National: FEC shutdown — Democracy dies in daylight, too | Renée Graham/The Boston Globe

The Federal Election Commission is essentially toast. Last week, Matthew Petersen, its Republican vice chairman, resigned, leaving the six-member panel with only three members — one person short of the requisite quorum. “Without a quorum, certain Commission activities will not take place,” said FEC commissioner Caroline C. Hunter in a statement. “For example, the Commission will not be able to hold meetings, initiate audits, vote on enforcement matters, issue advisory opinions, or engage in rulemakings.” In one of his last actions, Petersen, along with Hunter, also a Republican, stopped the FEC from using its powers as intended. They blocked an investigation into a report that Alexander Torshin (a Russian central banker close to Russian President Vladimir Putin) and Maria Butina used the NRA as “a conduit” to illegally funnel money between Russia and the Trump campaign. Butina later pleaded guilty to conspiring to act as an unregistered foreign agent of the Russian state. She was sentenced to 18 months in prison. Now the FEC’s dysfunction is tumbling toward disaster. The regulatory agency charged with enforcing campaign finance laws in federal elections has been kneecapped during a general election season already under a sustained attack by enemies both foreign and domestic.

National: States Upgrade Election Equipment — Wary Of ‘A Race Without A Finish Line’ | Pam Fessler/NPR

With five months before primary season begins, election officials around the country are busy buying new voting equipment. Their main focus is security, after Russians tried to hack into U.S. election systems in 2016. Intelligence officials have warned that similar attacks are likely in 2020, from either Russia or others intent on disrupting U.S. elections. Federal, state and local authorities are trying to improve the security of the nation’s voting systems before that happens. One way they’re doing that is by purchasing more machines that produce paper ballots, which can be used to verify results in the event of a cyberattack on electronic systems. … Marian Schneider, a former Pennsylvania election official, thinks whatever the counties decide, this state is in much better shape than it was in 2016, when more than 80 percent of its machines had no paper records. “You couldn’t check them. Whatever the computer said, the computer said. You were done,” Schneider says. “This is a sea change for Pennsylvania and it’s a good thing.” But Schneider, who runs Verified Voting, a national group that’s long promoted paper ballots, also says paper alone is not enough. “You have to check the paper afterwards. You have to randomly sample those ballots and make sure that the results that the software reported matches what’s on the paper ballots,” she says. She’s talking about something called a risk-limiting audit, which is becoming an increasingly popular way to verify election results. Pennsylvania is among a dozen states now testing the idea.

National: Election Security And Voting Machines: What You Need To Know | Philip Ewing/NPR

Voting systems in the United States have come a long way since the hanging chads of the 2000 recount in Florida — but now cybersecurity is as big a concern as ballot fidelity. Here’s what you need to know.

The good news

There are about 3,200 counties or their equivalents across the United States and its territories, ranging in size from Los Angeles County with around 10 million residents to Kalawao County, Hawaii, with fewer than 100. Most counties — more than 70% — have populations under about 50,000, says the National Association of Counties. That huge breadth and diversity means that most elections truly are local and it would be nearly impossible for a foreign adversary to touch them all with a single effort. Elections in the United States remain, as then-FBI Director James Comey famously told Congress, “a bit of a hairball.”

The bad news

A huge breadth and diversity of counties means a huge breadth and diversity of security capabilities. Also, every jurisdiction that runs elections in the United States doesn’t present the same kind of appeal to a foreign interference campaign. The results of a close election can depend on turnout in only a few key states or other locations, meaning some locations are under much more pressure than others.

At the same time, evidence about successful interference in an election system anywhere in the United States would raise questions about the integrity of elections everywhere. Russian cyberattackers have been able to gain access to voter databases and other systems around country, but U.S. officials say they believe no votes have been changed.

National: States brace for ransomware assaults on voter registries | Laura Hautala/CNET

Extortionists have recently shut down municipal computer systems in Texas, Maryland, Florida and New York, threatening to erase databases unless the cities pay a ransom. Now officials around the country are concerned the tool the hackers used, known as ransomware, could be tapped to target state voter registration rolls and disrupt confidence as the nation heads into the 2020 election. Illinois, for example, is making its voter registration database accessible only from a closed fiber optic network, rather than the open internet, according to Matt Deitrich, a spokesman for the State Board of Elections. The Prairie State is making progress, though it still has a way to go, he says. Less than a third of its 108 jurisdictions currently connect to the database via the dedicated network. The security effort is worth it, Deitrich says. If a hacker successfully hits even one county’s election agency with ransomware, that can create the impression the whole system is compromised. “It’s a phenomenon that can undermine voter confidence,” Deitrich said. Ransomware would be a new feature of election hacking, which came to public attention after intelligence officials said Russian hackers probed voter registries during the 2016 presidential campaign. A ransomware attack in 2020 could prove devastating, preventing voters from registering or poll workers from confirming voter eligibility, officials say. The hackers’ goal wouldn’t be changing the votes that were cast, but spreading doubt that eligible voters were able to make their voices heard.

National: Report highlights Instagram, deepfake videos as key disinformation threats in 2020 elections | Maggie Miller/The Hill

Instagram will likely be the main social media platform used to disseminate disinformation during the 2020 election, while altered “deepfake” videos of candidates will pose a threat as well, according to a report out on Wednesday.  The report on disinformation tactics during the 2020 election, put together by New York University’s (NYU) Stern Center for Business and Human Rights, also pinpointed China, Russia, and Iran as countries likely to launch such attacks against the U.S. in the lead up to the elections. But foreign states will not be alone, with NYU finding that domestic sources of disinformation, such as users within the U.S. creating and circulating it, will be more prevalent than overseas ones. Voter suppression will be the main target of both streams of disinformation, with the report warning that “unwitting Americans” could also be manipulated into participating in rallies and protests. The report from NYU emphasized that while “social media companies are playing better defense than they did in 2016,” it called on them “to step up their games in anticipation of 2020.”

National: Advocates push Census Bureau to prepare for security breaches, disinformation ahead of 2020 count | Bill Lambrecht/San Antonio Express-News

As the first U.S. census to be conducted mainly online gets underway in the coming months, warnings from the Government Accountability Office about “substantial cybersecurity challenges” and disinformation campaigns raise concerns about how such a massive operation – collecting the names, addresses and birth dates of more than 300 million people – could be undermined by malicious actors on social media. Analysts monitoring the internet say they see no evidence of concerted efforts to sow bad information about the 2020 count. Yet in one instance, a post on a neo-Nazi website encouraged people to seek temporary Census Bureau employment in order to turn in immigrants who are living in the country illegally. Census workers are sworn to protect such information. Census experts note the potential lure of the census to people with ill intent. The decennial count is the basis for drawing congressional and legislative districts for a decade and determining where more than $800 billion gets distributed annually. In Texas, an undercount of the state’s fast-growing Latino population could threaten billions in tax dollars and the prospects of gaining three seats in the U.S. House from population shifts.

National: 2020 presidential election: What the NSA is doing to prepare and how the agency tackled the 2018 midterms | Olivia Gazis/ CBS News

The National Security Agency has begun revealing some of its preparations for the 2020 presidential elections, drawing in part from from its previous successes during the 2018 midterm elections. But officials also warned that cyber threats from foreign adversaries were evolving, accelerating and likely to reach a growing number of targets. NSA officials outlined a three-part approach they said was key to ensuring the security of the 2018 midterms: They first sought to understand adversaries’ activities, and then shared, chiefly through the FBI and Department of Homeland Security, information with potential targets. Along with U.S. Cyber Command, the military’s cyber defense arm, officials said they also imposed unspecified “costs” on those aiming to disrupt U.S. political processes. “[W]e said… if there is an adversary or adversaries that are attempting to either influence or interfere in our elections, we’re going to take them on,” General Paul Nakasone, who leads both the NSA and U.S. Cyber Command, said at the annual Intelligence and National Security Alliance (INSA) Summit last week.  

National: Republicans and Democrats agree that the U.S. should strengthen election security. So why doesn’t Mitch McConnell? | Evan Crawford/The Washington Post

The Senate Intelligence Committee recently released the first volume in what will be a series of reports on Russian interference in the 2016 election. Here’s the most startling thing we learned: Russian hackers targeted election infrastructure not just in 21 or 39 states, as previously reported — but in 50 states. These efforts ranged from scanning state election websites to test for vulnerability to gaining access to the Illinois voter database and being “in a position to delete or change voter data,” according to the Senate report, though no evidence has emerged that any data was actually changed. In response, the committee made recommendations to ensure a more secure 2020 election. Election experts have long been calling for many of these actions, including increased communication between federal, state and local election officials; post-election audits; and updated voting equipment. Many of these measures were part of a bill that the House passed, the Securing America’s Federal Elections Act. But Senate Majority Leader Mitch McConnell (R-Ky.) has effectively blocked this legislation from being considered in the Senate. So where does the public stand on these issues? There’s a bipartisan consensus about election security.

National: Alex Halderman Speaks About Election Cybersecurity at CyberSec & AI Prague Conference | Avast/Security Boulevard

Alex Halderman was researching election hacking a decade before the 2016 U.S. presidential race made it front-page news. The computer science professor at the University of Michigan brought change to India’s elections, turned a U.S. voting machine into a Pac-Man arcade game, and warned Congress twice about the vulnerabilities that await 2020’s U.S. elections. Yet he is bringing a decidedly low-tech solution – a return to the backup of a “paper trail” for ballots – to one of cybersecurity’s biggest challenges when he speaks to the top minds in artificial intelligence at the CyberSec & AI Prague conference in October. Halderman has researched elections in India, Estonia, Australia, and the United States and found that – as in other areas of modern life – tech can introduce as well as address cybersecurity problems. “Countries around the world are turning to computer technology and internet-connected systems to try to make elections better, but the fact is that opens up whole new categories of risk.”

National: No Quorum At FEC Means Election Law Enforcement Is On Hold | Brian Naylor/NPR

Barring some kind of miraculous last-minute reprieve, Friday will be the last business day that the Federal Election Commission will be able to function for quite a while, leaving the enforcement of federal campaign finance laws unattended ahead of the 2020 election. The commission’s vice chairman, Matthew Petersen, announced his resignation earlier this week, to take effect at the end of the month. With Petersen gone, the FEC will be down to three members, and won’t have a quorum. In addition to collecting campaign finance data, the FEC investigates potential campaign finance violations, issues fines and gives guidance to campaigns about following election law — but not without a working quorum of at least four commissioners. “To not have the FEC able to take action right now is deeply concerning,” says Daniel Weiner, a former senior counsel at the FEC, who’s now with the Brennan Center for Justice at New York University law school. In particular, Weiner is concerned about another attempt by Russia or other actors to interfere in the 2020 election.

National: Fancy Bear Dons Plain Clothes to Try to Defeat Machine Learning | Robert Lemos/Dark Reading

An analysis of a sample published by the US government shows Russian espionage group APT28, also known as Fancy Bear, has stripped down its initial infector in an attempt to defeat ML-based defenses. The APT28 cyber-espionage group, often called “Fancy Bear” and linked to Russia, has stripped much of the malicious functionality from its initial infector, hiding it in a sea of benign code, according to an analysis published today by Cylance, a subsidiary of Blackberry. The approach shows that the group has developed greater operational sophistication, says Josh Lemos, vice president of research and intelligence at Cylance (and no relation to the author). The authors of the implant appear to be trying to hide in plain site by using well-known libraries, such as OpenSSL, and a widely used compiler, POCO C++, resulting in 99% of the more than 3 megabytes of code being classified as benign, according to Cylance’s analysis. Those steps, taken along with other newly adopted tactics, suggest the group is trying a different approach to dodge evolving defenses, Lemos says.

National: Blockchain e-voting: Backed by US candidate, hacked in Moscow | Sarah Wray/SmartCitiesWorld

The debate over blockchain-based political voting re-emerged recently as Democratic US presidential hopeful Andrew Yang backs the technology to boost voter numbers and security, while a French researcher has hacked into the blockchain-based voting system which officials plan to use next month for the 2019 Moscow City Duma election. On his campaign website, Yang states that voting should be available via mobile devices with verification through blockchain. He argues that modernising voting with decentralised ledger technology could increase security, reduce inconsistent processes between states and restore confidence in democracy. Philip Boucher, a European Policy Research Service (EPRS) policy analyst, explains the theory behind blockchain voting: “In elections, we usually have a central authority that records, checks and counts all of the votes. With blockchain, the process is decentralised so everyone can hold a copy of the full voting record on their own devices. The data is encrypted to protect the identity of individual voters. Illegitimate votes cannot be added and the historical record cannot be changed because everyone holds a copy and can check that all of the votes comply with the rules and are counted properly.” Some have even suggested that in future, blockchain votes could be encoded into ‘smart contracts’ so that the results automatically take effect “like a self-implementing manifesto”. Several countries and local authorities have explored or experimented with the idea of digital voting.

National: FEC vice chairman resigns, leaving agency unable to vote | Maggie Miller/The Hill

The vice chairman of the Federal Election Commission (FEC) submitted his resignation letter to President Trump on Monday, leaving the agency without the necessary number of commissioners to vote on proposed actions. Matthew Petersen, a Republican who has served as a commissioner since 2008, wrote that he will formally step down on Aug. 31. “Throughout my service, I have faithfully discharged my duty to enforce the law in a manner that respects free speech rights, while also fairly interpreting the relevant statutes and regulations and providing meaningful notice to those subject to FEC jurisdiction,” Petersen wrote. “I am honored to have served the American people in this capacity and to have fulfilled the oath taken 11 years ago.” A spokesperson for the FEC confirmed Petersen’s resignation, declining to comment further. His departure leaves the agency with only three of the four members required to vote on proposed actions.

National: As Russia Eyes 2020, America’s Election Watchdog Is Out of Commission | Nicole Goodkind/Newsweek

The Federal Election Commission, an independent agency that enforces all campaign finance law and ensures the integrity of political campaigns, lost its vice chairman Monday evening, essentially rendering the agency useless. In order to take any official enforcement or regulatory action, the agency is required to have a quorum of four members on its board, but the resignation of Matthew Petersen, effective this week, leaves the commission with only three members, all of whom are still working even though their six-year terms of service have all expired. There were already three vacancies before this week’s kerfuffle. The FEC issued about $33.6 million in fines between 1999 and 2008, but over the last 10 years that dropped to $11.4 million. Yet, election security has become an increasingly important issue. Just last month, former special counsel Robert Mueller ominously warned Congress that Russia had lofty plans to interfere in the next election. “They’re doing it as we sit here and they expect to do it during the next campaign,” he said.

National: Ransomware threat raises National Guard’s role in state cybersecurity | Benjamin Freed/StateScoop

National Guard units already play a large role in state governments’ cybersecurity activities, such as protecting election systems, but the threat of ransomware to cripple a state or city organization is a growing concern for uniformed personnel, the top military official overseeing the National Guard across the United States said. While Americans are long used to seeing guardsmen and women roll into to disaster-stricken areas after a hurricane or wildfire, deployments following cyberattacks are increasingly common, Air Force Gen. Joseph Lengyel said Friday on a conference call with reporters, likening the recent ransomware incidents in Texas and Louisiana to a “cyber storm,” though not quite a “cyber hurricane.” “We’re seeing the whole of the first responder networks come to assist and mitigate the damage and get everything back up and running, and the National Guard is part of that response,” he said.

National: U.S. officials fear ransomware attack against 2020 election | Christopher Bing/Reuters

The U.S. government plans to launch a program in roughly one month that narrowly focuses on protecting voter registration databases and systems ahead of the 2020 presidential election. These systems, which are widely used to validate the eligibility of voters before they cast ballots, were compromised in 2016 by Russian hackers seeking to collect information. Intelligence officials are concerned that foreign hackers in 2020 not only will target the databases but attempt to manipulate, disrupt or destroy the data, according to current and former U.S. officials. “We assess these systems as high risk,” said a senior U.S. official, because they are one of the few pieces of election technology regularly connected to the Internet. The Cybersecurity Infrastructure Security Agency, or CISA, a division of the Homeland Security Department, fears the databases could be targeted by ransomware, a type of virus that has crippled city computer networks across the United States, including recently in Texas, Baltimore and Atlanta. “Recent history has shown that state and county governments and those who support them are targets for ransomware attacks,” said Christopher Krebs, CISA’s director. “That is why we are working alongside election officials and their private sector partners to help protect their databases and respond to possible ransomware attacks.”

National: Federal officials working with states to protect elections | Andrew Selsky/Associated Press

Huddled in small groups in a remote town in Oregon, county and state elections officials tried to overcome hacking attempts, power failures and other problems as election day approached and finally arrived. It was a tabletop exercise, held as federal officials work to bolster defenses against interference in the 2020 elections, with states being a main line of defense against attempts by Russia or others to disrupt the elections. Officials from the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency traveled to La Grande, a town located in ranching country in northeast Oregon, for Wednesday’s exercise with county and state officials. During the event held on the campus of Eastern Oregon University, the officials had to work through various scenarios, like official websites being hacked, disinformation being spread on social media and electrical power and communications going down, Oregon Elections Director Stephen Trout said in a telephone interview. Disinformation involves deliberately spreading falsehoods and rumors, while misinformation — another election security threat that experts point to — entails simply disseminating incorrect or misleading information.

National: Groups push lawmakers for hearings on voting machine security | Maggie Miller/The Hill

Voting rights and election security groups on Monday urged two House and Senate committees to hold hearings on the security of voting machines. The groups, which include the National Election Defense Coalition, Electronic Privacy Information Center, R Street Institute and Public Citizen, asked the House Administration Committee and the Senate Rules and Administration Committee in a letter to schedule election security hearings that include testimony from voting machine vendors and election security experts. “The security of our nation’s elections is acutely dependent on the vendors that supply our computerized voting systems,” the groups wrote. “The voting system vendors have operated with little oversight and no regulation for decades.” “Given the gravity and urgency of this issue, we write to you to urge the committees to hold a hearing on election system security featuring sworn testimony from officers of the voting system vendors to shed more light on their practices which directly impact the security of the nation,” they added. The groups cited reports in recent months that certain voting systems rely on outdated Windows 7 operating systems, that one major election machine vendor installed remote access software on its election systems and concerns about a lack of transparency from voting machine vendors.

National: DHS cyber agency to prioritize election security, Chinese threats | Maggie Miller/The Hill

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) plans to prioritize election security, cybersecurity at federal agencies, and the “persistent threat” posed by China, among its many goals. The agency laid out its key priorities in a new “strategic intent” document released on Thursday, which CISA Director Christopher Krebs described in the introduction as the “keystone” for the agency. Among Krebs’s operational priorities is addressing Chinese threats to U.S. supply chains and to the rollout of 5G networks, bolstering election security efforts at the state and local level, and protecting the cybersecurity of industrial control systems. Other priorities are protecting federal networks against cyber attacks, such as ransomware incidents that have increasingly spread across the country, and defending “soft targets” and crowded venues from physical threats. CISA is the primary agency responsible for assisting state and local governments with securing elections, replacing the former National Protection and Programs Directorate in a law that took effect last year.

National: Internet-Connected Election Systems Found in 10 U.S. States | Scott Ikeda/CPO Magazine

There has been much talk in the media about interference in United States presidential elections, but most of it has centered around the use of media and disinformation to influence votes. There is a widespread assumption that the voting machines themselves are safe from hacking; though many are electronic, these election systems are not supposed to be connected to the internet. A new report from Vice’s Motherboard indicates that these systems are not nearly as secure as anyone thought they were, including election officials. Researchers told Motherboard that a particular type of election system that is only supposed to connect to the internet for several minutes to transfer votes has been found to sometimes stay connected for months, and in some cases these machines were constantly connected and were exposed for at least a year. The election systems found to be vulnerable are made by a specific manufacturer: Election Systems & Software (ESS). ESS is the largest voting systems company in the country, with at least 260,000 machines in place in 21 states including in some swing states. Security researchers found backend systems that were connected to the internet when they were not supposed to be, distributed across a number of states including the key “battleground” centers of Florida, Michigan and Wisconsin.

National: IT Security Pros: Encryption Backdoors Would Be Election Hacking Risk | Phil Muncaster/Infosecurity Magazine

The IT security community overwhelmingly believes that government-mandated encryption backdoors will put countries at a greater risk of election hacking, according to new Venafi research. The security vendor polled over 380 security professionals at Black Hat USA 2019 in Las Vegas earlier this month, following recent comments by attorney general, William Barr. Like his predecessors, Barr last month claimed that strong data encryption in tech products is effectively creating a “law-free zone” exploited by terrorists and criminals as it “seriously degrades” the ability of law enforcement to detect and prevent crimes. Also like many others, he argued that government-mandated backdoor access “can and must be done,” claiming that if they only tried hard enough, tech firms could find a solution which could enable lawful access to data without undermining security for all users. This argument has been repeatedly shot down, not only by the tech firms themselves, but also world-renowned cryptography experts. Last year they backed senator Ron Wyden’s demands that the FBI explain the technical basis for its repeated claims that encryption backdoors can be engineered without impacting user security.

National: Election Security Lessons from DEFCON 27 | Ciara Torres-Spelliscy/Brennan Center for Justice

Given the extent of foreign interference in the 2016 election, every American should be concerned about election security in 2020. But what can computer hackers teach us about it? To find out, I went to Las Vegas earlier this month to attend DEFCON 27, the largest annual hacking conference in the United States, knowing this was probably my last chance to see a legal election hacking. Voting machines are protected from reverse engineering under the Digital Millennium Copyright Act. But the Library of Congress, which has certain authorities under the law, set a three-year window to allow third parties access to voting machines to test their security. Barring an extension by the Library of Congress, 2019 is the third and last year these hacks are legal. DEFCON is a huge event, and I saw fellow conference-goers all over Las Vegas with their distinctive glowing badges. I was only interested in the DEFCON Voting Village, which included a large assortment of voting equipment for participants to test, hack, and break.

National: Democrats call for a Senate vote on elections reform package | Jennifer McDermott/Associated Press

Democratic congressmen held an event Thursday in Rhode Island to try to pressure Republican Senate Majority Leader Mitch McConnell into allowing a vote on a comprehensive elections and ethics reform package. Maryland Democratic Rep. John Sarbanes, who is the bill’s main author, met with Rhode Island Rep. David Cicilline and Sen. Sheldon Whitehouse in North Providence. The influence of big money in politics is impeding efforts to address climate change, gun violence and prescription drug costs, they said. Activists working on those issues attended the event. “This isn’t just some theory, like wouldn’t it be good to reform government because good government is an abstract idea,” Cicilline said. “It has a direct effect on people’s lives. The corrupting influence of money and its impact on public policy is hurting the American people.”

National: Microsoft ElectionGuard aims to fix America’s broken voting | Mark Wilson/Fast Company

Voting is broken. From the hanging chad debacle of 2000 to the 2018 midterms when decade-old touchscreen computers cast the wrong votes, to long lines outside polling places, our democratic right to elect our own officials is constantly at odds with unreliable equipment and balloting policies that vary from one district to the next. And this is all not to mention that voting machines are absurdly hackable. It’s enough to make people not want to vote at all. But what if you could vote however you wanted to vote? Which could mean at home or, if you’re a person with a disability, with the assistance of specialized hardware? What if you could go online later and ensure your vote was your vote, and that it counted? What if you could write your own piece of software to do a recount of, or audit, your small town’s mayoral election instantly? That’s the vision of ElectionGuard, a new project by Microsoft, which debuted this summer at the Aspen Security Forum. ElectionGuard is an open code standard, that anyone can audit, freely use, and plug into, to create secure digital voting machines that remove many of the barriers of voting. Microsoft teamed up with Tucker Viemeister, a renowned industrial designer who spent years at prestigious firms including Frog, Smart Design, and Rockwell Group designing devices like hair dryers and coffee makers, to build something of a concept car for the future of voting—mostly out of off-the-shelf parts.

National: State Election Infrastructure Is Still Vulnerable, Report Finds | by Phil Goldstein/StateTech Magazine

The 2020 presidential election is more than 14 months away, but some experts are warning that state governments face an uphill battle in defending election infrastructure from cyberattacks. According to a recent report, “Defending Elections: Federal Funding Needs for State Election Security,” many election security projects at the state level are either unfunded or underfunded. The report calls on the federal government to provide more funding for state-level election security measures ahead of next year’s election. “In administering our elections, states face security challenges of unprecedented magnitude,” the report concludes. “They are, in many cases, ill-equipped to defend themselves against the sophisticated, well-resourced intelligence agencies of foreign governments. States should not be expected to defend against such attacks alone. Our federal government should work to provide the states with the resources they need to harden their infrastructure against cybersecurity threats.” The paper was authored by a bipartisan group of organizations including the Brennan Center for Justice, the Alliance for Securing Democracy, the R Street Institute and the University of Pittsburgh Institute for Cyber Law, Policy, and Security.

National: 2020 election security to face same vulnerabilities as in 2016 | Michael Heller/TechTarget

For the third year running, the Voting Village at DEF CON shined a light on election security and one thing was made clear: no one agrees on what to expect in 2020. In opening remarks at DEF CON, founders Harri Hursti, Matt Blaze and Jake Braun laid out the long road the Voting Village has traveled to raise awareness of election security issues. Blaze, who serves as the McDevitt Chair of Computer Science and Law at Georgetown University, pointed out the troubles began with the Help America Vote Act (HAVA), which passed in 2002 as an effort to modernize and improve election administration. “They didn’t understand as much at the time as we do now about building voting machines and almost everything produced to comply with the Help America Vote Act has terrible vulnerabilities associated with it,” Blaze said. “That’s partly because we’ve taken these systems that weren’t dependent on software before and made them dependent on software. And, as everybody here in Las Vegas can tell you, software is utterly terrible. So we essentially took a problem that was hard and we added software to it.” A new initiative at this year’s Voting Village was to connect security researchers and hackers directly to election officials to provide pro bono work to help secure the 2020 election. Braun, an executive director for the University of Chicago Harris School of Public Policy’s Cyber Policy Initiative, noted the past work of the Voting Village had been corroborated. “The Mueller report reinforced a lot of what we identified last year, like you can hack a website with a SQL injection and get into a voter registration database, which is exactly what Mueller said the Russians did in 2016,” Braun said. “And frankly, they didn’t even go as far as we said was possible [in last year’s election.]”

National: Civilians, military abroad may find it more expensive to vote | Bill Theobald/The Fulcrum

Election officials are growing increasingly concerned that the Trump administration’s trade war with China could make it more difficult and expensive for overseas voters — including those in the military — to cast ballots in the 2019 and 2020 local, state and federal elections. The issue is the pending withdrawal in October by the U.S. from the Universal Postal Union, a group of 192 nations that has governed international postal service and rates for 145 years. Last October, the U.S. gave the required one-year notice stating it would leave the UPU unless changes were made to the discounted fees that China pays for shipping small packages to the United States. The subsidized fees — established years ago to help poor, developing countries — place American businesses at a disadvantage and don’t cover costs incurred by the U.S. Postal Service. With the U.S.-imposed deadline for withdrawal or new rates fast approaching, states officials are running out of time to prepare for overseas mail-in voting. Last week, Kentucky elections director Jared Dearing pleaded for help from the Election Assistance Commission — for himself and his peers in other states. The deadline for his state and most others to send out absentee ballots for the fall elections, Dearing said, falls a few days before a Sept. 24-25 UPU meeting in Geneva, Switzerland, to discuss the U.S. proposal to revise the rate system. That makes it difficult to provide voters with guidance about how to return their ballots. If the United States ends up withdrawing from the UPU, overseas citizens may not be able to return their ballots using regular mail service and could have to pay upward of $60 to use one of the commercial shipping services, Dearing said.

National: Republicans use McConnell allies to try and force his hand on election security | Lesley Clark/McClatchy

A conservative group is increasing pressure on Senate Majority Leader Mitch McConnell to put election security legislation up for a vote in the Senate by airing ads that target the Kentucky Republican and four other Republican senators in their home states. Republicans for the Rule of Law is unveiling new spots that urge Sens. Marco Rubio, R-Florida, Roy Blunt, R-Missouri, Lindsey Graham, R-South Carolina, and James Lankford, R-Oklahoma, to push McConnell for a vote, urging them “don’t let Mitch McConnell stand in your way.” The group is also re-airing a 60-second ad that calls on McConnell to act. The 30-second spots will air nearly daily on Fox & Friends starting Wednesday. They’ll also run on Fox News Sunday and NBC’s Meet the Press in the senators’ home cities on Sunday as part of a $400,000 ad buy that includes digital ads. The ads note the senators’ support for election security legislation. “McConnell and all Republican Senators have no greater responsibility than protecting our elections from foreign enemies like Russia and Iran,” said Republicans for the Rule of Law legal advisor and spokesman Chris Truax.

National: America faces a voting security crisis in 2020. Here’s why – and what officials can do about it. | Emily Goldberg/Politico

Paperless voting machines are just waiting to be hacked in 2020. And “upgrading” to paper-based voting machines may sound like an oxymoron, but it’s something cybersecurity experts are urging election officials across the country to do. A POLITICO survey found that in 2018, hundreds of counties in 14 states used paperless voting machines — and almost half of the counties that responded to the survey said they don’t plan on changing that ahead of 2020. Security experts said paperless voting machines are vulnerable to hacking because they leave no paper trail and there’s no way to reliably audit the results when an error occurs. Thousands of Redditors joined us as cybersecurity reporter Eric Geller and voting security expert and University of Michigan professor J. Alex Halderman took on Reddit’s most pressing questions about the weaknesses in America’s election systems. We chatted about voting methods in various countries from the U.S. to India, how much the transition to paper ballots would cost, and even “Star Wars.”

National: Most states still aren’t set to audit paper ballots in 2020 – Despite expert recommendations | Colin Lecher/The Verge

Despite some progress on voting security since 2016, most states in the US aren’t set to require an audit of paper ballots in the November 2020 election, according to a new report out this week from the Brennan Center for Justice. The report notes that experts and government officials have spent years recommending states adopt verifiable paper ballots for elections, but a handful still use electronic methods potentially vulnerable to cyberattacks. In 2016, 14 states used paperless machines, although the number today is 11, and the report estimates that no more than eight will use them in the 2020 election. But the report also found that most states won’t require an audit of those paper records, in which officials review randomly selected ballots — another step experts recommend. Today, only 22 states and the District of Columbia have voter-verifiable paper records and require an audit of those ballots before an election is certified. The number will increase to at least 24 states by the 2020 elections, according to the report. “However,” the report notes, “there is nothing stopping most of these remaining states from conducting such audits if they have the resources and will to do so.”