “we found ways for attackers to sabotage machines and steal votes.” Another way to throw an election might be to attack systems that manage voter-registration lists, which the hackers also did in some states. Remove people from the lists—focusing on areas dominated by members of the party that the hacker wants to lose—and they won’t be able to vote.

National: Vulnerability Scanning and Tools for Election Security | Phil Goldstein/StateTech Magazine

With 2020 political campaigns in full swing, the conversation of election security has again come to the fore. How can state and county election officials help secure their voting systems ahead of the 2020 elections? Vulnerability scanning is a good place to start. Such scans are a Software as a Service function that helps discover weaknesses and allows for both authenticated and unauthenticated scans. In June, perennial swing state Florida announced a $5.1 million investment into election cybersecurity following disclosures in May that two counties in the state fell victim to a spear phishing attack by Russian hackers in 2016. How dangerous is the election security threat landscape? It’s complicated and it covers everything from outdated voting machines that may be vulnerable to hacking to the networks used to process and transfer voting totals and voter registration rolls. Vulnerability scans and assessments of election infrastructure are critical, because “from a cyber perspective, every part of the election process that involves some type of electronic device or software is vulnerable to exploitation or disruption,” as a 2018 Belfer Center for Science and International Affairs report notes.

National: US still ‘not prepared’ in event of a serious cyber attack and Congress can’t help if it happens | Iain Thomson/The Register

Despite some progress, the US is still massively underprepared for a serious cyber attack and the current administration isn’t helping matters, according to politicians visiting the DEF CON hacking conference. In an opening keynote, representatives Ted Lieu (D-CA) and James Langevin (D-IL) were joined by hackers Cris Thomas, aka Space Rogue, and Jen Ellis (Infosecjen) to discuss the current state of play in government preparedness. “No, we are not prepared,” said Lieu, one of only four trained computer scientists in Congress. “When a crisis hits, it’s too late for Congress to act. We are very weak on a federal level, nearly 20 years after Space Rogue warned us we’re still there.” Thomas testified before Congress 20 years ago about the dangers that the internet could pose if proper steps weren’t taken. At today’s conference he said there was much still to be done but that he was cautiously optimistic for the future, as long as hackers put aside their issues with legislators and worked with them. “As hackers we want things done now,” he said. “But Congress doesn’t work that way; it doesn’t work at the ‘speed of hack’. If you’re going to engage with it, you need to recognise this is an incremental journey and try not to be so absolutist.”

National: Schumer calls for $1 billion national investment in election security | David Lombardo/Times Union

Election cybersecurity has the potential to be a growth industry as federal lawmakers push a $1 billion investment in safeguarding next year’s elections. The proposed spending was highlighted Monday by U.S. Sen. Charles E. Schumer, D-N.Y., who stopped in East Greenbush for a tour of the Center for Internet Security, which helps government agencies prevent hacking of elections. The non-profit company also worked with the presidential campaigns of Donald Trump and Hillary Clinton to buttress their systems from cyber attacks in 2016. The money for cybersecurity grants is part of legislation that would also require states to collect paper ballots, set minimum cybersecurity standards, direct federal officials to craft preventative measures states can implement, and impose testing of voting system vulnerabilities. Paper ballots are already used as a safeguard for New York elections. The U.S. Constitution empowers states to administer elections, which has resulted in varying standards across the country.

National: Analysis shows 2020 votes still vulnerable to hacking | Mary Clare Jalonick/Associated Press

More than one in 10 voters could cast ballots on paperless voting machines in the 2020 general election, according to a new analysis, leaving their ballots more vulnerable to hacking. A study released by the Brennan Center for Justice at NYU School of Law on Tuesday evaluates the state of the country’s election security six months before the New Hampshire primary and concludes that much more needs to be done. While there has been significant progress by states and the federal government since Russian agents targeted U.S. state election systems ahead of the 2016 presidential election, the analysis notes that many states have not taken all of the steps needed to ensure that doesn’t happen again. The report also notes that around a third of all local election jurisdictions were using voting machines that are at least a decade old, despite recommendations they be replaced after 10 years. The Associated Press reported last month that many election systems are running on old Windows 7 software that will soon be outdated. “We should replace antiquated equipment, and paperless equipment in particular, as soon as possible,” the report recommends.

Editorials: Why Are Florida Republicans So Afraid of People Voting? | The New York Times

Coral Nichols will be eligible to vote when she’s 190. That’s assuming the 40-year-old Floridian — who served five years in prison for fraud and embezzlement, followed by nearly 10 years on probation — is able to keep up with her $100 monthly restitution payments. Jermaine Miller thought he had fully repaid the $223.80 he owed in restitution for a 2015 robbery and trespass conviction. In fact, he paid $18.20 more than that, but Florida says he still has a balance due of $1.11 because of a 4 percent surcharge on restitution payments. On top of that, Mr. Miller owes $1,221 in court costs and fines, which he doesn’t have the money to pay. Ms. Nichols and Mr. Miller are two of more than 1.4 million Floridians with criminal records who have spent the last year Ping-Ponging between hope and despair over whether they can exercise their most fundamental constitutional right — the right to vote. Last November, nearly two-thirds of the state’s voters approved Amendment 4, a ballot initiative that erased Florida’s 150-year ban on voting by people with felony convictions, except for those convicted of murder or sexual offenses. It was one of the nation’s biggest expansions of voting rights in decades. Florida, which was one of just four states that imposed a lifetime voting ban, bars a higher percentage of its citizens from voting than any other state. The state also accounts for more than one in four citizens disenfranchised nationwide. But Florida’s Republican lawmakers decided Amendment 4 was too much democracy for their taste. In June, after thousands of formerly incarcerated people — including Jermaine Miller — had registered to vote, Gov. Ron DeSantis signed a law passed on party lines that effectively reinstates the ban for most of them, and for hundreds of thousands more people who had not yet registered.

Georgia: Test results for Georgia new voting system released | Mark Niesse/The Atlanta Journal-Constitution

Georgia’s new voting system passed equipment tests by a company hired to evaluate it for the state. The certification test results, released Monday, indicated that touchscreens, election computers, ballot scanners and other machinery can handle the stresses of an election. The tests identified one issue, when a ballot scanner suffered a “memory lockup” after reading 4,500 ballots. The problem was resolved by restarting the scanner. The testing by Pro V&V evaluated the voting equipment’s functionality. It didn’t grade the security of the $107 million voting system by Denver-based Dominion Voting Systems. Starting with the presidential primary on March 24, all Georgia voters will use touchscreens attached to printers that produce paper ballots. Voters will then be able to review their ballots before inserting them into optical scanners for tabulation. Ballots will be stored for audits and recounts. Secretary of State Brad Raffensperger issued his certification that the Dominion system is reliable and accurate on Friday after receiving the Pro V&V test results.

North Carolina: Elections board to pick chair, key decision looms | Associated Press

The North Carolina elections board has a new leader ahead of a decision on what kind of voting machines are secure against efforts to alter ballots. The state Board of Elections voted Tuesday to make nonprofit executive Damon Circosta of Raleigh its new chairman. Gov. Roy Cooper last week picked Circosta as the Democrat to replace former chairman Bob Cordle, who resigned after telling a crude joke. Circosta was politically unaffiliated last year when he was named chairman of a different version of the elections board. He now joins two other Democrats and two Republicans. The elections board later this month is expected to decide whether the next generation of voting machines should be required to furnish a paper printout so voters can read and confirm their ballots.

Pennsylvania: Under orders to replace voting machines, Pennsylvania counties wonder when they’ll see state money | Jonathan Lai/The Morning Call

As Pennsylvania county election officials replace the state’s voting machines in advance of the 2020 election — at an estimated cost of $150 million — they’re anxious for an end to a dispute between Gov. Tom Wolf and Republican lawmakers that has tied up state funding and forced counties to shoulder most of the financial burden. Wolf announced last month that he would seek $90 million for the machines. However, that prompted the threat of a lawsuit by Republicans in the Legislature, and the fate of the funding has become tied to partisan fights over the governor’s authority and significant changes to the electoral system. So 16 months after Wolf ordered the counties to replace the machines, the only funding available is $14.1 million in mostly federal dollars. No new funding has been secured. While Harrisburg bickers, county officials say they’re forced to move forward anyway, hoping for reimbursement later.

West Virginia: Cybersecurity, meddling the focus of state election officials conference | WV MetroNews

West Virginia Secretary of State Mac Warner and his office are getting local officials from all 55 counties in the state in gear for the 2020 elections. The Secretary of State’s office is hosting a 2019 Election Officials Training Conference in Lewis County this week that focuses on local officials knowing their resources, knowing cybersecurity and the threats that Russian meddling may bring. “This is time to get everyone’s head thinking elections,” Warner said on Monday’s MetroNews ‘Talkline’. “Taking care of all the security protocols, what do you do if and when something happens, and making sure everybody is current with the legislative changes. Then allow them to go back to their counties and start implementing.” Warner said the conference Tuesday, at Stonewall Resort, will feature national security and election officials for the 160 state leaders on hand to hear from.

Wisconsin: Elections Commission votes to boost election security spending | Briana Reilly/The Cap Times

The Wisconsin Elections Commission has moved to bolster local election security efforts in light of concerns that some clerks’ use of outdated computer operating systems could open up the state to cyberattacks in future election cycles. The efforts, approved unanimously by the panel on Tuesday, aim to address potential vulnerabilities across the state, where some clerks are using out-of-date computer systems or failing to install software patches and updates, according to a memo released ahead of the meeting. Commission Chair Dean Knudson noted that while the panel has “hardened our defenses tremendously over recent years,” it’s important to continue identifying potential issues and addressing them. “This is about looking at what we can do to further strengthen our defenses,” the Republican appointee said. Commissioners Tuesday agreed to direct existing federal dollars to implement software to track the security levels of local elections officials’ computers, at a cost of up to $69,000, create a $30,000 emergency loan program to secure 25 devices that could be temporarily handed out to local clerks who aren’t able to comply with security protocols and take preliminary steps to hire a technical support position. The action came after WEC’s election security lead Tony Bridges detailed in a memo his concerns about local clerks’ use of outdated operating systems to access the WisVote database, the statewide voter registration and election management system, including Windows XP, where security patches haven’t been supported since 2014. Meanwhile, the memo also noted others are using Windows 7 to utilize the database, and Microsoft won’t be providing free security updates for it after mid-January 2020. Not maintaining a current operating system, Bridges’ memo states, “exposes the user to tremendous risk.” He referenced a recent incident in Georgia in which hackers orchestrated a ransomware attack using Ryuk on Jackson County systems, causing officials to pay $400,000 to regain access to their information. If systems in Wisconsin are similarly attacked, the memo said, confidential information could be exposed, digital records could be destroyed, election night results may not be displayable and absentee ballot distribution and poll book printing could be impacted, among other things.

National: Hackers Take on Darpa’s $10 Million Voting Machine | Lily Hay Newman/WIRED

For the last two years, hackers have come to the Voting Village at the DefCon security conference in Las Vegas to tear down voting machines and analyze them for vulnerabilities. But this year’s Village features a fancy new target: a prototype secure voting machine created through a $10 million project at the Defense Advanced Research Projects Agency. You know it better as Darpa, the government’s mad science wing. Announced in March, the initiative aims to develop an open source voting platform built on secure hardware. The Oregon-based verifiable systems firm Galois is designing the voting system. And Darpa wants you to know: its endgame goes way beyond securing the vote. The agency hopes to use voting machines as a model system for developing a secure hardware platform—meaning that the group is designing all the chips that go into a computer from the ground up, and isn’t using proprietary components from companies like Intel or AMD. “The goal of the program is to develop these tools to provide security against hardware vulnerabilities,” says Linton Salmon, the project’s program manager at Darpa. “Our goal is to protect against remote attacks.” Other voting machines in the Village are complete, deployed products that attendees can take apart and analyze. But the Darpa machines are prototypes, currently running on virtualized versions of the hardware platforms they will eventually use. A basic user interface is currently being provided by the secure voting firm VotingWorks.

National: Mayberry v. Moscow: How Local Officials Are Preparing to Defend the 2020 Elections | AJ Vicens/Mother Jones

In early June, the Allegheny County Board of Elections held a special meeting in downtown Pittsburgh, inviting a trio of election security experts to offer advice as the county selects new voting equipment. Marian Schneider, a former Pennsylvania state elections official and the current president of Verified Voting, an election security watchdog group, gave an opening statement framing the day’s conversation in stark terms. “Twenty sixteen demonstrated what many of us have long believed…the threat to our computerized voting system was not merely theoretical, but real and persistent,” she warned, reiterating that another nation had “conducted a well-orchestrated attack on American democracy.” The members of the board solemnly listened, took copious notes, and thanked the panel for their expertise as they assessed bids offering new and more secure equipment. After the meeting, Candice Hoke, a longtime election administration and security expert who’d also been invited to speak, described the gathering as an unusual bright spot, contrasting the attention Allegheny County had devoted to the issue to many places around the country where the state of election security lags. Efforts by federal agencies to work with states and jurisdictions to improve election security are helping, Hoke says, but the bureaucrats overseeing the country’s more than 10,000 election jurisdictions are still routinely outmatched.

National: Are States Taking Cybersecurity Seriously Enough? | Katherine Barrett & Richard Greene/Governing

A spike in cyberattacks in recent months has left state and local governments reeling. Baltimore faces more than $18 million in losses following a May ransomware attack. Several Florida cities were hit in June. And Los Angeles police data was hacked in late July. A 2018 report from the National Association of State Chief Information Officers (NASCIO) found one unidentified state undergoing 300 million attacks a day — up from 150 million two years before. Cybersecurity and risk management is at the top of CIOs’ list of 10 priorities for 2019, according to an annual NASCIO survey. Rhode Island was making it the biggest priority. In 2017, it became one of only two states with a cabinet-level cybersecurity position. (The other is Idaho, according to Meredith Ward, NASCIO’s director of policy and research.) But this pioneering approach wasn’t long-lived in Rhode Island. Last month, the position was removed from the state’s 2020 budget. High-level officials in the state, including its CIO, are confident that cybersecurity will continue to be a priority, but others worry it will receive less attention.

National: Senator: Status quo on voting machine security is a ‘danger to our democracy’ | Alfred Ng/CNET

In the aftermath of the 2016 US presidential election, lawmakers have seen little change in security for voters. But if voting machine security standards don’t change by the 2020 presidential election, Sen. Ron Wyden warns, the consequences could be far worse than the cyberattacks of 2016. The Democrat from Oregon, who is a member of the Senate Intelligence committee, told the Defcon hacking conference that US voting infrastructure is failing to keep elections secure from potential cyberattacks. He made the comments in a Friday speech at the Voting Village, a special section of the Las Vegas conference dedicated to election security. “If nothing happens, the kind of interference we will see from hostile foreign actors will make 2016 look like child’s play,” Wyden said. “We’re just not prepared, not even close, to stop it.” Election security has been a major concern for lawmakers since the 2016 election, which saw unprecedented interference by the Russians. Though no votes are believed to have been changed, the Russians targeted election systems in all 50 states, according to the Senate Intelligence Committee. Legislation to protect elections has trudged along in Congress. Multiple members of Congress were at Defcon to discuss the issue, as well as to learn about cybersecurity policy.

National: DARPA’s $10 million voting machine couldn’t be hacked at Defcon (for the wrong reasons) | Alfred Ng/CNET

For the majority of Defcon, hackers couldn’t crack the $10 million secure voting machine prototypes that DARPA had set up at the Voting Village. But it wasn’t because of the machine’s security features that the team had been working on for four months. The reason: technical difficulties during the machines’ setup. Eager hackers couldn’t find vulnerabilities in the DARPA-funded project during the security conference in Las Vegas because a bug in the machines didn’t allow hackers to access their systems over the first two days. (DARPA is the Defense Advanced Research Projects Agency.) Galois brought five machines, and each one had difficulties during the setup, said Joe Kiniry, a principal research scientist at the government contractor.  “They seemed to have had a myriad of different kinds of problems,” the Voting Village’s co-founder Harri Hursti said. “Unfortunately, when you’re pushing the envelope on technology, these kinds of things happen.” It wasn’t until the Voting Village opened on Sunday morning that hackers could finally get a chance to look for vulnerabilities on the machine. Kiniry said his team was able to solve the problem on three of them and was working to fix the last two before Defcon ended.

National: Why blockchain-based voting could threaten democracy | Lucas Mearian/Computerworld

Public tests of blockchain-based mobile voting are growing. Even as there’s been an uptick in pilot projects, security experts warn that blockchain-based mobile voting technology is innately insecure and potentially a danger to democracy through “wholesale fraud” or “manipulation tactics.” The topic of election security has been in the spotlight recently after Congress held classified…

National: Election Systems Are Even More Vulnerable Than We Thought | Louise Matsakis/WIRED

Hacker summer camp is here again! You know what that means: WIRED is back in Las Vegas for the annual Black Hat and Defcon security conferences, where we’re digging into the latest and greatest hacks on display. First, let’s talk about iPhones. A researcher found it’s possible to break into one just by sending a text message. To help uncover similar vulnerabilities in the future, Apple is handing out new, hacker-friendly iPhones to its favorite security researchers, and paying up to $1.5 million in bug bounties. Moving on to planes. Boeing’s 787 jets might not be very secure, it turns out—Andy Greenberg talked to a security researcher who found multiple serious flaws in the code for one of the plane’s components. (The 787 is distinct from the 737 MAX plane grounded earlier this year, although a recent test flight of that jet had its ups and downs, as WIRED’s transportation desk reports.) That’s not all that’s happening in Vegas. Safecrackers can unlock an ATM in minutes without leaving a trace. Apple pay buttons can make websites less safe. Have you heard of DDOS attacks? Kindly meet their cousin, the DOS attack. Lily Hay Newman also looked at two very old bugs that have continued to persist, one in desk phones and another in a ubiquitous encryption algorithm. Lastly, check out this very cool fake hospital, where real medical devices get hacked on purpose.

National: Top DHS cyber official calls paper ballot backups necessary for 2020 election | Kevin Collier and Caroline Kelly/CNN

The top cybersecurity official at the Department of Homeland Security said Friday that backup paper ballots would be a necessary part of 2020 election security. “Ultimately when I look at 2020, the top priority for me is engaging as far and wide as possible, touching as many stakeholders as possible, and making sure we have auditability in the system,” Chris Krebs, DHS’ top cyber official, said at a DEFCON cyber conference Friday when discussing election security. “IT, key tenant, can’t audit the system, can’t look at the logs, you don’t know what happened,” he added. “Gotta get auditability, I’ll say it, gotta have a paper ballot backup.” Krebs said that he doesn’t “have all the answers” on election security, adding that “a lot of these policy suggestions are not my job to answer — Congress has a role here.” The cyber head also called for state legislatures to pick up the slack along with federal lawmakers in addressing a lack of much needed funds to update different states’ election systems. “I don’t know where, for instance, the state of New Jersey is going to get their money to update their systems,” Krebs said. “I don’t know where some of these other states that have (paperless machines) without a paper trail associated with it — I don’t know where they’re going to get the money, but they need it.”

Editorials: 2020 and the black-box ballot box | Jon Evans/TechCrunch

One of the scarier notions in the world today is the prospect of American voting machines being compromised at scale: voters thrown off rolls, votes disregarded, vote tallies edited, entire elections hacked. That’s why the nation’s lawmakers and civil servants flocked (relatively speaking) to Def Con in Las Vegas this week, where hackers at its Voting Village do their best to prove the potential vulnerabilities — including, in some cases, remote command and control — of voting systems. There are several ways to help secure voting. One, thankfully, is already in place; the decentralization of systems such that every state and county maintains its own, providing a bewildering panoply of varying targets, rather than a single tantalizing point of failure. A second, as security guru Bruce Schneier points out, is to eschew electronic voting machines altogether and stick with good old-fashioned paper ballots.

Georgia: New Georgia voting system certified by secretary of state | Mark Niesse/The Atlanta Journal-Constitution

Secretary of State Brad Raffensperger certified that Georgia’s new voting system is reliable and accurate Friday as state officials finalized a $107 million contract with Dominion Voting Systems. The certification of the new voting system, which combines touchscreens and paper ballots, was required before it could be used in Georgia elections. The state had announced last week that Dominion won the state’s voting contract, before certification testing had been completed. Raffensperger found that the Dominion system “has been thoroughly examined and tested,” according to his certification, filed in federal court Friday. His office didn’t release the results of certification testing Friday, which was conducted by a Huntsville, Ala.-based company called Pro V&V. But state rules give the secretary of state broad discretion to certify the voting system.

Georgia: New voting machines certified by the state | Kate Brumback/Associated Press

Georgia’s secretary of state certified new touchscreen voting machines as election-safe in court documents Friday, bidding to put behind the acrimonious 2018 electoral season marred by reports of malfunctioning voting equipment, hourslong wait times and criticism that the state’s outdated machines were vulnerable to hacking. Republican Brad Raffensperger’s office formally awarded a $106 million contract to a Denver-based company, Dominion Voting Systems, for machines it said met state law for election security after neither losing vendor challenged Dominion’s winning bid. The developments came in court documents filed by attorneys defending state election officials against a lawsuit challenging Georgia’s current voting system and seeking statewide use of hand-marked paper ballots.

Illinois: Hackers got info for 76,000 Illinois voters in 2016. Here’s what’s being done in Macon County. | Tony Reid/Herald-Review

The person in charge of safeguarding Macon County’s electoral system from Russian hacker attacks or other nefarious onslaughts said he’s confident local ballots are secure. Macon County Clerk Josh Tanner, recently returned from a cybersecurity conference, said much has been done to beef up system firewalls and protections in the three years since Russian hackers infiltrated the Illinois voter registration database. Tanner said state grant money — he’s not allowed to reveal how much, but it’s into the thousands — paid for consultants who tested the county’s voting system earlier this year by trying to hack into it. They weren’t successful, but Tanner said the exercise produced a detailed report highlighting areas that needed beefing up. He said county clerks like himself have to be aware of defending against other threats. “There are other ways of causing mischief than just to penetrate the voting system,” said Tanner, a Republican elected in November. “There are denial of service attacks where they don’t actually penetrate your system but they can bombard it with traffic, slowing it down. The consultants help us focus on how to tie-down the system and protect it.”

Rhode Island: Voting machines had modems in 2016 and 2018. Now the state is assessing its hackability. | Patrick Anderson/Providence Journal

Before the 2016 election, the state bought voting machines equipped with Verizon modems that transmit preliminary election results to the state Board of Elections — speeding the state’s ability to declare winners on election night, but also exposing the system to potential meddling. Election hacking fears rekindled by the federal Russia probe have prompted Rhode Island election officials to take a closer look into whether the state’s voting systems are vulnerable to attack. The new concerns relate to the state’s decision to buy voting machines before the 2016 election equipped with their own Verizon modems that transmit preliminary election results to the state Board of Elections after the polls close. The modems have helped shorten the time it takes the state to declare winners on election night. But because any internet connection exposes a system to potential cyberattack, the federal government never certified the modem-equipped machines for states to use. And this summer the U.S. Senate committee investigating Russian efforts to breach the 2016 election urged states to tighten their election security, use only federally approved voting machines and “remove (or render inert) any wireless networking capability” such as a modem.

Wisconsin: Election officials trying to address outdated equipment | Lawrence Andrea/Milwaukee Journal Sentinel

Wisconsin elections officials are considering spending more than $800,000 to replace outdated equipment, update software and further address computer security as the state prepares for the 2020 presidential election. Among the proposals in a Wisconsin Elections Commission plan is to establish a program that would lend new computers to municipalities with outdated operating systems. More than 500 state elections system users are on computer systems that have reached the end of their life or will do so in the next six months, according to a commission memo. Some of these users have plans to update their systems, but the commission is proposing lending 250 devices to municipalities unable to replace them. The loans will be free and distributed on a first-come, first-served basis. The equipment is expected to cost up to $300,000. The commission staff knows “that at least a handful” of clerks are logging into the WisVote voter registration and election management system with operating systems that are no longer receiving security updates, according to the memo. It also notes that hundreds of clerks are using Microsoft Windows 7, for which Microsoft will stop providing free updates in January.

Wisconsin: Expert: Many Wisconsin elections clerks use outdated systems | Todd Richmond/Associated Press

Hundreds of local clerks are using outdated computer systems or aren’t installing security patches, leaving Wisconsin’s election system vulnerable to potentially devastating cyberattacks, state elections officials fear. Election officials across the country have stepped up efforts to block hackers from wreaking havoc during the 2020 contests after Russians interfered with the 2016 presidential election. Congress has been warned that there could be more foreign interference next year, when Wisconsin is expected to be a presidential swing state again. But Wisconsin Elections Commission Election Security Lead Tony Bridges said in a memo to commissioners released Friday that some local clerks are still logging into the state election system using Windows XP or Windows 7. Microsoft stopped supporting Windows XP in 2014 and said it will stop providing free security updates for Windows 7 starting in January. Bridges wrote that it’s safe to assume a large percentage of clerks won’t upgrade before the deadline or pay for updates. Even clerks with current operating systems often fail to install security patches, he said. The failure to maintain current operating systems exposes state elections to tremendous risk, Bridges wrote. He pointed to an incident in March in which a ransomware variant called Ryuk shut down vital systems in Jackson County, Georgia, including computers supporting emergency dispatch. Ransomware is software designed to shut down computer systems or data until a ransom is paid.

National: Critical U.S. Election Systems Have Been Left Exposed Online Despite Official Denials | Kim Zetter/Motherboard

For years, U.S. election officials and voting machine vendors have insisted that critical election systems are never connected to the internet and therefore can’t be hacked. But a group of election security experts have found what they believe to be nearly three dozen backend election systems in 10 states connected to the internet over the last year, including some in critical swing states. These include systems in nine Wisconsin counties, in four Michigan counties, and in seven Florida counties—all states that are perennial battlegrounds in presidential elections. Some of the systems have been online for a year and possibly longer. Some of them disappeared from the internet after the researchers notified an information-sharing group for election officials last year. But at least 19 of the systems, including one in Florida’s Miami-Dade County, were still connected to the internet this week, the researchers told Motherboard. The researchers and Motherboard have been able to verify that at least some of the systems in Wisconsin, Rhode Island, and Florida are in fact election systems. The rest are still unconfirmed, but the fact that some of them appeared to quickly drop offline after the researchers reported them suggests their findings are on the mark.

National: You can easily secure America’s e-voting systems tomorrow. Use paper – Bruce Schneier | The Register

While various high-tech solutions to secure electronic voting systems are being touted this week to election officials across the United States, according to infosec guru Bruce Schneier there is only one tried-and-tested approach that should be considered: pen and paper. It’s the only way to be sure hackers and spies haven’t delved in from across the web to screw with your vote. “Paper ballots are almost 100 per cent reliable and provide a voter-verifiable paper trail,” he told your humble Reg vulture and other hacks at Black Hat in Las Vegas on Thursday. “This isn’t hard or controversial. We use them all the time in Minnesota, and you make your vote and it’s easily tabulated.” The integrity of the election process depends on three key areas: the security of the voter databases that list who can vote; the electronic ballot boxes themselves, which Schneier opined were the hardest things to hack successfully; and the computers that tabulate votes and distribute this information.

National: Here’s how the Justice Department wants to befriend ethical hackers – The Washington Post

The Justice Department’s relationship with the cybersecurity research community has historically been tempestuous, but Leonard Bailey is on a mission to improve it. That’s what brings him here, to the BSides cybersecurity conference. The head of the cybersecurity unit of DOJ’s computer crimes division is extending an open invitation today to ethical hackers to air some grievances and offer policy advice, in a talk called: “Let’s Hear from the Hackers: What Should DOJ do Next?” Bailey wants to ensure hackers are willing to work with government on improving cybersecurity — instead of staying away because they’re suspicious of government. “It’s about figuring out how to make sure that their ability to help us improve [the nation’s] cybersecurity is not taken off the playing field,” Bailey tells me. “They have a valuable resource and they can be helping everyone.” This marks a drastic change — in terms of both outreach and attitude — from previous years. Tensions have soared as ethical hackers accused DOJ of being too quick to prosecute them for benign research aimed at improving cybersecurity — and of not being transparent enough about the rules for what constitutes a digital crime.