National: Cyber attacks and electronic voting errors threaten 2020 outcome, experts warn | Peter Stone/The Guardian

Potential electronic voting equipment failures and cyber attacks from Russia and other countries pose persistent threats to the 2020 elections, election security analysts and key Democrats warn. In November significant electronic voting equipment problems occurred in an election in the vital battleground state of Pennsylvania, sparking a lawsuit by advocacy groups charging the state is using insecure electronic voting machines. Other key states like Florida and North Carolina which experienced voting problems in 2016 and Georgia which had serious equipment problems in 2018, are being urged to take precautions to curb new difficulties in 2020, say election analysts. The Brennan Center’s electoral reform program last month released a study that stressed testing backup systems and electronic voting equipment before the primaries and next November’s general election was needed to reduce risks of cyber attacks and equipment failures, and offered guidance about ways to recover from attacks or malfunctions. In response to these and other threats, Congress in December added $425m for election related spending, including security measures, to a massive $1.4tn spending bill for 2020.

National: Election Security At The Chip Level | Andy Patrizio/Semiconductor Engineering

Technological advances have changed every facet of our lives, from reading to driving to cooking, but one task remains firmly rooted in 20th-century technology — voting. Electronic voting remains doggedly unavailable to most, and almost always unusable to those who have it. For more than a decade, it seems every election is accompanied by numerous reports of voting machine problems. The most common issue involves machines changing votes. It has happened in numerous states, and even to Ellen Swenson, chief analyst for the Election Integrity Project, a non-partisan California group seeking to preserve election integrity. It’s not easy when two separate voting machines in Riverside County, where Swenson resides, recorded incorrect votes. At least that machine worked. “So many have said they’ve gone to polls and the machines break down. That’s another thing that hurt the subject. There were so many broken machines across [Los Angeles] County in 2018 and none were fixed, so LA had to use paper ballots,” she said. For some people, the old paper punch ballot is actually preferable, said Swenson. “There is a whole set of challenges, philosophically and psychologically. The idea of connecting to the Internet scares some people, their fear of the privacy of their vote being compromised, or hacking it and changing the results. There’s a real psychological wall to climb,” she said.

National: America Won’t Give Up Its Hackable Wireless Voting Machines | Kartikay Mehrotra/Bloomberg

After Russian hackers made extensive efforts to infiltrate the American voting apparatus in 2016, some states moved to restrict internet access to their vote-counting systems. Colorado got rid of barcodes used to electronically read ballots. California tightened its rules for electronic voting machines that can go online. Ohio bought new voting machines that deliberately excluded wireless capabilities. Michigan went in a different direction, authorizing as much as $82 million for machines that rely on wireless modems to connect to the internet. State officials justified the move by saying it is the best way to satisfy an impatient public that craves instantaneous results. The problem is, connecting election machines to the public internet, especially wirelessly, leaves the whole system vulnerable, according to cybersecurity experts. So Michigan’s new secretary of state is considering using some of the state’s $10 million in federal election funds to rip out those modems before the March presidential primary. “The system we inherited is not optimal for security since our election equipment can and has connected to the internet,” said Jocelyn Benson, who won election as secretary of state and took office in January 2019. She convened a committee of cybersecurity experts to evaluate the state election system’s vulnerabilities. “If that’s what the committee recommends, we’ll take them out.”

National: Election Infrastructure Remains Vulnerable to Attacks | Diane Ritchey/Security Magazine

In 10 months, U.S. citizens will elect a new president (or re-elect a current one). As the race heats up and election day nears, a key component of the U.S. election infrastructure remains vulnerable to attack. Only five percent of the country’s largest counties are protecting their election officials from impersonation, according to an analysis by Valimail. The rest are vulnerable to impersonation, meaning their domains could become the vectors for cyberattacks and misinformation campaigns. According to Seth Blank, director of industry initiatives for Valimail, “This is a problem because the overwhelming majority of cyberattacks can be traced to impersonation-based phishing emails. In the corporate world, these cyberattacks result in the loss of funds or proprietary data. But when it comes to elections, the bedrock of democracy – free and fair elections – is at stake.” An August 2019 report from Valimail noted that most presidential candidates’ campaigns are not protected from email impersonation. An earlier report found a similar situation across the thousands of domains that are used by state and local governments. “And we’re not just talking about voting machines being vulnerable,” Blank says. “While most voting machines are isolated from the Internet (they are often air-gapped for security), the same cannot be said for other elements of the election process. The electronic pollbooks that voters use to sign in on election day and the machines that tabulate votes may be connected to the Internet for software updates or to receive or transmit voting information. This makes them potential targets for email-based attacks aimed at other users of the same networks.”

National: Paralysis Grips Federal Election Commission While Complaints Pile Up | Kenneth P. Doyle/Bloomberg Government

The agency charged with enforcing campaign finance law begins the presidential election year paralyzed by the lack of a board quorum and unable to dispense with hundreds of complaints. As Republican Caroline Hunter assumes the rotating chairmanship of the Federal Election Commission, she inherits a growing backlog of more than 300 pending campaign finance complaints, nearly 70 of which may never be resolved because they are close to the expiration of a five-year statute of limitations. FEC analysts continue to review campaign finance reports filed by candidates, and staff lawyers can interview witnesses and collect documents in more than two dozen investigations approved by the commissioners before the loss of a quorum at the end of August. However, none of these probes can conclude and no new investigations can begin until a quorum is restored.

Editorials: You could be disenfranchised in California’s presidential primary if you’ve registered nonpartisan | Jessica A. Levinson/Los Angeles Times

California is at risk of disenfranchising hundreds of thousands of voters in the March 2020 presidential primary election. The problem is so large it could impact who becomes the Democratic nominee. Voters in the Golden State are accustomed to seeing candidates from of all parties on the same ballot. This, of course, is how we vote for governor, and members of the state Legislature and the U.S. Congress. We have every reason to believe that if we are registered to vote, we will be able to weigh in on the presidential primary contest without doing more. But voting for president is different. The rules for presidential primaries are set by the national political parties — not California’s secretary of state or local county officials. And the national parties have divined a process sure to trip up millions of nonpartisan voters. If you are a nonpartisan voter, there is a different process for how you vote in the presidential primary versus any other election. If you registered as “no party preference” — previously known as “decline to state” — your ballot will not include any presidential candidates unless you take an extra step. The same applies to those registered with a party so small it isn’t officially recognized. (For instance, maybe you wrote in “Whig party” on your voter registration.)

New Jersey: Murphy undecided on measure allowing early mail ballot counting | Nikita Biryukov/New Jersey Globe

Gov. Phil Murphy isn’t backing or opposing a bill that would allow mail-in ballots to be counted in the week preceding election day. “I don’t think we’ve taken a position on that,” the governor said. The measure’s primary stated goal is moving the filing deadline for candidates back from April to March to avoid overtime bills at county clerks’ offices. The bill’s language appears to have been written with the intent that only ballots cast in the 2020 primaries be counted a week before polls open. Some activists and Republican lawmakers have raised alarms over the measure, claiming political insiders could leak early returns to better inform campaign strategy in the closing week of the election. Under the measure, results are not to be disclosed until after polls close, but leaks aren’t exactly uncommon in New Jersey politics.

North Carolina: Election probe finds security flaws in key North Carolina county but no signs of Russian hacking | Kim Zetter/Politico

A long-awaited report this week from the Department of Homeland Security found security problems with the computer systems that a North Carolina county used to handle voter data during the 2016 election — but no evidence that Russian hackers had breached them. Still, the review is unlikely to totally resolve questions surrounding the county’s use of software provided by the Florida company VR Systems, which — as POLITICO reported last week — have added to broader doubts about the security of election technology that Americans will use at the polls in 2020. Experts contacted by POLITICO said the new DHS analysis has its share of holes — for instance, failing to examine all the computer systems the Russians could have targeted. And they noted that officials in Durham County, N.C., had waited until about a week after Election Day to preserve some potentially important evidence. “I think [the investigation is] incomplete,” says Jake Williams a former NSA hacker who is founder of the security firm Rendition Infosec and trains forensic analysts. “It’s the best investigation that can be conducted under the circumstances. We can’t investigate what we don’t have, [and] a lot of the crucial evidence is missing.” Among other security issues, the heavily redacted DHS report indicates that someone had used a “high value” desktop computer handling Durham County’s voter-registration data to access a personal Gmail account on Election Day. The report provides a lengthy list of suggestions — all blacked out — for how the county can improve the security of its election infrastructure.

Ohio: Delaware County voting machine concerns addressed | D. Anthony Botkin/Delaware Gazette

Delaware County Board of Elections officials addressed Commissioner Gary Merrell’s concerns that he had encountered with the new voting equipment while working the polls during the Nov. 5 general election. “The machines didn’t work at the last election and what is the vendor doing to correct it?” Merrell declared in the commissioners’ Dec. 12 regularly scheduled session. “I realize we may not have all the answers until we actually use them in the spring, but all the more reason we need to have the understanding to hold the vendor responsible if they fail to perform.” Board of Elections Deputy Director Anthony Saadey said the problem the commissioner was talking about specifically was the barcode reader. “The scanners had issues on election day,” he said. “In the field technician logs, we found that 24 total out of the 844 deployed ballot marking devices had the same issue. Two of them happen to be at the commissioner’s location.”

Pennsylvania: Every county will have new voting machines — with paper trails — in 2020 | Jonathan Lai/Philadelphia Inquirer

With Dauphin County’s decision this week to end its standoff with the state and buy new voting machines, all 67 Pennsylvania counties met the year-end deadline to comply with a state order that they implement election systems capable of leaving a paper trail of votes that can be manually audited and recounted. Experts say this is a major step for election security ahead of the November presidential election, ensuring ballots can be accurately tallied even in the face of a cyber attack or a mishap. “The shift from paperless [electronic] machines to having individual paper ballots is a sea change,” said Christopher R. Deluzio, policy director of the University of Pittsburgh Institute for Cyber Law, Policy, and Security. “It’s great, it’s huge, it was necessary.” As recently as 2018, most voters in Pennsylvania used paperless machines that recorded votes in electronic memory. In addition to concerns that computers can be hacked, electronic systems can fail and wipe out all records of votes cast. In April 2018, Gov. Tom Wolf ordered every county to select paper-based machines and implement them in time for the April 28, 2020, presidential primary. Dauphin County, after a weeks-long game of chicken with the state, selected its new systems Monday. The machines will cost $120 million to implement in 58 counties, according to data provided by the Pennsylvania Department of State, with no details available for the other nine counties. Not all contracts are finalized, and the figure does not include increased operating costs over the life of the machines.

International: Hackers will be the weapon of choice for governments in 2020 | Patrick Howell O’Neill/MIT Technology Review

When Russia was recently banned from the Olympics for another four years in a unanimous decision from the World Anti-Doping Agency (WADA), the instant reaction from Moscow was anger and dismissal. Now the rest of the world is waiting to see how Russia will retaliate this time. In the history books, 2016 will forever be known for unprecedented Russian interference into an American presidential election, but until that transpired, one of the most aggressive cyber campaigns that year centered on the Olympics. In the run-up to the summer games in Brazil, WADA had uncovered a national Russian doping conspiracy and recommended a ban. In response, Moscow’s most notorious hackers targeted an array of international officials and then leaked both real and doctored documents in a propaganda push meant to undermine the recommendation. The International Olympic Committee rejected a blanket ban and allowed each sport to rule individually. Next, the opening ceremony of the 2018 winter games in South Korea kicked off with all the traditional optimism, bright lights, and pageantry—plus a targeted cyberattack known as Olympic Destroyer that was designed to sabotage the networks and devices at the event. The attack’s origins were obfuscated, with breadcrumbs in the malware pointing to North Korea and China—but after investigators untangled the attempts to mislead them, it became apparent that some of the Russian government’s most experienced hackers were behind it. In a series of angry blog posts, the hackers charged that “on the pretext of defending clean sport,” what they described as “the Anglo-Saxon Illuminati” were fighting for “power and cash in the sports world.” It was clear that the Russians viewed the Olympics as one part of a larger world power competition, and looked to hacking as a weapon of choice. Almost nothing has been done to hold anyone responsible.