National: Nielsen departure could deal a blow to Trump administration’s cybersecurity efforts | The Washington Post

Kirstjen Nielsen’s resignation as secretary of homeland security could deal a blow to the Trump administration’s cybersecurity efforts — as she was one of the last civilians in its top ranks with extensive cybersecurity expertise. That’s a dangerous position, experts say, as the nation barrels toward a 2020 election that will likely be targeted by Russian hackers and the Homeland Security Department launches a major campaign to get government and industry to stop buying technology from China’s Huawei and other companies deemed national security threats. “Hopefully whoever runs DHS will prioritize its vital cybersecurity mission, but it makes a difference if the person at the top has a background in cyber and knows from experience how important it is rather than just being told,” former State Department cyber coordinator Chris Painter told me. “DHS is spread thin among multiple priorities as it is, and without a clear mandate from department leadership that cybersecurity is a prime mission, their efforts risk being sidelined.” Nielsen – who The Post reported was forced to step down because Trump was dissatisfied with her handling of the border — had, by far, the longest cybersecurity resume of any DHS secretary in history. She advised President George W. Bush on cybersecurity and homeland security issues, founded a consulting group called Sunesis Consulting focused on cybersecurity and critical infrastructure, and served as a senior fellow at George Washington University’s Center for Cyber and Homeland Security. Her acting successor, U.S. Customs and Border Protection Commissioner Kevin K. McAleenan, by contrast, has no substantial background in the field.

National: Scrutiny and suspicion as Mueller report undergoes redaction | The Washington Post

The escalating political battle over special counsel Robert S. Mueller III’s report centers on redactions — a lawyerly editing process that has angered distrustful Democrats eager to see the all evidence and conclusions from his 22-month investigation of President Trump’s conduct and Russia’s elaborate interference operation during the 2016 campaign. Attorney General William P. Barr is redacting at least four categories of information from the report, which spans nearly 400 pages, before issuing it to Congress and the public. Legal experts say he has wide discretion to determine what should not be revealed, meaning the fight over blacked-out boxes is likely to spawn months of fights between Congress and the Justice Department, and it may end up in the courts. The first public confrontation is imminent, with Barr scheduled to appear Tuesday and Wednesday before the House and Senate Appropriations committees for hearings ostensibly about the Justice Department’s budget. He is expected to face extensive questioning about the Mueller report and his ongoing redaction process, though, and his testimony will be scrutinized for any sign he is trying to protect the president. “There’s a lot of pressure all pointing in the direction of doing a robust release,” said John Bies, who held senior roles in the Justice Department during the Obama administration and now works at American Oversight, a liberal watchdog group. “We are very hopeful the attorney general will do the right thing here and make everything public that can lawfully be made public.”

National: States slow to spend funds to enhance election security, report finds | CNN

US states and territories given $380 million in combined federal funds for election upgrades last year only spent 8.1% of that money in the first six months it was available, the agency responsible for distributing the funds said on Thursday. That money was distributed as part of a 2018 bill, which was passed after Homeland Security secretary Kirstjen Nielsen warned it is a “national security concern” that US elections can’t be audited with paper ballots.
Security experts have in recent years called for major elections to have a physical paper trail so a trustworthy audit can be performed. However, brands and types of voting equipment vary by state. Many states use some machines that don’t leave a paper trail, and five states are entirely paperless for the general population. The report from the US Election Assistance Commission only tracked spending through September 2018, and many states have since spent or plan to spend some of their money on cybersecurity features or staff or upgraded equipment that badly needs replacing.

National: States spent just a fraction of $380 million in election security money before midterms | The Washington Post

Congress scrambled in early 2018 to deliver a surge in election security money before the midterms. But it turns out that states only spent about 8 percent of the $380 million Congress approved by the time the elections rolled around. That’s the bad news in a spending report released Thursday by the Election Assistance Commission, which is responsible for disbursing the money. The good news is that states are on track to spend the majority of the money before the 2020 elections — which intelligence officials say are far likelier than the midterms to be a hacking target for Russia and other U.S. adversaries. The report highlights the lengthy process of investigations and reviews that are necessary before states can make major upgrades to specialized election equipment. Given the tight time frame — Congress approved the money in March and the EAC began disbursing it to states in June — EAC Chairwoman Christy McCormick told me that 8 percent is a reasonable amount to have spent and about what the commission expected. It’s also a warning to Congress that the clock is ticking if it wants to deliver more election security money that will make a meaningful difference in 2020.

National: States’ spending on election security expected to pick up in 2019 | StateScoop

States and territories spent just 8 percent of the $380 million in federal election-security grants in the six months after they were distributed last year, according to the U.S. Election Assistance Commission. But in a report Thursday, the commission said it expects the bulk of that funding to be spent before the 2020 presidential election. The report follows states’ spending on new voting equipment, cybersecurity resources and personnel between last April and Sept. 30, when the federal government’s 2018 fiscal year ended. But the EAC said it expects spending to pick up this year as more grant money is transferred to states and as legislatures approve spending plans. “There hasn’t been a lot of money spent, but there is a lot of activity,” Mark Abbott, the commission’s grants director, told StateScoop. Of the $31.4 million states spent through last September, more than half — $18.3 million — went toward cybersecurity, including hiring new personnel dedicated to network security, implementing risk assessments and vulnerability scans and putting up stronger firewalls around statewide voter registration systems, which were infamously targeted by Russian hackers during the 2016 presidential election.

National: Blockchain Voting: Unwelcome Disruption or Senseless Distraction? | U.S. Vote Foundation

It really gets old being a guinea pig. Not because of the cagey confines, but for the insistence of those who try their ideas out on you. Overseas and military voters continue to be the guinea pigs for unvetted online voting ideas, the new one being “blockchain voting”. We have been here before. Overseas and military voters do need continued meaningful reforms across all states, and it is good when people truly care enough to examine and invest in solutions. What we do not need is a distraction that introduces new threats to overseas and military ballot integrity. The cliché “disruption model” doesn’t belong in our elections. Particularly in light of Russia’s cyber-interference in elections in Ukraine in 2014 and the US in 2016, we should consider with extra caution the idea of putting the entire voting process online. Russia itself is pushing to use this same technology for voting. Maybe it is worth a deeper look at it before we rush to its implementation? Perhaps investment in a threat detection system, which most state election offices cannot yet afford, would, at minimum, be a wise first course of action. Typically election systems must undergo formal testing and certification. Public access and examination is crucial. With a fully online system, that requirement is far more serious. Internet voting is not the same sort of simple transaction as is online banking; it is far more complex due to the fact that there must be a separation of the transaction from the identity of the person executing it. Just because there is a “blockchain” for the transaction doesn’t make the total voting system secure. The bottom line: it should not be possible to implement these systems in real elections without full and complete public examination. It is not sufficient to declare a technology as “tested” when it is used only in private elections and by outside companies hired to do “security audits”.

National: Democrats in Congress authorize subpoenas for Trump-Russia report, legal battle looms | Reuters

U.S. congressional Democrats on Wednesday authorized a powerful committee chairman to subpoena Special Counsel Robert Mueller’s full report on Russia’s role in the 2016 election, moving closer to a legal clash with President Donald Trump’s administration. The Democratic-led House of Representatives Judiciary Committee voted to enable its chairman, Jerrold Nadler, to subpoena the Justice Department to obtain Mueller’s unredacted report and all underlying evidence as well as documents and testimony from five former Trump aides including political strategist Steve Bannon. Nadler has not yet exercised that authority, with the timing of any such move uncertain. The committee vote was 24-17 along party lines, with Democrats in favor and Trump’s fellow Republicans opposed. Attorney General William Barr, a Trump appointee, issued a four-page summary of Mueller’s main conclusions last month including that the special counsel did not establish that the Trump campaign conspired with Russia during the election.

National: U.S. senators want stiff sanctions to deter Russia election meddling | Reuters

U.S. Republican and Democratic senators will introduce legislation on Wednesday seeking to deter Russia from meddling in U.S. elections by threatening stiff sanctions on its banking, energy and defense industries and sovereign debt. Known as the “Deter Act,” the legislation is the latest effort by U.S. lawmakers to ratchet up pressure on Moscow over what they see as a range of bad behavior, from its aggression in Ukraine and involvement in Syria’s civil war to attempts to influence U.S. elections. The measure will be introduced by Senators Chris Van Hollen, a Democrat, and Marco Rubio, a Republican. They offered a similar measure last year, when it also had bipartisan support but was never brought up for a vote by the Senate’s Republican leaders, who have close ties to President Donald Trump. Trump has gone along with some previous congressional efforts to increase sanctions on Russia, although sometimes reluctantly. According to details of the legislation seen by Reuters, it would require the U.S. Director of National Intelligence (DNI) to determine, within 30 days of any federal election, whether Russia or any other foreign government, or anyone acting as an agent of that government, had engaged in election interference.

National: 2020 Census likely target of hacking, disinformation campaigns, officials say | The Washington Post

With just a year to go before the 2020 Census, the U.S. government is urgently working to safeguard against hacking and disinformation campaigns as it perfects a plan to count about 330 million people largely online for the first time. Going digital is intended to cut costs. But cybersecurity experts say it may also put the survey at unprecedented risk in a nation embroiled in fallout from Russian interference in the 2016 election. Any outside attempt to discredit or manipulate the decennial survey could drive down response rates, imperiling the integrity of data that help determine a decade’s worth of federal funding, congressional apportionment and redistricting throughout the country. “Just as with voting, completing the census is a powerful exercise in our democracy, and there are always people who want to prevent others from exercising their power,” said Indivar Dutta-Gupta, co-executive director of the Georgetown Center on Poverty and Inequality and an expert on the census. “I think there will be lots of attempts. We should be concerned.”

National: American Security Requires a Cyber-Savvy Congress | The National Interest

On March 13, Arkansas Sen. Tom Cotton and Oregon Sen. Ron Wyden submitted a bipartisan letter to the Senate sergeant-at-arms asking for an annual report tallying the number of times Senate computers have been hacked. The letter also requests the SAA adopt a policy of informing Senate leadership within five days of any new data breaches that occur. Cotton and Wyden should be lauded for requesting greater clarity regarding government cybersecurity. Yet this important and reasonable petition reveals an unfortunate reality: We expect our lawmakers to enact policy protecting our nation from cyberattacks when they don’t even know whether their own computers have been hacked. For the sake of national security, this must change. Government agencies, in general, are legally required to disclose breaches, but Congress is under no similar obligation. According to the letter, the last time there was a publicly disclosed report of a congressional data breach was in 2009. Indeed, the two examples of cyberattacks on Senate computers that Cotton and Wyden cite (one against former Virginia representative Frank Wolf in 2006 and one against former Florida senator Bill Nelson in 2009) are both at least a decade old. But a lack of data for the years since then doesn’t mean that hackers haven’t been active. In fact, in 2018, both the Democratic National Committee and the National Republican Congressional Committee lost emails in data breaches. Moreover, the Department of Defense wards off approximately thirty-six million attempted data breaches each day. 

National: Voting Machine Firms Add Lobbyists Amid Election Hacker Concerns | Bloomberg

Voting machine manufacturers are increasing their Capitol Hill presence as lawmakers demand they do more to protect U.S. elections against foreign hackers. Dominion Voting Systems — which commands more than a third of the voting-machine market without having Washington lobbyists — has hired its first, a high-powered firm that includes a longtime aide to Speaker Nancy Pelosi. The No. 1 vendor, Election Systems & Software, added two new lobbying firms last fall. Members of Congress have criticized those and other companies for their security methods and business practices.

National: Bill Seeks to Aid Senators in Protecting Personal Devices | GovInfo Security

Legislation introduced last week would give the U.S. Senate’s sergeant at arms responsibility to help secure the personal devices and online accounts used by senators and their staff to help ward off cyberattacks and other threats. The bill, known as the “Senate Cybersecurity Protection Act of 2019,” was introduced by senators Ron Wyden, D-Ore., and Tom Cotton, R-Ark., who both serve on the Intelligence Committee. While there is not yet a similar bill pending in the House to provide members with similar services, backers of the Senate bill are urging the House to take up a similar measure. The Senate bill would allow the sergeant at arms, who is already responsible for cybersecurity within the Senate, to provide voluntary cybersecurity assistance for personal accounts and devices to senators and certain staff members. This could include assistance with security for personal hardware, such as laptops, desktops, cell phones, tablets and other internet-connected devices, as well as personal accounts, including email, text messaging, cloud computing and social media as well as residential internet, healthcare and financial services, according to a summary.

National: US ripe for Russian meddling in 2020 vote, experts warn | Financial Times

In the wake of Robert Mueller’s investigation into Russian interference in the US electoral system, experts warn the nation is just as exposed as it was in 2016, raising new concerns about the 2020 presidential election. More than two years after intelligence agencies exposed Moscow’s efforts to exploit weaknesses in the US democratic system, technology companies and state governments have yet to come to terms with a foreign power’s meddling in domestic affairs of state. When it comes to the 2020 presidential vote, the US faces many of the same vulnerabilities that made its electoral system a prime target In 2016 — and perhaps some new ones, said Doug Lute, a former American ambassador to Nato and retired Army lieutenant-general who has taken up the cause of US election security. “We are more prepared in the sense that we are more aware. But we are little better prepared in terms of actual security,” said Mr Lute. He noted that Russia’s strategy in 2016 resembled an age-old Russian military doctrine: to attack on a broad front, assess strengths and weaknesses, then prepare to reattack vulnerabilities — a potentially dangerous scenario for 2020. 

National: Feds Seek To Up Their Cybersecurity Game | Forbes

The idea that the U.S. federal government could play a dominant and effective role in protecting the nation from malicious cyberattacks on everything from Internet of Things (IoT) devices to critical infrastructure to election voting systems might strike some people as absurd. Its catastrophic security failures are well known.

– The Office of Personnel Management (OPM) couldn’t protect the personally identifiable information (PII) of more than 22 million current and former federal employees.

– The National Security Agency (NSA) couldn’t protect its own stash of so-called zero-day vulnerabilities that it hoped to use to spy on, or attack, hostile nation states or terrorist groups. Instead, the stash ended up in the hands of Wikileaks.

National: Senate Democrats push to match House’s ethics and election reforms | The Washington Post

Responding to action in the House, Senate Democrats unveiled their own version of a sweeping election and ethics reform bill Wednesday — one that Senate Majority Leader Mitch McConnell has vowed never to bring to a vote. Dubbed, like the House bill, the For the People Act, the Senate legislation includes a vast suite of proposals — including measures meant to expand voting, provisions aimed at unmasking and diluting the power of moneyed interests, new ethical strictures for federal officials and a new public financing system for congressional campaigns. The bill, according to its lead author, Sen. Tom Udall (D-N.M.), has the support of all 47 senators in the Democratic caucus. The House bill passed 234 to 193 this month with unanimous Democratic support, meaning every congressional Democrat is on record in support of the bill. “Today we are seizing their momentum and the momentum of the American people,” Udall said at a news conference Wednesday. “Now the ball is in Senator McConnell’s court. . . . This should not be about Democrats versus Republicans, this is about people versus special interests.”

National: Voting-machine vendors have some serious questions to answer, senators say | CyberScoop

While the security of the 2020 election remains a prominent topic in Washington, a group of Democratic senators is raising alarms about longer-term issues that will resonate after voters are done choosing a president about 20 months from now. The three companies that make most of the voting technology used in the U.S. must be more transparent about their plans to improve their products to meet current expectations about security and performance, says a letter Wednesday by Sen. Amy Klobuchar of Minnesota and three other top Democrats. In particular, the senators say every machine should reliably produce paper records, and the companies should do far more to upgrade their products. “The integrity of our elections is directly tied to the machines we vote on — the products that you make,” says the letter from Klobuchar, Mark Warner of Virginia, Jack Reed of Rhode Island and Gary Peters of Michigan. “Despite shouldering such a massive responsibility, there has been a lack of meaningful innovation in the election vendor industry and our democracy is paying the price.”

National: Former CIA leaders give ‘briefing book’ to 2020 candidates to counteract ‘fake news’ and ‘foreign election interference’ | The Washington Post

Two former top CIA officials have compiled an unclassified report on the major national security challenges facing the United States, which they are distributing to every candidate running for president. The report, which former acting CIA directors Michael Morell and John McLaughlin call a “briefing book,” is modeled on the classified oral briefing that the intelligence community provides to the nominees of each major political party running for president, usually after the nominating conventions. The former officials said they’re distributing their briefing now, more than a year before nominees are selected, in response to “the recent rise and abundance of fake news and foreign election interference,” according to a copy reviewed by The Washington Post. The 37-page document, which has not been previously reported, was sent this month to nearly every announced candidate and will soon be sent to President Trump, the former officials said. Intelligence agencies have usually viewed their discussions with nominees as a chance to prepare a potential president for the kinds of issues that he or she will have to grapple with, and to give them a sense of the kind of capabilities and expertise that the U.S. government can bring to bear.

National: States Need Way More Money to Fix Crumbling Voting Machines | WIRED

THE 2018 MIDTERM elections were hardly a glowing reflection on the state of America’s voting technology. Even after Congress set aside millions of dollars for state election infrastructure last year, voters across the country still waited in hours-long lines to cast their ballots on their precincts’ finicky, outdated voting machines. Now, a new report published by New York University’s Brennan Center for Justice finds that unless state governments and Congress come up with additional funding this year, the situation may not be much better when millions more Americans cast their vote for president in 2020. In a survey that the center disseminated across the country this winter, 121 election officials in 31 states said they need to upgrade their voting machines before 2020—but only about a third of them have enough money to do so. That’s a considerable threat to election security given that 40 states are using machines that are at least a decade old, and 45 states are using equipment that’s not even manufactured anymore. This creates security vulnerabilities that can’t be patched and leads to machines breaking down when the pressure’s on. The faultier these machines are, the more voters are potentially disenfranchised by prohibitively long lines on election day. “We are driving the same car in 2019 that we were driving in 2004, and the maintenance costs are mounting up,” one South Carolina election official told the Brennan Center’s researchers, noting that he feels “lucky” to be able to find spare parts.

National: Senate Democrats investigate cybersecurity of election machines, introduce version of H.R. 1 | InsideCyberSecurity.com

A group of senior Senate Democrats is seeking information on what the three largest manufacturers of U.S. voting machines are doing to secure the systems ahead of the 2020 elections, while the entire Democratic Caucus on Wednesday signed on to sponsor the Senate version of House-passed H.R. 1, the “For the People Act,” which includes language on securing election machines. A letter — signed by Senate Rules ranking member Amy Klobuchar (D-MN), Intelligence ranking member Mark Warner (D-VA), Homeland Security and Governmental Affairs ranking member Gary Peters (D-MI), and Armed Services ranking member Jack Reed (D-RI) — was sent Tuesday to voting machine vendors Hart InterCivic, Dominion Voting Systems, and Election Systems and Software, or ES&S. “Despite the progress that has been made, election security experts and federal and state government officials continue to warn that more must be done to fortify our election systems,” the senators wrote. “Of particular concern is the fact that many of the machines that Americans use to vote have not been meaningfully updated in nearly two decades. Although each of your companies has a combination of older legacy machines and newer systems, vulnerabilities in each present a problem for the security of our democracy and they must be addressed.” The senators posed questions on steps the companies are taking to secure their machines ahead of 2020, and how Congress can assist in these efforts; what the plans are for updating “legacy” voting machines; whether the companies would support legislation requiring “expanded use of post-election audits”; if the companies have vulnerability disclosure programs; and if they employ full-time cybersecurity experts.

National: Wyden lambastes voting machine makers as ‘accountable to nobody’ | Politico

Sen. Ron Wyden (D-Ore.) on Thursday attacked the small but powerful group of companies that controls the production of most voting equipment used in the U.S. “The maintenance of our constitutional rights should not depend on the sketchy ethics of these well-connected corporations that stonewall the Congress, lie to public officials, and have repeatedly gouged taxpayers, in my view, selling all of this stuff,” Wyden said during the Election Verification Network conference, a gathering of voting integrity advocates and election security experts in Washington. Wyden has been a leading voice among lawmakers who have criticized the voting machine industry as too opaque and not subject to enough oversight from Washington, especially as concerns grow among U.S. intelligence officials that elections will once again be a prime hacking target in 2020. “We’re up against some really entrenched, powerful interests, who have really just figured out a way to be above the law,” he said. “There is no other way to characterize it.” Furthermore, Wyden said, voting machine vendors have “been able to hotwire the political system in certain parts of the country.” He noted that newly elected Georgia Gov. Brian Kemp picked the top lobbyist for the voting giant Election Systems & Software as his deputy chief of staff. The companies, he said, “are accountable to nobody.”

National: Election security in 2020 means a focus on county officials, DHS says | CNET

As special counsel Robert Mueller’s investigation on Russian hacking and collusion with the Trump campaign ends, the Department of Homeland Security is gearing up to prevent a repeat for the 2020 US presidential election. The federal agency, which formed the Cybersecurity and Infrastructure Security Agency last November, said that it’s “doubling down” on its efforts, calling election security for 2020 a top priority. It hopes to do that by focusing on local election officials, Matt Masterson, a DHS senior adviser on election security, said in an interview with CNET. The emphasis on local represents a new tact as the DHS tries to shut down foreign interference in the US elections. While the agency worked with all 50 states during the 2018 midterm elections, security experts said the outreach needs to zoom in on a county level. There are about 8,800 county election officials across the US, and they are the people responsible for your voting machines, your polling place’s security and handling vote auditing.

National: What Will Mueller’s Russia Report Mean For Election Security In 2020? | WMOT

The release of special counsel Robert Mueller’s report may provide Americans with the best playbook yet on how to defend democracy in the lead-up to the 2020 presidential election. In the days since Attorney General William Barr’s letter to Congress, much of the focus has boiled down to one line from President Trump: “No Collusion, No Obstruction.” But judging by Barr’s language and the details that have come to light through indictments filed by Mueller’s team over the past two years, the report may also reveal more about how Russia attacked the 2016 U.S. presidential election. The report’s first section, according to Barr, focuses on Russian “computer hacking operations,” which included the theft of emails from the Democratic National Committee and Hillary Clinton’s campaign, as well as agitation online to try to exacerbate divisions among Americans. Barr’s summary didn’t address an aspect of the interference that Mueller has described elsewhere, including the cyberattacks that targeted state elections infrastructure.

National: ‘Russian playbook’ remains after Mueller report wraps up | Associated Press

The collusion question now answered, another one looms ahead of 2020: Will U.S. elections be secure from more Russian interference? The 22-month-long special counsel investigation underscored how vulnerable the U.S. was to a foreign adversary seeking to sow discord on social media, spread misinformation and exploit security gaps in state election systems. With the presidential primaries less than a year away, security experts and elected officials wonder whether the federal government and the states have done enough since 2016 to fend off another attack by Russia or other hostile foreign actors. “Although we believe that Russia didn’t succeed in changing any vote totals, the Russian playbook is out there for other adversaries to use,” said Virginia Sen. Mark Warner, a Democrat and vice chairman of the Senate Committee on Intelligence. “As we head towards the 2020 presidential elections, we’ve got to be more proactive in protecting our democratic process.” Special counsel Robert Mueller detailed the sweeping conspiracy by the Kremlin to meddle in the 2016 election in an indictment last year, charging 12 Russian military intelligence officers with hacking the email accounts of Clinton campaign officials and breaching the networks of the Democratic Party. The indictment also included allegations the Russians conspired to hack state election systems and stole information on about 500,000 voters from one state board of elections’ computers.

National: DARPA Is Building a $10 Million, Open Source, Secure Voting System | Motherboard

For years security professionals and election integrity activists have been pushing voting machine vendors to build more secure and verifiable election systems, so voters and candidates can be assured election outcomes haven’t been manipulated. Now they might finally get this thanks to a new $10 million contract the Defense Department’s Defense Advanced Research Projects Agency (DARPA) has launched to design and build a secure voting system that it hopes will be impervious to hacking.

The first-of-its-kind system will be designed by an Oregon-based firm called Galois, a longtime government contractor with experience in designing secure and verifiable systems. The system will use fully open source voting software, instead of the closed, proprietary software currently used in the vast majority of voting machines, which no one outside of voting machine testing labs can examine. More importantly, it will be built on secure open source hardware, made from special secure designs and techniques developed over the last year as part of a special program at DARPA. The voting system will also be designed to create fully verifiable and transparent results so that voters don’t have to blindly trust that the machines and election officials delivered correct results.

National: Voting tech creates growing concern for local officials | The Hill

Some voters in Johnson County, Ind., found themselves waiting for hours to cast their ballots in last year’s midterm elections, but not because of a massive surge in turnout or malfunctioning voting machines. What struggled to work were the electronic poll books used to check a voter’s registration, triggering long lines at polling stations. A state investigation determined that the vendor for the e-poll books, Election Systems & Software (ES&S), was responsible for the technical issue, and the Johnson County election board ultimately voted to terminate the contract. ES&S is one of the biggest voting machine vendors in the country. And despite the report’s findings, other counties in Indiana have continued to work with it, including some that recently signed new contracts. Experts told The Hill that the scenario underscores the new issues that local election officials have to consider as they juggle the benefits and security risks of voting technology, particularly in light of heightened concerns over election hacking.

National: State election officials opt for 2020 voting machines vulnerable to hacking | Politico

Election officials in some states and cities are planning to replace their insecure voting machines with technology that is still vulnerable to hacking. The machines that Georgia, Delaware, Philadelphia and perhaps many other jurisdictions will buy before 2020 are an improvement over the totally paperless devices that have generated controversy for more than 15 years, election security experts and voting integrity advocates say. But they warn that these new machines still pose unacceptable risks in an election that U.S. intelligence officials expect to be a prime target for disruption by countries such as Russia and China. The new machines, like the ones they’re replacing, allow voters to use a touchscreen to select their choices. But they also print out a slip of paper with the vote both displayed in plain text and embedded in a barcode — a hard copy that, in theory, would make it harder for hackers to silently manipulate the results. Security experts warn, however, that hackers could still manipulate the barcodes without voters noticing. The National Academies of Sciences, Engineering and Medicine has also warned against trusting the barcode-based devices without more research, saying they “raise security and verifiability concerns.”

National: I Bought Used Voting Machines on eBay for $100 Apiece. What I Found Was Alarming | WIRED

In 2016, I bought two voting machines online for less than $100 apiece. I didn’t even have to search the dark web. I found them on eBay. Surely, I thought, these machines would have strict guidelines for lifecycle control like other sensitive equipment, like medical devices. I was wrong. I was able to purchase a pair of direct-recording electronic voting machines and have them delivered to my home in just a few days. I did this again just a few months ago. Alarmingly, they are still available to buy online. If getting voting machines delivered to my door was shockingly easy, getting inside them proved to be simpler still. The tamper-proof screws didn’t work, all the computing equipment was still intact, and the hard drives had not been wiped. The information I found on the drives, including candidates, precincts, and the number of votes cast on the machine, were not encrypted. Worse, the “Property Of” government labels were still attached, meaning someone had sold government property filled with voter information and location data online, at a low cost, with no consequences. It would be the equivalent of buying a surplus police car with the logos still on it.

National: U.S. Military Steps Up Cyberwarfare Effort | Govenment Technology

The U.S. military has the capability, the willingness and, perhaps for the first time, the official permission to preemptively engage in active cyberwarfare against foreign targets. The first known action happened as the 2018 midterm elections approached: U.S. Cyber Command, the part of the military that oversees cyber operations, waged a covert campaign to deter Russian interference in the democratic process. It started with texts in October 2018. Russian hackers operating in the Internet Research Agency – the infamous “troll factory” linked to Russian intelligence, Russian private military contractors and Putin-friendly oligarchs – received warnings via pop-ups, texts and emails not to interfere with U.S. interests. Then, during the day of the election, the servers that connected the troll factory to the outside world went down.

National: Election security threats loom as presidential campaigns begin | TechTarget

Never has it been more important to have a mechanism to audit U.S. voting results, but experts say election security risks combined with the weaponization of social media make the task more difficult than ever. The electronic voting systems used in a number of states are a concern for security experts who have seen serious flaws in these systems. If the 2020 U.S. election results are disputed by a candidate, there must be a clear way to show voting results are accurate to ensure a peaceful transition of government, said Avi Rubin a computer science professor at Johns Hopkins University, during an RSA Conference 2019 session on election hacking. … Ronald Rivest, a professor in MIT’s Cryptography and Information Security research group, said during a separate session at RSA Conference that “keeping it simple with low-tech paper ballots” is the lesson learned over the past decade. We still need to know that the tabulation of those ballots is accurate, via audits, and states like Colorado and Rhode Island are piloting new risk-limiting audit systems, Rivest said.

National: New ‘Hybrid’ Voting System Can Change Paper Ballot After It’s Been Cast | WhoWhatWhy

For years, election security experts have assured us that, if properly implemented, paper ballots and routine manual audits can catch electronic vote tally manipulation. Unfortunately, there is no universal definition of “paper ballot,” which has enabled vendors and their surrogates to characterize machine-marked paper printouts from hackable ballot marking devices (BMDs) as “paper ballots.” Unlike hand-marked paper ballots, voters must print and inspect these machine-marked “paper ballots” to try to detect any fraudulent or erroneous votes that might have been marked by the BMD. The machine-marked ballot is then counted on a separate scanner.

Most independent cybersecurity election experts caution against putting these insecure BMDs between voters and their ballots and instead recommend hand-marked paper ballots as a primary voting system (reserving BMDs only for those who are unable to hand mark their ballots). But vendors and many election officials haven’t listened and are now pushing even more controversial “hybrid” systems that combine both a BMD and a scanner into a single unit. These too are now sold for use as a primary voting system.

Unlike hand-marked paper ballots counted on scanners and regular non-hybrid BMDs,  these new hybrid systems can add fake votes to the machine-marked “paper ballot” after it’s been cast, experts warn. Any manual audit based on such fraudulent “paper ballots” would falsely approve an illegitimate electronic outcome. According to experts, the hybrid voting systems with this alarming capability include the ExpressVote hybrid by Election Systems & Software, LLC (ES&S), the ExpressVote XL hybrid by ES&S, and the Image Cast Evolution hybrid by Dominion Voting.