National: America Won’t Give Up Its Hackable Wireless Voting Machines | Kartikay Mehrotra/Bloomberg

After Russian hackers made extensive efforts to infiltrate the American voting apparatus in 2016, some states moved to restrict internet access to their vote-counting systems. Colorado got rid of barcodes used to electronically read ballots. California tightened its rules for electronic voting machines that can go online. Ohio bought new voting machines that deliberately excluded wireless capabilities. Michigan went in a different direction, authorizing as much as $82 million for machines that rely on wireless modems to connect to the internet. State officials justified the move by saying it is the best way to satisfy an impatient public that craves instantaneous results. The problem is, connecting election machines to the public internet, especially wirelessly, leaves the whole system vulnerable, according to cybersecurity experts. So Michigan’s new secretary of state is considering using some of the state’s $10 million in federal election funds to rip out those modems before the March presidential primary. “The system we inherited is not optimal for security since our election equipment can and has connected to the internet,” said Jocelyn Benson, who won election as secretary of state and took office in January 2019. She convened a committee of cybersecurity experts to evaluate the state election system’s vulnerabilities. “If that’s what the committee recommends, we’ll take them out.”

National: Election Infrastructure Remains Vulnerable to Attacks | Diane Ritchey/Security Magazine

In 10 months, U.S. citizens will elect a new president (or re-elect a current one). As the race heats up and election day nears, a key component of the U.S. election infrastructure remains vulnerable to attack. Only five percent of the country’s largest counties are protecting their election officials from impersonation, according to an analysis by Valimail. The rest are vulnerable to impersonation, meaning their domains could become the vectors for cyberattacks and misinformation campaigns. According to Seth Blank, director of industry initiatives for Valimail, “This is a problem because the overwhelming majority of cyberattacks can be traced to impersonation-based phishing emails. In the corporate world, these cyberattacks result in the loss of funds or proprietary data. But when it comes to elections, the bedrock of democracy – free and fair elections – is at stake.” An August 2019 report from Valimail noted that most presidential candidates’ campaigns are not protected from email impersonation. An earlier report found a similar situation across the thousands of domains that are used by state and local governments. “And we’re not just talking about voting machines being vulnerable,” Blank says. “While most voting machines are isolated from the Internet (they are often air-gapped for security), the same cannot be said for other elements of the election process. The electronic pollbooks that voters use to sign in on election day and the machines that tabulate votes may be connected to the Internet for software updates or to receive or transmit voting information. This makes them potential targets for email-based attacks aimed at other users of the same networks.”

National: Paralysis Grips Federal Election Commission While Complaints Pile Up | Kenneth P. Doyle/Bloomberg Government

The agency charged with enforcing campaign finance law begins the presidential election year paralyzed by the lack of a board quorum and unable to dispense with hundreds of complaints. As Republican Caroline Hunter assumes the rotating chairmanship of the Federal Election Commission, she inherits a growing backlog of more than 300 pending campaign finance complaints, nearly 70 of which may never be resolved because they are close to the expiration of a five-year statute of limitations. FEC analysts continue to review campaign finance reports filed by candidates, and staff lawyers can interview witnesses and collect documents in more than two dozen investigations approved by the commissioners before the loss of a quorum at the end of August. However, none of these probes can conclude and no new investigations can begin until a quorum is restored.

National: New Funding for Election Security Assistance Doesn’t Go Far Enough, Experts Say | Courtney Bublé/Government Executive

With just over 10 months to go before Americans head to the polls to elect their next president, states will have access to additional money to help shore up insecure voting equipment. The funding—$425 million—was included in appropriations for the Election Assistance Commission under the 2020 spending bills President Trump signed into law on Dec. 20. EAC Chairwoman Christy McCormick said the commission “will do everything in its power to distribute these funds as expeditiously as possible.” The funding is a boost over Congress’ most recent appropriation of $380 million for election improvements in 2018—the first time since 2010 that Congress made resources available to help states and localities with their election infrastructure and administration. “State and local election officials from across the country regularly tell us about the need for additional resources,” said EAC Vice Chair Benjamin Hovland. “This new funding will allow election officials to continue making investments that strengthen election security and improve election administration in 2020 and beyond.”  Despite widespread evidence of foreign interference in the 2016 U.S. presidential election and repeated warnings from the intelligence community about the vulnerability of election infrastructure, the bipartisan and independent Election Assistance Commission has struggled with funding and staff cuts as well as House Republicans’ threats to terminate it. With the 2020 presidential election less than a year away, the EAC lacks a permanent director and general counsel.

National: How good is the government at threat information sharing? | Andrew Eversden/Fifth Domain

Over and over cybersecurity officials in the civilian government, the intelligence community and the Department of Defense say the same platitude: information sharing is important. Often, however, little insight, or metrics, back up exactly how well they are doing it. But a new joint report from inspectors general across the government found that information sharing among the intelligence community and the rest of government “made progress.” The report, titled “Unclassified Joint Report on the Implementation of the Cybersecurity Information Sharing Act of 2015” and released Dec. 19, found that cybersecurity threat information sharing has improved throughout government over the last two years, though some barriers remain, like information classification levels. Information sharing throughout government has improved in part because of security capability launched by the Office of the Director of National Intelligence’s Intelligence Community Security Coordination Center (IC SCC) that allowed the ODNI to increase cybersecurity information all the way up to the top-secret level. The capability, called the Intelligence Community Analysis and Signature Tool (ICOAST), shares both indicators of compromise and malware signatures that identify the presence of malicious code. According to the report, the information from the platform is available to “thousands” of users across the IC, DoD and civilian government.

National: Election security, ransomware dominate cyber concerns for 2020 | Maggie Miller/The Hill

Headed into 2020, with a presidential election on the horizon, cyber concerns are certain to be in the spotlight in Washington. Atop the list of cyber issues will be persistent questions about election security. Officials at the federal, state and local levels say they will be vigilant to any efforts to interfere in the election after 2016, even as lawmakers weigh additional actions to safeguard the vote. But lawmakers will also be looking to tackle other issues as well, such as the ransomware attacks spreading across the country and the growing concerns over companies with foreign ties accessing Americans’ data. 2020 will see a presidential election, along with nationwide elections for the House and a third of the Senate. It will be a major test for efforts to improve security after Russian interference efforts in the 2016 election. U.S. intelligence agencies, former special counsel Robert Mueller and the Senate Intelligence Committee have all concluded that Russia conducted a sweeping and systematic attack against the 2016 elections, using both hacking and disinformation campaigns. Mueller has warned that Russia would attempt to interfere again, testifying to the House Intelligence Committee in July that the Russians were trying to interfere “as we sit here.”

National: How Close Did Russia Really Come to Hacking the 2016 Election? | Kim Zetter/Politico

On November 6, 2016, the Sunday before the presidential election that sent Donald Trump to the White House, a worker in the elections office in Durham County, North Carolina, encountered a problem. There appeared to be an issue with a crucial bit of software that handled the county’s list of eligible voters. To prepare for Election Day, staff members needed to load the voter data from a county computer onto 227 USB flash drives, which would then be inserted into laptops that precinct workers would use to check in voters. The laptops would serve as electronic poll books, cross-checking each voter as he or she arrived at the polls. The problem was, it was taking eight to 10 times longer than normal for the software to copy the data to the flash drives, an unusually long time that was jeopardizing efforts to get ready for the election. When the problem persisted into Monday, just one day before the election, the county worker contacted VR Systems, the Florida company that made the software used on the county’s computer and on the poll book laptops. Apparently unable to resolve the issue by phone or email, one of the company’s employees accessed the county’s computer remotely to troubleshoot. It’s not clear whether the glitch got resolved—Durham County would not answer questions from POLITICO about the issue—but the laptops were ready to use when voting started Tuesday morning. Almost immediately, though, a number of them exhibited problems. Some crashed or froze. Others indicated that voters had already voted when they hadn’t. Others displayed an alert saying voters had to show ID before they could vote, even though a recent court case in North Carolina had made that unnecessary.

National: Voting by app is a thing, and it’s spreading, despite the fears of election security experts | Mark Sullivan/Fast Company

In this age of extreme concern—even paranoia—over election security, you might be a little surprised to hear that some voters in parts of the country are voting from home, using an app. So far the vote-by-app option has been reserved for military people serving overseas and elderly people who might have physical difficulty getting to the polls. One state (West Virginia) and a number of cities and counties have already used a voting app called Voatz in elections, mainly small ones. Voatz, a Boston-based startup that’s raised almost $10 million in venture capital, birthed its app at a SXSW hackathon in 2016, and went through the TechStars incubator. Its technology is unique in that it utilizes the biometric security features (such as fingerprint readers and facial recognition cameras) of newer smartphones to verify the voter’s identity. Those security technologies are already used to secure sensitive transactions like sharing financial information and making online purchases. But election security people have raised concerns about internet-connected voting technologies. The Mueller report exposed numerous attempts by foreign hackers to infiltrate U.S. voting systems via the internet during the 2016 election. Since then, states and counties have rushed to disconnect all voting systems–including voting machines, tabulators, and administrative technologies–from the public internet. The Voatz app’s use of the internet is the main reason it’s caught the attention of the election security community.

National: U.S. Cybercom contemplates information warfare to counter Russian interference in 2020 election | Ellen Nakashima/The Washington Post

Military cyber officials are developing information warfare tactics that could be deployed against senior Russian officials and oligarchs if Moscow tries to interfere in the 2020 U.S. elections through hacking election systems or sowing widespread discord, according to current and former U.S. officials. One option being explored by U.S. Cyber Command would target senior leadership and Russian elites, though probably not President Vladimir Putin, which would be considered too provocative, said the current and former officials who spoke on the condition of anonymity because of the issue’s sensitivity. The idea would be to show that the target’s sensitive personal data could be hit if the interference did not stop, though officials declined to be more specific. “When the Russians put implants into an electric grid, it means they’re making a credible showing that they have the ability to hurt you if things escalate,” said Bobby Chesney, a law professor at the University of Texas at Austin. “What may be contemplated here is an individualized version of that, not unlike individually targeted economic sanctions. It’s sending credible signals to key decision-makers that they are vulnerable if they take certain adversarial actions.” Cyber Command and officials at the Pentagon declined to comment.

National: State, local election officials train for cyber attacks as ‘another level of war’ | Christina Almeida Cassidy/Associated Press

Inside a hotel ballroom near the nation’s capital, a U.S. Army officer with battlefield experience told 120 state and local election officials that they may have more in common with the military strategists than they might think. These government officials are on the front lines of a different kind of high-stakes battlefield — one in which they are helping to defend American democracy by ensuring free and fair elections. “Everyone in this room is part of a bigger effort, and it’s only together are we going to get through this,” the officer said. That officer and other past and present national security leaders had a critical message to convey to officials from 24 states gathered for a recent training held by a Harvard-affiliated democracy project: They are the linchpins in efforts to defend U.S. elections from an attack by Russia, China or other foreign threats, and developing a military mindset will help them protect the integrity of the vote.

National: Preparing for Cyberattacks and Technical Failures: A Guide for Election Officials | Brennan Center for Justice

America’s intelligence agencies have unanimously concluded that the risk of cyberattacks on election infrastructure is clear and present — and likely to grow. 1 While officials have long strengthened election security by creating resiliency plans, 2 the evolving nature of cyber threats makes it critical that they constantly work to improve their preparedness. It is not possible to build an election system that is 100 percent secure against technology failures and cyberattacks, but effective resiliency plans nonetheless ensure that eligible voters are able to exercise their right to vote and have their votes accurately counted. This document seeks to assist officials as they revise and expand their plans to counter cybersecurity risks. Many state and local election jurisdictions are implementing paper-based voting equipment, risk-limiting audits, and other crucial preventive measures to improve overall election security. In the months remaining before the election, it is at least as important to ensure that adequate preparations are made to enable quick and effective recovery from an attack if prevention efforts are unsuccessful. While existing plans often focus on how to respond to physical or structural failures, these recommendations spotlight how to prevent and recover from technological errors, failures, and attacks. Advocates and policymakers working to ensure that election offices are prepared to manage technology issues should review these steps and discuss them with local and state election officials.

National: Chinese parts, hidden ownership, growing scrutiny: Inside America’s biggest maker of voting machines | Ben Popken, Cynthia McFadden and Kevin Monahan/NBC

Just off a bustling interstate near the border between Nebraska and Iowa, a 2,800-square-foot American flag flies over the squat office park that is home to Election Systems & Software LLC. The nondescript name and building match the relative anonymity of the company, more commonly known as ES&S, which has operated in obscurity for years despite its central role in U.S. elections. Nearly half of all Americans who vote in the 2020 election will use one of its devices. That’s starting to change. A new level of scrutiny of the election system, spurred by Russia’s interference in the 2016 election, has put ES&S in the political spotlight. The source of the nation’s voting machines has become an urgent issue because of real fears that hackers, whether foreign or domestic, might tamper with the mechanics of the voting system. That has led to calls for ES&S and its competitors, Denver-based Dominion Voting Systems and Austin, Texas-based Hart Intercivic, to reveal details about their ownership and the origins of the parts, some of which come from China, that make up their machines. But ES&S still faces questions about the company’s supply chain and the identities of its investors, although it has said it is entirely owned by Americans. And the results of its government penetration tests, in which authorized hackers try to break in so vulnerabilities can be identified and fixed, have yet to be revealed. The secrecy of ES&S and its competitors has pushed politicians to seek information on security, oversight, finances and ownership. This month, a group of Democratic politicians sent the private equity firms that own the major election vendors a letter asking them to disclose a range of such information, including ownership, finances and research investments.

National: EAC advisers to consider draft voting system standards | Eric Geller/Politico

The EAC’s Technical Guidelines Development Committee meets today by phone to review the latest draft of version 2.0 of the Voluntary Voting System Guidelines. Public working groups have been meeting for months to revise different aspects of the widely cited federal standards, including its security provisions. In October, the cybersecurity working group added a ban on internet and wireless connectivity, which prompted some consternation and confusion at a TGDC meeting in November. Input from the TGDC — a body that includes technical experts and election officials — marks one of the first steps in the process of approving a new VVSG. But more work remains to be done on VVSG 2.0, and the TGDC isn’t likely to give the draft its final seal of approval at today’s meeting. “We anticipate continuing the discussion of the requirements with the TGDC on the next call,” NIST staffer Gema Howell wrote in an email to members of the cyber working group.

National: Limited election security funds pose risk for 2020 | Kimberly Adams/Marketplace

As presidential candidates vie for voters’ attention, there’s another group getting ready for 2020: state and local election officials. Congress sent $380 million to states after attempts, some successful, to hack voter lists and election machines in the 2016 election. But elections security experts say that’s unlikely to be enough to fix the patchwork of voting machines, voter lists, and state or county computer systems that make up America’s voting infrastructure. Efforts to shore up that infrastructure happen in quiet offices like that of Chris Piper, commissioner for the Virginia Department of Elections. “The irony of being an election official is that if you’ve done your job right, nobody notices,” he said. Virginia was among the states probed by foreign hackers in 2016, and Piper said the commonwealth is working to ensure that doesn’t happen again. “Virginia was obviously one of the states that was scanned, but we were not breached,” Piper said. “We’ve taken an incredible number of steps to improve that security posture.”

National: More election security funds headed to states as 2020 looms | Christina A. Cassidy/NPR

Congress is giving states a last-minute infusion of federal funds to help boost election security with voting in early caucus and primary states slated to begin in February. Under a huge spending bill, states would receive $425 million for upgrading voting equipment, conducting post-election audits, cybersecurity training and other steps to secure elections. To receive the funds, states must match 20% of their allocation. The Senate approved the bill Thursday, sending it to President Donald Trump for his signature. States have been scrambling to shore up their systems ahead of the 2020 election. The nation’s intelligence chiefs have warned that Russia and others remain interested in attempting to interfere in U.S. elections and undermine democracy. For many who have been advocating for more congressional action on election security, the money is welcome, but they say more must still be done to ensure elections are secure. Sen. Ron Wyden, a Democrat from Oregon, has been among those pushing Congress to require states to implement rigorous post-election audits and use paper ballots in exchange for federal funds. “I’m afraid this bill will widen the gulf between states with good election security and those with perilously weak election security,” Wyden said in a statement. “I appreciate the intent behind this provision, but until Congress takes steps to secure the entire election system, our democracy will continue to be vulnerable to foreign interference.”

National: 2019’s top cybersecurity story is still what Russia did in 2016 | Joseph Marks/The Washington Post

The historic House vote to impeach President Trump last night also marked the most recent turn in a cybersecurity saga that’s gripped the nation since 2016 and consumed much of the past year. Russia’s hacking and disinformation operation in 2016 has occupied lawmakers, election officials and cybersecurity pros for three years now as they try to hold the Kremlin accountable and to prevent a repeat in 2020. It was also Trump’s obsession with poking holes in the official narrative about that operation – by urging Ukraine’s president to investigate a baseless conspiracy theory about Russia’s Democratic National Committee hack and the cybersecurity firm CrowdStrike — that helped spark an impeachment trial that promises to grip the nation for weeks to come. “This impeachment is, to a great degree, a cyber story,” Jon Bateman, a Cyber Policy Initiative fellow at the Carnegie Endowment for International Peace and a former Pentagon cybersecurity official, told me. “It’s the president’s inability to grasp what really happened in a series of cyber incidents that’s led to our current political crisis.” Election hacking was a key battleground for lawmakers this year as Democrats demanded Congress provide $600 million for states and localities to secure their voting machines and impose strict mandates to ensure elections are as secure as possible. They also pummeled Republicans who blocked those efforts, accusing them of being complicit with Russia, and even branding Senate Majority Leader Mitch McConnell (R-Ky.) as “Moscow Mitch” before he relented this week and endorsed sending $425 million to states. Homeland Security Department officials, meanwhile, crisscrossed the country vetting election equipment and running cybersecurity training for local officials. But they were regularly undermined by the president’s wavering on whether Russia was actually responsible for the 2016 interference, helping spark concern the Kremlin will do it again.

National: Pressure still on McConnell after $425 million election security deal | Joseph Marks/The Washington Post

Democrats and activists plan to keep pressing Senate Majority Leader Mitch McConnell (R-Ky.) for major election security reforms — even after he endorsed delivering an additional $425 million to state and local election officials. That money, which was part of a last-minute government funding deal, marks a major turnaround for McConnell, who for months refused to consider any new election security spending and only recently endorsed a far smaller cash infusion of $250 million. But it doesn’t include any of the election security mandates that McConnell has long resisted and that cybersecurity experts say are vital, such as paper ballots and post-election audits. Without those mandates, Democrats worry the Kremlin will still be able to upend the 2020 election by attacking the least-protected voting districts. Those concerns are also hyper-charged as intelligence and law enforcement agencies are already warning that not just Russia but also “China, Iran, and other foreign malicious actors” are all eager to compromise the election. “Mitch McConnell refused to agree to safeguards for how this funding is spent, which means state and local governments will continue buying machines with major security problems,” said Sen. Ron Wyden (D-Ore.), who has called for strict security mandates on states. “Until Congress takes steps to secure the entire election system, our democracy will continue to be vulnerable to foreign interference.” Sen. Mark Warner (D-Va.) applauded the new funding on Twitter, but warned it is “*not* a substitute for passing election security reform legislation that Senate GOP leadership has been blocking all year.”

National: $425M allocated for election security in government funding deal | Maggie Miller and Jordain Carney/The Hill

The spending deal agreed upon by House and Senate negotiators includes $425 million for states to improve their election security, two congressional source confirmed to The Hill on Monday. According to the sources, the appropriations deal, set to be made public later Monday, will also include a requirement for states to match 20 percent of the federal funds, meaning the eventual amount given to election officials to improve election security would reach $510 million. The federal funds set to be given to states through the Election Assistance Commission (EAC) represent a compromise between the amounts separately offered by the House and Senate earlier this year for election security purposes. The House included $600 million for election security efforts in its version of the fiscal 2020 Financial Services and General Government Bill, which the chamber passed earlier this year.

National: Spending Deal Allots Millions for Election Security, but Democrats Say It Isn’t Enough | Alexa Corse/Wall Street Journal

The U.S. House voted Tuesday to provide more funding to help states secure their election systems as part of a sweeping budget agreement, but Democrats argued that the compromise still doesn’t do enough to protect U.S. elections from hacking or other interference. A budget agreement would provide $425 million to help states upgrade their voting systems, lawmakers said, the largest amount for a single fiscal year in over a decade. That is part of nearly $1.4 trillion in spending which cleared the House on Tuesday and is expected to win approval from the Senate and from President Trump, preventing a possible government shutdown after Friday. The new funding represents a rare moment of agreement between top Democrats and Republicans concerning how to secure U.S. elections in the run-up to the 2020 contests, which U.S. intelligence officials repeatedly have said hostile powers remain intent on disrupting. But the issue is likely to continue to face partisan headwinds. Key Democrats continued to call for more funding and stricter standards. “This is a welcome development after months of pressure, but this money is no substitute for a permanent funding mechanism for securing and maintaining elections systems,” said Sen. Mark Warner (D., Va.), the top-ranking Democrat on the Senate Intelligence Committee. He also called for comprehensive election-security legislation that would mandate stronger standards, which he said top Republicans had blocked.

National: New federal funds for election security garner mixed reactions on Capitol Hill | Maggie Miller/The Hill

The inclusion of $425 million for election security purposes in the House and Senate-negotiated annual appropriations bill garnered mixed reactions on Capitol Hill on Tuesday, with Democrats taking issue with how states will be allowed to spend the funds. Sen. Ron Wyden (D-Ore.), one of the key Senate Democrats who has advocated strongly this year for the Senate to take action on election security, told reporters on Tuesday that it was a “huge mistake” for Congress to allow the new funds to be spent on items including voting machines that experts might not deem as secure. “Under this language they can basically spend it on a whole variety of things apparently that really don’t go to the heart of modern security,” Wyden said. “As a member of the [Senate] Intelligence Committee, I won’t talk about anything classified, but I will say that the threats we face in 2020 will make what we saw in 2016 look like small potatoes.” The funds were included in the government appropriations deal following negotiations between the House and Senate, along with a requirement that states match the federal funds by 20 percent, meaning the final amount available for election security upgrades will total $510 million.

National: Democrats want tougher language on election security in defense bill | Maggie Miller/The Hill

Democrats are complaining that the annual National Defense Authorization Act (NDAA) set for a Senate vote this week doesn’t go far enough to protect election security. The bill includes a number of provisions that would tighten security, but Democrats — who for much of the year have targeted Senate Majority Leader Mitch McConnell (R-Ky.) on the issue of election security — say it lacks key safeguards that would help prevent foreign meddling, including post-election audits of the results and requirements for states that do not use paper ballots. While the concerns won’t prevent the Senate from approving the massive bill, they are likely to lead to complaints as Democrats continue to press the issue of election security next year. “We can’t mandate that, but we could say if you want to take the federal money, you’ve got to meet these prerequisites,” Sen. Mark Warner (D-Va.), the top Democrat on the Senate Intelligence Committee, said of the paper ballot issue. “I still don’t think we’re as protected as we should be going into the 2020 election.”

National: Election, grid security provisions in defense bill | Tim Starks/Politico

Via inclusion of a multi-year intelligence authorization measure, the defense legislation issues numerous election security edicts. The legislation would establish briefings and notifications from the Director of National Intelligence and DHS to Congress, state and local governments, campaigns and parties when there’s a significant cyber intrusion or attack campaign. It would take steps to expand and speed up security clearances for election officials. It would require development of a strategy for countering foreign influence. And ODNI would have to designate a lead counterintelligence official for election security. Intel officials (often in partnership with other agencies) would have to deliver reports and assessments to Congress on past attempted and successful cyberattacks on the 2016 elections, as well as those anticipated in the future; how prepared intel agencies are to counter Russian election influence; foreign intelligence threats to U.S. elections; and Russian influence campaigns in foreign elections. The grid: House and Senate negotiators included a proposal (S. 174) from Sens. Angus King (I-Maine) and Jim Risch (R-Idaho) that would establish a program to test analog and other methods of protecting the grid from cyberattack. It would authorize the use of military construction funding to make cyber and other improvements to utility systems that serve military installations.

National: Voting-Machine Parts Made by Foreign Suppliers Stir Security Concerns | Alexa Corse/Wall Street Journal

A voting machine that is widely used across the country contains some parts made by companies with ties to China and Russia, researchers found, fueling questions about the security of using overseas suppliers, which has also sparked scrutiny in Washington. Voting-machine vendors could be at risk of using insecure components from such overseas suppliers, which generally are difficult to vet and monitor, said a report being released Monday by Interos Inc., an Arlington, Va.-based supply-chain monitoring company that has consulted for government agencies and Fortune 500 companies. The findings are likely to fan worries about whether voting-machine vendors are doing enough to defend themselves against foreign interference ahead of the 2020 U.S. elections, which U.S. intelligence officials say hostile powers could try to disrupt. Voting-machine vendors assailed the research, which Interos conducted independently, saying the report failed to note existing safeguards, such as testing done at the federal, state and local levels, and the vendors’ internal protocols. The report comes as U.S. lawmakers and national-security officials increasingly have sounded alarms about supply-chain risks. Although supply chains that span the globe are common in the tech industry, Russia and China pose concerns because of how, according to U.S. officials, they press companies for access to technology within their borders. Washington lawmakers have specifically cited voting machines as an area of concern, among such other products as telecom equipment made by Chinese firm Huawei and antivirus software from Russia-based Kaspersky Lab. Russia and China historically have denied interfering in U.S. politics. The report examined one voting machine as a case study. In that machine, around 20% of the components in the supply chain that Interos was able to identify came from China-based companies, including processors, software and touch screens, according to the Interos research. Those components weren’t necessarily made in China, as the suppliers may have several locations globally, and the Interos data doesn’t necessarily cover the entire supply chain, the researchers noted. Researchers declined to name the particular model of voting machine they examined, or its maker, citing the sensitivity of the issue. They said only that it is “widely used” in the U.S. Two major vendors, Election Systems & Software LLC and Dominion Voting Systems Corp., said they didn’t think it was one of their products.

National: The biggest tech threats to 2020 elections | Roi Carmel/VentureBeat

As our election system modernizes, securing our democratic process has become a chief concern for both U.S. legislators and voters. Just last month, the House passed the SHIELD Act, which is focused on securing our elections. But that’s not going to be enough in an era when technology is turning out entirely new attack surfaces. In 2016, the Pew Research Center put the number of electronic voting machines — also known as direct-recording electronic (DRE) devices — at 28%. The 2020 election cycle will likely show an uptick in that number. But attacking American voting booths is an obvious move, and attackers consistently follow the path of least resistance. In the case of election security, the weakest point today is critical infrastructure. It’s the framework that supports our modern democratic process, and it runs deep, from traffic light systems and mass transit to the way we receive vital news and information.

National: GOP Senator Blocks Bipartisan Election Security Bill, claims protecting election security is an ‘attack’ on Trump | Emily Singer/The American Independent

Sen. Mike Crapo (R-ID) blocked a bipartisan bill aimed at protecting elections, saying it’s ‘designed more to attack the Trump administration.’A bipartisan bill to protect American elections from foreign interference was once again blocked on Tuesday, this time by a Republican senator who claimed that the legislation was an “attack” on Donald Trump. “The mechanisms in this bill have been designed more to attack the Trump administration and Republicans than to attack the Russians and those who would attack our country and our elections,” Sen. Mike Crapo (R-ID) said of the Defending Elections from Threats by Establishing Redlines Act. The DETER Act — introduced by Sens. Chris Van Hollen (D-MD) and Marco Rubio (R-FL) — directs the head of the U.S. intelligence community to expose any foreign interference in federal elections and sanction the countries that were determined to have interfered. The bill is a response to Russia’s hacking and disinformation campaign in the 2016 election.

National: Secretaries of State Unite to Fight Election Misinformation | Jessica Mulholland/Government Technology

There’s no question — the U.S. election system is vulnerable. In fact, it’s even more vulnerable than originally reported following the 2016 election. Government executives at all levels know, and they’re working on the problem, focusing on cybersecurity, inter-agency communication, paper trails and  audits. And the National Association of Secretaries of State (NASS) is working another angle: In mid-November, it launched  #TrustedInfo2020, an education campaign that aims to fight election misinformation by encouraging citizens to“to look to their state and local election officials as the trusted sources for election information,” according to the press release. The nation’s secretaries of state, 40 of whom serve as their state’s chief election official, will guide voters directly to election officials’ websites and verified social media pages to ensure they get accurate election information. In a NASS-led Twitter chat held Dec. 12, secretaries of state from California to West Virginia — along with various groups and associations — discussed the initiative and how likely it is to make an impact.

National: Several election security provisions are in the massive defense bill | Andrew Eversden/The Fifth Domain

The National Defense Authorization Act released Dec. 9 contains several provisions aimed at securing U.S. election infrastructure months before presidential primary season is in full-swing. The provisions in the compromised conference report mandate a broad range of election-related steps, from an assessment of foreign intelligence threats to U.S. elections to allowing top state election officials to receive Top Secret security clearances. The security clearance language is good news for the information-sharing relationship between the the federal government and state election officials, who don’t have proper clearance to view high-level intelligence related to election infrastructure cyberthreats. Throughout the 2016 election, the Department of Homeland Security and the FBI had a fraught information-sharing relationship with the states. In the years since, top federal election officials have consistently said information sharing needed to be improved, and while officials say it has been, the clearance problem was still a hindrance.

National: RNC, DNC bank on Duo authentication ahead 2020 election | Shannon Vavra/CyberScoop

The Republican National Committee is relying on authentication tools and careful social media behavior in order to avoid a devastating data breach like the kind that derailed its Democratic counterparts in 2016. The RNC, which develops and promotes the party’s platform and currently supports President Donald Trump’s re-election campaign, is banking on Duo Security, which specializes in multi-factor authentication, to keep state-sponsored hackers out of party accounts, according to recent Federal Election Commission filings. Even if a user’s password credentials are stolen, an extra layer of authentication can ensure that only the legitimate account holder could access his or her communications. Since March of this year, the RNC has paid just over $1,000 per month to Duo, according to FEC filings. The RNC started using Duo in 2016, just days before the election. And it’s not just email account access the RNC is trying to protect — the RNC uses multiple layers of authentication to protect other user accounts, both personal and professional, too, according to Mike Gilding, the deputy director of information technology at the RNC. The approach reflects the urgency with which both major political U.S. parties must adopt even basic cybersecurity measures after Russian hackers accessed email accounts belonging to key members of the Democratic National Committee in 2016. Another similar attack against either party could disrupt what is shaping up to be a particularly contentious U.S. election season, as impeachment proceedings against the president move forward. The DNC and RNC have a lot to safeguard, including polling data, candidate research, campaign funding, and election strategies.

National: Russia’s efforts to target U.K. elections a stark warning for 2020 | Joseph Marks/The Washington Post

An alleged Russian influence campaign to undermine this week’s British elections shows how tough it will be to keep foreign influence out of the 2020 U.S. contest. Russian-backed accounts on Reddit actively worked to boost the trove of documents appearing to detail key U.S.-U.K. trade negotiations that have been gaining traction over the internet for months, the social sharing site revealed Saturday. It’s not clear whether the documents were leaked or hacked, but Britain’s opposition Labour Party, has been using the seemingly genuine documents to slam the ruling conservative party for considering giving U.S. companies far more influence over Britain’s popular state-run National Health Service as part of a post-Brexit trade deal. It’s yet another example of Russia’s powerful digital army allegedly seeking to influence the outcome of a Western election — and it offers a stark reminder of how influence operations can be highly effective even before they’re identified. This dramatically undermines government and industry efforts to blunt their power or hold off their spread.

National: Multistate voter database suspended in lawsuit settlement | Roxana Hegeman/Associated Press

A much-criticized database that checks whether voters are registered in multiple states has been suspended “for the foreseeable future” until security safeguards are put in place as part of a settlement of a federal lawsuit, a civil rights group said Tuesday. The Interstate Crosscheck program was the subject a class-action lawsuit by the American Civil Liberties Union of Kansas on behalf of 945 voters whose partial Social Security numbers were exposed by Florida officials through an open records request. Kansas has operated the multistate program since 2005, although the program hasn’t been used since 2017 when a Homeland Security audit discovered security vulnerabilities. The settlement includes a list of safeguards the state has agreed to implement to protect voter’s personal information before the program can resume, the ACLU said in a news release.