International: US could learn how to improve election protection from other nations | Scott Shackelford/The Conversation

Hacking into voting machines remains far too easy. It is too soon to say for sure what role cybersecurity played in the 2020 Iowa caucuses, but the problems, which are still unfolding and being investigated, show how easily systemic failures can lead to delays and undermine trust in democratic processes. That’s particularly true when new technology – in this case, a reporting app – is introduced, even if there’s no targeted attack on the system. The vulnerabilities are not just theoretical. They have been exploited around the world, such as in South Africa, Ukraine, Bulgaria and the Philippines. Successful attacks don’t need the resources and expertise of national governments – even kids have managed it. Congress and election officials around the U.S. are struggling to figure out what to do to protect the integrity of Americans’ votes in 2020 and beyond. The Iowa caucuses are run by political parties, not state officials, but many of the concepts and processes are comparable. A look at similar problems – and some attempts at solutions – around the world offers some ideas that U.S. officials could use to ensure everyone’s vote is recorded and counted accurately, and that any necessary audits and recounts will confirm that election results are correct.

Editorials: The internet and elections don’t mix. So why do we keep trying? | Jack Morse/Mashable

When it comes to conducting secure elections, keeping things old-fashioned is often the best bet. This simple reality can be broken down into two digestible nuggets of security wisdom: The internet and voting don’t mix. And auditable paper trails beat fancy digital recording devices every time. Security experts beat us over the head with these admonitions time and time again. And yet, as yesterday’s Iowa caucus screwup shows, we still have a lot of listening left to do. The Iowa caucuses — trending on Twitter at the time of this writing as the “#IowaCaucusDisaster” — represent a spectacular failure in modern day election reporting. According to numerous reports, a shoddily tested app was employed to relay caucus results to party officials. That app failed to properly function, throwing presidential candidates’ campaigns — and the country — into a brief fit.  Importantly, we should be clear that Iowa caucus-goers did not vote using the app. Rather, the caucus results — which were recorded on paper cards like the one shown above — were, after being tallied, reported to Democratic party officials via the app. Or, at least they were supposed to be. It was in this reporting phase that things took a turn for the terrible, with reports that the app had malfunctioned and perhaps tabulated results incorrectly.

National: Caucus Meltdown Tied to Democrats’ Little-Tested Mobile App | Michaela Ross, Kartikay Mehrotra and Chris Strohm/Bloomberg

The breakdown in reporting results from Iowa’s Democratic caucuses appears tied to failures in a mobile application that wasn’t ready for the load of a statewide election and which the head of the Homeland Security Department said wasn’t subjected to a cybersecurity test by his agency. “This is more of a stress or load issue as well as a reporting issue that we’re seeing in Iowa,” acting Department of Homeland Security Secretary Chad Wolf said in a Fox News interview Tuesday. Wolf said there’s little evidence of hacking of the app, which precinct officials struggled to use on Monday night. He said that his department’s cyber division had offered to test the software for vulnerabilities but was declined.… But the failure spotlights the need for hard-copy backups across election systems, as a handful of states are still using voting machines that don’t produce a paper receipt, according to Marian Schneider, president of the voting advocacy group Verified Voting and former deputy secretary for elections of Pennsylvania. “It’s clear that mobile apps are not ready for prime time, but thankfully Iowa has paper records of their vote totals and will be able to release the results from those records,” Schneider said.

National: Iowa’s Lesson: Political Parties Are Not as Good as Government Officials at Counting Votes | Jessica Huseman, Jack Gillum and Derek Willis/ProPublica

Here’s the takeaway from the Iowa fiasco: Beware of caucuses run by political parties. But don’t panic about the integrity of most primaries and the general election, which are run by state and county election administrators. As Tuesday morning wore on without results from Iowa’s Democratic caucuses, the long-awaited first test of the strength of President Donald Trump’s would-be challengers, both public officials and enraged commentators stoked fears that Iowa was a harbinger of chaos for the rest of the 2020 campaign. Some said it raises alarms about the broader condition of election security and the reliability of computer systems that record, tally and publish the votes. Trump campaign manager Brad Parscale even suggested on Twitter Monday, without evidence, that the process was “rigged.” But there’s a marked difference between the Iowa caucuses and the upcoming primaries in New Hampshire and South Carolina, as well as the 14 state primaries on Super Tuesday. The Iowa Democratic Party ran the caucuses, much as its counterparts in Nevada, Wyoming and several territories will do in the next few months. Party officials have less training and experience in administering the vote than do state and local election administrators who oversee most of the primaries.

National: After Iowa Democrats’ caucus app mess, election officials distance themselves | Benjamin Freed/StateScoop

The meltdown Monday night of a new app that the Iowa Democratic Party intended to use to tally the results of its presidential nominating caucuses has famously mucked up the beginning of the race to determine the Democrats’ presidential nominee. But as the candidates wait for the first batch of results to finally be released Tuesday afternoon, election officials around the country are taking pains to distance a political party’s technological bungling from the work that they do on behalf of state and local governments. Iowa Democrats headed into their first-in-the-nation caucuses saying the app — designed by a software firm called Shadow Inc. — would help on-the-ground volunteers report results and the complicated math that determines how many delegates each candidate won. But after not releasing caucus results as expected, the party late Monday night said there were “inconsistencies” in how precinct-level results were reported. And since then, several county party leaders have said that they never received any training on the app from either the state party or Shadow. While caucus-goers’ preferences were recorded on paper, which the Iowa Democrats said Tuesday is being used to verify the data collected by the app, election officials have said this episode may throw a wrench in the public perception of their jobs. “We have a term we call the ‘cicada voter’,” Dave Bjerke, the elections director in Falls Church, Virginia, told StateScoop, referring to the ground-dwelling insects that only emerge once every several years. “The cicada voter is only going to vote in presidential elections. There’s always elections going on, but the presidential is the Super Bowl of our process.”

National: Why 2020 could be a year of election malfunctions | Steven Overly and Eric Geller/Politico

Monday’s caucus app meltdown is just a taste of what may await the rest of America. Iowa wasn’t alone in adopting new technology to run elections in 2020, and the odds are it may not be the last state to suffer the consequences. Counties with tens of millions of people have rolled out new voting machines in recent years to replace hack-prone paperless devices. But new technologies inevitably bring their own hiccups, some more damaging than others. And as the debacle surrounding the Iowa Democrats’ vote-reporting app showed, any confusion can feed divisions and conspiracy theories, fueled by social media, that undermine Americans’ faith in democracy. Marian Schneider, the president of the advocacy group Verified Voting, said technology will always carry some risk, particularly when it’s connected to the internet — noting that even large companies with deep pockets get hacked. She said the problems in Iowa reinforce her organization’s argument that voting and reporting should not be done via mobile app. Another lesson: At least the Iowa caucuses had paper records to back up all of the electronic information. And so should other elections, she said. “So, the takeaway is that having a low-tech backup is really important whenever you’re deploying technology in elections,” she said.

National: Iowa Caucus chaos likely to set back mobile voting | Lucas Mearian/Computerworld

A coding flaw and lack of sufficient testing of an application to record votes in Monday’s Iowa Democratic Presidential Caucus will likely hurt the advancement and uptake of online voting. While there have been hundreds of tests of mobile and online voting platforms in recent years – mostly in small municipal or corporate shareholder and university student elections – online voting technology has yet to be tested for widespread use by the general public in a national election. “This is one of the cases where we narrowly dodged a bullet,” said Jeremy Epstein, vice chair of the Association for Computing Machinery’s US Technology Policy Committee (USTPC). “The Iowa Democratic Party had planned to allow voters to vote in the caucus using their phones; if this sort of meltdown had happened with actual votes, it would have been an actual disaster. In this case, it’s just delayed results and egg on the face of the people who built and purchased the technology.” The vote tallying app used Monday in the Iowa Caucus was created by a small Washington-based vendor called Shadow Inc.; the app was funded in part by a nonprofit progressive digital strategy firm named Acronym. Today, Acronym strived to make it clear through a tweet it did not supply the technology for the Iowa Caucus, and it is no more than an investor.

National: DHS creates ‘tabletop in a box’ for local election security drills | Benjamin Freed/StateScoop

For the past few years, the Department of Homeland Security has convened exercises for state election officials to test how they’d respond to a cyberattack against voting systems. At a National Association of Secretaries of State meeting in Washington last weekend, a DHS official introduced a new product that could make it easier for local officials to run those exercises. The tabletop exercises, as the events are known, are designed to give secretaries of state, election directors, IT leaders and other officials a war game-like environment simulating the threats posed by foreign governments and other adversaries that might try to disrupt a real election. And while the exercises have included representatives of some local governments, one of the biggest challenges statewide election officials say they have is making sure new cybersecurity tools and procedures trickle down to even the smallest, most resource-strapped jurisdictions involved in the democratic process. The Cybersecurity and Infrastructure Security Agency on Friday published its “Elections Cyber Tabletop Exercise Package,” a 58-page guide for state and local officials to hold their own drills simulating ransomware, data breaches, disinformation campaigns and attempts to corrupt voting equipment. Matt Masterson, a senior adviser at CISA, described the document as a “tabletop in a box.”

National: Majority of Election Websites in Battleground States Failing in Cybersecurity | Security Magazine

A large majority of election-related websites operated by local governments in battleground states lack a key feature that would help them be more cybersecure — a site that ends in .gov as opposed to .com or other extensions. Research by McAfee found that as many as 83.3 percent of county websites lacked .GOV validation across these states, and 88.9 percent and 90 percent of websites lacked such certification in Iowa and New Hampshire respectively. Such shortcomings could make it possible for malicious actors to establish false government websites and use them to spread false election information that could influence voter behavior and even impact final election results. “Without a governing body validating whether websites truly belong to the government entities they claim, it’s possible to spoof legitimate government sites with fraudulent ones,” said Steve Grobman, McAfee Senior Vice President and Chief Technology Officer. “An adversary can use fake election websites for misinformation and voter suppression by targeting specific voters in swing states with misleading information on candidates, or inaccurate information on the voting process such as poll location and times. In this way, this malicious actor could impact election results without ever physically or digitally interacting with voting machines or systems.”

Editorials: Donald Trump’s jokes about defying election results could create chaos | Rick Hasen and Dahlia Lithwick/Slate

As President Donald Trump plans a triumphant State of the Union address anticipating his likely acquittal by the Senate, the White House is reportedly awash in a sense of invincibility. Trump’s certainty that he simply cannot lose could have a real impact on this year’s election. Since assuming office in January 2017, Trump has made at least 27 references to staying in office beyond the constitutional limit of two terms. He often follows up with a remark indicating he is “joking,” “kidding,” or saying it to drive the “fake” news media “crazy.” Even if Trump thinks that he’s only “joking,” the comments fit a broader pattern that raises the prospect that Trump may not leave office quietly in the event he’s on the losing end of a very close election. And unfortunately this possibility is only one of a number of potential election meltdowns we may face in November.

Iowa: Caucus debacle shakes public confidence in 2020 security | Joseph Marks/The Washington Post

The biggest security lesson from last night’s Iowa caucuses: It doesn’t take a hack for technology to undermine confidence in an election. The spectacular failure of a mobile app that was supposed to forward caucus results last night — which are still not out, as of this morning — is a striking example of how faulty technology can spark questions about election results and create an opening for misinformation and conspiracy theories. “These kinds of technical issues and operational delays play right into the game plan of malicious actors,” Maurice Turner, an election security expert at the Center for Democracy and Technology, told me. “[They] can leverage these small facts and turn them into viral misinformation messages speculating about hacking or corruption being behind the irregularities.” The Democratic Party has surged its focus on cybersecurity to combat foreign interference by Russia or other actors that U.S. intelligence officials warn may seek a repeat of 2016. While an Iowa Democratic Party spokeswoman insisted the app “did not go down and this is not a hack or an intrusion,” the technical snags largely achieved the effects officials have long sought to avoid. Even candidates questioned whether the results were tainted: Vice President Joe Biden’s campaign complained about “considerable flaws” in the reporting system and demanded an explanation of the app’s quality controls before any results were released publicly.

Iowa: Democrats Should Have Known Better Than To Use An App | Kaleigh Rogers/FiveThirtyEight

More than 14 hours after the Iowa caucuses began, we still don’t have any official results, and it’s becoming clear that an app is at least partly to blame. An app designed to let caucus leaders report results seems to have had problems including user error, lack of connectivity and an insufficient backup plan, demonstrating exactly why it’s so difficult — and risky — to introduce new technology into elections. “Right now, a lot of the election security community is trying to, as nicely as possible, say ‘We told you so,’” said Maggie MacAlpine, a co-founder of Nordic Innovation Labs, a firm of security consultants whose specialties include safeguarding elections. This year, the Iowa Democratic Party, which runs the state’s Democratic caucuses, introduced a smartphone app that local precinct chairs could use to send in tallies from their caucus sites. Immediately, election security experts raised concerns because the party wouldn’t reveal who built the app, what testing had been done, or who they had consulted to make sure it was secure. The party insisted, however, that thorough security measures had been put in place, and besides, precinct chairs could always fall back on the reporting technology they’ve been using for decades: a phone-in hotline. One problem: Multiple precinct chairs reported hours-long wait times, and even getting cut off, when they tried to use that hotline.

Iowa: DHS chief says offer to vet Iowa caucus app was declined | Maggie Miller/The Hill

Acting Homeland Security Secretary Chad Wolf said Tuesday that an offer to vet the app used by the Iowa Democratic Party to tabulate votes during the Iowa caucuses was turned down. “Our Cybersecurity and Infrastructure Security Agency has offered to test that app from a hacking perspective,” Wolf said during an appearance on Fox News’s “Fox & Friends.” Wolf said the offer was “declined” and noted that “we’re seeing a couple of issues with it.” “I would say right now, we don’t see any malicious cyber activity going on,” he added. The Iowa Democratic Party said Tuesday morning that the app used to tabulate votes as part of the first-in-the-nation caucuses, which CNN confirmed was built by the firm Shadow, had a “coding issue in the reporting system” that slowed down the reporting of vote totals.

Nevada: Democrats won’t use app that caused Iowa caucus fiasco | Adam Edelman/NBC

Nevada’s Democratic Party said Tuesday it will not use the trouble-plagued app that has contributed to ongoing delays in the reporting of results in the Iowa Democratic caucuses. Democrats in Nevada had planned to use the app for their caucus on Feb. 22. The same company developed the app for both states. But the state’s Democratic Party said Tuesday that it had previously created backup plans for its reporting systems and was in the process of “evaluating the best path forward.” “NV Dems can confidently say that what happened in the Iowa caucus last night will not happen in Nevada on February 22nd. We will not be employing the same app or vendor used in the Iowa caucus,” Nevada State Democratic Party Chair William McCurdy II said in a statement.

Nevada: Democrats won’t use app at center of Iowa delays | Chris Mills Rodrigo/The Hill

The Nevada Democratic Party on Tuesday announced that it will not use the election results app that has been blamed for the delay in results from the Iowa caucuses. “NV Dems can confidently say that what happened in the Iowa caucus last night will not happen in Nevada on February 22nd. We will not be employing the same app or vendor used in the Iowa caucus,” Nevada State Democratic Party Chairman William McCurdy said in a statement. “We had already developed a series of backups and redundant reporting systems, and are currently evaluating the best path forward.” The announcement comes after the results of the Iowa caucuses, which began on Monday at 8 p.m. EST, have yet to be released amid confusion over the app used to transmit results, triggering uproar from supporters and political pundits. The slow rollout has led many to question Iowa’s first-in-the-nation status. Price told campaigns early Tuesday afternoon that presidential campaigns should expect that a “majority” of the caucus results will be released at 5 p.m. EST, a source on the call told The Hill.

New York: State senator calls for public hearing on ExpressVote XL voting machines | Cayla Harris/Times Union

As the state Board of Elections continues its certification process to adopt controversial touch-screen voting machines, the head of the Senate elections committee is urging the board’s commissioners to hit pause while lawmakers gather feedback about the new technology. The board is currently testing the “ExpressVote XL” voting system, designed by the Nebraska-based company Election Systems & Software, as part of a growing nationwide interest in ballot-marking devices — hybrid machines that allow voters to cast their ballots using a touch screen. The system spits out a paper record of the votes as a secondary measure to ensure an accurate count – but advocates have questioned the precision of the machines and whether they are vulnerable to hackers. In addition, the machines were at the center of a botched November election in Northampton County, Pennsylvania, where a judiciary race was undercounted by thousands of ballots. “Everything is always good until it’s not,” said state Sen. Zellnor Myrie, D-Brooklyn, who chairs the Senate Committee on Elections. “Everything is shiny and cutting-edge until it’s not.”

Ohio: State to ramp up election security with new federal funds | Maggie Miller/The Hill

Ohio is moving to implement a string of election security measures with new funding from Washington as the state races against the clock to guard against foreign hacking and disinformation campaigns. Ohio Secretary of State Frank LaRose (R), speaking on the sidelines of last week’s National Association of Secretaries of State (NASS) meeting in Washington, said there has been a seismic shift at the state level following the 2016 Russian election interference.  “From what I’ve observed, there is definitely a pre-2016, post-2016 mentality,” said LaRose, who characterized the coordination between the federal government, states and county officials as improving “exponentially.” Congress appropriated $380 million in 2018 to help states boost their election security. That was followed by an additional $425 million in December.  “I don’t think you’re ever going to hear a secretary of State or any state official say, ‘Turn off the tap, we’ve got enough federal funding,’” LaRose said. “I’m a fiscal conservative and I believe that we should be smart with our taxpayers’ dollars, but the demand is huge.”

West Virginia: Security dangers of online voting don’t deter West Virginia | The Fulcrum

West Virginia is looking to become the first state to allow disabled people to vote using their smartphones. Republican Gov. Jim Justice is expected to sign legislation, which breezed through the GOP-controlled Legislature last month, requiring all counties to provide an online balloting option to anyone who cannot use a regular voting machine because of physical disability. The new law puts West Virginia more firmly on one side of the ease-versus-security divide in the debate over modernizing voting systems. In the wake of hacking attempts by Russian operatives during the 2016 election, almost all the experts on ways to prevent such interference are opposed to online voting of any sort. At the same time, advocates are pushing hard for methods making voting plausible for the one in eight Americans with a disability. In 2018 West Virginia became the first state to create a mobile application for voting, but it was only available to members of the military stationed abroad. It was used by 147 West Virginians with homes in 24 countries to cast their midterm ballots for Congress and state offices.