While the security of the 2020 election remains a prominent topic in Washington, a group of Democratic senators is raising alarms about longer-term issues that will resonate after voters are done choosing a president about 20 months from now. The three companies that make most of the voting technology used in the U.S. must be more transparent about their plans to improve their products to meet current expectations about security and performance, says a letter Wednesday by Sen. Amy Klobuchar of Minnesota and three other top Democrats. In particular, the senators say every machine should reliably produce paper records, and the companies should do far more to upgrade their products. “The integrity of our elections is directly tied to the machines we vote on — the products that you make,” says the letter from Klobuchar, Mark Warner of Virginia, Jack Reed of Rhode Island and Gary Peters of Michigan. “Despite shouldering such a massive responsibility, there has been a lack of meaningful innovation in the election vendor industry and our democracy is paying the price.”
National: Former CIA leaders give ‘briefing book’ to 2020 candidates to counteract ‘fake news’ and ‘foreign election interference’ | The Washington Post
Two former top CIA officials have compiled an unclassified report on the major national security challenges facing the United States, which they are distributing to every candidate running for president. The report, which former acting CIA directors Michael Morell and John McLaughlin call a “briefing book,” is modeled on the classified oral briefing that the intelligence community provides to the nominees of each major political party running for president, usually after the nominating conventions. The former officials said they’re distributing their briefing now, more than a year before nominees are selected, in response to “the recent rise and abundance of fake news and foreign election interference,” according to a copy reviewed by The Washington Post. The 37-page document, which has not been previously reported, was sent this month to nearly every announced candidate and will soon be sent to President Trump, the former officials said. Intelligence agencies have usually viewed their discussions with nominees as a chance to prepare a potential president for the kinds of issues that he or she will have to grapple with, and to give them a sense of the kind of capabilities and expertise that the U.S. government can bring to bear.
THE 2018 MIDTERM elections were hardly a glowing reflection on the state of America’s voting technology. Even after Congress set aside millions of dollars for state election infrastructure last year, voters across the country still waited in hours-long lines to cast their ballots on their precincts’ finicky, outdated voting machines. Now, a new report published by New York University’s Brennan Center for Justice finds that unless state governments and Congress come up with additional funding this year, the situation may not be much better when millions more Americans cast their vote for president in 2020. In a survey that the center disseminated across the country this winter, 121 election officials in 31 states said they need to upgrade their voting machines before 2020—but only about a third of them have enough money to do so. That’s a considerable threat to election security given that 40 states are using machines that are at least a decade old, and 45 states are using equipment that’s not even manufactured anymore. This creates security vulnerabilities that can’t be patched and leads to machines breaking down when the pressure’s on. The faultier these machines are, the more voters are potentially disenfranchised by prohibitively long lines on election day. “We are driving the same car in 2019 that we were driving in 2004, and the maintenance costs are mounting up,” one South Carolina election official told the Brennan Center’s researchers, noting that he feels “lucky” to be able to find spare parts.
National: Senate Democrats investigate cybersecurity of election machines, introduce version of H.R. 1 | InsideCyberSecurity.com
A group of senior Senate Democrats is seeking information on what the three largest manufacturers of U.S. voting machines are doing to secure the systems ahead of the 2020 elections, while the entire Democratic Caucus on Wednesday signed on to sponsor the Senate version of House-passed H.R. 1, the “For the People Act,” which includes language on securing election machines. A letter — signed by Senate Rules ranking member Amy Klobuchar (D-MN), Intelligence ranking member Mark Warner (D-VA), Homeland Security and Governmental Affairs ranking member Gary Peters (D-MI), and Armed Services ranking member Jack Reed (D-RI) — was sent Tuesday to voting machine vendors Hart InterCivic, Dominion Voting Systems, and Election Systems and Software, or ES&S. “Despite the progress that has been made, election security experts and federal and state government officials continue to warn that more must be done to fortify our election systems,” the senators wrote. “Of particular concern is the fact that many of the machines that Americans use to vote have not been meaningfully updated in nearly two decades. Although each of your companies has a combination of older legacy machines and newer systems, vulnerabilities in each present a problem for the security of our democracy and they must be addressed.” The senators posed questions on steps the companies are taking to secure their machines ahead of 2020, and how Congress can assist in these efforts; what the plans are for updating “legacy” voting machines; whether the companies would support legislation requiring “expanded use of post-election audits”; if the companies have vulnerability disclosure programs; and if they employ full-time cybersecurity experts.
Sen. Ron Wyden (D-Ore.) on Thursday attacked the small but powerful group of companies that controls the production of most voting equipment used in the U.S. “The maintenance of our constitutional rights should not depend on the sketchy ethics of these well-connected corporations that stonewall the Congress, lie to public officials, and have repeatedly gouged taxpayers, in my view, selling all of this stuff,” Wyden said during the Election Verification Network conference, a gathering of voting integrity advocates and election security experts in Washington. Wyden has been a leading voice among lawmakers who have criticized the voting machine industry as too opaque and not subject to enough oversight from Washington, especially as concerns grow among U.S. intelligence officials that elections will once again be a prime hacking target in 2020. “We’re up against some really entrenched, powerful interests, who have really just figured out a way to be above the law,” he said. “There is no other way to characterize it.” Furthermore, Wyden said, voting machine vendors have “been able to hotwire the political system in certain parts of the country.” He noted that newly elected Georgia Gov. Brian Kemp picked the top lobbyist for the voting giant Election Systems & Software as his deputy chief of staff. The companies, he said, “are accountable to nobody.”
As special counsel Robert Mueller’s investigation on Russian hacking and collusion with the Trump campaign ends, the Department of Homeland Security is gearing up to prevent a repeat for the 2020 US presidential election. The federal agency, which formed the Cybersecurity and Infrastructure Security Agency last November, said that it’s “doubling down” on its efforts, calling election security for 2020 a top priority. It hopes to do that by focusing on local election officials, Matt Masterson, a DHS senior adviser on election security, said in an interview with CNET. The emphasis on local represents a new tact as the DHS tries to shut down foreign interference in the US elections. While the agency worked with all 50 states during the 2018 midterm elections, security experts said the outreach needs to zoom in on a county level. There are about 8,800 county election officials across the US, and they are the people responsible for your voting machines, your polling place’s security and handling vote auditing.
The release of special counsel Robert Mueller’s report may provide Americans with the best playbook yet on how to defend democracy in the lead-up to the 2020 presidential election. In the days since Attorney General William Barr’s letter to Congress, much of the focus has boiled down to one line from President Trump: “No Collusion, No Obstruction.” But judging by Barr’s language and the details that have come to light through indictments filed by Mueller’s team over the past two years, the report may also reveal more about how Russia attacked the 2016 U.S. presidential election. The report’s first section, according to Barr, focuses on Russian “computer hacking operations,” which included the theft of emails from the Democratic National Committee and Hillary Clinton’s campaign, as well as agitation online to try to exacerbate divisions among Americans. Barr’s summary didn’t address an aspect of the interference that Mueller has described elsewhere, including the cyberattacks that targeted state elections infrastructure.
The collusion question now answered, another one looms ahead of 2020: Will U.S. elections be secure from more Russian interference? The 22-month-long special counsel investigation underscored how vulnerable the U.S. was to a foreign adversary seeking to sow discord on social media, spread misinformation and exploit security gaps in state election systems. With the presidential primaries less than a year away, security experts and elected officials wonder whether the federal government and the states have done enough since 2016 to fend off another attack by Russia or other hostile foreign actors. “Although we believe that Russia didn’t succeed in changing any vote totals, the Russian playbook is out there for other adversaries to use,” said Virginia Sen. Mark Warner, a Democrat and vice chairman of the Senate Committee on Intelligence. “As we head towards the 2020 presidential elections, we’ve got to be more proactive in protecting our democratic process.” Special counsel Robert Mueller detailed the sweeping conspiracy by the Kremlin to meddle in the 2016 election in an indictment last year, charging 12 Russian military intelligence officers with hacking the email accounts of Clinton campaign officials and breaching the networks of the Democratic Party. The indictment also included allegations the Russians conspired to hack state election systems and stole information on about 500,000 voters from one state board of elections’ computers.
For years security professionals and election integrity activists have been pushing voting machine vendors to build more secure and verifiable election systems, so voters and candidates can be assured election outcomes haven’t been manipulated. Now they might finally get this thanks to a new $10 million contract the Defense Department’s Defense Advanced Research Projects Agency (DARPA) has launched to design and build a secure voting system that it hopes will be impervious to hacking.
The first-of-its-kind system will be designed by an Oregon-based firm called Galois, a longtime government contractor with experience in designing secure and verifiable systems. The system will use fully open source voting software, instead of the closed, proprietary software currently used in the vast majority of voting machines, which no one outside of voting machine testing labs can examine. More importantly, it will be built on secure open source hardware, made from special secure designs and techniques developed over the last year as part of a special program at DARPA. The voting system will also be designed to create fully verifiable and transparent results so that voters don’t have to blindly trust that the machines and election officials delivered correct results.
Some voters in Johnson County, Ind., found themselves waiting for hours to cast their ballots in last year’s midterm elections, but not because of a massive surge in turnout or malfunctioning voting machines. What struggled to work were the electronic poll books used to check a voter’s registration, triggering long lines at polling stations. A state investigation determined that the vendor for the e-poll books, Election Systems & Software (ES&S), was responsible for the technical issue, and the Johnson County election board ultimately voted to terminate the contract. ES&S is one of the biggest voting machine vendors in the country. And despite the report’s findings, other counties in Indiana have continued to work with it, including some that recently signed new contracts. Experts told The Hill that the scenario underscores the new issues that local election officials have to consider as they juggle the benefits and security risks of voting technology, particularly in light of heightened concerns over election hacking.
Election officials in some states and cities are planning to replace their insecure voting machines with technology that is still vulnerable to hacking. The machines that Georgia, Delaware, Philadelphia and perhaps many other jurisdictions will buy before 2020 are an improvement over the totally paperless devices that have generated controversy for more than 15 years, election security experts and voting integrity advocates say. But they warn that these new machines still pose unacceptable risks in an election that U.S. intelligence officials expect to be a prime target for disruption by countries such as Russia and China. The new machines, like the ones they’re replacing, allow voters to use a touchscreen to select their choices. But they also print out a slip of paper with the vote both displayed in plain text and embedded in a barcode — a hard copy that, in theory, would make it harder for hackers to silently manipulate the results. Security experts warn, however, that hackers could still manipulate the barcodes without voters noticing. The National Academies of Sciences, Engineering and Medicine has also warned against trusting the barcode-based devices without more research, saying they “raise security and verifiability concerns.”
In 2016, I bought two voting machines online for less than $100 apiece. I didn’t even have to search the dark web. I found them on eBay. Surely, I thought, these machines would have strict guidelines for lifecycle control like other sensitive equipment, like medical devices. I was wrong. I was able to purchase a pair of direct-recording electronic voting machines and have them delivered to my home in just a few days. I did this again just a few months ago. Alarmingly, they are still available to buy online. If getting voting machines delivered to my door was shockingly easy, getting inside them proved to be simpler still. The tamper-proof screws didn’t work, all the computing equipment was still intact, and the hard drives had not been wiped. The information I found on the drives, including candidates, precincts, and the number of votes cast on the machine, were not encrypted. Worse, the “Property Of” government labels were still attached, meaning someone had sold government property filled with voter information and location data online, at a low cost, with no consequences. It would be the equivalent of buying a surplus police car with the logos still on it.
The U.S. military has the capability, the willingness and, perhaps for the first time, the official permission to preemptively engage in active cyberwarfare against foreign targets. The first known action happened as the 2018 midterm elections approached: U.S. Cyber Command, the part of the military that oversees cyber operations, waged a covert campaign to deter Russian interference in the democratic process. It started with texts in October 2018. Russian hackers operating in the Internet Research Agency – the infamous “troll factory” linked to Russian intelligence, Russian private military contractors and Putin-friendly oligarchs – received warnings via pop-ups, texts and emails not to interfere with U.S. interests. Then, during the day of the election, the servers that connected the troll factory to the outside world went down.
Never has it been more important to have a mechanism to audit U.S. voting results, but experts say election security risks combined with the weaponization of social media make the task more difficult than ever. The electronic voting systems used in a number of states are a concern for security experts who have seen serious flaws in these systems. If the 2020 U.S. election results are disputed by a candidate, there must be a clear way to show voting results are accurate to ensure a peaceful transition of government, said Avi Rubin a computer science professor at Johns Hopkins University, during an RSA Conference 2019 session on election hacking. … Ronald Rivest, a professor in MIT’s Cryptography and Information Security research group, said during a separate session at RSA Conference that “keeping it simple with low-tech paper ballots” is the lesson learned over the past decade. We still need to know that the tabulation of those ballots is accurate, via audits, and states like Colorado and Rhode Island are piloting new risk-limiting audit systems, Rivest said.
For years, election security experts have assured us that, if properly implemented, paper ballots and routine manual audits can catch electronic vote tally manipulation. Unfortunately, there is no universal definition of “paper ballot,” which has enabled vendors and their surrogates to characterize machine-marked paper printouts from hackable ballot marking devices (BMDs) as “paper ballots.” Unlike hand-marked paper ballots, voters must print and inspect these machine-marked “paper ballots” to try to detect any fraudulent or erroneous votes that might have been marked by the BMD. The machine-marked ballot is then counted on a separate scanner.
Most independent cybersecurity election experts caution against putting these insecure BMDs between voters and their ballots and instead recommend hand-marked paper ballots as a primary voting system (reserving BMDs only for those who are unable to hand mark their ballots). But vendors and many election officials haven’t listened and are now pushing even more controversial “hybrid” systems that combine both a BMD and a scanner into a single unit. These too are now sold for use as a primary voting system.
Unlike hand-marked paper ballots counted on scanners and regular non-hybrid BMDs, these new hybrid systems can add fake votes to the machine-marked “paper ballot” after it’s been cast, experts warn. Any manual audit based on such fraudulent “paper ballots” would falsely approve an illegitimate electronic outcome. According to experts, the hybrid voting systems with this alarming capability include the ExpressVote hybrid by Election Systems & Software, LLC (ES&S), the ExpressVote XL hybrid by ES&S, and the Image Cast Evolution hybrid by Dominion Voting.
National: ‘We’re doubling down.’ DHS insists it’s not reducing election security efforts | The Washington Post
The Homeland Security Department is actually surging its efforts to protect elections against foreign hackers during the two years leading up to the 2020 elections — not winding them down, the agency’s top cybersecurity official insists. Chris Krebs, who leads DHS’s Cybersecurity and Infrastructure Security Agency, was punching back Thursday against a Daily Beast report citing anonymous staffers who said the department was reducing its election security efforts following the midterms to invest more in border security and other Trump administration priorities. “The department’s election security and countering foreign influence security-related efforts are not going anywhere,” Krebs said. “In fact, we’re doubling down.” The article made waves in the security community because even a perception that the government isn’t serious about securing elections against Russian hackers could damage trust in the result in the 2020 election. Federal officials — including Krebs himself — have warned Russia may have viewed the midterms as merely a “warm-up” for 2020 when more Americans will be looking for signs of foreign influence. That stakes for officials such as Krebs are especially high because President Trump has wavered on whether he believes Russia was responsible for its hacking and disinformation campaign to influence the 2016 presidential contest.
The head of the Department of Homeland Security’s cybersecurity wing is pushing back on a media report that the agency has scaled back personnel and resources from its combatting foreign election interference. Cybersecurity and Infrastructure Security Agency Director Chris Krebs hosted a conference call with reporters less than 24 hours after The Daily Beast published a story that quoted multiple anonymous DHS officials who said two CISA task forces focused on coordinating the department’s response to foreign influence in U.S. elections were significantly downsized shortly after the mid-terms. Krebs didn’t deny that personnel levels for the task forces were reduced. He characterized the task forces as temporary vehicles to address an emerging threat while CISA worked to hire staff and build more permanent institutional capacity to tackle the issue.
Two teams of federal officials assembled to fight foreign election interference are being dramatically downsized, according to three current and former Department of Homeland Security officials. And now, those sources say they fear the department won’t prepare adequately for election threats in 2020. “The clear assessment from the intelligence community is that 2020 is going to be the perfect storm,” said a DHS official familiar with the teams. “We know Russia is going to be engaged. Other state actors have seen the success of Russia and realize the value of disinformation operations. So it’s very curious why the task forces were demoted in the bureaucracy and the leadership has not committed resources to prepare for the 2020 election.”
Lawmakers questioned federal officials Wednesday about the importance of passing election security measures ahead of the 2020 contests, pressing witnesses on the threat posed by foreign actors to influence U.S. elections. Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security (DHS), testified during the House Homeland Security Committee hearing Wednesday that the federal government is “lightyears ahead” of where it was in 2016 when it came to communicating with state and local officials. But he said improving outreach and communication with those officials is a top priority for his department ahead of 2020. Krebs also said that being able to audit elections is a pressing issue for his agency, and that records of votes, like paper trails, will help officials confirm election results. The DHS official added that basic cybersecurity remains a crucial issue, saying he fears any gaps could expose vulnerabilities in systems that could be abused by hackers.
National: This key House Republican is open to mandates on states for election security | The Washington Post
As the House Homeland Security Committee meets for the first election security hearing of 2019 today, Congress is still far away from a grand bargain to help protect state election systems from foreign hackers. But the goalposts may be changing with Democrats in charge of the House. The new top Republican on the committee, Rep. Mike Rogers (Ala.), tells me he’s ready to impose requirements on states to secure their election systems against hackers. He called for a baseline of security states must meet before receiving money from the government to upgrade outdated and vulnerable voting machines and secure other election infrastructure. “We want to get some minimum standards that have to be adhered to,” Rogers tells me. And he says he’s willing to work with Democrats to get it done.
Democrats and Republicans have clashed before over H.R. 1, the House Dems’ sweeping package of democracy and governance proposals, but today the fight goes directly to the election security provisions of the bill. The House Homeland Security panel holds a hearing today on the measure with testimony from DHS’s top cyber official, Cybersecurity and Infrastructure Security Agency Director Chris Krebs, Election Assistance Commission Chairman Thomas Hicks and others. A CISA official told MC: “Director Krebs will confirm election security remains a priority for CISA in the run up to 2020, laying out the Agency’s plan to work with State and local election officials on broader engagement, better defining risk to election systems, and understanding the resources to manage that risk.” At least one witness — Jake Braun, a former Obama administration official who now works as executive director of the University of Chicago’s Cyber Policy Initiative and an organizer of DEF CON’s Voting Village — endorses the bill’s election security ideas in his prepared testimony. He praises the provisions mandating auditable paper trails and authorizing voting infrastructure research and development funds.
With the 2020 national election cycle on the horizon, House Homeland Security Committee Chairman Bennie Thompson, D-Miss., convened a hearing Wednesday to examine the how the United States was working to secure its elections. The hearing, broken into two panels, heard from senior Federal election officials, as well as state and local election officials. During the first half of the hearing Christopher Krebs, director of the newly minted Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security (DHS), stressed that election cybersecurity is on the upswing. However, the second half of the hearing held a slightly different tone, with California Secretary of State Alex Padilla declaring that “our democracy is under attack.”
The nation’s top cybersecurity official told Congress that the ability to audit voting machines after elections is critical for ballot security. “The area that I think we need to invest the most in the nation is ensuring auditability across infrastructure,” Christopher Krebs, head of the Cybersecurity and Infrastructure Security Agency said at a Feb. 13 hearing of the House Homeland Security Committee. “If you don’t know what’s happening and you can’t check back at what’s happening in the system — you don’t have security.” While 34 states and the District of Columbia have some laws mandating post-election audits, according to the National Conference of State Legislatures, Congress has been unable to agree on how hard or soft to make such language in legislation. Krebs and Election Assistance Commission (EAC) Chair Thomas Hicks endorsed the need for greater auditability, though both deferred to states on the question of whether it should be done digitally or by hand.
National: Manafort Found to Have Lied to Prosecutors While Under a Cooperation Agreement | The New York Times
A federal judge ruled on Wednesday that Paul Manafort, President Trump’s former campaign chairman, had breached his plea agreement by lying multiple times to prosecutors after pledging to cooperate with the special counsel’s investigation into Russia’s interference in the 2016 election. The decision by Judge Amy Berman Jackson of United States District Court in Washington may affect the severity of punishment that awaits Mr. Manafort. Judge Jackson is scheduled to sentence him next month on two conspiracy counts, and he is also awaiting sentencing for eight other counts in a related fraud case. After Mr. Manafort agreed in September to cooperate with the office of the special counsel, Robert S. Mueller III, the judge found, he lied about his contacts with a Russian associate during the campaign and after the election. Prosecutors claim that the associate, Konstantin V. Kilimnik, has ties to Russian intelligence, and have been investigating whether he was involved in Russia’s covert campaign to influence the election results.
Responsibility for the nation’s cybersecurity is spread piecemeal throughout the government without a single person or agency in charge. That creates dangerous gaps that U.S. adversaries could exploit to hack the government or critical infrastructure, two prominent Senate Republicans told me. Homeland Security Chairman Ron Johnson (Wis.) and Mike Rounds (S.D.), chair of the Armed Services Committee’s cyber panel, are mulling how they might create a centralized government authority for cybersecurity issues. The goal would be an office that could make sure the Homeland Security, Defense and Justice departments are effectively sharing information and working toward common goals, the senators said. For example, the Defense Department, which is authorized to conduct clandestine military activities in cyberspace, might not be as clued in as DHS is to how some of those activities could prompt retaliation against U.S. businesses. Rounds also noted that some parts of the government were concerned for several years that Chinese telecom giant Huawei could use its position inside global telecommunications infrastructure to spy on behalf of the Chinese government — but the U.S. did not act until recently.
Wisconsin Republican Sen. Ron Johnson leads the committee with broad oversight over the nation’s most important cybersecurity issues, including protecting consumers and U.S. elections from hackers. But he’s also a major reason little legislation on these topics ever passes, according to lobbyists, cybersecurity policy experts, lawmakers and congressional aides from both parties who spoke with POLITICO. Johnson or members of his staff have derailed many of the most significant cybersecurity-related bills in the past four years, including legislation to secure elections, study whether the growing use of encrypted apps hampers law enforcement, and hold companies accountable for the proliferation of insecure connected devices, people who track the legislation told POLITICO.
Moving with unusual speed, the Supreme Court on Monday set the stage for acting soon – probably on Friday – on the constitutional controversy over asking everyone living in America about their citizenship, as part of the 2020 census. At issue at this point is whether the Justices will take up directly, without waiting for further action in lower courts, the dispute over the contents of the questionnaire that will go to every household across the nation next year. The outcome of the controversy may have a major influence on dividing up seats in the U.S. House of Representatives, on drawing up new election district maps at all levels of government, and about the distribution of billions of dollars in federal money. Although there is a clear dispute among the two sides in the controversy about the legality of adding the citizenship question, everyone involved has now agreed that an answer needs to be forthcoming before the Supreme Court finishes its current term, probably in late June.
Cautious about the government’s efforts to safeguard the 2020 presidential race, election-security experts worry that the job is too formidable to finish in the time that remains. One issue at stake is outdated voting machines and technology, but Maurice Turner, a senior technologist with the Center for Democracy and Technology, warned that equipment updates require legislatures to make funding appropriations. With the first 2020 primaries scheduled for February, the process of issuing, receiving and evaluating proposals along can take months. After that comes testing and configuration, another months-long process, before the machines can be delivered on a large scale. “No election official wants to be rolling out new equipment 30 or 60 days before the general election,” Turner said in a phone interview, “so they’re going to need to identify other races, other contests they can test this equipment on.”
The House Intelligence Committee on Wednesday began a broad inquiry into whether Russia and other foreign powers may be exercising influence over President Trump, acting only hours after a defiant Speaker Nancy Pelosi declared that the House would not be cowed by the president’s “all-out threat” to drop its investigations of his administration. Other committees were zeroing in on similarly sensitive oversight targets. On Thursday, Democrats will begin their quest to secure the president’s long-suppressed tax returns. The chairman of the Judiciary Committee readied a subpoena for the acting attorney general, Matthew G. Whitaker, in case he tried to avoid Democratic questioning. And a House Appropriations subcommittee chairwoman began an inquiry into administration rule-bending during the 35-day partial government shutdown.
In her response to President Trump’s State of the Union, Stacey Abrams went through some of the top issues for the Democratic Party. Health care. Climate change. Gun safety. Then she brought up a topic Democrats are planning to spend a lot of time on over next two years: voting. “Let’s be clear. Voter suppression is real,” Abrams said. “From making it harder to register and staying on the rolls, to moving and closing polling places, to rejecting lawful ballots, we can no longer ignore these threats to democracy.” The past two federal elections seem to have been a tipping point.