National: DHS cyber agency to prioritize election security, Chinese threats | Maggie Miller/The Hill

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) plans to prioritize election security, cybersecurity at federal agencies, and the “persistent threat” posed by China, among its many goals. The agency laid out its key priorities in a new “strategic intent” document released on Thursday, which CISA Director Christopher Krebs described in the introduction as the “keystone” for the agency. Among Krebs’s operational priorities is addressing Chinese threats to U.S. supply chains and to the rollout of 5G networks, bolstering election security efforts at the state and local level, and protecting the cybersecurity of industrial control systems. Other priorities are protecting federal networks against cyber attacks, such as ransomware incidents that have increasingly spread across the country, and defending “soft targets” and crowded venues from physical threats. CISA is the primary agency responsible for assisting state and local governments with securing elections, replacing the former National Protection and Programs Directorate in a law that took effect last year.

National: Internet-Connected Election Systems Found in 10 U.S. States | Scott Ikeda/CPO Magazine

There has been much talk in the media about interference in United States presidential elections, but most of it has centered around the use of media and disinformation to influence votes. There is a widespread assumption that the voting machines themselves are safe from hacking; though many are electronic, these election systems are not supposed to be connected to the internet. A new report from Vice’s Motherboard indicates that these systems are not nearly as secure as anyone thought they were, including election officials. Researchers told Motherboard that a particular type of election system that is only supposed to connect to the internet for several minutes to transfer votes has been found to sometimes stay connected for months, and in some cases these machines were constantly connected and were exposed for at least a year. The election systems found to be vulnerable are made by a specific manufacturer: Election Systems & Software (ESS). ESS is the largest voting systems company in the country, with at least 260,000 machines in place in 21 states including in some swing states. Security researchers found backend systems that were connected to the internet when they were not supposed to be, distributed across a number of states including the key “battleground” centers of Florida, Michigan and Wisconsin.

National: IT Security Pros: Encryption Backdoors Would Be Election Hacking Risk | Phil Muncaster/Infosecurity Magazine

The IT security community overwhelmingly believes that government-mandated encryption backdoors will put countries at a greater risk of election hacking, according to new Venafi research. The security vendor polled over 380 security professionals at Black Hat USA 2019 in Las Vegas earlier this month, following recent comments by attorney general, William Barr. Like his predecessors, Barr last month claimed that strong data encryption in tech products is effectively creating a “law-free zone” exploited by terrorists and criminals as it “seriously degrades” the ability of law enforcement to detect and prevent crimes. Also like many others, he argued that government-mandated backdoor access “can and must be done,” claiming that if they only tried hard enough, tech firms could find a solution which could enable lawful access to data without undermining security for all users. This argument has been repeatedly shot down, not only by the tech firms themselves, but also world-renowned cryptography experts. Last year they backed senator Ron Wyden’s demands that the FBI explain the technical basis for its repeated claims that encryption backdoors can be engineered without impacting user security.

National: Election Security Lessons from DEFCON 27 | Ciara Torres-Spelliscy/Brennan Center for Justice

Given the extent of foreign interference in the 2016 election, every American should be concerned about election security in 2020. But what can computer hackers teach us about it? To find out, I went to Las Vegas earlier this month to attend DEFCON 27, the largest annual hacking conference in the United States, knowing this was probably my last chance to see a legal election hacking. Voting machines are protected from reverse engineering under the Digital Millennium Copyright Act. But the Library of Congress, which has certain authorities under the law, set a three-year window to allow third parties access to voting machines to test their security. Barring an extension by the Library of Congress, 2019 is the third and last year these hacks are legal. DEFCON is a huge event, and I saw fellow conference-goers all over Las Vegas with their distinctive glowing badges. I was only interested in the DEFCON Voting Village, which included a large assortment of voting equipment for participants to test, hack, and break.

National: Democrats call for a Senate vote on elections reform package | Jennifer McDermott/Associated Press

Democratic congressmen held an event Thursday in Rhode Island to try to pressure Republican Senate Majority Leader Mitch McConnell into allowing a vote on a comprehensive elections and ethics reform package. Maryland Democratic Rep. John Sarbanes, who is the bill’s main author, met with Rhode Island Rep. David Cicilline and Sen. Sheldon Whitehouse in North Providence. The influence of big money in politics is impeding efforts to address climate change, gun violence and prescription drug costs, they said. Activists working on those issues attended the event. “This isn’t just some theory, like wouldn’t it be good to reform government because good government is an abstract idea,” Cicilline said. “It has a direct effect on people’s lives. The corrupting influence of money and its impact on public policy is hurting the American people.”

National: Microsoft ElectionGuard aims to fix America’s broken voting | Mark Wilson/Fast Company

Voting is broken. From the hanging chad debacle of 2000 to the 2018 midterms when decade-old touchscreen computers cast the wrong votes, to long lines outside polling places, our democratic right to elect our own officials is constantly at odds with unreliable equipment and balloting policies that vary from one district to the next. And this is all not to mention that voting machines are absurdly hackable. It’s enough to make people not want to vote at all. But what if you could vote however you wanted to vote? Which could mean at home or, if you’re a person with a disability, with the assistance of specialized hardware? What if you could go online later and ensure your vote was your vote, and that it counted? What if you could write your own piece of software to do a recount of, or audit, your small town’s mayoral election instantly? That’s the vision of ElectionGuard, a new project by Microsoft, which debuted this summer at the Aspen Security Forum. ElectionGuard is an open code standard, that anyone can audit, freely use, and plug into, to create secure digital voting machines that remove many of the barriers of voting. Microsoft teamed up with Tucker Viemeister, a renowned industrial designer who spent years at prestigious firms including Frog, Smart Design, and Rockwell Group designing devices like hair dryers and coffee makers, to build something of a concept car for the future of voting—mostly out of off-the-shelf parts.

Georgia: Voters raise concerns about new voting system to state board | Mark Niesse/The Atlanta Journal-Constitution

Voters told Georgia’s election board Wednesday they’re deeply worried about the security and accuracy of the state’s new voting system and they urged the board to enact strong rules that ensure vote counts are correct.
The Secretary of State’s office announced it has started creating standards for recounts, audits and security of paper ballots that will be printed out by voting machines, which are scheduled to be used by Georgia voters statewide during the March 24 presidential primary.The 10 voters who spoke to the State Election Board, which is responsible for making election rules and investigating violations, said they distrust the $107 million voting system that Georgia bought from Denver-based Dominion this month. They doubted that computer-printed ballots will safeguard elections.“If a voter cannot recall every race and choice, she cannot identify whether the machine printout accurately reflects her intentions, or instead added, dropped or changed one of her choices,” said Rhonda Martin, a Fulton County voter. “No valid audit can be conducted on the basis of unverifiable source documents.”

North Carolina: Election officials closely watching state vote on voting systems Friday as 2019, 2020 races loom | Emily Featherston/WECT

Along with everything else it takes to prepare for the upcoming 2019 municipal elections, and the 2020 primaries close on their heels, election officials in southeastern North Carolina are also waiting to see what kind of equipment they will be able to use. On Friday, the North Carolina State Board of Elections is expected to finally make a decision that will dictate what machines voters use to cast a ballot. Most of the attention has been focused on the state’s move away from touchscreen equipment that only generates an electronic ballot, as counties across North Carolina wait to see what equipment will be approved for them to buy. New Hanover County is also waiting for the state’s stamp of approval for the replacement of its outdated voting equipment. New Hanover County last purchased ballot tabulators in 2006, explained county board of elections director Rae Hunter-Havens. Those machines typically have a lifespan of just 10 years — and they are starting to show their age. “We’ve exceeded that end-of-life projection,” Hunter-Havens said, and that means increasing mechanical issues.

Rhode Island: Security expert offers solution to prevent hacking of election computers in Rhode Island next year | Edward Fitzpatrick/The Boston Globe

A computer security expert is proposing a solution that would let the state Board of Elections bolster its cybersecurity on Election Day without having to rip out modems that make the state’s election system vulnerable to cyberattacks. On Aug. 2, the Board of Elections asked Tony Adams, an information security professional who lives in Providence, to write a memo suggesting ways to reduce the risk of hacking on election night, when modems are used to quickly report unofficial results. In an Aug. 14 memo, Adams suggests having the modems report unofficial results to computers that are separate from the state’s core election computer system, which configures ballots and tabulates official results. That way, if hackers did penetrate the system on election night, they couldn’t change the official results or hold the whole system hostage with ransomware, for example, he said. “This idea is so elegant you have to ask: Why didn’t I think of that?” Board of Elections Vice Chairman Stephen P. Erickson said this week. “Because you don’t have to spend a lot of money, it’s relatively simple to implement, and it will substantially increase the level of security — and the perceived security, which is important.”

Texas: Palo Pinto County to Block State Network Access for Security | David May/Mineral Wells Index

If state officials want to perform a security or other audits of the local elections office, they may have to come to Palo Pinto to do it. Joey Fenley, head of Palo Pinto County’s Information Technology department, said allowing remote access to the county’s network through an offsite connection – such as software using a virtual private network – puts the county’s network at risk of receiving a virus or, worse, ransomware. He said it is a breach of the county’s network security protocols. Fenley questions why the state would perform a network security audit using an insecure method. “It’s done by a third party and you don’t know who they are,” Fenley told the Index.

International: Intel, IBM, Google, Microsoft & others join new security-focused industry group | Catalin Cimpanu/ZDNet

Some of the biggest names in the cloud and hardware ecosystem have agreed to join a new industry group focused on promoting safe computing practices. Founding members include Alibaba, Arm, Baidu, Google Cloud, IBM, Intel, Microsoft, Red Hat, Swisscom, and Tencent. Named the Confidential Computing Consortium, this industry group’s goals will be to come up with strategies and tools to accelerate the adoption of “confidential computing.” By confidential computing, the group is referring to hardware and software-based technical solutions for isolating user data inside a computer’s memory while it’s being processed, to avoid exposing it to other applications, the operating system, or other cloud server tenants. The easiest way of supporting confidential computing practices is through the use of trusted execution environments (TEEs), also known as enclaves. These are hardware and/or software-enforced private regions of a computer’s CPU memory where only certain apps can write and read data.

Argentina: Hackers Leaked Sensitive Government Data in Argentina—and Nobody Cares | Eugenia Lostri/Lawfare

On Monday, Aug. 12, hackers leaked 700 GB of data obtained from the government of Argentina, including confidential documents, wiretaps and biometric information from the Argentine Federal Police, along with the personal data of police officers. The Twitter account of the Argentine Naval Prefecture was hacked as well, and used not only to share links to the stolen information but also to spread fake news about a nonexistent British attack on Argentine ships. An operation combining the hacking of law enforcement agencies, an attempt to spread misinformation through social media and the leaking of large amounts of sensitive data on the “Deep Web” would seem to check all the boxes for a major news story. But you most likely have not heard about any of this.

India: VVPAT-auditing data and credibility of electronic voting machines | Atanu Biswas/The Tribune

Even as some top politicians are raising doubts and have made references to the alleged manipulation of EVMs (electronic voting machines), millions of voters in the country are getting confused. Common people don’t understand the mechanism of a complicated machine like the EVM. Rather, they depend on the institutions and/or their leaders to frame their opinions. However, there was a VVPAT-auditing of the EVMs — five per Assembly constituency of the country — as directed by the Supreme Court. One obvious, yet important, question is how the opinion on EVMs will be reframed with the VVPAT-auditing data. A voter verifiable paper audit trail (VVPAT) slip is nothing but a machine-generated ballot paper, verified by the voter himself/herself. And if the VVPAT counts are further tallied with the corresponding EVM counts, that would give a double-check. The objective of tallying VVPAT counts with the corresponding EVM counts is to check whether the EVMs are tampered with or not. If there is no mismatch for a machine, one can safely conclude that there is no tampering in that EVM, at least.

Russia: Prominent journalist Alexey Venediktov has accused ‘Meduza’ of cheating to prove Moscow’s online voting system is hackable. He’s wrong. | Mikhail Zelenskiy/Meduza

This September’s elections for the Moscow City Duma have already gained renown for inspiring regular mass protests, but they are also remarkable for another reason: In three of the Russian capital’s districts, voters will be able to use an online system to select their new representatives. Moscow’s Information Technology Department held intrusion tests on GitHub in late July to verify the integrity of the system: Officials gave programmers several opportunities to attempt to decrypt mock voting data, and each round of data was subsequently published so that it could be compared to the results of those hacking attempts. On August 16, Meduza reported on French cryptographer Pierrick Gaudry’s successful attempt to break through the system’s encryption. To confirm that the encryption keys used in the system are too weak, we also implemented Gaudry’s program ourselves. City Hall officials responded to the successful hackings by refusing to post its private keys and data, thereby preventing outsiders from confirming that the system had indeed been hacked. Instead, Ekho Moskvy Editor-in-Chief Alexey Venediktov, who is also leading the citizens’ board responsible for the elections, accused Meduza of abusing the testing process. Here’s why he’s wrong.

Switzerland: Swiss post rolls out more secure version of e-voting platform | SWI

The publicly-owned company Swiss Post, which had abandoned its electronic voting system in July over security concerns, has developed a new version. “We have already proposed a solution” to cantons, said general manager Roberto Cirillo in an interview published by the La Liberté newspaper on Friday. According to Cirillo, the company is in the process of defining the rules for testing the new system with cantons. He stressed that the new version will “contain universal verifiability”. At the beginning of July, Swiss Post abandoned its electronic voting system, which means it now cannot be used for the October federal parliamentary elections. The decision was made after subjecting the e-voting system to an intrusion test by thousands of hackers last spring. According to Swiss Post, they were unable to penetrate the electronic ballot box, but found serious errors in the source code, which had to be corrected. The cantons of Neuchâtel, Fribourg, Thurgau and Basel City had adopted this e-voting system, which only offered individual verifiability. Three of them already plan to demand compensation from Swiss Post for failure to deliver.

California: Sweeping change is coming for Los Angeles County voters. If things go wrong, he’ll get the blame | Matt Stiles/Los Angeles Times

Long before Dean Logan was the elections chief for the most populous county in California, he was an administrator for the most populous county in Washington state — and he was dealing with a crisis. It was the fall of 2004, four years after the contested Bush-versus-Gore presidential election, and voters had just produced one of the closest gubernatorial contests in American history. Fewer than 300 votes separated the candidates. Then things got worse. Logan realized that his staff had misfiled a batch of uncounted mail-in ballots — enough to sway the election. Under pressure, Logan insisted that the ballots be counted, making him a target of critics, including the state’s Republican Party chairman who insisted that the election was being “stolen.” A judge eventually validated Logan’s decision. Fifteen years later, the experience still haunts him. But it has informed and inspired his years-long personal quest to overhaul the way elections are conducted in Los Angeles County. Starting next year, some 5.2 million residents — a figure that eclipses the number of registered voters in most states — will change the way they cast ballots. If the process goes awry — either in the earlier-than-normal presidential primary in March or in the crucial November general election, in which President Trump will probably be on the ballot — blame could fall on Logan yet again.

National: State Election Infrastructure Is Still Vulnerable, Report Finds | by Phil Goldstein/StateTech Magazine

The 2020 presidential election is more than 14 months away, but some experts are warning that state governments face an uphill battle in defending election infrastructure from cyberattacks. According to a recent report, “Defending Elections: Federal Funding Needs for State Election Security,” many election security projects at the state level are either unfunded or underfunded. The report calls on the federal government to provide more funding for state-level election security measures ahead of next year’s election. “In administering our elections, states face security challenges of unprecedented magnitude,” the report concludes. “They are, in many cases, ill-equipped to defend themselves against the sophisticated, well-resourced intelligence agencies of foreign governments. States should not be expected to defend against such attacks alone. Our federal government should work to provide the states with the resources they need to harden their infrastructure against cybersecurity threats.” The paper was authored by a bipartisan group of organizations including the Brennan Center for Justice, the Alliance for Securing Democracy, the R Street Institute and the University of Pittsburgh Institute for Cyber Law, Policy, and Security.

National: 2020 election security to face same vulnerabilities as in 2016 | Michael Heller/TechTarget

For the third year running, the Voting Village at DEF CON shined a light on election security and one thing was made clear: no one agrees on what to expect in 2020. In opening remarks at DEF CON, founders Harri Hursti, Matt Blaze and Jake Braun laid out the long road the Voting Village has traveled to raise awareness of election security issues. Blaze, who serves as the McDevitt Chair of Computer Science and Law at Georgetown University, pointed out the troubles began with the Help America Vote Act (HAVA), which passed in 2002 as an effort to modernize and improve election administration. “They didn’t understand as much at the time as we do now about building voting machines and almost everything produced to comply with the Help America Vote Act has terrible vulnerabilities associated with it,” Blaze said. “That’s partly because we’ve taken these systems that weren’t dependent on software before and made them dependent on software. And, as everybody here in Las Vegas can tell you, software is utterly terrible. So we essentially took a problem that was hard and we added software to it.” A new initiative at this year’s Voting Village was to connect security researchers and hackers directly to election officials to provide pro bono work to help secure the 2020 election. Braun, an executive director for the University of Chicago Harris School of Public Policy’s Cyber Policy Initiative, noted the past work of the Voting Village had been corroborated. “The Mueller report reinforced a lot of what we identified last year, like you can hack a website with a SQL injection and get into a voter registration database, which is exactly what Mueller said the Russians did in 2016,” Braun said. “And frankly, they didn’t even go as far as we said was possible [in last year’s election.]”

National: Civilians, military abroad may find it more expensive to vote | Bill Theobald/The Fulcrum

Election officials are growing increasingly concerned that the Trump administration’s trade war with China could make it more difficult and expensive for overseas voters — including those in the military — to cast ballots in the 2019 and 2020 local, state and federal elections. The issue is the pending withdrawal in October by the U.S. from the Universal Postal Union, a group of 192 nations that has governed international postal service and rates for 145 years. Last October, the U.S. gave the required one-year notice stating it would leave the UPU unless changes were made to the discounted fees that China pays for shipping small packages to the United States. The subsidized fees — established years ago to help poor, developing countries — place American businesses at a disadvantage and don’t cover costs incurred by the U.S. Postal Service. With the U.S.-imposed deadline for withdrawal or new rates fast approaching, states officials are running out of time to prepare for overseas mail-in voting. Last week, Kentucky elections director Jared Dearing pleaded for help from the Election Assistance Commission — for himself and his peers in other states. The deadline for his state and most others to send out absentee ballots for the fall elections, Dearing said, falls a few days before a Sept. 24-25 UPU meeting in Geneva, Switzerland, to discuss the U.S. proposal to revise the rate system. That makes it difficult to provide voters with guidance about how to return their ballots. If the United States ends up withdrawing from the UPU, overseas citizens may not be able to return their ballots using regular mail service and could have to pay upward of $60 to use one of the commercial shipping services, Dearing said.

National: Republicans use McConnell allies to try and force his hand on election security | Lesley Clark/McClatchy

A conservative group is increasing pressure on Senate Majority Leader Mitch McConnell to put election security legislation up for a vote in the Senate by airing ads that target the Kentucky Republican and four other Republican senators in their home states. Republicans for the Rule of Law is unveiling new spots that urge Sens. Marco Rubio, R-Florida, Roy Blunt, R-Missouri, Lindsey Graham, R-South Carolina, and James Lankford, R-Oklahoma, to push McConnell for a vote, urging them “don’t let Mitch McConnell stand in your way.” The group is also re-airing a 60-second ad that calls on McConnell to act. The 30-second spots will air nearly daily on Fox & Friends starting Wednesday. They’ll also run on Fox News Sunday and NBC’s Meet the Press in the senators’ home cities on Sunday as part of a $400,000 ad buy that includes digital ads. The ads note the senators’ support for election security legislation. “McConnell and all Republican Senators have no greater responsibility than protecting our elections from foreign enemies like Russia and Iran,” said Republicans for the Rule of Law legal advisor and spokesman Chris Truax.

Editorials: The malware election: Returning to paper ballots only way to prevent hacking | Lulu Friesdat/The Hill

The key takeaway of special counsel Robert S. Mueller’s report on Russian interference in the 2016 election was that “There were multiple, systematic efforts to interfere in our election … and that allegation deserves the attention of every American.” But with so much attention on what happened in 2016, we have lost much of the time available to protect the 2020 election. This was immediately apparent recently at DEF CON, one of the largest hacker conventions on the planet. The conference, where tens of thousands of hackers descend on the pseudo-glamourous “pleasure pit” that is Las Vegas, includes the Voting Village, a pop-up research lab with an array of U.S. voting equipment available for security researchers to compromise. They were terrifyingly successful. High school hackers and security professionals united to take control of almost every voting system in the room, most of it currently in use around the U.S. They found systems with no passwords, no encryption, and operating systems so old that young hackers often had no previous experience with them. That did not prevent them from completely dominating the machines. They accessed USB, compact flash and ethernet ports that were glaringly unprotected, and then proceeded to play video games and run pink cat graphics across the screens of ballot-marking devices and voter registration database systems.

California: New Los Angeles County voting system highlights trade offs between security and accessibility | Joseph Marks/The Washington Post

Starting in 2020, Los Angeles County’s 5.2 million voters will cast their ballots on new machines that the county had custom built over a decade to be highly accessible to citizens with all manner of disabilities and who speak 13 different languages. The new machines mark the biggest challenge in years to the highly consolidated voting machine industry in the United States in which just three companies control more than 90 percent of the market. The dominant players have faced withering criticism from security advocates and lawmakers since the 2016 election for being too slow to adapt to election hacking threats from Russia and other adversaries and not transparent enough about their security. The plan is for the machines to be piloted at some voting locations during local elections in November and then to be used by all voters for the first time in the March 3, 2020 primaries. The challenge is even bigger because Los Angeles plans to make the computer code its machines are running on freely available to be used or modified by other voting jurisdictions who similarly want to go it alone. But the new systems are also likely to add fire to a battle between cybersecurity hawks and advocates for voters with disabilities that’s already playing out in Congress and among state election boards.

Georgia: Voters challenge legality of new election system | Kate Brumback/Associated Press

Georgia voters who want hand-marked paper ballots are challenging the new election system state officials are rushing to implement in time for next year’s presidential primaries, saying the new touchscreen machines remain vulnerable and their results unverifiable, even though they produce paper records. Secretary of State Brad Raffensperger announced the state’s purchase of a $106 million election system from Denver-based Dominion Voting Systems last month, with plans to replace the outdated election management system and paperless touchscreen voting machines in use since 2002. He then certified the new system on Aug. 9, and said it will be in place in time for the March 24 primaries. The voters’ petition, seeking a withdrawal of the certification and a re-examination of the Dominion system, was submitted Monday to Raffensperger’s office. It says the system doesn’t meet Georgia’s voting system certification requirements and doesn’t comply with the state election code. Georgia law allows voters to request that the secretary of state “reexamine any such device previously examined and approved by him or her” as long as at least 10 voters sign onto the request. The petition submitted Monday includes signatures of more than 1,450 registered voters from 100 counties, including some elected officials, and was filed by voting integrity advocates and the state Libertarian Party. Additionally, some of the plaintiffs in a lawsuit challenging the state’s outdated voting system filed an amended complaint on Friday asking U.S. District Judge Amy Totenberg to prohibit the state from using the new Dominion system, calling it “illegal and unreliable.”

Illinois: ‘Iranian Hackers’ Claim Hack on Macon County Website | Kennedy Nolan/Decatur Herald & Review

Macon County, Ill., is the latest government entity to be targeted by hackers who hijacked a web page and disabled access. The Circuit Clerk’s Office main web page on Sunday night was overtaken by an image of a Guy Fawkes mask, Iranian flag and the text: “Hacked by Iranian Hackers. Hacked by Mamad Warning. We are always closer to you. Your identity is known to us. Your information is for us 😉 take care.” Circuit Clerk Lois Durbin said the county Information Technology department restored the page by 10 a.m. Monday. The office handles all records of traffic, civil and criminal cases in the county, but Durbin said personal identification information is stored on a separate system and wasn’t in danger of being accessed. “The firewall went up, and everything was protected and nothing was compromised,” she said. The county joins a growing list of government entities that are the victims of hacking attempts. Another technique involves disabling a website with malware and demanding money to restore it.

New Jersey: State’s Department of Homeland Security warned Russians could interfere in our elections next year. Trump’s not worried. | Jonathan D. Salant/NJ.com

New Jersey’s Department of Homeland Security has warned state and county elections officials that Russia or another foreign actor could hijack their websites or social media accounts, “severely impacting and eroding confidence in the election results.” The warning, which went to elections officials on the state level and in all 21 counties, was contained in a bulletin sent earlier this month by the state Cybersecurity and Communications Integration Cell. The state agency acted after the Senate Intelligence Committee warned about “Russian intentions to undermine the credibility of the election process” and a civil grand jury in San Mateo County, California, warned of hackers using government accounts to report false election results or issue false voting instructions. “The threat of foreign interference in our elections is a pressing national security issue,” said Rep. Mikie Sherrill, D-11th Dist., chairwoman of the House Science subcommittee on investigations and oversight, which held a hearing last month to highlight problems with state elections systems.

North Carolina: Vote security on the line in Board of Elections meeting | Jordan Wilkie/Carolina Public Press

When the NC Board of Elections meets Friday, it will make decisions about voting equipment for 2020 elections that could determine the security of the state’s election process and how much confidence voters can have that the system records and tabulates their votes as they intended. Security experts, federal research agencies and the US Senate agree on best practices for secure election equipment. They recommend that most voters use hand-marked paper ballots, count the ballots using digital scanners and audit the paper ballots for correctness before election results are made official. Most North Carolinians already vote this way. However, 23 of the state’s 100 counties use touch screens to cast their ballots, a system that experts consider insecure and outdated because it cannot be effectively audited. For that reason, North Carolina is set to decertify those systems by Dec. 1. This week, the state board of elections will consider certifying replacement systems. The decisions the board makes will have a domino effect of consequences for the security, privacy and accessibility of elections across the state.

Editorials: Rage against the voting machines | Philadelphia Inquirer

The latest controversy over the city’s ongoing voting machines saga presents multiple choices of questions and concerns. Last week, City Controller Rebecca Rhynhart, while investigating the contract for new voting machines, found that the company, Election Systems & Software, failed to disclose that it had hired lobbyists and made campaign contributions to the reelection campaigns of two city commissioners who were in charge of selecting the vendor. These mistakes, which ES&S says were inadvertent, made the contract “voidable.” But so far the contract is moving ahead — 3,700 voting machines have already been delivered. ES&S has agreed to pay a $2.9 million fine for its failure to disclose. The Controller’s Office is withholding payment on the contract until it completes its investigation sometime next month. The choices for questions are multiple: Are the resulting disclosures (and fines) proof that the system is working, or A. An indictment of the city’s new best value procurement policy, initiated in 2017 when voters approved a change that allowed the city to award contracts on factors other than the lowest price? While overwhelmingly approved by voters, others (including this board) had concerns that the new policy opened the door to granting contracts to insiders and encouraging a pay-to-play culture, as well as more expensive contracts. The $30 million machine contract is the first major test of the new policy.

Editorials: Guess which ballot costs less and is more secure– paper or electronic? | Kevin Skoglund and Christopher Deluzio/PennLive

Pennsylvania’s counties are choosing new voting systems, with implications for the security, reliability, and auditability of elections across the commonwealth and beyond. Our organizations’ analysis of county selections reveals that several have decided to purchase expensive electronic machines with security challenges over the better option: hand-marked paper ballots. Pennsylvania—where vulnerable paperless machines have been the norm—needs new paper-based voting systems. But not all systems are the same. The main choice counties face is the style of voting and polling place configuration. They can have most voters mark a paper ballot with a pen and offer a touchscreen computer to assist some voters (a ballot-marking device or “BMD”). Or they can have all voters use touchscreen computers to generate a ballot (an all-BMD configuration). The hardware in each configuration is often the same, but this fundamental choice creates significant differences. In fact, our analysis shows that many counties have chosen the all-BMD configuration and are paying a hefty sum for it—twice as much per voter as counties that selected systems that rely principally on voters hand-marking their ballots. Pricier electronic systems also carry greater security risks and make it harder for voters to verify their ballots before casting.

Texas: Ransomware Attack Hits 22 Texas Towns, Authorities Say | Manny Fernandez, Mihir Zaveri and Emily S. Rueb/The New York Times

Computer systems in 22 small Texas towns have been hacked, seized and held for ransom in a widespread, coordinated cyberattack that has sent state emergency-management officials scrambling and prompted a federal investigation, the authorities said. The Texas Department of Information Resources said Monday that it was racing to bring systems back online after the “ransomware attack,” in which hackers remotely block access to important data until a ransom is paid. Such attacks are a growing problem for city, county and state governments, court systems and school districts nationwide. By Tuesday afternoon, Texas officials had lowered the number of towns affected to 22 from 23 and said several government agencies whose systems were attacked were back to “operations as usual.” The ransomware virus appeared to affect certain agencies in the 22 towns, not entire government computer systems. Officials said that there were common threads among the 22 entities and that the attacks appeared not to be random, but they declined to elaborate, citing a federal investigation. It was unclear who was responsible. The state described the attacker only as “one single threat actor.”

Vermont: Ethical Hackers Breach Vermont Voting Machines, But Officials Say No Need To Panic | Peter Hirschfeld/Vermont Public Radio

Elections security experts have discovered new ways to manipulate the type of voting machine used in Vermont, but local elections officials say it’s unlikely that bad actors could exploit those vulnerabilities to change the results of an election. At a recent technology conference in Las Vegas, ethical hackers from across the country tried to infiltrate some of the voting machines used in U.S. elections. Probing for vulnerabilities in ballot tabulators is an annual tradition at the DEF CON Hacking Conference. This year, however, hackers tried to gain access to the same type of voting machine used by 135 towns in Vermont. Montpelier City Clerk John Odum retrieved one of the machines from a vault last week and placed it on a desk in his office. It’s a pretty ancient-looking piece of technology — like something you might have seen in a middle school computer room in the early 1990s. “As I understand it, the memory cards that we use, the technology was originally developed for the original Tandy laptops,” Odum said, “so this is some old stuff.” The machine is called an AccuVote, and its name is clearly meant to inspire confidence in the results it spits out. But when white-hat hackers set to work on this tabulator at DEF CON earlier this month, they quickly found all kinds of ways to manipulate results.