New Hampshire: Why did the primary go smoothly with record turnout? Low tech is good tech | Geoff Forester and David Brooks/Concord Monitor

A nationally known computer hacker, a term he wears proudly, helped keep an eye on New Hampshire’s primary Tuesday but says you didn’t need computer smarts to see that it went well. “One big thing is no lines. When you go around the United States, usually the first thing you see if there are problems are long lines of people who can’t get to vote,” said Harri Hursti, a cybersecurity analyst who founded DefCon, the nation’s best-known gathering of people interested in computer security. Hursti has worked with the New Hampshire Secretary of State’s office since about 2005, when he met Secretary of State Bill Gardner at a conference. His presence here for Tuesday’s primary was of particular importance because of the meltdown of the Iowa caucuses caused largely by the use of an untested app. During a discussion Wednesday morning as election officials completed counting votes from around the state he was almost effusive about how things went.

National: Voatz of no confidence: MIT boffins eviscerate US election app, claim fiends could exploit flaws to derail democracy | Thomas Claburn/The Register

Only a week after the mobile app meltdown in Iowa’s Democratic Caucus, computer scientists at MIT have revealed their analysis of the Voatz app used in West Virginia’s 2018 midterm election. They claim the Android app is vulnerable to attacks that could undermine election integrity in the US state. Based on their findings, published today in a paper [PDF] titled, “The Ballot is Busted Before the Blockchain: A Security Analysis of Voatz, the First Internet Voting Application Used in U.S. Federal Elections,” researchers Michael Specter, James Koppel, and Daniel Weitzner conclude that internet voting has yet to meet the security requirements of safe election systems. “We find that Voatz has vulnerabilities that allow different kinds of adversaries to alter, stop, or expose a user’s vote, including a side-channel attack in which a completely passive network adversary can potentially recover a user’s secret ballot,” their paper states. “We additionally find that Voatz has a number of privacy issues stemming from their use of third-party services for crucial app functionality.” Specifically, the researchers discovered that malware or some miscreant with root access to a voter’s mobile device can bypass the host protection provided by mobile security software known as the Zimperium SDK.

National: Researchers Find Security Flaws in Voatz Mobile Voting App | Andrea Noble/Route Fifty

A mobile voting app used by West Virginia and several local governments in the 2018 midterm elections contains vulnerabilities that could allow hackers to determine how someone voted or even change their vote, according to a report released Thursday by security researchers. Researchers from the Massachusetts Institute of Technology found the security flaws in the Voatz voting app, which was originally designed as a way for overseas service members to cast ballots. The researchers said their findings underscore prior security recommendations that the internet not be used for voting. “Perhaps most alarmingly, we found that a passive network adversary, like your internet service provider, or someone nearby you if you’re on unencrypted Wi-Fi, could detect which way you voted in some configurations of the election,” said Michael Specter, a graduate student in MIT’s Department of Electrical Engineering and Computer Science. “Worse, more aggressive attackers could potentially detect which way you’re going to vote and then stop the connection based on that alone.” In addition to West Virginia, several local governments, including ones in Washington state, Colorado, Utah and Oregon, have conducted their own pilots with the Voatz system. Additional states are also considering whether to use the app to assist absentee voters in upcoming elections.

National: MIT researchers find vulnerabilities in Voatz voting app used in multiple states | Maggie Miller/The Hill

A voting app used in multiple states during the 2018 midterm elections to allow for more accessible voting has cyber vulnerabilities that could allow for votes to be changed or exposed, researchers at the Massachusetts Institute of Technology (MIT) found. In a paper published Thursday, three MIT researchers found that Voatz had vulnerabilities that “allow different kinds of adversaries to alter, stop, or expose a user’s vote” and that the app also had several privacy issues due to the use of third-party services to ensure the app functioned. The researchers found that if an individual were able to gain remote access to the device used to vote on the Voatz app, vulnerabilities could have allowed that person to discover and change the votes cast. The researchers described their findings as being part of the first “public security analysis of Voatz” and noted that they used reverse engineering of the Android Voatz app to come to their conclusions. The Voatz app was used during the 2018 midterms in some municipal, state or federal elections in West Virginia, Colorado, Oregon and Utah. The company allows voters to cast their votes via an app and was rolled out in West Virginia as a way for overseas military personnel and other voters unable to physically go to the polls to cast their votes.

National: ‘Sloppy’ Mobile Voting App Used in Four States Has ‘Elementary’ Security Flaws | Kim Zetter/VICE

A mobile voting app being used in West Virginia and other states has elementary security flaws that would allow someone to see and intercept votes as they’re transmitted from mobile phones to the voting company’s server, new research reveals. An attacker would also be able to alter the user’s vote and trick the user into believing their vote was transmitted accurately, researchers from the Massachusetts Technology Institute write in a paper released Thursday. The app, called Voatz, also has problems with how it handles authentication between the voter’s mobile phone and the backend server, allowing an attacker to impersonate a user’s phone. Even more surprising, although the makers of Voatz have touted its use of blockchain technology to secure the transmission and storage of votes, the researchers found that the blockchain isn’t actually used in the way Voatz claims it is, thereby supplying no additional security to the system. The research was conducted by Michael Specter and James Koppel, two graduate students in MIT’s Computer Science and Artificial Intelligence Lab, and Daniel Weitzner, principal research scientist with the lab. Election security experts praised the research and said it shows that long-held concerns about mobile voting are well-founded.

National: Senate GOP blocks election security bills as intel report warns of Russian meddling in 2020 | Igor Derysh/Salon

Sen. Marsha Blackburn, R-Tenn., blocked Democratic efforts to unanimously pass three bills related to election security despite warnings that Russia will interfere in the 2020 election. Sen. Mark Warner, D-Va., and Sen. Richard Blumenthal, D-Conn., tried to pass a bill that would require campaigns to report offers of foreign election assistance to the FBI, and another that would require campaigns to report such offers to the Federal Election Commission. “The appropriate response is not to say thank you, the appropriate response is to call the FBI,” Warner said, according to The Hill. “There is no doubt that [Trump] will only be emboldened in his efforts to illegally enlist foreign governments in his reelection campaign,” Blumenthal added. Sen. Ron Wyden, D-Ore., also tried to pass the Securing America’s Federal Elections Act (SAFE Act), which would provide additional funding to the Election Assistance Commission and would ban voting machines from being connected to the internet as well as machines that were manufactured in foreign countries. “America is 266 days away from the 2020 election, and Majority Leader McConnell has yet to take any concrete steps to protect our foreign elections from hacking or foreign interference,” Wyden said.

National: CISA leans into facilitator role in election security plan | Derek B. Johnson/FCW

Officials from the Cybersecurity and Infrastructure Security Agency often describe their role in election security as helping to coordinate and advise the larger ecosystem of election stakeholders. In a newly released strategic plan, the agency lays out its strategy for protecting the 2020 elections by largely leaning into that facilitator role, breaking down its coordination activities across four lines of effort: elections infrastructure, campaigns and political infrastructure, the American electorate and warning and response. To help protect digital and physical elections infrastructure, such as voting machines, election software systems and polling places, CISA views its role as largely complementary to that of states and localities, vendors and others on the front lines of election administration. Thus, getting those organizations to adopt better security practices through outreach and offers of federal resources are its prime tools.

Editorials: Why Companies Need to Help Ensure Election Integrity | Daniel Dobrygowski/Harvard Business Review

The Iowa Democratic caucus, the first election of the 2020 cycle in the U.S., seems to have played into experts’ most dire concerns about election integrity. Rather than a harbinger of disaster to come, we need to recognize this as a warning that it’s all hands on deck to ensure election security. It’s well past time to activate everyone who has a stake in trustworthy elections — not only campaigns, government officials, and voters, but also private companies as well. To borrow a meme, the best time to work together on securing the vote was 2010, the second-best time is right now. Much of the conversation around election security to date has focused on hacking, and it remains a serious concern. In 2016, Russian hackers targeted election infrastructure in more than two dozen U.S. states and compromised the email servers of Hillary Clinton’s presidential campaign. Adversaries have already begun targeting the 2020 presidential campaigns. Personal information about voters has also leaked from campaigns and political parties who store and analyze it online.

Editorials: Election hacking: is it the end of democracy as we know it? | Nick Ismail/Information Age

Since the 2016 US election, there have been murmurs about hacking elections. There are reports of hacktivists trying to compromise the ballot and rogue governments trying to control the outcome. But in a post-truth world, how much of this is legitimate? How much can we brush aside as fake news? If the recent controversial Iowa caucuses are anything to go by, we are definitely at risk. Sometimes bad actors also hack other criminals to use their network and hide their true identity. Recently, this was the case when a group of hackers from Eastern Europe compromised the network of elite Iranian hackers. In this scenario, governments and private companies in the Middle East and Britain were attacked while Tehran was set up to take the blame. So it begs the question, in the current threat landscape, what does it mean to hack an election?

Colorado: MIT study: voting app that Denver used could be hacked | Matt Mauro/KDVR

An app that some Denver voters used in 2019 has significant security issues, according to a new study from the Massachusetts Institute of Technology. The study that was released Thursday said hackers could potentially block or change a vote and steal a voter’s personal information from the app Voatz. The Denver Elections Division used Voatz in the May and June municipal elections for about 300 military and overseas voters. The Division did not report any security issues. “We were very happy with it,” said Director of Elections Jocelyn Bucaro. Bucaro said voter turnout increased significantly with Voatz. Traditionally, military members and others who are overseas and vote electronically would have to print a ballot, sign an affidavit, scan the documents and email them. Voatz allowed the voters to submit their ballots by just using a smartphone. Also, the division used a three-step process to ensure the app and votes were secure. “We are really grateful for the MIT researchers and releasing that report because we’ve been wanting more security review of the Voatz application and other vendors in this space,” Bucaro said.

Florida: DHS preparing report on 2016 Palm Beach election ransomware | David Smiley and Nicholas Nehamas/Miami Herald

Less than five weeks before Florida’s March presidential primary, the Department of Homeland Security is investigating a previously unreported cyber attack on Palm Beach County’s elections office, according to Supervisor of Elections Wendy Sartory Link. Link, who was appointed last year by the governor to oversee the county’s beleaguered elections department, said she contacted the FBI in November after a veteran IT employee told her that the office had been infected by a ransomware virus only a few weeks prior to the 2016 election. The virus was not publicly disclosed in 2016. Link said the FBI referred her to DHS, which sent a team of a half-dozen employees to her office late last month to do a “deep dive” into her department’s network. She said a report of their findings and recommendations is expected shortly. “We’ve had the top experts in the country here and they spent a lot of time with our system. When we get the report, we’ll be able to take care of everything we can take care of,” Link said in an interview Thursday. “I wanted this done before March if at all possible.”

Florida: Key Florida Elections Office Endured Cyberattack Ahead of 2016 Election | Miles Parks/NPR

The elections office of Florida’s third-most populous county was breached by a crippling cyberattack in the weeks leading up to the 2016 election, NPR confirmed on Thursday. There is no indication that the ransomware attack was connected to Russian interference efforts leading up to the last presidential race, but the revelation about it now shows how election officials are preparing for this year’s election without knowing all the details of what happened before. The attack on Palm Beach County came to light during a Palm Beach Post editorial board interview with county elections supervisor Wendy Sartory Link. “Have we been hacked in Palm Beach County? Yeah, we have,” Link told the paper. A spokesperson for the elections office also confirmed the attack to NPR. “It was in 2016, and as soon as Wendy found out about it, we went and did the necessary precautions to make sure that we were going to be 100% secure and safe,” said Judy Lamey, an assistant public information officer for the elections office.

Iowa: Caucus Meltdown Proved Transparency Is Essential, Election-Watchers Say | Miles Parks/NPR

As the Democratic primary season rolls on, one big lesson already is sinking in from the party’s caucus-night meltdown in Iowa: Secrecy isn’t a strategy. State Democratic chair Troy Price declined to answer questions a month ago about what sorts of tests were conducted on the smartphone app the party was planning to use on caucus night or detail backup plans should it fail. But he did promise some sort of transparency. “We’ll be able to give a preview to the press of what the app will look like in the days leading up to the caucuses,” Price said in mid-January, in his first interview about the app, with NPR and Iowa Public Radio. That preview never happened. And the reporting system then failed in a major way. The state party announced over the weekend that it was still adjusting results for 3 percent of the state’s total precincts, and updating its projected national delegate allocations.

Iowa: What the Iowa Caucus Tells Us About Cavalier Approaches to Technology | Cillian Kieran/CPO Magazine

As details emerge about the tech issues that have delayed the results of the Iowa caucus and thrown the public into states of confusion and frustration, I marvel at the familiarity of the story to anyone who has spent long enough working on the front lines of enterprise technology. It should be noted that the dust is still settling on events in the Hawkeye State, and so it may be a few more days until we know with absolute certainty what transpired and how exactly, in 2020, the results of the caucus are taking longer to arrive than in pre-internet days. But reports so far focus on the haphazard roll-out of a new voting app designed to facilitate (ostensibly) the transmission of results from caucus locations to centralized election monitors. A number of problems appear to have occurred with this process – ranging from caucus-site volunteers being unable to log-in to report results to rumored compromising by outside parties to scramble the results-logging process. Whatever the final assessment, it’s certainly not too early to call this a disaster, with a bungled roll-out as catalyst.

Minnesota: Democrats seek to free up election security funds | Steve Karnowski/Associated Press

Minnesota House Democrats launched an attempt Thursday to prevent Republicans from blocking Secretary of State Steve Simon from spending $7.4 million in federal election security money, aiming to head off a repeat of partisan maneuvering from last year. Rep. Mike Freiberg, of Golden Valley, told a state government finance committee that Minnesota is one of only a handful of states that require the Legislature to sign off before elections officials can use federal money provided under the Help America Vote Act. His bill would eliminate the need for legislative approval. The latest round of federal funding was assigned in December. The federal government allocated Minnesota $6.6 million in the previous round in 2018 after Minnesota and other states’ election systems were targeted by foreign hackers in 2016. The Democratic-controlled House authorized spending it by a wide bipartisan margin last year.

Nevada: Volunteers and campaigns worry about results reporting ahead of Nevada caucuses | Holmes Lybrand, Dianne Gallagher, Pamela Kirkland and Dan Merica/CNN

With the Nevada Democratic caucuses only a week away, both caucus workers and presidential campaigns are worried about the lack of detail the state party is providing about how the results reporting process will work. The worries come after the state party stopped working with Shadow Inc., the company behind the app whose “coding errors” were at the heart of the chaos of the Iowa caucuses. Having scrapped plans to use a pair of Shadow’s apps, the parties will instead use a “caucus calculator,” as outlined in a new memo released by the Nevada State Democratic Party Thursday. Described as “user friendly,” the calculator will be used to add early voting data into each precinct and calculate totals on caucus day, February 22, along with paper work sheets. The tool, which the party does not consider an app, will be available on iPads owned by the party and “accessed through a secure Google web form.” A similar memo was sent to the presidential campaigns on Monday.

West Virginia: State Expands Online Voting as Security Worries Grow | Patrick Groves/Government Technology

West Virginia, which has become an early tester of blockchain voting, is expanding Internet voting to include those with physical disabilities. But the move comes just as researchers from the Massachusetts Institute of Technology (MIT) have published a paper asserting that Voatz — the app West Virginia has been using in its pilot tests — has serious flaws, including the ability of bad actors to change votes without voters’ knowledge. Gov. Jim Justice signed SB 94 into law last week giving the secretary of state permission to create a system that allows people with physical disabilities to vote electronically. The Office of the Secretary of State lauded its success with Boston-based vendor Voatz that tallied 144 ballots from uniformed and overseas citizens in 2018. The Secretary of State’s Office may choose the startup again to enact the new law’s mandate for the 2020 primary and general elections. But election security experts and computer scientists have grown increasingly skeptical of the cybersecurity surrounding voting apps, especially after a mobile app used during the Iowa Caucus recorded data accurately but only reported it partially due to a coding error.