Glitchy paperless voting machines are affecting an untold number of early voting ballots in Texas and Georgia, raising the specter that two of the most closely watched races could be marred by questions about whether the vote count is accurate. Civil rights groups and voters in both states have filed complaints alleging that the ATM-style touchscreen machines inexplicably deleted some people’s votes for Democratic candidates or switched them to Republican votes. The errors — which experts have blamed on outdated software and old machines — would appear to work to the advantage of Republican Texas Sen. Ted Cruz over Democratic challenger Beto O’Rourke, and that of Georgia GOP gubernatorial candidate Brian Kemp over Democrat Stacey Abrams. It’s unclear how many times the errors have happened or whether they could be enough to change the outcome of either race, both of which appear to be tight. But the latest episodes come after at least a decade and a half of warnings from election security groups about the dangers of relying on voting machines that don’t produce a paper trail — saying they’re insecure and produce results that are impossible to audit.
There likely isn’t a quick fix for complex U.S. election integrity challenges such as social-engineering interference on Facebook. Experts say there is a straightforward response, however, to vulnerable voting-machine software. The problem is that it involves cooperation in Congress. When the Senate failed to move the Secure Elections Act forward in August because of White House concerns over states’ rights, coupled with funding concerns, the United States lost its best chance this year of taking steps toward patching voting machines. The most recent federal dollars devoted to improving elections came from the Help Americans Vote Act of 2002, which was itself flawed because its authors failed to predict cybersecurity standards for voting machines. The idea of hackers infiltrating computerized voting machines at the time was “completely ridiculous,” says Margaret MacAlpine, a voting-machine security researcher and a founding partner of cybersecurity consultancy Nordic Innovation Labs. “The cybersecurity threat was more than science fiction at that point,” she says. And even now, as knowledge that the machines are vulnerable to hackers spreads, there is still a lack of political will to allocate the funds needed to replace them and ensure that new machines are secured against attacks, she says.
Americans are now voting in the first major election since Russians launched a broad assault on the 2016 presidential campaign. And while election officials and security experts remain vigilant through Election Day, voters have a critical role in the fight to keep elections safe and accessible. The average voter shouldn’t be too concerned about foreign interference in elections, said Maurice Turner, a senior technologist at the nonprofit Center for Democracy and Technology in Washington, D.C. But, he said, that doesn’t mean she should be passive about secure elections. By understanding the system, its flaws and what needs changing, voters can call for accountability from election officials and state policymakers. “I’m hoping for a quiet Election Day,” Turner said. “I’m hoping that we can focus on the issues that are on the ballot versus how we’re going to count the ballot.” Malicious actors might attack the midterms by manipulating voter registration rolls. While a May report from the Senate Intelligence Committee said the “U.S. election infrastructure is fundamentally resilient,” it also outlined Russian attempts in 2016 to scan election systems in 21 states and aggressively try to infiltrate six of them.
A few weeks ago computer scientist J. Alex Halderman rolled an electronic voting machine onto a Massachusetts Institute of Technology stage and demonstrated how simple it is to hack an election. In a mock contest between George Washington and Benedict Arnold three volunteers each voted for Washington. But Halderman, whose research involves testing the security of election systems, had tampered with the ballot programming, infecting the machine’s memory card with malicious software. When he printed out the results, the receipt showed Arnold had won, 2 to 1. Without a paper trail of each vote, neither the voters nor a human auditor could check for discrepancies. In real elections, too, about 20 percent of voters nationally still cast electronic ballots only. As the U.S. midterm elections approach, Halderman, among others, has warned our “outmoded and under-tested” electronic voting systems are increasingly vulnerable to attacks. They can also lead to confusion. Some early voters in Texas have already reported votes they cast for Democratic U.S. Senate challenger Beto O’Rourke were switched on-screen to incumbent Republican Sen. Ted Cruz. There’s no evidence of hacking, and the particular machines in question are known to have software bugs, which could account for the errors.
Shane Huntley has seen every form of state-sponsored cyberattack, first as an Australian intelligence officer and now as director of Google’s most advanced team of threat detectors. So when he was asked what surprised him the most about the 2018 midterm elections, his response was a bit counterintuitive. “The answer is surprisingly little on the hacking front, at least compared to two years ago.” He paused, and added: “And that reassures some people, and it scares some people.” He is right. From the cyberwar room that the Department of Homeland Security runs round the clock in a bland office building in Arlington, Va., to Microsoft’s threat-assessment center at the other end of the country, in Redmond, Wash., every form of digital radar is being focused on Russia, especially its military-intelligence unit, formerly known as the G.R.U.
National: Campaign cybersecurity poses next major challenge for federal election officials | The Hill
Federal officials say they want to help political campaigns guard against against cyberattacks, but are struggling to figure out how. Election officials said this week that while much of the attention since 2016 has focused on protecting voting systems, campaigns remain highly susceptible to cyber intrusions. However, those same officials have no means of directly communicating with the hundreds, if not thousands, of candidates about how best to address cyber threats. Robert Kolasky, director of the Department of Homeland Security’s (DHS) National Risk Management Center, said DHS has resorted to contacting the Republican and Democratic national committees to try to reach campaigns. And even then federal officials aren’t able to reach everyone. Few campaigns reach out to DHS about cybersecurity issues, Kolasky told reporters on Tuesday, adding that candidates are more likely to contact the FBI or their national committees when they notice something has gone wrong.
Clemente Torres has proudly cast his vote in person at Dodge City’s lone polling place in every election since he became a naturalized citizen 20 years ago. This year is different. After Republican officials said in September they would move the Hispanic-majority city’s only polling place to a remote spot outside the city limits, across railroad tracks and away from bus lines, Torres decided to vote by mail. “I wanted to be sure I could vote,” said Torres, 57, who works at a meatpacking plant in this western Kansas city best known for its history as a Wild West outpost. “I didn’t want to take any chances.” Torres and other voters interviewed by Reuters said they were worried voting would be more difficult at the new location. Some were skeptical of the official explanation: that construction will hinder access to the usual site. The move sparked an outcry from voting rights groups that say Republicans are trying to limit Hispanic votes. The American Civil Liberties Union asked the courts to force Dodge City to open another polling site – a request denied by a judge on Thursday.
National: Mail-In Ballot Postage Becomes a Surprising (and Unnecessary) Cause of Voter Anxiety | ProPublica
At the absentee ballot parties organized by assistant professor Allison Rank and her political science students at the State University of New York at Oswego, young voters can sip apple cider and eat donuts as they fill out their ballots. But the main draw is the free stamps. “The stamp was actually the thing I was concerned about,” one freshman told Rank after she explained the process of completing and mailing in a ballot. According to Rank, only one store on the rural upstate campus sells postage. It has limited hours and only takes cash, which many students don’t carry. It’s not only students who may be short a stamp this election. An increasing number of Americans vote by mail in an age when fewer of us have a reason to keep postage on hand. But it’s long been an open secret among election officials: Even though the return envelopes on many mail-in ballots say “postage required,” the U.S. Postal Service will deliver even without a stamp.
National: In the South, an Aggressive Effort to Purge Former Felons From Voting Rolls | Pacific Standard
In many parts of the country, it’s becoming easier than ever for former felons to vote. A growing number of states have loosened restrictions, such as allowing people to cast ballots while still on parole or probation. But there is one region that still has a penchant for purging felons from the rolls: the South. An APM Reports/Pacific Standard analysis of federal data shows that, in the past decade, the number of registered voters removed from the rolls across the South due to a conviction has nearly doubled. That trend comes at a time when overall crime rates have been declining. States with the largest voting-aged, African-American populations tend to have some of the strictest laws. And that’s created a disproportionate impact on minority voters. In fact, the laws were initially designed 150 years ago to suppress African-American political influence.
You could call it buyer’s remorse. Five US states went all in on electronic voting machines, and four of those states are poised to get out. Delaware, Georgia, Louisiana, New Jersey and South Carolina are the only states relying solely on voting machines that produce no paper record of an individual voter’s ballot. All but Georgia are on the cusp of swapping those out for new machines that print out a paper record of each completed ballot — and Georgia is under pressure to do the same. None, though, will be ready for next week’s midterm elections. It’s the next step in voting systems since Florida’s infamous hanging chads and butterfly ballots determined the 2000 presidential election. … Hackers could also infiltrate the computers that tabulate results, as security experts found when they examined voting-related software at the annual Defcon hacking conference this year, and they could attack or alter the websites that announce winners. The Defcon experts also found half of US states are using voting machines that have known software vulnerabilities.
National: How Electronic-Voting-Machine Errors Reflect a Wider Crisis for American Democracy | The New Yorker
When reports began circulating last week that voting machines in Texas were flipping ballots cast for Beto O’Rourke over to Ted Cruz, and machines in Georgia were changing votes for the Democratic gubernatorial candidate Stacey Abrams to those for her Republican opponent, Brian Kemp, it would not have been unreasonable to suppose that those machines had been hacked. After all, their vulnerabilities have been known for nearly two decades. In September, J. Alex Halderman, a computer-science professor at the University of Michigan, demonstrated to members of Congress precisely how easy it is to surreptitiously manipulate the AccuVote TS, a variant of the direct-recording electronic (D.R.E.) voting machines used in Georgia. In addition, Halderman noted, it is impossible to verify that the votes cast were not the votes intended, since the AccuVote does not provide a physical record of the transaction.
National: Fewer than half of US states have undergone federal election security reviews ahead of midterms | ABC
With only a week left before the 2018 midterm elections, fewer than half of U.S. states have submitted to a Department of Homeland Security assessment of their vulnerabilities to vote hacking. Under the department’s National Protection and Programs Directorate, the agency branch that coordinates cyber protection of U.S. infrastructure, a team of DHS officials are prepared to examine statewide election systems. They can check for cybersecurity vulnerabilities and run in-person exercises like phishing tests to ensure election officials are prepared to guard against attempts to hack their email accounts. The Department of Homeland Security has already provided or is scheduled to provide the service, which is free for states that request it, to only 21 states, a department spokesman told ABC News, concerning election experts who fear some states may not be aware of potential vulnerabilities.
Just days before a pivotal midterm congressional election, dozens of jurisdictions around the country go to polls without a paper backup for electronic voting systems. The shortfall comes despite nearly two years of warnings from cybersecurity experts that in the absence of a paper backup system, voters’ intentions cannot be verified in case of a cyberattack that alters election databases. Fourteen states will conduct the midterm elections where voters will register their choices in an electronic form but will not leave behind any paper trail that could be used to audit and verify the outcome. Delaware, Georgia, Louisiana, New Jersey and South Carolina have no paper backup systems anywhere in the state. Nine other states have several jurisdictions without a physical alternative to electronic records — Arkansas, Florida, Indiana, Kansas, Kentucky, Mississippi, Pennsylvania, Tennessee and Texas. Experts have urged states to have backup systems after officials from U.S. intelligence agencies and the Department of Homeland Security said that Russian entities scanned election systems in at least 21 states before the 2016 election in an attempt to breach. Seven states had their computer systems breached to various degrees, officials have said. Illinois has said its voter registration system was breached. But officials have said no votes were altered.
Drawing on her years of military experience, Maureen Heard was careful to follow all the rules when she filled out an absentee ballot in 2016. She read the instructions thoroughly, signed where she was supposed to, put the ballot in its envelope and dropped it off at the clerk’s office in her New Hampshire town. She then left so she could return to a temporary federal work assignment in Washington, D.C. “I have learned over the years, many years in the military of filling out forms, how to fill out forms — and I was very intimidated by the process,” said Heard, who served in the Air Force and was a lieutenant in the U.S. Coast Guard. “I was like, ‘Oh my gosh, I have to make sure I get it absolutely right.’ And then it didn’t count.” Heard, 57, discovered last year that she was among roughly 319,000 voters across the country whose absentee ballots were rejected during the last presidential election. The reasons varied, ranging from missed deadlines to failure to sign the return envelope. Heard’s ballot was tossed out because her signature did not match the one on file at her local election office.
It was a mystery worthy of crime novelist Raymond Chandler. On 8 November 2016, African Americans did not show up. It was like a day of absence. African Americans had virtually boycotted the election because they “simply saw no affirmative reason to vote for Hillary”, as one reporter explained, before adding, with a hint of an old refrain, that “some saw her as corrupt”. As proof of blacks’ coolness toward her, journalists pointed to the much greater turnout for Obama in 2008 and 2012. It is true that, nationwide, black voter turnout had dropped by 7% overall. Moreover, less than half of Hispanic and Asian American voters came to the polls. This was, without question, a sea change. The tide of African American, Hispanic and Asian voters that had previously carried Barack Obama into the White House and kept him there had now visibly ebbed. Journalist Ari Berman called it the most underreported story of the 2016 campaign. But it’s more than that. The disappearing minority voter is the campaign’s most misunderstood story. Minority voters did not just refuse to show up; Republican legislatures and governors systematically blocked African Americans, Hispanics and Asian Americans from the polls.
To help shore up the nation’s election infrastructure, Congress repurposed $380 million of leftover funding from the 2002 Help America Vote Act into grant funding for states to improve election security. States collectively invested an additional $19 million in matching funds for the same purpose. States could use the grants to replace old voting machines, upgrade election-related computer systems to address vulnerabilities identified by the Department of Homeland Security, implement post-election audits, provide cybersecurity training for state and local election officials or other activities that are specifically tailored to addressing cybersecurity needs.According to the Election Assistance Commission, 41 states used 36.3 percent of those funds to directly improve election cybersecurity. An additional 27.8 percent of the funding went to purchase new voting equipment while another 13.7 percent went to upgrade voter registration systems. Only 5.6 percent of the funds were used to implement post-election audits. However, it’s important to understand that these upgrades and expenditures are expected to take place over the course of the next two to three years; relatively little of the work is being completed before the midterm elections.
National: Center for Internet Security looks to expand threat sharing program to political campaigns | CyberScoop
While hundreds of millions of dollars in federal money have been allocated for securing state election infrastructure this year, political campaigns are often cash-strapped operations short on cybersecurity expertise. “Especially in the early phases of the campaign, it is not staffed by professional IT and certainly not cybersecurity people,” said John Gilligan, the executive chairman of the nonprofit Center for Internet Security (CIS). When a candidate decides to run, the campaign might acquire a few computers and start building databases without prioritizing cybersecurity, Gilligan said Tuesday at the Center for Strategic and International Studies. CIS, which runs a center for sharing threat data with state and local officials, is looking to extend its information-sharing initiative to campaigns. The goal is to chip away at the security-resource deficit facing candidates, as numerous tech companies are trying to do by offering free security services to campaigns.
National: The Amazing Disappearing Voter: Voter purges have become the right’s new voter suppression tool of choice | TPM
Houston photographer Lynn Lane has voted in every general election and primary over the last five years. He hasn’t changed his address, so he was stunned this year to receive an official letter warning him that he might soon be erased from the rolls. Lane was one of 4,000 voters whose registrations were personally challenged by a single Republican, Alan Vera, who chairs the Harris County GOP’s “Ballot Security Committee.” This sort of individual challenge is illegal in some states, but Texas law permits it. Republicans blamed the county’s election registrar, a Democrat, for automatically suspending the registrations of 1,700 of those voters — but not before Vera boasted on his Facebook page about what he was up to: Voters whose registrations were suspended for failure to return a confirmation postcard would have to cast provisional ballots, which are “reviewed by the Ballot board,” he wrote, “and I appoint all Republican members of that board.” His “project,” he added, “could make a big difference in the November election results.” Stories like Lane’s are becoming all too familiar to a growing number of American voters, who are being dropped from the rolls at a rapid clip, particularly in states with histories of voter discrimination. Such purges are the new face of voter suppression, civil rights advocates say. Unlike the Jim Crow laws of yore, which blocked access to the rolls with tests and taxes, voter purges take registered voters — often, voters of color — and make them disappear. And unlike voter ID laws, which at least give voters advanced warning, purges can be sudden, silent, untraceable, and irremediable.
National: Native Americans Voting In 2018 Are Confronting Barriers — And It’s Not Just Voter ID | Bustle
Voting rights organizations are making a final push to get out the vote with just a week to go until the midterm elections. In North Dakota, those efforts have taken on greater urgency because a new voter ID law will be in effect come Nov. 6. Tribes and advocacy groups are on a mission to overcome longstanding obstacles that have hindered Native Americans’ right to vote and ensure their communities have access to the ballot box. Earlier this month, the Supreme Court decided that it would allow North Dakota’s voter ID law to stand. That means voters will be required to present identification showing their street addresses when they vote at their polling place. There’s one glaring problem with that requirement: Native Americans who live on reservations in North Dakota don’t necessarily have street addresses. They typically use P.O. boxes instead, which are listed on their IDs.
Thomas Hicks, commissioner of the U.S. Election Assistance Commission, said today that EAC has developed a set of voluntary voting system guidelines to aid local election authorities, but the commission currently lacks a quorum to vote on the standards and distribute the guidance to localities. EAC currently has two active commissioners of a possible four, but requires a quorum of three in order to vote. President Trump has nominated two people to serve on EAC, but there has been no movement in Congress to confirm the nominees. “I’m hoping the Senate Rules Committee and the Senate come together and vote those two folks up or down relatively soon,” Hicks said today at the Symantec Government Symposium.
The quarterly incident response (IR) threat report from Carbon Black isn’t usually such an exciting read, aggregating as it does data from across a number of partners in order to provide actionable intelligence for business leaders. The latest report, published today, is a politically charged exception. Not only does it reveal that nation-state politically motivated cyberattacks are on the up, with China and Russia responsible for 41.4% of all the reported attacks, but that voter databases from Alabama to Washington (and 18 others) are for sale on the dark web. These databases cover 21 states in all, with records for 81,534,624 voters that include voter IDs, names and addresses, phone numbers and citizenship status. Tom Kellerman, Carbon Black’s chief cybersecurity officer, describes the nation-state attackers as not “just committing simple burglary or even home invasion, they’re arsonists.” Nobody relishes their house burning down, even figuratively speaking. Which is why, according to another newly published report, this time from Unisys, suggests one in five voters may stay at home during the midterms as they fear their votes won’t count if systems suffer a cyberattack.
The future of voting should not involve your cellphone, according to a leading cybersecurity expert. In a first-of-its-kind pilot program, West Virginia will test blockchain encrypted mobile phone voting for members of the U.S. military. But Joe Hall, chief technologist and director of internet architecture at the Center for Democracy & Technology, warned that the plan presents a host of risks. “West Virginia has taken the ridiculous step of deciding that they’re going to not only vote on a mobile device, which in and of itself is just a bad idea, but use a blockchain mechanism, something associated with crypto-currency or bitcoin,” Hall told Grant Burningham, host of the Yahoo News podcast “Bots & Ballots.” In a September interview with Burningham, venture capitalist Bradley Tusk argued that his foundation’s plan to test cellphone voting was a way to boost voter participation in the U.S. However, Hall believes the risks outweigh the possible benefits.
Pop quiz: which part of the federal government is tasked with preventing cyber interference in our elections? Congress has refused to say. We have reached a point of a significant gap between an important federal need and existing federal power. And in the absence of that federal power, federal agencies have stepped into the gap and extended their authority into domains unanticipated by Congress. Of course, there is clear statutory guidance for some aspects of protecting election integrity. We can think about preventing campaign interference in our elections. Portions of that job fall squarely within the domain of the Federal Elections Commission, which enforces campaign finance laws. We can also think about prosecution or punishment of those who engage in either foreign campaign interference, like the Justice Department’s recent criminal indictment of a Russian woman with interference in the 2018 midterm elections, or foreign cyber interference, like actions from the Obama and Trump administrations to sanction those who interfere with election systems in the United States. But that’s focused on punishing election interference that has already occurred.
Just days before a pivotal midterm congressional election, dozens of jurisdictions around the country go to polls without a paper backup for electronic voting systems. The shortfall comes despite nearly two years of warnings from cybersecurity experts that in the absence of a paper backup system, voters’ intentions cannot be verified in case of a cyberattack that alters election databases. Fourteen states will conduct the midterm elections where voters will register their choices in an electronic form but will not leave behind any paper trail that could be used to audit and verify the outcome. Delaware, Georgia, Louisiana, New Jersey and South Carolina have no paper backup systems anywhere in the state. Nine other states have several jurisdictions without a physical alternative to electronic records — Arkansas, Florida, Indiana, Kansas, Kentucky, Mississippi, Pennsylvania, Tennessee and Texas.
The National Academy of Sciences report is blunt: “There is no realistic mechanism to fully secure vote casting and tabulation computer systems from cyber threats.” But election officials can and should audit votes — rather than performing time-consuming full recounts — before election results are certified to confirm their legitimacy, the report states. Risk-limiting audits are a relatively new way to double-check the results of an election after the fact. First implemented in Colorado in 2017, the audits examine a randomly chosen, statistically significant number of paper ballots and compare the results in those ballots to the actual result. They’re done no matter the margin of victory; suspicious results may trigger a full recount. “It’s an abbreviated recount, in a sense,” said Ronald Rivest, one of the inventors of the RSA public-key cryptosystem and a member of the NAS panel that wrote the report.
A group of security researchers and voting technology vendors trying to hash out cybersecurity requirements for voting systems once again butted heads over whether to require vendors to let anyone test their products. The subject arose during a teleconference late last week of the Voluntary Voting System Guidelines cyber working group. When election security consultant Neal McBurnett suggested that the new guidelines require vendors to make products available for open-ended vulnerability testing, Joel Franklin of voting giant Election Systems & Software shot back with a question: “Is there other software tied to critical infrastructure software that’s open to public OEVT?” Franklin said he wasn’t dismissing the value of OEVT. “I’m just wondering if we’re putting an undue burden on voting systems when there are computers in nuclear security and every other critical infrastructure industry” that aren’t available for OEVT.
lection officials across the US are inundated and confused by the plethora of free cyber-security offerings that the private sector has made available in the past months, a Department of Homeland Security official said last week. … But while the actions of these companies were driven by a desire to help, a DHS official says these free offerings have managed to create confusion with some election officials. “So what we’ve seen is a lot of the cyber-security companies and the IT companies offering free services, which I think is a great move forward,” said Christopher Krebs, Under Secretary for National Protection and Programs Directorate at the DHS, in an interview on the Cyberlaw Podcast, last week.
Election officials across the country have closed thousands of polling places and reduced the number of workers staffing them in recent years, citing cost savings and other new realities like increased early and absentee balloting. However, days from what many expect will be one of the busiest midterm elections in decades, the burden of Americans’ shrinking access to in-person voting options is falling more heavily on urban areas and minority voters, a USA TODAY analysis of national and state data shows. Voting rights advocates say the disappearance of polling sites could create confusion about where to vote, and thinner staffing of remaining sites could mean longer lines. Those problems, they fear, could shrink voter turnout in some neighborhoods.
Since the adoption of electronic voting machines in the 1990s, election experts have argued that paper records are critical for auditing elections and detecting potential tampering with vote tallies. The issue gained new prominence following the 2016 elections, which spurred multiple investigations into allegations of Russian interference in the electoral process. In a panel discussion hosted by Princeton’s Center for Information Technology Policy (CITP), experts examined the state of U.S. election security. The moderator Ed Felten, the Robert E. Kahn Professor of Computer Science and Public Affairs and director of CITP, opened the discussion by noting that “Princeton has quite a bit of expertise in this area.” He cited two faculty members working in election technology and policy, Andrew Appel and Jonathan Mayer. Appel, the Eugene Higgins Professor of Computer Science, recently served as a member of the National Academies’ Committee on the Future of Voting, while Mayer, assistant professor of computer science and public affairs, recently developed bipartisan election security legislation as a staffer in the United States Senate. Also on the panel was Marian Schneider, a former Pennsylvania elections official and the president of Verified Voting, a nonprofit organization that aims to improve election security practices.
Sometimes, it’s the scale. Hundreds of thousands of votes take longer to tally than just a few, so huge urban areas often lag behind smaller places. Other times, it’s the mail. California, for instance, where there are seven tight House races, is notoriously slow, in part because more than half of voters opt to use vote-by-mail ballots (a.k.a. “absentee” ballots in some places). California ballots postmarked on Election Day have three days to show up at county elections offices. A few other states allow a week or 10 days; Alaska will accept ballots from abroad up to 15 days later. “I’ve always speculated about a worst-case scenario where an Alaska Senate seat could determine control of the U.S. Senate, and there may still be ballots sitting at local ‘post offices,’” said Paul Gronke, director of the Early Voting Information Center at Reed College, in an email. “Post office,” he said, could actually mean a remote bait shop or grocery store from which ballots would need to be airlifted, validated and counted.