With midterm elections right around the corner, election officials says they’re focused on putting contingency plans in place so voting can continue even if systems are disrupted. Edgardo Cortés, the former Virginia Commissioner of Elections and current Election Security Advisor at the Brennan Center for Justice, said he is focused on low-tech plans to ensure voting continues to take place. These plans include having enough provisional ballots and having a back-up paper poll book at each voting location — “things that will keep the process going and allow people to vote even if we end up with a worst-case situation,” Cortés said at a Sept. 24 Brennan Center event.
National: Risk Limiting Audits (RLAs) Gain Traction With State & Local Election Officials In Advance Of 2018 U.S. Midterm Elections | Free & Fair
To guard against the multitude of election security threats ahead of the 2018 U.S. midterms, state and local jurisdictions are turning to Risk Limiting Audits (RLAs). Two of the more notable RLA initiatives – State of Colorado and Orange County, Ca. – leverage software developed by election technology startup Free & Fair. A Risk Limiting Audit is an evidence-based method that checks the integrity of election tabulation outcomes by comparing a random manual recount sampling of paper ballots to their corresponding digital versions. RLAs are better and more efficient than the random post-election audits used by jurisdictions today, because they generally require a smaller number of ballots to be audited but still provide a much higher statistical probability that the outcome is correct. In November 2017, Colorado completed the first U.S. statewide set of risk-limiting post-election audits in binding elections – with all 56 Colorado counties that had a November election passing. State of Colorado recently earned the Government Innovation Award for its pioneering use of RLAs in binding elections. Free & Fair, which offers transparent, cyber secure and verifiable election systems, developed the software tools for this first U.S. statewide implementation of RLAs beginning with the November 2017 general election.
At a time when our nation seems so polarized by politics, National Voter Registration Day is something we can all get behind, no matter who we’re voting for. Ahead of the midterm elections, “Good Morning America” is highlighting some ways you can make sure your voice is heard, and how some organizations are stepping up to show there is no excuse to not hit the polls this November. … Stephanie Young, a spokesperson for the nonpartisan organization When We All Vote, which is co-chaired by former first lady Michelle Obama, told “GMA” that it is important to make voting a “collective” activity.
The good news is that the thousands of county and municipal governments that administer elections across the US have a variety of effective cybersecurity programs available to them, free of charge. The bad news is that the vast majority don’t use any of them. In the complex debate about US election security, the focus tends to be on campaigns, parties, states, voting equipment manufacturers, and national trends. But the literal administration of elections, like the printing of ballots, coordinating poll workers, and organizing polling places, falls to more than 10,000 county clerks and local municipalities, according to the nonprofit organization Verified Voting. And those are the people the Department of Homeland Security would like to sign up for its cybersecurity program.
National: Thousands at risk from rightwing push to purge eligible voters from US rolls | The Guardian
In June last year, Luis, a resident of Virginia, was astonished to discover that his name and personal details, including home address, had been posted on the internet by a group known as the Public Interest Legal Foundation (Pilf). Luis’s data had been released by the group, along with hundreds of other names, as an appendix to Pilf’s two-part report called “Alien Invasion”. The front cover showed a UFO hovering ominously over a billboard on which the famous tourism slogan “Virginia is for lovers” had been photoshopped to read: “Virginia is for aliens”. In lurid language, Pilf claimed that it had uncovered proof that “large numbers of ineligible aliens are registering to vote and casting ballots”. It warned its readers: “Your vote is at risk. New alien voters are being added to the rolls month after month, and swift changes must be made to ensure that only Americans are choosing American leaders.” The only problem was that Luis, in common with dozens of other Virginians on the list posted by Pilf, was not in fact an “alien”. He was born in Los Angeles and has always enjoyed US citizenship, with full rights to vote since the age of 18. He also happens to be a federal employee of the US immigration service. Yet here he was, his name attached to a report in which Pilf claimed to have discovered more than 5,000 non-citizens in Virginia who had cast 7,474 votes – every one a criminal act amounting to a felony.
It’s been a tough couple of years for the business of voting. There’s the state that discovered a Russian oligarch now finances the company that hosts its voting data. Then there’s the company that manufactures and services voter registration software in eight states that found itself hacked by Russian operatives leading up to the 2016 presidential election. And then there’s the largest voting machine company in the country, which initially denied and then admitted it had installed software on its systems considered by experts to be extremely vulnerable to hacking. Private companies play a crucial role in elections, from printing and designing ballots, to manufacturing voting machines, to hosting results websites. The industry exists because the local and state governments who run elections don’t have the resources or expertise to maintain all aspects of an election themselves.
Joseph Stalin, no friend of free elections, is credited with saying it was not the people who cast the votes that decide elections. It’s the people who count them. Since the 2016 presidential election, considerable thought — but not much money — has gone into seeing if he’s wrong. According to an expert interviewed by NPR, it would cost at most $400 million to make states with vulnerable systems more secure, but a bill to do that died in Congress last month. There have been some changes in voting procedures, but whether the changes will be enough to block foreign and domestic interference with the upcoming midterm elections is simply unknown.
It its latest report on minority voting rights in America, published this month, the bipartisan United States Commission on Civil Rights reports that a range of restrictive voting measures have been enacted by states in recent years. They range from laws demanding that voters produce specific forms of identification to reductions in the number of locations where people can cast their ballot. These laws have a disproportionate effect on the ability of minority groups to exercise their voting rights. And thanks to a 2013 Supreme Court decision that weakens federal authority to restrict such laws, they are remaining on the books. The 1965 Voting Rights Act and its extensions helped dismantle generations of rules and regulations that had disenfranchised minority voters—and in particular black Americans. One of the act’s major provisions mandated that jurisdictions with a history of voter rights discrimination, including Texas, North Carolina, and seven other states, had to “pre-clear” new voting requirements. This involved persuading the federal government or a three-judge panel that the requirements would not be discriminatory in impact. But in 2013, the Supreme Court struck down the pre-clearance process.
Sandwiched between Building 20 and Building 21 in the heart of Facebook’s campus, an approximately 25-foot-by-35-foot conference room is under construction. Thick cords of blue wiring hang from the ceiling, ready to be attached to window-size computer monitors on 16 desks. On one wall, a half-dozen televisions will be tuned to CNN, MSNBC, Fox News and other major networks. A small paper sign with orange lettering taped to the glass door describes what’s being built: “War Room.” Although it is not much to look at now, as of next week the space will be Facebook’s headquarters for safeguarding elections. More than 300 people across the company are working on the initiative, but the War Room will house a team of about 20 focused on rooting out disinformation, monitoring false news and deleting fake accounts that may be trying to influence voters before elections in the United States, Brazil and other countries.
A federal judge ruled this week that Georgia does not have to replace its electronic voting machines with machines that create paper records before the election in November. In her ruling, though, the judge noted she’s “gravely concerned” about Georgia’s slow pace in addressing electronic voting vulnerabilities. Here & Now’s Jeremy Hobson talks with Marian Schneider, president of Verified Voting, a nonpartisan nonprofit that advocates for accurate and verifiable elections, about those vulnerabilities and how secure electronic voting machines are.
On her opinion of the judge’s ruling in Georgia: “I do think that it’s a significant decision, but I think that the judge was concerned about the amount of time before the election, that there wasn’t enough time to smoothly implement paper ballots. “There’s only seven weeks between now and the election, and the early voting would start soon, too. So I think that was a greater concern for the court, but I think the judge made a lot of very significant findings about the vulnerabilities that are present in paperless computer systems that count our votes.”
On an October afternoon before the 2016 election, a huge banner was unfurled from the Manhattan Bridge in New York City: Vladimir V. Putin against a Russian-flag background, and the unlikely word “Peacemaker” below. It was a daredevil happy birthday to the Russian president, who was turning 64. In November, shortly after Donald J. Trump eked out a victory that Moscow had worked to assist, an even bigger banner appeared, this time on the Arlington Memorial Bridge in Washington: the face of President Barack Obama and “Goodbye Murderer” in big red letters. Police never identified who had hung the banners, but there were clues. The earliest promoters of the images on Twitter were American-sounding accounts, including @LeroyLovesUSA, later exposed as Russian fakes operated from St. Petersburg to influence American voters. The Kremlin, it appeared, had reached onto United States soil in New York and Washington. The banners may well have been intended as visual victory laps for the most effective foreign interference in an American election in history.
During the last election, Russian cyberattackers looking for vulnerabilities scanned 21 state election systems, including those in Illinois, over the 2016 campaigns. While the Department of Homeland Security says the scanning activity did not necessarily breach systems, some individual states have reported compromised data. This year, for instance, the Illinois State Board of Elections reported a 2016 breach of its voter registration system, detailing a SQL injection attack of unknown origin that exposed records in the state’s voter registration database. Since the attack, the Illinois board has worked with state IT experts as well as DHS cybersecurity professionals to keep the database of 18 million records and the servers on which it resides safe from attackers, says Matt Emmons, the agency’s IT director. And there are plenty of hackers out there.
The Defense Department’s newly released cyber strategy draws attention to election meddling, infrastructure protection and greater reliance on commercial technology to get ahead of the curve. A summary of the DOD’s cyber strategy released Sept. 18 boasted an assertive stance on election meddling and attribution, calling out cyber “challenges to [U.S.] democratic processes” as a means for Russia, China, North Korea and Iran to inflict damage without engaging in armed conflict. However, the Pentagon remained firm in its infrastructure protection role. DOD will partner with the private sector and other agencies on improved information sharing “to reduce the risk that malicious cyber activity targeting U.S. critical infrastructure could have catastrophic or cascading consequences,” the document indicated.
Investigations carried out by federal agencies showed that hackers exploited seemingly minor flaws in the electronic voting system to manipulate the vote tally in the last presidential election. The findings might not surprise Americans as much as it would have done a few years ago, because now we know a bigger threat is hanging over the election process. Skeletons of the illegal online campaign launched by Russian agencies a couple of years ago to rig the presidential election are still tumbling out of the closets of technology companies like Facebook (FB) and Google (GOOG). With the midterm polls around the corner, the security agencies are busy plugging all the loopholes in the system to ensure a free and fair election. That the attackers managed to hack important government websites and breached huge volumes of voter data show the severity of the campaign, and that justifies the extra alert this time. Reports show that hackers, with possible Russia connections, are already doing the groundwork to interfere in the November election.
Government officials and cybersecurity experts are arguing that companies need to embrace vulnerability disclosure programs to guard against hacking amid pushback from the largest voting machine company in the United States, which has portrayed efforts to test their systems as a tactic of foreign spy-craft. Vulnerability disclosure programs that invite hackers to test computer systems are a show of strength, participants in a Sept. 18 event at the Atlantic Council argued. “Not having a vulnerability disclosure program amounts to cybersecurity negligence,” said Marten Mickos, the head of Hacker One. It’s a myth that companies can test their systems on their own, said Chris Nims, chief information security officer at Oath, a cybersecurity company. Even large companies who perform penetration testing on their own products cannot catch all vulnerabilities, he argued. “The reality is that is simply not true.”
Russian hackers behind the 2016 Democratic National Committee hack appear to be targeting the personal email of senators and their staffers, according to Sen. Ron Wyden. In a letter today to Senate leaders, the Oregon Democrat urged support for legislation that would allow the Sergeant at Arms to protect those email systems. The letter from Wyden follows reports in January that the Russian hacking group Fancy Bear — which the U.S. intelligence community identified as one group that penetrated the DNC in the lead-up to the 2016 election — was going after Senate offices.
As Election Day gets closer, one issue looms large for voters and election officials alike: cybersecurity. Hoping to quell fears about foreign hackers and repel potential threats, many states and counties are beefing up their plans to deal with cyberattacks. They’re shoring up systems to protect their voter databases and hiring security experts to assess the strength of their defenses. They’re coordinating with social-media organizations to stamp out deliberately fraudulent messages that could mislead voters about how to cast a ballot. And they’re banding together to share information and simulating how to respond to potential emergencies. One simulation-based exercise, held by the Department of Homeland Security in mid-August, gathered officials from 44 states, the District of Columbia and multiple federal agencies, the DHS says. “There absolutely is more emphasis on contingency planning” since 2016, says J. Alex Halderman, a professor of computer science at the University of Michigan.
National: Election Equipment Vendors Play a Key, and Underexamined, Role in U.S. Democracy | Take Care
Every vote in the United States — for city council, state representative, or president — is cast using materials and equipment manufactured by third party vendors. There are vendors large and small, but the American election equipment industry is dominated by three vendors: ES&S, Hart, and Dominion. These vendors manufacture the machines that approximately 92% of eligible voters use on election day — and they wield extraordinary power with significant implications for our democracy. Because of this, it’s critical that elected officials and advocates pay attention to the role vendors play in the security and transparency of American election systems. Perhaps most concerning are vendor efforts to keep secret the technology upon which American elections rely while at the same time feteing state and local election officials with expensive trips and meals. Vendors have actively and increasingly pushed back on efforts to study and analyze the equipment that forms the basic foundation of our democratic processes.
Symantec is offering a free tool for US campaigns and election officials to fight fraudulent websites, the company announced Tuesday. The feature could help take away an important weapon in the election hacking arsenal: the spoof website. Lookalike websites could imitate official government sites and report false information about candidates or voting. What’s more, they’ve already been used to imitate a login page to trick campaign workers to enter their valuable usernames and passwords. That approach, called phishing, was key to letting hackers gain access to the emails and internal documents of important Democratic Party organizations and key figures in Hillary Clinton’s 2016 presidential campaign, according to an indictment of the Russian hackers alleged to have stolen and leaked emails from the groups.
National: Is There Voter Suppression In 2018? Here’s What It Could Look Like In The Midterms | Bustlea
Voter suppression is a serious issue that takes many forms — but it’s a lot more subtle than you might think. When it comes to voter suppression in the midterms, you might not even know it’s happening, but you can bet that a bunch of (strategically placed) red tape will end up blocking some people from voting this year. Basically, any action taken with the goal of preventing or dissuading you from voting is voter suppression. You often hear about voter suppression in the context of policies that have made it harder for certain groups of people, or for people who live in certain areas, to cast their ballots. These barriers are bureaucratic for the most part. Voting rights advocates point to voter ID requirements, decreased early voting opportunities, polling station closures, voter roll purges, and gerrymandering as means of voter suppression. Voting rights groups like the American Civil Liberties Union are challenging most of these obstacles in court, but there’s still the possibility you could run into difficulties at the polls. Don’t panic, though. There are a few simple steps you can take to make sure you (and the people you know) don’t encounter any barriers to voting this year. Let’s walk through some of the hurdles that could prevent you from voting, and then we’ll talk about what you can do about them.
In my community, we vote by filling in circles on a paper sheet that goes into a scanner — we have a paper trail. Can such a process still be hacked? Yes, though paperless voting machines can more easily be hacked. Professors Ronald Rivest of MIT and J. Alex Halderman of the University of Michigan explained on Sept. 13 in a session at EmTech MIT on how hackers can alter elections. According to Rivest, about 80% of voting jurisdictions in the U.S. have some sort of paper trail in the event of voting-machine hacks. If, however, you vote in Delaware, Georgia, Louisiana, New Jersey, South Carolina, or Nevada, there is no way to hand-count the votes should the need arise; votes are electronically recorded. The map below reveals that many other states use a mixture of paper and paperless voting systems.
From racial segregation to environmental destruction to voter suppression, the concepts of “federalism” and “states’ rights” have a long-running association with some of the worst outcomes of American conservatism. And we may soon add “endangering American democracy” to that list. These political philosophies are being invoked to sink a key election-security bill — at a time when midterm elections are being actively probed and prodded for weaknesses by potentially hostile nation-states. The Secure Elections Act (SEA), which seemed poised to become a rare bipartisan slam-dunk, may not even make it to a vote now that the bill has been pulled from committee, reportedly under order of the Trump White House.
When voters go to the polls in five states, a verified paper trail will not follow them. At a time of heightened concerns over election interference, election-security experts have called for that to change, suggesting paper results – visually confirmed by voters – would help state officials recover in the event of meddling or simple mistakes. “That presents a greater risk because there’s no way to detect if things have gone wrong,” said Marian Schneider, former deputy secretary of voting and administration in Pennsylvania and the president of the group Verified Voting. Paper ballots – or, at least, auditable paper trails, in which voters can see their choices recorded on a printed roll of paper – have been recommended by experts from Homeland Security Secretary Kirstjen Nielsen to the Brennan Center for Justice’s Democracy Program to the Defending Digital Democracy Project at Harvard’s Belfer Center. A large swath of Americans, however, will vote without them.
Advocates for immigrants and voting rights filed a federal lawsuit Monday demanding information from the U.S. Citizenship and Immigration Service. The groups believe that the Trump administration is engaged in deliberate foot-dragging to potentially slow new citizens from registering as Democrats. According to federal figures, 6.6 million people followed the process and became eligible to vote in the decade before 2012. Plaintiffs said the flow has since hit a roadblock. “They have at least doubled the amount of time it takes to become a citizen,” said Peter Schey, president of the Center for Human Rights and Constitutional Law.
National: Facebook pilots new political campaign security tools — just 50 days before Election Day | TechCrunch
Facebook has rolled out a “pilot” program of new security tools for political campaigns — just weeks before millions of Americans go to the polls for the midterm elections. The social networking giant said it’s targeting campaigns that “may be particularly vulnerable to targeting by hackers and foreign adversaries.” Once enrolled, Facebook said it’ll help campaigns adopt stronger security protections, “like two-factor authentication and monitor for potential hacking threats,” said Nathaniel Gleicher, Facebook’s head of cybersecurity policy, in a Monday blog post.
Paul Manafort, Donald Trump’s former campaign chairman, has agreed to cooperate with Robert Mueller’s inquiry into Russian interference in the 2016 election, in a move that could cause legal trouble for the president. The dramatic development in the Trump-Russia saga was announced at a court hearing in Washington DC on Friday morning, where Manafort confessed to two criminal charges as part of a plea deal. “I’m guilty,” he said. Manafort signed a 17-page plea agreement that said he would assist government prosecutors with “any and all” matters, and brief officials about “his participation in and knowledge of all criminal activities”. He also agreed to turn over documents and testify in other cases.
National: How to hack an election—and what states should do to prevent fake votes | MIT Technology Review
Donald Trump won the 2016 presidential election thanks to the votes of just 107,000 people in three states. The intricacies of the Electoral College help create situations where a relatively small number of US citizens can decide who wins the presidency. How susceptible could these votes be to tampering? The answer: a lot more than you might realize. In a live demonstration at MIT Technology Review’s EmTech conference today, J. Alex Halderman, professor of computer science and engineering at the University of Michigan, showed just how easy it would be to meddle with vote tallies to directly change election outcomes. Halderman brought an AccuVote TSX machine to the stage in a live demonstration of the dangers. He had three volunteers use the machine to vote in a mock election between George Washington and Benedict Arnold. Cameras pointing at the screen and projected above the stage showed the three voters casting their ballots for Washington. Yet when Halderman printed the returns from the machine, the reported result was a two-to-one victory for Arnold.
More than one-third of counties that are overseeing elections in some of the most contested congressional races this November run email systems that could make it easy for hackers to log in and steal potentially sensitive information. A ProPublica survey found that official email accounts used by 11 county election offices, which are in charge of tallying votes in 12 key U.S. House of Representatives races from California to Ohio, could be breached with only a user name and password – potentially allowing hackers to vacuum up confidential communications or impersonate election administrators. Cybersecurity experts recommend having a second means of verifying a user’s identity, such as typing in an additional code from a smartphone or card, to thwart intruders who have gained someone’s login credentials through trickery or theft. This system, known as two-factor verification, is available on many commercial email services. “Humans are horrific at creating passwords, which is why ‘password’ is the most commonly used password,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., who has pushed for security fixes in the voting process. This means increasingly we need something other than passwords to secure access to our accounts, especially email, which tends to undergird all our other accounts.”
National: Feds brief House Oversight on election security for 2018 midterm elections | Washington Examiner
The House Oversight Committee held a classified briefing on election security and foreign influence on Thursday, with less than two months until the midterm elections. “As we near midterm elections, we must take every step possible to safeguard our electoral process and ensure our fellow citizens have confidence in the security of elections,” said committee Chairman Trey Gowdy, R-S.C., in a statement.
National: Lawmakers warn Trump’s election interference order does not go nearly far enough | The Washington Post
The Trump administration’s latest effort to deter foreign interference in U.S. elections is falling flat with lawmakers, who are prepared to pursue even tougher punishments against Russia and other adversaries who seek to disrupt U.S. politics. Democrats — and at least one Republican — said President Trump’s order Wednesday authorizing additional sanctions against foreign entities that interfere in elections is too weak because it gives Trump discretion over when to impose the harshest penalties, as my colleagues Anne Gearan and Felicia Sonmez reported. The lawmakers seized on the opportunity to renew calls for legislation that they argued would more effectively deter election cyberattacks.