National: Election security groups warn of cyber vulnerabilities for emailed ballots | The Hill

Election security groups are sounding the alarm about emailed ballots ahead of the November midterm elections, warning in a new report that PDF and JPEG ballot attachments sent to election officials could be exploited by hackers. The organizations, including watchdog group Common Cause, issued a report Wednesday that found election workers who receive emailed ballots are at risk of clicking on unsafe attachments, sent from unknown sources, that could contain malware. “In jurisdictions that receive ballots by PDF or JPEG attachment, election workers must routinely click on documents from unknown sources to process emailed or faxed ballots, exposing the computer receiving the ballots — and any other devices on the same network — to a host of cyberattacks that could be launched from a false ballot laden with malicious software,” the report says. “An infected false ballot would enter the server like any other ballot, but once opened, it would download malware that could give attackers backdoor access to the elections office’s network.”

National: Can Elections Be Hacked? Online Voting Threatens 32 States, Report Says | Newsweek

Voters cast a minimum of 100,000 ballots using insecure internet methods in the 2016 election, highlighting an overlooked threat to election integrity, according to a report released Wednesday. Thirty-two states permit some voters—primarily overseas military personnel—to return ballots by email, fax or internet, according to “Email and Internet Voting: The Overlooked Threat to Election Security,” a report produced by the Association for Computing Machinery, Common Cause, the National Election Defense Coalition and R Street. “There are two concerns with email voting,” in which ballots and voter identification information are typically attached as a PDF or JPEG. “One—the ballots can be intercepted and undetectably altered or deleted. This hack was performed at DEF CON in August. And it’s something academics have long known,” Susannah Goodman, one of the authors of the report, told Newsweek. “Second—emailed ballots can be easily spoofed in a spear phishing attack designed to put malware on a county election official’s computer.”

National: To Deter Foreign Hackers, Some States May Also Be Deterring Voters | NPR

A number of states are blocking web traffic from foreign countries to their voter registration websites, making the process harder for some U.S. citizens who live overseas to vote, despite the practice providing no real security benefits. On its face, the “geo-targeting” of foreign countries may seem like a solid plan: election officials around the country are concerned about foreign interference after Russia’s efforts leading up to the 2016 election, so blocking traffic to election websites from outside the United States might seem like an obvious defense starting point. But cybersecurity experts and voting rights advocates say it’s an ineffective solution that any hacker could easily sidestep using a virtual private network, or VPN, a commonly-used and easily-available service. Such networks allow for a computer user to use the Internet and appear in a different location than they actually are.

National: Can Paper Ballots Save Our Democracy? | Slate

In August at DEFCON, the annual hackers’ convention in Las Vegas, J. Alex Halderman, a professor of computer science and an expert in cybersecurity, brought along several of his Diebold Accuvote TSX voting machines. The Accuvote is a touch-screen voting device known as a direct-recording electronic voting machine, which, as the name suggests, records votes and stores them on a memory device. Halderman’s machines were set up as part of the Voting Village, an area dedicated to the cybersecurity of voting machines, where visitors were asked to cast votes in a mock presidential election between George Washington and Benedict Arnold. “Because this is DEFCON, of course almost everyone thought they were clever and voted for Benedict Arnold,” said Halderman. At the end of the mock election, with over 100 votes cast, the machine produced the totals and the winner of the two-man race: the Dark Tangent.

National: Why federal courts may become the next front in the battle to secure our elections | The Hill

Last week, a team of security researchers who run the DefCon hacking convention released a report on voting machines in use around the country that contain structural flaws ripe for exploitation by hackers. Among its dismaying findings, DefCon reported a flaw in one widely used voting tabulator that, if hacked, “could enable an attacker to flip the Electoral College and determine the outcome of a presidential election.” Though it’s been nearly two years since the 2016 election, there remains a startling gap between the well understood need to secure our elections against cyberattacks and the reality on the ground. Computer security experts and leading intelligence and law enforcement voices have sounded the alarm on the persistent and serious threats facing election systems. Yet the actors best positioned to take broad action — state governments, Congress, and election system vendors — have moved slowly, and in some cases stalled.

National: Measure seeks to protect election systems from foreign foes | Associated Press

Foreign nationals would be prohibited from owning or controlling companies that support U.S. election systems under legislation introduced by two senators from Maryland, where officials learned this summer that a Russian oligarch is heavily invested in a company that maintains key parts of their state’s election infrastructure. Democratic Sens. Chris Van Hollen and Ben Cardin are sponsoring the “Protect Our Elections Act,” along with Republican Sen. Susan Collins, of Maine. “We cannot allow Russia or any other foreign adversaries to own our elections systems,” Van Hollen said. “This isn’t just a hypothetical issue — it happened right here in my home state of Maryland.”

National: Voting Experts: Why the Heck Are People Still Voting Online? | Nextgov

The government’s all-hands effort to secure election systems after a Russian assault on the 2016 contest missed one glaring vulnerability: online ballots, according to a Wednesday report by voting security experts. Online voting is not common in the U.S., but Americans cast at least 100,000 online ballots in the 2016 election, according to the authors’ tally. Many of those ballots were cast by military members overseas taking advantage of state laws that allow them to return ballots by email or digital fax. In total, 32 states allow some subset of residents to return ballots by email, fax or through an internet portal, and Alaska and Hawaii offer electronic ballot return for all voters, according to the report from security experts at the Association for Computing Machinery US Technology Policy Committee, Common Cause Education Fund, the National Election Defense Coalition and the R Street Institute.

National: Senators Question Supermicro on Report of Chinese Hardware Hack | Bloomberg

Two U.S. senators sent a letter to Super Micro Computer Inc. asking if and when the company found evidence of tampering with hardware components after a Bloomberg Businessweek report described how China’s intelligence services used subcontractors to plant malicious chips in the company’s server motherboards. Florida Republican Marco Rubio and Connecticut Democrat Richard Blumenthal on Tuesday gave the company until Oct. 17 to respond to a list of questions that also includes whether the company investigated its supply chain and cooperated with U.S. law enforcement. In Bloomberg Businessweek’s report, one official said investigators found that the Chinese infiltration through Super Micro reached almost 30 companies, including Amazon.com Inc. and Apple Inc. Super Micro and both Amazon and Apple disputed the findings. The U.S. Department of Homeland Security said it has “no reason to doubt” the companies’ denials of Bloomberg Businessweek’s reporting.

National: Majority of disabled voters in U.S. faced challenges in casting ballots in ’16 | WHYY

When it comes to expanding voter access, most often the conversation centers around allowing early voting or establishing automatic voting registration. But a forum at the University of Delaware Tuesday focused instead on making voting more accessible for those with disabilities. “We still have this cultural lag where we don’t really expect people with disabilities to be voters,” said Rabia Belt, historian and assistant professor at Stanford Law School. “It’s still quite difficult for people to be able to access polling places, people to receive the accommodations that are legally mandated.” The forum organized by UD’s Center for Disabilities Studies looked at how people with disabilities are underrepresented at the polls.

National: How hackers could disrupt Election Day — and how the bad guys could be stopped | The Boston Globe

Election Day presents a tantalizing target for a malicious hacker. The complex, multifaceted US voting system is rife with technological weak spots, from problems with the electronic voting machines in use in some states to vulnerabilities in the websites government officials use to disseminate information. In an era where public trust in American institutions is at an ebb, and conspiracy theories threaten to metastasize online, public safety officials and cybersecurity experts say they have to be careful how they talk about the vulnerabilities. “If the people do not trust that it’s a fair system, then the whole thing is going to fall apart,” said Cris Thomas, a well-known hacker who often goes by the name “Space Rogue” and now works in security at IBM. … This November, 15 states — none of them in New England — will use at least some electronic voting machines that leave no paper trail, according to the Verified Voting Foundation.

National: Technology giants face big test in midterm elections | The Washington Post

With less than a month before the midterm elections, technology companies are fighting to prove they can adequately shore up their platforms and products against foreign influence. Their success may mean the difference between getting to police their own house and having lawmakers do it for them. Election Day could be a tipping point for Silicon Valley titans, who are increasingly in Washington’s harsh glare following revelations that disinformation campaigns linked to Russia were widely disseminated on their platforms ahead of the 2016 elections. Tech moguls like Facebook’s Mark Zuckerberg and Twitter’s Jack Dorsey were dragged to Capitol Hill to give mea culpas for their past practices and publicly pledge to do better next time. The companies contend they have learned from their missteps during the 2016 election and are improving their election-integrity efforts as other elections have taken place around the world. They’ve promised to do more to identify and stamp out fake accounts, and they have increased transparency around political ads. Facebook opened a 20-person war room on its Menlo Park campus aimed at quashing disinformation and deleting fake accounts. 

National: DNC builds a tech team with deep bench in wake of 2016 hack | McClatchy

The digital operations team at the Democratic National Committee hit some dark days after Russian hackers mauled their networks in 2016, hijacking dozens of computers and pilfering tens of thousands of emails to hand over to WikiLeaks and onto the internet. Remnants of that digital bruising linger. “I feel like everyone’s still feeling, like, the PTSD from ’16,” said Raffi Krikorian, who now is the chief technology officer for a newly beefed-up unit of the Democratic National Committee, referring to post-traumatic stress disorder. The mood today of the DNC’s tech security team is one of cautious vigilance. The unit has grown in size and now employs cybersecurity experts who have come from some of the biggest Silicon Valley companies. Every day, the security team spots anomalies and strange behavior that could indicate a new cyberattack.

National: Election security is a mess, and the cleanup wont arrive by the midterms | CNET

For many, the most intense race leading up to Election Day won’t be among politicians. It’ll be the mad, final scramble by county officials and tech companies to make sure your votes are safe from hackers. But with the slow pace of funding, unprepared campaigns and lack of cooperation among counties, many cybersecurity experts wonder if they’ll reach that finish line by the first Tuesday in November. An election director in Illinois, for instance, still hasn’t received any federal funding for cybersecurity. A security expert who traveled across the country to train campaigns found shockingly inadequate protection.  

National: Ahead of US election, angst over hacking threats | AFP

At a Boston technology conference last month, computer scientist Alex Halderman showed how easy it was to hack into an electronic voting machine and change the result, without leaving a trace. Halderman staged a mock election in which three conference attendees voted for George Washington, but an infected memory card switched the result to give a 2-1 victory to Benedict Arnold, the military officer who sold secrets during the Revolutionary War. Halderman’s demonstration was on a voting machine still in use in 20 US states, which had no paper ballots that could be compared to the electronic output, and thus no way to determine if vote totals had been altered. “What keeps me up at night is the threat that a hostile nation-state could probe every swing state or swing district (and) find the ones most weakly protected, to silently change the results of a national election,” the University of Michigan professor said.

National: Are wireless voting machines vulnerable? | McClatchy

Barely a month before midterm elections, voting integrity advocates and electronic voting experts want the federal government to issue an official warning to states that use voting machines with integrated cellular modems that the machines are vulnerable to hacks, potentially interfering with the ballot counting. Once seen as a useful tool to provide quick election results, voting machines with cellular modems are now subject to fierce debate over how easy it would be to break into them and change the results. Such machines are certified for use in Florida, Illinois, Michigan and Wisconsin. … But a number of voting machine researchers take issue with such assertions, saying that cellular networks increasingly overlap with the internet and open avenues for hackers to interfere with unofficial early results even when there are paper ballots that can be tallied for a slower official count. They say interfering with unofficial early results, even when corrected later, could increase mistrust among voters and add uncertainty immediately after elections conclude.

National: Keep calm and trust the feds on Election Day, national security officials tell states | The Washington Post

With midterm races in the home stretch and the 2020 presidential election on the horizon, a pair of top national security officials have a message for state election administrators: Trust us when we warn you about cyberthreats. William Evanina, director of the National Counterintelligence and Security Center, and Christopher Krebs, the Department of Homeland Security’s cybersecurity chief, urged state officials to keep their lines open to the feds as Election Day approaches and the possibility of an attack on their systems looms large. “At some point in your future, next month or 2020, there will be a piece of intelligence that comes so fast and furious in the community, the phone call will be made to Chris that will tell him, ‘Hey, this happened and we need to act,’ ” Evanina said Wednesday at an election security summit on Capitol Hill with state leaders and members of Congress. “Chris will pick up the phone and call a state and say, ‘You need to do something.’ And you have to trust Chris.” 

National: Overseas Voters Having Trouble Getting Ballots As States Try To Thwart Hacking | HuffPost

Thousands of U.S. voters living overseas have encountered difficulties requesting absentee ballots because of state restrictions on internet traffic as part of efforts to secure their election systems, according to a report in The Philadelphia Inquirer. Federal law requires states to provide eligible U.S. voters based in foreign countries with a chance to get an absentee ballot. But some of these voters are having problems accessing official election websites to get information and, in some cases, download ballots, the Inquirer reported. The snags are occurring because of the steps taken by states to restrict traffic from foreign countries or entities to prevent potential interference with the election process, including the vote count. The Inquirer identified five states where voters were unable to load websites this week: Georgia, New Mexico, Pennsylvania, Tennessee and Vermont. Wanda Murren, a spokeswoman for Pennsylvania Department of State, said her office first learned of the download problems experienced by overseas voters were on Sept. 25. Three days later, she said, the federal agency that helps overseas voters ― including military families ― cast ballots informed the office the problem was more widespread than previously believed.

National: Mike Pence accuses China of meddling in US elections despite lack of evidence | The Guardian

Mike Pence has claimed that Russian interference in US elections “pales in comparison” with Chinese meddling, which he said was aimed at ousting Donald Trump. The vice-president’s allegation echoes a similar claim made by the president at the UN last week, but it has been contradicted by cybersecurity experts and the administration has yet to provide any supporting evidence, other than to point to instances of overt lobbying. The administration’s own secretary of homeland security, Kirstjen Nielsen, said: “We currently have no indication that a foreign adversary intends to disrupt our election infrastructure. “We know they [the Chinese] have the capability and we know they have the will. So we’re constantly on alert to watch. But what we see with China right now are the influence campaigns, the more traditional, longstanding, holistic influence campaigns,” Nielsen said on Tuesday at a Washington Post cybersecurity conference.

National: Senate Punts on Beefed-Up Election Security Until After Midterms | Bloomberg

Legislation to increase protection of voting systems from foreign hackers is gaining support in the Senate. Just don’t expect the chamber to take it up before the November elections. Senate Rules and Administration Committee Chairman Roy Blunt (R-Mo.) said he supports the bill (S. 2593). It just isn’t needed to make sure the midterm elections are safe, Blunt told state and local election officials at a Capitol Hill conference sponsored by the U.S. Election Assistance Commission.“We’re not going to get anything in law between now and Election Day,” Blunt said. “Everything we want is basically happening, but I still would like to see it in law,” Blunt said. He said heightened awareness of security threats since 2016 would help protect voting this November, though it would still be worthwhile to enact changes to protect future elections.

National: Planning to Vote in the November Election? Why Most Americans Probably Won’t | The New York Times

Lula Hill voted in just about every election once she became old enough in 1952. Her coal mining family of registered Democrats believed that elections were like church services: You didn’t skip them. But over time, her sense of civic obligation faded. Mines started laying people off. Opioids started poisoning her neighbors. As her town lost its vigor, Ms. Hill watched as smiling politicians kept making promises and, in her view, growing richer. By the late 1990s, when political leaders — Democrat or Republican — talked about the greater good, she no longer believed them. “I just got to the point, I said, ‘I’m not going do it anymore,’” said Ms. Hill, sitting on a couch in the lobby of the hotel she owns and runs, the Hotel Madison, 30 miles south of Charleston. “I just can’t vote for any of them in good conscience.” She has not voted since 1996 and said she has no intention of starting in November. Ms. Hill is hardly alone in West Virginia, a state with one of the lowest rates of voter turnout in the country and where the Democratic senator, Joe Manchin III, faces a tough race.

National: Secure Elections Act sponsors eye lame duck session | FCW

Meanwhile, Sen. Amy Klobuchar (D-Minn.), the primary Democratic sponsor, said she and other senators are working on refining the legislation, but noted that lawmakers have a short window of opportunity to pass the Secure Elections Act before the midterms reset the legislative calendar. “We have a new version [of the bill] coming out, and we just ask you to work with us; I would love to have it get passed in the lame duck,” Klobuchar said. “For people that want to delay it or stall it beyond that, well that’s up to you because then we’ll have a new Congress.” The Secure Elections Act looked poised for a floor vote in August or September before a Rules Committee markup was abruptly canceled. Blunt’s staff told FCW at the time that Republican senators were balking at some of the provisions after receiving complaints from state and local election officials, while Reuters reported that the White House came out against the bill at the last minute for similar reasons. Lankford and Klobuchar have continued to fight for the bill’s passage, but several prominent Democratic senators, including original co-sponsor Kamala Harris (D-Calif.), signed on to rival legislation spearheaded by Sen. Ron Wyden (D-Ore.).

National: Senators say midterms will inspire revived version of stalled election security bill | Washington Times

Senators supportive of the Secure Elections Act, a bipartisan bill to protect political contests from cyberattacks, said lessons learned from next month’s midterms could make their way into a revised version in the works. Sen. Roy Blunt, Missouri Republican, and Sen. Amy Klobuchar, Minnesota Democrat, addressed efforts to rekindle the stalled Secure Elections Act during an event held Wednesday by the U.S. Election Assistance Commission in Washington, D.C. The bill will not be passed prior to the Nov. 6 midterms, according to both Mr. Blunt and Ms. Klobuchar’s co-sponsor, Sen. James Lankford, Oklahoma Republican, meaning states are missing out on millions of dollars that would have otherwise been allocated toward upgrading and securing voting and election systems, neglecting a major vulnerability raised by Russian hackers meddling in the 2016 race.

National: Security Clearances Won’t Get in the Way of Responding to Election Cyber Threats, Officials Say | Nextgov

A lack of security clearances among some state and local election officials shouldn’t hinder the Homeland Security Department from responding speedily to Election Day cybersecurity threats, the department’s top cyber official said Wednesday. Even if state and local election officials don’t have the necessary authorizations to view a particular piece of threat information, Homeland Security Undersecretary Chris Krebs said he’s confident those officials will start trying to mitigate the threat if he asks them to. “I’m confident that if I had a piece of information right now …I could say: ‘Look, I’ve got something you need to see. You need to take action. It’s going to take me a day or two to get you the information, but, in the meantime, you need to take action,” Krebs during an election readiness summit hosted by the Election Assistance Commission.\ “We have trust established so there would be at least the beginning of an article of faith that they would do something,” he said.

National: ‘No indication’ China intends to interfere with election infrastructure, Homeland Security Secretary Nielsen says | The Washington Post

The Department of Homeland Security hasn’t seen signs that China seeks to interfere in the midterm elections by targeting election infrastructure, Homeland Security Secretary Kirstjen Nielsen said Tuesday — a statement that appears to be at odds with remarks President Trump made about Beijing last week. “We currently have no indication that a foreign adversary intends to disrupt our election infrastructure,” Nielsen told me at a cybersecurity summit hosted by The Washington Post. Nielsen did not endorse Trump’s alarming claim at the United Nations that China “has been attempting to interfere in our upcoming 2018 election.” Without offering evidence, Trump said China does not “want me or us to win because I am the first president to ever challenge China on trade” — an especially striking comment considering the president has repeatedly equivocated on his support for the intelligence community’s assessment that Russia interfered in the 2016 election to help him win. 

National: Activists Concerned About Counties Destroying Ballot Images | WhoWhatWhy

Election integrity activists are worried that various counties in the crucial state of Florida could defy federal law by destroying crucial documents required for election audits and recounts after the midterms. Specifically, Americans United for Democracy, Integrity, and Transparency in Elections (AUDIT-USA) believes that county supervisors of elections in Florida are either not retaining ballot images or are destroying ballot images that are required by law to be kept for 22 months after a state or federal election. “Most of the counties down there are destroying the ballot images,” said John Brakey, director of the nonpartisan group.

National: U.S. infrastructure vulnerable to cyberattacks designed to suppress voter turnout | CBS

Your voting booth might — or might not — be safe from hackers. But imagine a cyberattack that keeps you from going to your polling station in the first place. Security experts warn that critical infrastructure systems in the United States are vulnerable to crippling cyberattacks designed to suppress voter turnout by disrupting systems that cities and towns rely on. “If ransomware hits, what’s the backup plan to allow people to vote? Do we extend it a day? Do we hold off the tally of the votes? Do we take absentee ballots? What do we do?” said Fortalice Solutions CEO and former White House chief information officer Theresa Payton.

National: DHS says teamwork is improving election security | FCW

A month out from the 2018 midterms, all eyes are on the Department of Homeland Security as it approaches its first real test since being given a broader election security mandate in the wake of the 2016 presidential elections. Speaking at a cybersecurity event hosted by the Washington Post, DHS Secretary Kirstjen Nielsen highlighted improvements in information sharing across the federal government and with state and local officials as well as closer relationships with stakeholders that will lead to faster coordination in the wake of an emerging threat. “First of all, the information sharing is much stronger than it even has been before,” said Nielsen when asked what had changed in the department’s approach since 2016. “So [we’re] working very closely with the intel community, and the moment that we see something significant we are — in conjunction with the IC — sharing with our state and local partners. The sharing is quicker, faster, more tailored.”

National: The Government Isn’t Doing Enough to Protect Voting Systems from Hackers | VICE

For many, the most important question as the midterms approach isn’t whether the Democrats or Republicans will win control of Congress, but whether the elections themselves will be secure. In 2016, Russian hackers likely targeted election systems in many states and penetrated Illinois’s registration database; this year there is concern that hackers will go after both government and private systems. In March, Congress made $380 million available to states seeking to improve their election systems’ cybersecurity. But state officials and election security experts say this doesn’t even come close to addressing the nation’s electoral cybersecurity needs. So what exactly do states need to do in order to secure their election systems? Although experts largely agree on basic guidelines, there is no one playbook for how to beef up electoral cybersecurity. America’s elections infrastructure is highly decentralized, with every state managing its own system. This is a benefit in some ways, said Jim Condos, Vermont’s secretary of state and a prominent voice in election cybersecurity discussions. It means bad actors can’t just break into one centralized system. But it also means states employ a patchwork of approaches to elections cybersecurity. The contours of threats and their fixes are constantly shifting as well.

National: Voting Rights Activists Threatened with Lawsuit by ES&S Over Sharing Instruction Manual | Alternet

One the country’s most dogged vote-count transparency activists, John Brakey of Tucson, Arizona, and the small non-profit he leads, AUDIT-USA, have been told by one of America’s biggest voting machine makers to take down the instruction manuals for their firm’s paper-ballot scanners from their website by Monday—or face a lawsuit, according to a September 27, 2018, letter from Timothy J. Hallett, Associate General Counsel for Election Systems & Software, or ES&S. Brakey, a barrel-chested grandfather who sees verifying vote counts as nothing less than a moral crusade to save American democracy from the dark forces that have colonized and privatized the ballot box, posted various ES&S manuals on AUDIT-USA’s website for a simple reason. The latest generation of high-speed scanners used to tally paper ballots has a built-in feature that he wants all precincts and counting centers to use: making an electronic image of every paper ballot cast. The digitized ballot images can be used to verify close counts, which has occurred in a handful of recent races across the U.S.

National: A Record 800,000 People Registered to Vote on National Voter Registration Day | Time

A record number of people registered to vote in the midterm elections on National Voter Registration Day last week, surpassing the previous record set during the 2016 presidential campaign. More than 800,000 people registered to vote this year as part of National Voter Registration Day, which fell on Sept. 25. The corresponding campaign had aimed to register 300,000 people. “Some us were saying, ‘Hey, maybe we’ll hit 400 or 500,000,” says Brian Miller, who coordinates National Voter Registration Day in his role as executive director of Nonprofit VOTE. “No one that I know of thought we would surpass 800,000 voter registrations. That surprised all of us. But I think it’s a sign of the interest in the midterms and the interest in having this unified day of action.”