National: EAC rattles the cup on Capitol Hill | Derek B. Johnson/FCW

For the first time in nearly a decade, the Election Assistance Commission has a full slate of commissioners in place. Now, with the agency sitting at the center of several key election security debates, they’re asking Congress to make their budget whole too. At a May 15 Senate Rules Committee hearing, Christy McCormick, who chairs the EAC, said the commission is at “a critical crossroads with regard to having sufficient resources necessary to better support state and local election administrators and the voters they serve” and asked members of Congress for more funding. “With additional resources, the EAC would have the opportunity to fund additional election security activities within its election technology program,” said McCormick. There is no shortage of ambition at EAC when it comes to supporting this work, but there is a stark shortage of funds for such activities.”

National: EAC hires 2 tech experts for testing and certification program | Sean Lyngaas/CyberScoop

The U.S. Election Assistance Commission has added two experienced hands to its voting system certification program amid concerns it had a shortage of technical experts overseeing election infrastructure. The agency is staffing up its crucial certification program by hiring Jessica Bowers, a former executive at Dominion Voting Systems, one of the country’s three largest voting system vendors, and Paul Aumayr, a former Maryland election official. Both new hires will work as senior election technology specialists. In an email announcement to staff obtained by CyberScoop, EAC Executive Director Brian Newby touted Bowers and Aumayr’s technical acumen. Bowers has “over 18 years of software development and product support experience,” while Aumayr is a “Microsoft-certified systems engineer,” Newby wrote.

National: Here’s how the military’s hacking arm is gearing up to protect the 2020 election |The Washington Post

Russia viewed the midterm elections as a “warm-up” for 2020. The U.S. military’s hacking division is treating it that way, too. In the run-up to the presidential election, U.S. Cyber Command is surging election defense efforts that proved useful during the midterms, officials told reporters Tuesday — including probing allies’ computer networks to glean insights about Russian threats. Cybercom is also working more closely with election defense teams at the Department of Homeland Security and the FBI, and with industry sectors that are targeted by Kremlin hackers and might have early warnings about threats facing the election, my colleague Ellen Nakashima reported from that briefing. “Our goal is to have no interference in our elections,” said Maj. Gen. Tim Haugh, who heads the command’s cyber national mission force. “Ideally, no foreign actor is going to target our electoral process.” Cybercom is the only outfit among the myriad federal state and local government agencies tasked with protecting the 2020 election that is allowed to punch back against Russian hackers — and it’s using its new authorities granted during the Trump administration to be more aggressive in cyberspace.

Florida: Florida lawmakers rail against FBI for secrecy on voter breaches | Joseph Marks/The Washington Post

Florida lawmakers are railing against the FBI for taking more than two years to acknowledge Russian hackers penetrated some of the state’s voter files — and for remaining mum about which voters were affected. The long delay signals to voters in Florida and elsewhere that the government won’t level with them if and when their votes are manipulated, the lawmakers say. And that lack of public faith could do just as much damage as the Russian hacking and disinformation operation that upended the 2016 election and cast doubts on the legitimacy of President Trump’s victory. “This lack of transparency is counterproductive,” Rep. Stephanie Murphy (D) told me. “I’m really concerned that it can erode public confidence in the integrity of our elections almost as much as the actual hacking did.”

Florida: Which Florida counties were hacked? Maybe these non-denial denials are a clue. | David Smiley/Tampa Bay Times

Ever since a leaked classified intelligence document revealed that Russian hackers had tried to access Florida’s elections networks in 2016 by crafting malware-laced emails made to look like they came from a software vendor, reporters all over the country have been searching for electronic correspondence sent three years ago to the state’s 67 elections offices. But could emails crafted by the elections offices themselves hold the clue to determining which two jurisdictions were in fact hacked? This week, in response to hacking questions sent to every supervisor of elections in the state by the Tampa Bay Times and Miami Herald, two offices issued the same legalistic non-denial. Almost word-for-word, they gave the same response when asked if their voter registration networks were hacked in 2016, explaining that they could not answer questions because to do so could “directly or indirectly” help determine the answer — which has been deemed classified by the FBI. It now turns out that at least one of those two offices was, in fact, hacked.

Louisiana: States Explore Opportunities at National Summit on Cybersecurity | Dan Lohrmann/Government Technology

The National Governors Association Center for Best Practices held their third National Summit on State Cybersecurity from May 14-15, 2019 at the Shreveport Convention Center. The unique event convened state homeland security advisors, chief information officers, chief information security officers, governors’ policy advisors, National Guard leaders, and others from all 55 states and territories to explore cybersecurity challenges and promising practices. Over the course of two days, participants engaged in a series of interactive sessions and breakouts to discuss countering the newest threats, disruption response planning, workforce development, and much more. … The sessions were packed with best practices, case studies, opportunities for improving cybersecurity in different areas and much more.

Maryland: Baltimore creates cybersecurity review panel following ransomware attack | Maggie Miller/The Hill

Baltimore City Council President Brandon Scott announced the creation of a Committee on Cybersecurity and Emergency Preparedness on Thursday, as the city works to restore the systems taken down by a debilitating ransomware attack last week. “This cyber attack against Baltimore City government is a crisis of the utmost urgency,” Scott said. “That is why I will convene a select committee, co-chaired by Councilman Eric Costello and Councilman Isaac ‘Yitzy’ Schleifer, to examine the City’s coordination of cybersecurity efforts, including the Administration’s response to the cybersecurity attack and testimony from cybersecurity experts.” A type of ransomware known as “RobinHood” took down several of the city’s services last week, including some of the capabilities of the Baltimore City Department of Transportation, the Department of Public Works, and the Department of Finance. The city is also currently unable to send or receive email.

National: Congress focuses on money and staffing in election security | Derek B. Johnson/FCW

The Election Assistance Commission and the Cybersecurity and Infrastructure Security Agency were sharply questioned in hearings this week by lawmakers about human resource decisions. The EAC has just a small handful of employees dedicated to testing and certification of voting machines, and the acting director of testing and certification stepped down earlier this month. While the agency quickly hired a new director and has worked to bring on more personnel, there’s concern that EAC staff could be under-resourced heading into the 2020 election cycle and beyond. The agency had nearly 50 full-time employees and a budget of $17 million budget in 2009. Today they have a headcount in the low twenties and a budget of $10 million despite an expanded role in election cybersecurity. Chair Christy McCormick and other commissioners were questioned over a host of perceived staffing and management failures at a May 21 House Administration committee hearing.

Editorials: Don’t nickel & dime Pennsylvania’s democracy | David Hickton/Pittsburgh Tribune-Review

The front lines of today’s cyberwarfare battles are not just at Fort Meade. They are in Allegheny County’s Elections Division. And in Erie County. And Butler County. And Indiana County. And all across Pennsylvania. Our elections — and the integrity of your vote — are under threat from nation-state adversaries. As of today, Pennsylvania is not prepared to defend against what will almost certainly be unprecedented attacks in the next presidential election cycle. But there is still time to secure the 2020 election. The General Assembly, however, needs to help counties secure this most critical of battlegrounds. The Blue Ribbon Commission on Pennsylvania’s Election Security spent much of the past year studying current and future cyber-based threats to Pennsylvania’s elections. What we found was sobering. In the 2016 and 2018 elections, more than 80 percent of Pennsylvania voters were registered to vote in precincts that did not use paper-based voting systems, meaning that most of Pennsylvania’s counties would be unable to even detect the hack of a voting system, let alone recover from it.

International: Cyber-enabled election interference occurs in one-fifth of democracies | Fergus Hanson and Elise Thomas/The Strategist

Cyber-enabled election interference has already changed the course of history. Whether or not the Russian interference campaign during the US 2016 federal election was enough to swing the result, the discovery and investigation of the campaign and its negative effects on public trust in the democratic process have irrevocably shaped the path of Donald Trump’s presidency. Covert foreign interference presents a clear threat to fundamental democratic values. As nations around the world begin to wake up to this threat, new research by ASPI’s International Cyber Policy Centre has identified the key challenges democracies face from cyber-enabled election interference, and makes five core recommendations about how to guard against it. ICPC researchers studied 97 national elections which took place between 8 November 2016 and 30 April 2019. The 97 were chosen out of the 194 national-level elections that occurred during the time period because they were held in countries ranked as ‘free’ or ‘partly free’ in Freedom House’s Freedom in the world report. #url#

Europe: EU Agrees Powers to Sanction, Freeze Assets Over Cyber-Attacks | Natalia Drozdiak/Bloomberg

The European Union on Friday agreed to new rules that will grant it authority to impose travel bans and asset freezes against individuals responsible for cyber-attacks that pose a significant threat to the bloc. The new rules come amid concerns by European and U.S. officials over cyber-attacks related to election meddling or intellectual property theft by actors linked to Russia and China. The measures, which aim to “deter and respond to cyber-attacks which constitute an external threat to the EU,” would apply to actors responsible for attacks originating outside the bloc, the Council of EU member states said in a statement. The bloc said it would also consider measures in response to attacks targeted at countries outside the EU or international organizations.

Indonesia: Hacktivists, Bots, Elections: Indonesia Stepping Up Its Cybersecurity | Nur Yasmin/Jakarta Globe

The government should be thanked for their role in improving cybersecurity in Indonesia in the past five years, including during elections, an expert has said. “I’m seeing really good progress in Indonesian cybersecurity. A few years ago, it wasn’t as strong,” Fernando Serto, director of security technology and strategy at Akamai APJ said on the sidelines of the Akamai Security Summit in Jakarta at the end of last month. … Serto said cybercrimes often happen during elections all over the world.  “This is not unique to Indonesia; every time a country holds an election, we see a lot of hacking activity. We’ve seen it happen during elections in the Philippines and the US,” he said. “We see a lot of hacktivists, people who disagree with the policies of a particular candidate, trying to hack into their official website and put very aggressive messages on it,” Serto said.

National: Foreign election hacking inevitable, say US officials | Eric Tucker and Colleen Long/Associated Press

The hacking of U.S. election systems, including by foreign adversaries, is inevitable, and the real challenge is ensuring the country is resilient enough to withstand catastrophic problems from cyber breaches, government officials said Wednesday. The comments by representatives from the departments of Justice and Homeland Security underscored the challenges for federal and state governments in trying to ward off interference from Russia and other countries in the 2020 election. Special counsel Robert Mueller has documented a sweeping effort by Moscow to meddle in the 2016 election in Donald Trump’s favor by hacking Democrats and spreading disinformation online, and FBI Director Chris Wray said in April that the government regarded last November’s midterm election was “as just kind of a dress rehearsal for the big show in 2020.”

Verified Voting Blog: Counting Votes: Paper Ballots and Audits in Congress, Crisis at the EAC?, Florida’s Mystery Counties

In her testimony at an election security hearing before the Committee on House Administration last week, Verified Voting President Marian Schneider joined advocates and election officials in calling on Congress to help states and local jurisdictions replace aging voting systems, conduct risk-limiting audits and enhance election infrastructure security. In order to prepare for 2020, Congress…

Florida: Hacked Florida counties could disclose their identities — if they wanted to | Marc Caputo/Politico

Local election officials in the two unnamed Florida counties where Russian agents hacked voter rolls in 2016 are able to publicly disclose whether they had been attacked. But the bureaucrats are clamming up instead. And voters in those counties have no right to know that information, according to the FBI. Nor is the state’s governor or its congressional delegation allowed to tell the public the names of those counties. That’s because the FBI made the governor sign a non-disclosure agreement in order to receive a classified briefing about the hack, along with the members of Congress. Some lawmakers are outraged at what they see as bizarre reasoning from the agency. For now, the information about the two counties is being kept officially secret — even though the identity of one of the hacking “victims,” Washington County’s election office, has leaked out.

Florida: Wyden seeks answers in Florida election hacking allegations | Politico

Sen. Ron Wyden (D-Ore.) has questions that a lot of people are still asking three years after the 2016 presidential race — what exactly happened with VR Systems, the Florida voter-registration software maker that the FBI apparently believes Russia hacked. The redacted version of special counsel Robert Mueller’s report indicated that in 2016 Russian hackers infiltrated a US maker of voter-registration software and installed malware on its network — information that was based on an FBI investigation. Furthermore, the 2017 indictment of Russian military officers for hacking Democratic computer systems that was based on the FBI investigation as well also asserted that a company fitting VR Systems’ description was hacked in 2016 and had malware installed on its network.. VR Systems, however, has long insisted it wasn’t hacked, though the company has never produced evidence showing it wasn’t compromised. Wyden wants to know whether the company ever engaged a third party to conduct a forensic examination of its computer networks and systems since the hacking assertions first came to light after the 2016 election and has asked to see a copy of a report from any such investigation, according to a letter he sent last week to VR Systems that his office shared with POLITICO.

National: Report: U.S. political parties need to shore up cyber | Derek B. Johnson/FCW

Three years after the 2016 election, major political parties in the U.S. are still displaying sloppy digital security practices, according to a report from Security Scorecard. In new research released May 21, the company found vulnerabilities for the public facing, internet-connected digital assets of two major political parties. The Green Party and the Libertarian Party websites also displayed weaknesses. Vulnerabilities range from smaller sins like serving expired security certificates and sending unencrypted data to larger ones like leaking personally identifiable information and failing to put in place anti-spoofing protocols. In one case, an unnamed U.S. party was caught leaking data from a voting validation application containing the names, dates of birth and addresses of voters to the internet.

California: California tech official rushed Motor Voter, despite testing issues | Bryan Anderson/The Sacramento Bee

The California government technology officials who developed an automatic voter registration program for the Department of Motor Vehicles last year raced to the finish line even though they acknowledged they should have slowed down. In April 2018, the state delayed the launch of its Motor Voter program by one week because of technical errors, inadequate testing and infrastructure concerns, according to records obtained by The Sacramento Bee. Amy Tong, director of the California Department of Technology, told colleagues working on the project the morning of the scheduled launch that, “In some strange way, this maybe (sic) a sign that we need to slow down in order to go fast again.” The one-week delay may not have been enough time.

National: The vote-by-phone tech trend is scaring the life out of security experts | Eric Halper/Los Angeles Times

With their playbook for pushing government boundaries as a guide, some Silicon Valley investors are nudging election officials toward an innovation that prominent coders and cryptographers warn is downright dangerous for democracy. Voting by phone could be coming soon to an election near you. As seasoned disruptors of the status quo, tech pioneers have proven persuasive in selling the idea, even as the National Academies of Science, Engineering and Medicine specifically warn against any such experiment. The fight over mobile voting pits technologists who warn about the risks of entrusting voting to apps and cellphones against others who see internet voting as the only hope for getting most Americans to consistently participate on election day. “There are so many things that could go wrong,” said Marian Schneider, president of Verified Voting, a coalition of computer scientists and government transparency advocates pushing for more-secure elections. “It is an odd time for this to be gaining momentum.”

National: In Congressional Hearing, Election Officials Appear United Yet Divided on Security | Graham Vyse/Governing

Jocelyn Benson and John Merrill are a political odd couple. She’s a Michigan Democrat who backed Hillary Clinton, and he’s a Donald Trump supporter who represents Alabama. But both are secretaries of state, and when they testified side-by-side before Congress on Wednesday — she in a blue dress and he in a red tie — they repeatedly insisted they were friends ready to work together to strengthen the nation’s voting system. Benson and Merrill called on the federal government to provide more funding and resources for states and localities to address the issue. This weekend, they’re leading 18 other secretaries of state on a voting-rights history tour of Alabama with the hope of inspiring further bipartisan collaboration. “It’s the first time in our country’s history where you’ve got the chief election officers collectively, Democrats and Republicans, going to Selma to walk across the Edmund Pettus Bridge together,” Benson told Governing. The question is whether the secretaries can bridge enough of their differences to unite around federal legislation to improve election security. Benson and Merrill appeared alongside cybersecurity experts before the U.S. Committee on House Administration this week, more than two years after Russia’s cyberattack on American election systems during the 2016 presidential campaign.

National: After Russian Election Interference, Americans Are Losing Faith in Elections | Susan Milligan/US News

As lawmakers, state elections officials and social media executives work to limit intervention in the 2020 elections by Russia and other foreign operatives, an unsettling truth is emerging. Vladimir Putin may already be succeeding. The troubling disclosures of Russian meddling in the 2016 campaign – “sweeping and systematic,” special counsel Robert Mueller concluded in his report on the matter – have policymakers on guard for what intelligence officials say is a continuing campaign by Russia to influence American elections. But even if voting machines in all jurisdictions are secured against hacking and social media sites are scrubbed of fake stories posted by Russian bots, the damage may already have been done, experts warn, as Americans’ faith in the credibility of the nation’s elections falters.

National: House Democrats reintroduce bill to protect elections from cyberattacks | Maggie Miller/The Hill

House Democratic chairmen on Friday reintroduced a bill to protect U.S. election systems against cyberattacks, including requiring President Trump to produce a “national strategy for protecting democratic institutions.” The Election Security Act is aimed at reducing risks posed by cyberattacks by foreign entities or other actors against U.S. election systems. The national strategy from President Trump would “protect against cyber attacks, influence operations, disinformation campaigns, and other activities that could undermine the security and integrity of United States democratic institutions.”

National: House Administration Committee to make election security a 'primary focus' | TRegina Zilbermintshe Hill

The secretaries of state of Michigan and Alabama went before the House Administration Committee Wednesday to advocate for more federal resources to secure election systems against cyber attacks and committee leaders vowed to make the issue a “primary focus.” “Federal action is needed now to grasp the scope of the problem and to innovate concrete solutions that can be implemented before the next federal election cycle in 2020,” House Administration Committee Chairwoman Zoe Lofgren (D-Calif.) said at the hearing on election security. 

National: Election commission names new lead for testing and certifying voting systems | Sean Lyngaas/CyberScoop

The federal Election Assistance Commission has appointed Jerome Lovato, a former Colorado state election official, as head of the commission’s program for testing and certifying voting systems, according to a commission email obtained by CyberScoop. Lovato replaces Ryan Macias, who was filling the role in an acting capacity and will step down this month. The crucial EAC program works with the country’s top voting equipment vendors to certify and decertify voting system hardware and software. 

Verified Voting Blog: Verified Voting Letter in Support of Congressional Election Cybersecurity Legislation

This letter was sent to Senators Cory Gardner (R-CO), Mark Warner (D-VA) and Representatives Derek Kilmer (D-WA) and Michael McCaul (R-TX) on May 14, 2019. Download the PDF.

Thank you for introducing legislation aimed at increasing cybersecurity at the state and local levels of government. We recognize the need for this important legislation, which is aimed at hardening cyber resiliency efforts and preventing vulnerabilities from becoming nightmare realities. For the states that would respond to the proposed grants in H.R. 2130 and S.1065, and for the protection of the citizens who live in them, we applaud your support in the battle against cyberattacks.

At the same time that you are bolstering cybersecurity defenses, we encourage you to add provisions specifically prohibiting these funds from being used for internet-based voting. Cybersecurity experts agree that internet return of marked ballots lacks sufficient safeguards for security and privacy. We urge you to specifically name internet voting as a threat and prohibit the funding provided by your legislation from being used to support internet voting programs and pilots.

Cybersecurity experts agree that no current technology, including blockchain voting, can guarantee the secure, verifiable, and private return of voted ballots over the internet. Both because vote-rigging malware could already be present on the voter’s computer and because electronically returned ballots could be intercepted and changed or discarded en route, local elections officials would be unable to verify that the voter’s ballot accurately reflects the voter’s intent. Furthermore, even if the voter’s selections were to arrive intact, the voted ballot could be traceable back to the individual voter, violating voter privacy.

Florida: Ron DeSantis ‘not allowed’ to disclose which two Florida counties were hacked by Russians | Emily L. Mahoney/Tampa Bay Times

Gov. Ron DeSantis met with the FBI and the U.S. Department of Homeland Security last week to discuss the revelation in the Mueller report that “at least one” Florida county had its election information accessed by Russian hackers in 2016. On Tuesday, DeSantis told reporters that he had been briefed on that breach — which actually happened in two counties in Florida — but that he couldn’t share which counties had been the target. “I’m not allowed to name the counties. I signed a (non)disclosure agreement,” DeSantis said, emphasizing that he “would be willing to name it” but “they asked me to sign it so I’m going to respect their wishes.”

Florida: Russian government hackers targeted small county in Florida panhandle in 2016 | Ellen Nakashima and Karoun Demirjian/The Washington Post

The voter registration database of a small county in the Florida panhandle was breached by Russian government hackers in 2016, according to two U.S. officials. The Russian military spy agency, the GRU, was responsible for the penetration of Washington County’s database, according to the two officials, who spoke on the condition of anonymity to discuss a sensitive matter. The county has a population of about 25,000. Carol F. Rudd, county elections supervisor, declined to comment on the breach but said it’s important for federal, state and local officials to be able to communicate confidentially. “If each agency gets suspicious of the other’s ability to follow the rules of confidentiality, then those tenuous lines of communication quickly break down,” she said in an email. “That would set our security capabilities back years and severely compromise our ability to protect our elections. THAT would be a big win for the Russians going into 2020.”

Florida: Even Without Russian Hacking, Florida’s Voting System Is ‘Not Secure,’ Says Election Expert | WJCT

The FBI will brief Florida’s congressional members this week on Russian attempts to hack the 2016 election, after the Mueller report revealed last month that the election system of at least one Florida county was compromised. But even before details emerge, a former supervisor of elections in Florida is saying he is not surprised that the state’s system was compromised. Ion Sancho, the longtime former supervisor of elections of Leon County, said Friday on The Florida Roundup that Florida’s election infrastructure is, frankly, “not secure.” “It’s been clear to me that the election infrastructure, not only in Florida but in the country, is not secure,” he said.

Georgia: High court to hear appeal in election challenge | Kate Brumback/Associated Press

Georgia’s outdated voting machines are in the spotlight as election integrity advocates try to convince the state’s highest court that a judge shouldn’t have dismissed a lawsuit challenging the outcome of November’s race for lieutenant governor. The lawsuit says tens of thousands of votes were never recorded in the race and the contest was “so defective and marred by material irregularities” as to place the result in doubt. It contends an unexplained undervote in the race was likely caused by problems with the state’s paperless touchscreen voting machines. Republican Geoff Duncan beat Democrat Sarah Riggs Amico by 123,172 votes to become lieutenant governor.

North Carolina: Karen Brinson Bell new North Carolina elections director, replaces Kim Strach | Will Doran/Raleigh News & Observer

Kim Strach, who has led the North Carolina Board of Elections since 2013, was dismissed by the board Monday. She will be replaced by Karen Brinson Bell. The vote was split along party lines, with the five-member elections board voting 3-2 in favor of replacing Strach with Brinson Bell. The board’s Democrats voted for Brinson Bell, while the board’s Republicans voted against her. “Our top priorities will be promoting voter confidence in elections and assisting the 100 county boards, the boots on the ground in every election,” Brinson Bell said in a written statement after the vote Monday. “I plan to roll up my sleeves and work with State Board staff to prepare for the important elections ahead.” She will start June 1.