National: Chinese Technology in Voting Machines Seen as Emerging Threat | Michaela Ross/Bloomberg

The infiltration by foreign countries like China into election voting equipment is emerging as a growing concern among vendors, who are actually asking for more federal regulation as they grapple with a lack of domestic suppliers producing critical technologies. Top executives of the three largest voting machine vendors—Hart InterCivic, Dominion Voting Systems and Election Systems & Software—told the House Administration Committee Thursday they are hoping for guidance and support from the Department of Homeland Security on how to secure their subcontractors. Committee Chairwoman Zoe Lofgren (D-Calif.) said the hearing marked the first time all three CEOs of the largest companies supplying voting machines in the U.S. agreed under oath that they’d welcome comprehensive regulations from the federal government. The executives told committee members they have no choice but to rely on components from China due to a lack of U.S.-made equivalents, a problem facing developers of other technology products including 5G telecommunications and drones.

National: U.S. Probes If Russia Targeting Biden in 2020 Election Meddling | Chris Strohm/Bloomberg

U.S. intelligence and law enforcement officials are assessing whether Russia is trying to undermine Joe Biden in its ongoing disinformation efforts with the former vice president still the front-runner in the race to challenge President Donald Trump, according to two officials familiar with the matter. The probe comes as senior U.S. officials are warning that Russia’s election interference in 2020 could be more brazen than in the 2016 presidential race or the 2018 midterm election. Part of the inquiry is to determine whether Russia is trying to weaken Biden by promoting controversy over his past involvement in U.S. policy toward Ukraine while his son worked for an energy company there. Trump was impeached by the House and faces a trial in the Senate over his pressure on Ukraine’s president to investigate Biden, the early front-runner for the Democratic presidential nomination, as well as an unsupported theory that Ukraine, not Russia, interfered in the 2016 election.

National: Keeping US elections safe from hackers | Maggie Miller/The Hill

Robert Mueller’s former chief of staff from his time at the FBI says Washington isn’t doing nearly enough to secure U.S. election systems in the wake of the special counsel report on Russian interference in 2016. John Carlin, who now chairs the law firm Morrison & Foerster’s global risk and crisis management group and co-chairs its national security practice group, told The Hill in a recent interview that foreign threats against elections are “here and present,” adding that he “absolutely” expects Moscow to attempt to interfere in this year’s vote. “The overall message that the seriousness of what they found in terms of the Russian government interfering in our elections in a sweeping and systematic action, you would hope that this is the type of report that would drive in a bipartisan way all Americans to see what we can do to prevent it from occurring again,” said Carlin. “I wish there would be more of a bipartisan focus on what Russia did and holding them [to] account.” Carlin noted that while “there have been improvements” from the federal government to address election security concerns — most notably $425 million Congress designated to states for election security as part of the recent appropriations cycle — the ongoing “plague” of ransomware attacks poses a new threat.

National: Cyber Threats to Elections Reported Nationwide | Associated Press

West Virginia reported unusual cyber activity targeting its election systems. The Texas governor said the state was encountering attempted “attacks” at the rate of “10,000 times a minute” from Iran. Information technology staff in Las Vegas responded to an intrusion, though the city says no data was stolen. All told, state election officials in at least two dozen states saw suspicious cyber activity last week, although it’s unclear who was behind the efforts and no major problems were reported. Long before a U.S. drone strike assassinated a top Iranian general, there were already concerns about foreign efforts to hack American institutions and its elections. The conflict with Iran has exacerbated those fears. Yet as the recent spate of reports makes clear, not all suspicious cyber activities are equally troublesome, the work of a foreign government or a precursor to the type of Russian interference seen in the 2016 election on behalf of Donald Trump.

National: Russians Hacked Ukrainian Gas Company at Center of Impeachment | Nicole Perlroth and Matthew Rosenberg/The New York Times

With President Trump facing an impeachment trial over his efforts to pressure Ukraine to investigate former Vice President Joseph R. Biden Jr. and his son Hunter Biden, Russian military hackers have been boring into the Ukrainian gas company at the center of the affair, according to security experts. The hacking attempts against Burisma, the Ukrainian gas company on whose board Hunter Biden served, began in early November, as talk of the Bidens, Ukraine and impeachment was dominating the news in the United States. It is not yet clear what the hackers found, or precisely what they were searching for. But the experts say the timing and scale of the attacks suggest that the Russians could be searching for potentially embarrassing material on the Bidens — the same kind of information that Mr. Trump wanted from Ukraine when he pressed for an investigation of the Bidens and Burisma, setting off a chain of events that led to his impeachment. The Russian tactics are strikingly similar to what American intelligence agencies say was Russia’s hacking of emails from Hillary Clinton’s campaign chairman and the Democratic National Committee during the 2016 presidential campaign. In that case, once they had the emails, the Russians used trolls to spread and spin the material, and built an echo chamber to widen its effect.

National: Voting vendors, security pros still far apart on protecting 2020 election | Joseph Marks/The Washington Post

Voting machine companies and cybersecurity advocates are still miles apart on what it will take to secure 2020 against Russian hackers. During a nearly three-hour congressional hearing yesterday, security advocates sounded alarm bells about possible election hacks, warning machines in use today can be easily compromised. Companies, meanwhile, mostly defended the status quo. At one point, the chief executive of Hart InterCivic, one of three major companies that control more than 80 percent of the voting machine market, even defended selling paperless voting machines that can’t be audited and that top security experts and the Department of Homeland Security have warned are far too vulnerable in an era when elections are being targeted by sophisticated Russian hackers. “We actually believe our [machines] are secure,” said Hart CEO Julie Mathis, describing a number of internal defensive measures and security reviews they passed – primarily before 2016. The divisions highlighted how, despite three years of surging congressional attention to election security since Russia’s 2016 hacking efforts, there has been almost no government oversight of voting machine makers themselves. … Mathis’s comments were panned by security advocates. “It’s very simple. No matter how secure that device is, there’s no way to know whether the choice that’s recorded matches what the voter intended. It’s rightly called a black box,” Edward Perez, a former Hart executive who’s now global director of technology development at OSET Institute, a nonprofit election technology organization, said in an interview. 

National: Voting machine makers face questions from House lawmakers — but more remain | Ben Popken/NBC

For decades, the companies that dominated the U.S. voting machine industry operated in relative anonymity. Now, lawmakers want answers and transparency. The CEOs of the three companies that make more than 80 percent of the country’s voting machines testified before Congress Thursday for the first time, marking a new and bipartisan effort to ensure the security of the 2020 election. The three companies, Election Systems & Software (ES&S), Dominion Voting Systems and Hart InterCivic, are almost entirely unregulated. But in recent years, policymakers and election advocates have begun to question who owns the companies, how they make their machines and whether they could be susceptible to remote hacking. Zoe Lofgren, D-Calif., chair of the congressional subcommittee that oversees federal elections, said in her opening remarks that they need more information from the companies. “Despite their outsized role in the mechanics of our democracy, some have accused these companies with obfuscating, and in some cases misleading election administrators and the American public,” said. “There is much work to do, and much for Congress to learn about this industry.”

National: Voting equipment companies throw weight behind enhanced disclosures | Maggie Miller/The Hill

The CEOs of the three largest U.S. voting equipment companies on Thursday supported more disclosure requirements, marking a major step for an industry that has come under close scrutiny in recent years due to election security concerns. The leaders of Election Systems and Software (ES&S), Dominion Voting Systems and Hart InterCivic testified before the House Administration Committee during a House hearing, marking the first time leaders from the three major voting equipment manufacturers testified together before Congress. Committee Chairwoman Rep. Zoe Lofgren (D-Calif.) kicked off the hearing by asking whether the CEOs of these companies, which are estimated to control at least 80 percent of the market for voting equipment in the U.S., would support legislation mandating more disclosures.  Specifically, Lofgren asked if they would support requirements to disclose company cybersecurity practices, cyberattacks experienced by the companies, background checks done on employees, foreign investments in the companies, as well as information on the supply chain involved in building the voting equipment. Tom Burt, the president and CEO of ES&S, which has the largest individual share of the voting equipment market, answered that he “would support a requirement for all five of those requirements.” Julie Mathis, the CEO and president of Hart InterCivic, and John Poulos, the CEO and president of Dominion, both also agreed with Lofgren’s listed disclosure requirements.

National: ‘Chaos Is the Point’: Russian Hackers and Trolls Grow Stealthier in 2020 | Matthew Rosenberg, Nicole Perlroth and David E. Sanger/The New York Times

The National Security Agency and its British counterpart issued an unusual warning in October: The Russians were back and growing stealthier. Groups linked to Russia’s intelligence agencies, they noted, had recently been uncovered boring into the network of an elite Iranian hacking unit and attacking governments and private companies in the Middle East and Britain — hoping Tehran would be blamed for the havoc. For federal and state officials charged with readying defenses for the 2020 election, it was a clear message that the next cyberwar was not going to be like the last. The landscape is evolving, and the piggybacking on Iranian networks was an example of what America’s election-security officials and experts face as the United States enters what is shaping up to be an ugly campaign season marred by hacking and disinformation. American defenses have vastly improved in the four years since Russian hackers and trolls mounted a broad campaign to sway the 2016 presidential election. Facebook is looking for threats it barely knew existed in 2016, such as fake ads paid for in rubles and self-proclaimed Texas secessionists logging in from St. Petersburg. Voting officials are learning about bots, ransomware and other vectors of digital mischief. Military officials are considering whether to embrace information warfare and retaliate against election interference by hacking senior Russian officials and leaking their personal emails or financial information.

National: Election security officials brace for possible Iran cyber retaliation | Joshua Lott/ABC

With tensions between Washington and Tehran on the rise, election security officials are warning of possible retaliation from Iran in the form of election meddling — a familiar threat in the wake of Russia’s efforts in the 2016 presidential election. “The thing I’m most worried about are a repeat of some of the types of attacks we say in 2016 against larger election infrastructure,” said Matt Blaze, a Georgetown University Law Center professor, during a Thursday hearing before the Committee on House Administration. “A determined adversary who wanted to disrupt our elections would have a frighteningly easy task.” As the presidential primary season gets underway, the threat of Iranian interference highlights efforts by the federal government and states since 2016 — when Russian hackers successfully infiltrated voting systems — to shore up their defenses. Last week, after the death of Gen. Qassem Soleimani, the head of Iran’s elite Quds Force, leaders in Tehran vowed to seek revenge. As ABC News and others have previously reported, Iran is capable of targeting a broad range of public and private institutions with cyber intrusions and attacks.

National: Facebook sticking with policies on politicians’ lies and voter targeting | Alexandra S. Levine and Zach Montellaro/Politico

Facebook is standing by its policies that allow politicians to lie to voters, while targeting their ads at narrow subsets of the public — decisions with vast implications for the more than $1 billion in online campaign messaging expected in this year’s elections. The online giant announced Thursday morning that it is not changing the most controversial elements of its approach to campaign ads, after months of a debate that has divided Silicon Valley and brought Facebook a barrage of criticism from Democrats. The critics have been most incensed by Facebook’s refusal to fact-check politicians’ claims, accusing the company of knowingly profiting from deception. Facebook has defended the policy on free-speech grounds, saying voters should be the ones scrutinizing politicians’ messages. The company’s separate decision not to limit “microtargeting” is probably welcome news to candidates of both parties, who value the ability to tailor messages based on data such as a voter’s age, gender, neighborhood, job or sports fandom. President Donald Trump’s campaign has pushed Facebook not to limit ad-targeting, a step Google took in November, and accused Twitter of trying to “silence conservatives” when it banned political ads altogether in October.

National: Voting machines touted as secure option are actually vulnerable to hacking, study finds | Joseph Marks/The Washington Post

New voting machines that hundreds of districts will use for the first time in 2020 don’t have enough safeguards against hacking by Russia and other U.S. adversaries, according to a study out this morning from researchers at the University of Michigan. The study marks the first major independent review of the machines called ballot-marking devices, or BMDs, which at least 18 percent of the country’s districts will use as their default voting machines in November. The results are a major blow for voting machine companies and election officials, who have touted BMDs as a secure option in the wake of Russia’s 2016 efforts to compromise U.S. election infrastructure. “The implication of our study is that it’s extremely unsafe [to use BMDs], especially in close elections,” Alex Halderman, a University of Michigan computer science professor and one of seven authors of the study, said in an interview. People who use BMDs cast their votes using a computer touch screen, but the machine spits out a paper record of those votes. That is usually used to tally the results and can be saved for audits that ensure votes were tallied correctly. The machines were touted by election officials as a compromise between paperless voting machines, which experts uniformly agree are far too vulnerable to hacking, and hand-marked paper ballots, which serious cybersecurity hawks favor but which can be tougher to tally and are inaccessible for many people with disabilities. But only a handful of people who vote on BMDs are likely to check that their votes were recorded accurately, the researchers found – meaning that if hackers succeed in altering even a small percentage of electronic votes, they might be able to change the outcome of a close election without being detected.

National: Voting machine vendors to testify on election security | Maggie Miller/The Hill

The CEOs of the three biggest U.S. voting equipment manufacturers will testify before the House Administration Committee on Thursday, marking the first election security hearing of 2020. The hearing, which is to be focused on the status of election security, will represent the first time that top executives from the three companies have testified together before Congress. The presidents and CEOs of Dominion Voting Systems, Hart InterCivic and Election Systems and Software (ES&S) are all scheduled to appear. These three companies are estimated to control more  90 percent of the voting equipment market in the U.S., according to a report put out by the University of Pennsylvania’s Wharton Public Policy Initiative. All three have come under scrutiny from Washington in the wake of Russia’s interference in the 2016 presidential race. The Senate Intelligence Committee in volume one of its investigation into Russia’s actions expressed concerns for the security of voting machines. It voiced particular concerns with “direct-recording electronic” machines, which do not print out a paper copy of a voter’s vote.

National: New voting machines’ top security challenge? The voters, researchers say | Bill Theobald/The Fulcrum

Let’s get something straight about the security and reliability of elections: No matter how a voting system is designed, something could go wrong — either accidentally or on purpose. That is important to keep in mind in considering a report, released Wednesday, criticizing a type of voting machine that’s been purchased by jurisdictions all across the country in the past few years in the name of improved security. The study, led by computer science graduate students at the University of Michigan, found that most people who participated in a mock election using ballot-marking devices, known as BMDs, failed to notice errors that had been introduced on the paper ballots that were generated and then used for casting votes. The problem, in other words, was with the attentiveness of the citizens but not the reliability of the hardware. Nonetheless, the Michigan researchers are touting their findings as evidence that BMDs don’t provide sufficient safeguards against hacking by the Russians or other adversaries out to disrupt democracy in the November presidential election.

National: New “secure” voting machines are still vulnerable—because of voters | Patrick Howell O’Neill/MIT Technology Review

A new study of voting machines is spotlighting the “serious risk” that election results can be manipulated because most voters do not check that their ballot is correct, according to new research. Ballot-marking devices, or BMDs, combine physical and digital voting methods in a single machine. A voter selects a candidate on a computer screen, and the machine then prints out a paper ballot for review. The goal is to provide both ease of voting and a physical audit trail that hackers can’t readily change, and the Washington Post reports that ballot-marking devices are used by at least 18% of the country’s electoral districts. But the new study from the University of Michigan suggests that if a voting machine is compromised, people are not likely to realize it, because so few of them check that their printout is correct. And even the rare voters who do check the paper version almost never catch errors when they’ve been made. The research raises questions about hackable computers and post-election audits—two major issues in election cybersecurity—just weeks before the first US primary votes are cast in Iowa on February 3. “Inserting a hackable computer in between the voter and the recording of intent poses big issues,” says Eddie Perez, a former election industry executive with Hart InterCivic for 16 years. “If we don’t know if voters actually look at the the paper and accurately confirm their intent, the strength of audit is weakened.”

National: Why the 2020 US presidential election is still vulnerable to foreign interference | Armen Najarian/Help Net Security

With the international political situation becoming increasingly fraught and divisive, it is hard to ignore the shadow of foreign interference looming over electoral proceedings around the world. Not only are the US elections arguably some of the most influential on the global stage, but the infamous cyber attack on Clinton campaign manager John Podesta during the 2016 presidential elections was a watershed moment. The attack, which used email-based social engineering techniques to breach Podesta’s email account and leak thousands of emails, marked a move towards more overt and hostile cyber activity in the political arena. The threat of foreign interference takes many forms, from the more subtle use of fake news and online trolls to confuse and frustrate the political discourse, to direct attacks on vulnerable voting infrastructure and to disrupt or breach political parties and individuals. Four years on from the Podesta hack, email remains one of the most prominent weapons in the cyber attacker’s arsenal – and worryingly, the majority of political parties and candidates are still extremely vulnerable to email attacks.

National: Facebook Bans Deepfakes but Permits Some Altered Content | Betsy Morris/Wall Street Journal

Facebook Inc. is banning videos that have been manipulated using advanced tools, though it won’t remove most doctored content, as the social-media giant tries to combat disinformation without stifling speech. But as with many efforts by social-media companies to address content on their sites that is widely seen as problematic, Facebook’s move swiftly drew criticism for not going far enough and having too many loopholes. The policy unveiled Monday by Monika Bickert, Facebook’s vice president for global policy management, is the company’s most concrete step to fight the spread of so-called deepfakes on its platform. Deepfakes are images or videos that have been manipulated through the use of sophisticated machine-learning algorithms, making it nearly impossible to differentiate between what is real and what isn’t. “While these videos are still rare on the internet, they present a significant challenge for our industry and society as their use increases,” Ms. Bickert said in a blog post. Facebook said it would remove or label misleading videos that had been edited or manipulated in ways that would not be apparent to the average person. That would include removing videos in which artificial intelligence tools are used to change statements made by the subject of the video or replacing or superimposing content.

National: The 2020 election will be the country’s biggest cybersecurity test ever | Joseph Marks/The Washington Post

What will be the biggest cybersecurity story of the year? You hardly have to ask. The 2020 election probably is the most anticipated event in U.S. history when it comes to digital security. Russia’s hacking and disinformation campaign to interfere in the last presidential election shook the nation’s confidence in the U.S. democratic process and rocketed cybersecurity into the mainstream of Washington’s political life. Top questions now are not just when but how Russia will try to interfere in the approaching presidential election and whether it will be emboldened by the fact it has yet to face any significant consequences — and, of course, whether other U.S. adversaries will jump into the fray. “Nobody has really punished them for it and the reality is our adversaries are constantly pushing the envelope,” John Hultquist, director of intelligence analysis at the cybersecurity firm FireEye, told me. “They see what they can get away with and then they push the envelope again.” If the election concludes without a security disaster that compromises the results or undermines public confidence in them, that will be a victory for solid planning, education and more than $900 million spent on digital election defense since 2016. If it’s disrupted, however, it will be a drastic blow to faith in democracy and to the idea the United States can set any red lines in cyberspace that our adversaries won’t cross.

National: Facebook data misuse and voter manipulation back in the frame with latest Cambridge Analytica leaks | Natasha Lomas/TechCrunch

More details are emerging about the scale and scope of disgraced data company Cambridge Analytica’s activities in elections around the world — via a cache of internal documents that’s being released by former employee and self-styled whistleblower, Brittany Kaiser. The now shut down data modelling company, which infamously used stolen Facebook data to target voters for President Donald Trump’s campaign in the 2016 U.S. election, was at the center of the data misuse scandal that, in 2018, wiped billions off Facebook’s share price and contributed to a $5BN FTC fine for the tech giant last summer. However plenty of questions remain, including where, for whom and exactly how Cambridge Analytica and its parent entity SCL Elections operated; as well as how much Facebook’s leadership knew about the dealings of the firm that was using its platform to extract data and target political ads — helped by some of Facebook’s own staff. Certain Facebook employees were referring to Cambridge Analytica as a “sketchy” company as far back as September 2015 — yet the tech giant only pulled the plug on platform access after the scandal went global in 2018. Facebook CEO Mark Zuckerberg has also continued to maintain that he only personally learned about CA from a December 2015 Guardian article, which broke the story that Ted Cruz’s presidential campaign was using psychological data based on research covering tens of millions of Facebook users, harvested largely without permission. (It wasn’t until March 2018 that further investigative journalism blew the lid off the story — turning it into a global scandal.)

National: DHS issues bulletin warning of potential Iranian cyberattack | Maggie Miller/The Hill

The Department of Homeland Security (DHS) released a bulletin this week through its National Terrorism Advisory System warning of Iran’s ability to carry out cyberattacks with “disruptive effects” against critical U.S. infrastructure. In the bulletin, sent in the wake of the U.S. airstrike that killed Iranian Quds Force commander Gen. Qassem Soleimani, DHS noted that while there is currently “no information indicating a specific, credible threat to the Homeland,” Iran does have the ability to attack the U.S. in cyberspace. “Previous homeland-based plots have included, among other things, scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.- based targets,” DHS wrote in the bulletin. The agency noted that “Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.” Acting DHS Secretary Chad Wolf tweeted Saturday that the bulletin was intended to “inform & reassure the American public, state/local governments & private partners that DHS is actively monitoring & preparing for any specific, credible threat, should one arise.”

National: Election vendors executives head to the Hill | Tim Starks/Politico

he House Administration Committee will start off the new year with a bang on Thursday when it convenes a hearing with the presidents of the three largest election technology vendors. Testifying on the first panel of the hearing, the committee told MC, are Tom Burt, president and CEO of Election Systems & Software; John Poulos, president and CEO of Dominion Voting Systems; and Julie Mathis, president and CFO of Hart InterCivic. The major vendors have sent lower-level representatives to congressional hearings in the past, but this is the first time that all three top executives have testified together, a House aide told MC. The timing is auspicious: the presidential primary season, which begins in just a few weeks, represents a high-profile test of many states’ new paper-backed electronic voting machines. Vendor oversight has been a top concern of voting security experts and activists, because the three largest firms have historically shunned transparency, downplayed security concerns and threatened competitors with lawsuits. House Administration Chairwoman Zoe Lofgren (D-Calif.) first told POLITICO that she was planning this hearing in August, after a bipartisan group of activist organizations pressed her panel and its Senate counterpart to scrutinize the vendors more closely. After vendor executives testify, the Administration Committee will hear from a trio of experts, according to the witness list shared with MC. They are Liz Howard from the Brennan Center for Justice, Georgetown University professor Matt Blaze and University of Florida professor Juan Gilbert.

National: Cyber attacks and electronic voting errors threaten 2020 outcome, experts warn | Peter Stone/The Guardian

Potential electronic voting equipment failures and cyber attacks from Russia and other countries pose persistent threats to the 2020 elections, election security analysts and key Democrats warn. In November significant electronic voting equipment problems occurred in an election in the vital battleground state of Pennsylvania, sparking a lawsuit by advocacy groups charging the state is using insecure electronic voting machines. Other key states like Florida and North Carolina which experienced voting problems in 2016 and Georgia which had serious equipment problems in 2018, are being urged to take precautions to curb new difficulties in 2020, say election analysts. The Brennan Center’s electoral reform program last month released a study that stressed testing backup systems and electronic voting equipment before the primaries and next November’s general election was needed to reduce risks of cyber attacks and equipment failures, and offered guidance about ways to recover from attacks or malfunctions. In response to these and other threats, Congress in December added $425m for election related spending, including security measures, to a massive $1.4tn spending bill for 2020.

National: Election Security At The Chip Level | Andy Patrizio/Semiconductor Engineering

Technological advances have changed every facet of our lives, from reading to driving to cooking, but one task remains firmly rooted in 20th-century technology — voting. Electronic voting remains doggedly unavailable to most, and almost always unusable to those who have it. For more than a decade, it seems every election is accompanied by numerous reports of voting machine problems. The most common issue involves machines changing votes. It has happened in numerous states, and even to Ellen Swenson, chief analyst for the Election Integrity Project, a non-partisan California group seeking to preserve election integrity. It’s not easy when two separate voting machines in Riverside County, where Swenson resides, recorded incorrect votes. At least that machine worked. “So many have said they’ve gone to polls and the machines break down. That’s another thing that hurt the subject. There were so many broken machines across [Los Angeles] County in 2018 and none were fixed, so LA had to use paper ballots,” she said. For some people, the old paper punch ballot is actually preferable, said Swenson. “There is a whole set of challenges, philosophically and psychologically. The idea of connecting to the Internet scares some people, their fear of the privacy of their vote being compromised, or hacking it and changing the results. There’s a real psychological wall to climb,” she said.

National: America Won’t Give Up Its Hackable Wireless Voting Machines | Kartikay Mehrotra/Bloomberg

After Russian hackers made extensive efforts to infiltrate the American voting apparatus in 2016, some states moved to restrict internet access to their vote-counting systems. Colorado got rid of barcodes used to electronically read ballots. California tightened its rules for electronic voting machines that can go online. Ohio bought new voting machines that deliberately excluded wireless capabilities. Michigan went in a different direction, authorizing as much as $82 million for machines that rely on wireless modems to connect to the internet. State officials justified the move by saying it is the best way to satisfy an impatient public that craves instantaneous results. The problem is, connecting election machines to the public internet, especially wirelessly, leaves the whole system vulnerable, according to cybersecurity experts. So Michigan’s new secretary of state is considering using some of the state’s $10 million in federal election funds to rip out those modems before the March presidential primary. “The system we inherited is not optimal for security since our election equipment can and has connected to the internet,” said Jocelyn Benson, who won election as secretary of state and took office in January 2019. She convened a committee of cybersecurity experts to evaluate the state election system’s vulnerabilities. “If that’s what the committee recommends, we’ll take them out.”

National: Election Infrastructure Remains Vulnerable to Attacks | Diane Ritchey/Security Magazine

In 10 months, U.S. citizens will elect a new president (or re-elect a current one). As the race heats up and election day nears, a key component of the U.S. election infrastructure remains vulnerable to attack. Only five percent of the country’s largest counties are protecting their election officials from impersonation, according to an analysis by Valimail. The rest are vulnerable to impersonation, meaning their domains could become the vectors for cyberattacks and misinformation campaigns. According to Seth Blank, director of industry initiatives for Valimail, “This is a problem because the overwhelming majority of cyberattacks can be traced to impersonation-based phishing emails. In the corporate world, these cyberattacks result in the loss of funds or proprietary data. But when it comes to elections, the bedrock of democracy – free and fair elections – is at stake.” An August 2019 report from Valimail noted that most presidential candidates’ campaigns are not protected from email impersonation. An earlier report found a similar situation across the thousands of domains that are used by state and local governments. “And we’re not just talking about voting machines being vulnerable,” Blank says. “While most voting machines are isolated from the Internet (they are often air-gapped for security), the same cannot be said for other elements of the election process. The electronic pollbooks that voters use to sign in on election day and the machines that tabulate votes may be connected to the Internet for software updates or to receive or transmit voting information. This makes them potential targets for email-based attacks aimed at other users of the same networks.”

National: Paralysis Grips Federal Election Commission While Complaints Pile Up | Kenneth P. Doyle/Bloomberg Government

The agency charged with enforcing campaign finance law begins the presidential election year paralyzed by the lack of a board quorum and unable to dispense with hundreds of complaints. As Republican Caroline Hunter assumes the rotating chairmanship of the Federal Election Commission, she inherits a growing backlog of more than 300 pending campaign finance complaints, nearly 70 of which may never be resolved because they are close to the expiration of a five-year statute of limitations. FEC analysts continue to review campaign finance reports filed by candidates, and staff lawyers can interview witnesses and collect documents in more than two dozen investigations approved by the commissioners before the loss of a quorum at the end of August. However, none of these probes can conclude and no new investigations can begin until a quorum is restored.

National: New Funding for Election Security Assistance Doesn’t Go Far Enough, Experts Say | Courtney Bublé/Government Executive

With just over 10 months to go before Americans head to the polls to elect their next president, states will have access to additional money to help shore up insecure voting equipment. The funding—$425 million—was included in appropriations for the Election Assistance Commission under the 2020 spending bills President Trump signed into law on Dec. 20. EAC Chairwoman Christy McCormick said the commission “will do everything in its power to distribute these funds as expeditiously as possible.” The funding is a boost over Congress’ most recent appropriation of $380 million for election improvements in 2018—the first time since 2010 that Congress made resources available to help states and localities with their election infrastructure and administration. “State and local election officials from across the country regularly tell us about the need for additional resources,” said EAC Vice Chair Benjamin Hovland. “This new funding will allow election officials to continue making investments that strengthen election security and improve election administration in 2020 and beyond.”  Despite widespread evidence of foreign interference in the 2016 U.S. presidential election and repeated warnings from the intelligence community about the vulnerability of election infrastructure, the bipartisan and independent Election Assistance Commission has struggled with funding and staff cuts as well as House Republicans’ threats to terminate it. With the 2020 presidential election less than a year away, the EAC lacks a permanent director and general counsel.

National: How good is the government at threat information sharing? | Andrew Eversden/Fifth Domain

Over and over cybersecurity officials in the civilian government, the intelligence community and the Department of Defense say the same platitude: information sharing is important. Often, however, little insight, or metrics, back up exactly how well they are doing it. But a new joint report from inspectors general across the government found that information sharing among the intelligence community and the rest of government “made progress.” The report, titled “Unclassified Joint Report on the Implementation of the Cybersecurity Information Sharing Act of 2015” and released Dec. 19, found that cybersecurity threat information sharing has improved throughout government over the last two years, though some barriers remain, like information classification levels. Information sharing throughout government has improved in part because of security capability launched by the Office of the Director of National Intelligence’s Intelligence Community Security Coordination Center (IC SCC) that allowed the ODNI to increase cybersecurity information all the way up to the top-secret level. The capability, called the Intelligence Community Analysis and Signature Tool (ICOAST), shares both indicators of compromise and malware signatures that identify the presence of malicious code. According to the report, the information from the platform is available to “thousands” of users across the IC, DoD and civilian government.

National: Election security, ransomware dominate cyber concerns for 2020 | Maggie Miller/The Hill

Headed into 2020, with a presidential election on the horizon, cyber concerns are certain to be in the spotlight in Washington. Atop the list of cyber issues will be persistent questions about election security. Officials at the federal, state and local levels say they will be vigilant to any efforts to interfere in the election after 2016, even as lawmakers weigh additional actions to safeguard the vote. But lawmakers will also be looking to tackle other issues as well, such as the ransomware attacks spreading across the country and the growing concerns over companies with foreign ties accessing Americans’ data. 2020 will see a presidential election, along with nationwide elections for the House and a third of the Senate. It will be a major test for efforts to improve security after Russian interference efforts in the 2016 election. U.S. intelligence agencies, former special counsel Robert Mueller and the Senate Intelligence Committee have all concluded that Russia conducted a sweeping and systematic attack against the 2016 elections, using both hacking and disinformation campaigns. Mueller has warned that Russia would attempt to interfere again, testifying to the House Intelligence Committee in July that the Russians were trying to interfere “as we sit here.”

National: How Close Did Russia Really Come to Hacking the 2016 Election? | Kim Zetter/Politico

On November 6, 2016, the Sunday before the presidential election that sent Donald Trump to the White House, a worker in the elections office in Durham County, North Carolina, encountered a problem. There appeared to be an issue with a crucial bit of software that handled the county’s list of eligible voters. To prepare for Election Day, staff members needed to load the voter data from a county computer onto 227 USB flash drives, which would then be inserted into laptops that precinct workers would use to check in voters. The laptops would serve as electronic poll books, cross-checking each voter as he or she arrived at the polls. The problem was, it was taking eight to 10 times longer than normal for the software to copy the data to the flash drives, an unusually long time that was jeopardizing efforts to get ready for the election. When the problem persisted into Monday, just one day before the election, the county worker contacted VR Systems, the Florida company that made the software used on the county’s computer and on the poll book laptops. Apparently unable to resolve the issue by phone or email, one of the company’s employees accessed the county’s computer remotely to troubleshoot. It’s not clear whether the glitch got resolved—Durham County would not answer questions from POLITICO about the issue—but the laptops were ready to use when voting started Tuesday morning. Almost immediately, though, a number of them exhibited problems. Some crashed or froze. Others indicated that voters had already voted when they hadn’t. Others displayed an alert saying voters had to show ID before they could vote, even though a recent court case in North Carolina had made that unnecessary.