National: NSA: ‘We know we need to do some work’ on declassifying threat intel | Shannon Vavra/CyberScoop

One of the National Security Agency’s newly minted Cybersecurity Directorate’s goals is to quickly share information on adversarial threats with the private sector — but the process for doing that needs to be refined, the directorate’s leader said Thursday. “The process in place today is where we know we need to do some work,” Anne Neuberger said while speaking at CyberTalks, produced by CyberScoop. “When we find indications of a threat, we see planning to execute a particular operation, or we see the operation being executed. [But] because we learn about it in a classified way, we treat it as classified.” Part of the difficulty the NSA faces is that adversaries often run operations and then discard their compromised infrastructure, making a protracted declassification process nearly useless since “indicators of compromise pretty much they have a ticking time clock for how useful they are,” Neuberger said. The new directorate, which started operations earlier this month, is measuring success by examining how well it is able to prevent attacks moving forward.

National: Trolls could turn to cyber to disrupt the 2020 census | Amanda Seitz and Rachel Lerman/Fifth Domain

Worried about internet trolls and foreign powers spreading false news, census officials are preparing to battle misinformation campaigns for the first time in the count’s 230-year history. The stakes are huge. Who participates in the 2020 census count could influence how U.S. congressional seats and billions of federal tax dollars to educate children, help low-income families and pave new roads are divvied up. “It’s a fine target,” former U.S. Census Bureau director John Thompson said of the form, which is sent every decade to households in America to count the population. “If you want to disrupt a democracy, you can certainly go about it by disrupting a census.” Already, false and inaccurate social media posts about the census have begun to appear online, where they have been viewed thousands of times. Foremost on everyone’s mind are the misinformation wars waged during the last presidential election to confuse U.S. voters. Fake posts about the census began popping up days after the U.S. Supreme Court ruled in June that the Trump administration could not ask about citizenship status on the 2020 census: Conservative bloggers, Twitter users and pundits falsely blamed former President Barack Obama for scrubbing the question from the form in 2010. In fact, the main census form hasn’t included a citizenship question since 1950, and the bureau’s own analysis found it would discourage people from participating, possibly skewing results.

National: Senate Intelligence report triggers new calls for action on election security | Maggie Miller/The Hill

Democrats are renewing their calls for Senate action on election security measures following the release of a Senate Intelligence Committee report that found the Kremlin directed Russian efforts to interfere in the 2016 presidential election. The party has repeatedly gone after Senate Majority Leader Mitch McConnell (R-Ky.) for imposing obstacles to action on election security, a point underscored once again in the wake of the bipartisan Intelligence report. McConnell was “blocking a full-throated U.S. response” by stopping various election security bills from being brought up in the Senate and burying them “in his legislative graveyard,” Senate Minority Leader Charles Schumer (D-N.Y.) charged in a statement. Sen. Michael Bennet (D-Colo.), a member of the Senate Intelligence Committee and a 2020 presidential candidate, called on McConnell to allow votes on election security legislation.

National: Internet Group Says Most U.S. Presidential Candidates Have Cybersecurity Flaws | Sintia Radu/US News

Moire than three years after media reports disclosed hackers were interfering in the 2016 U.S. presidential race to influence voters, most of the country’s candidates in the 2020 presidential election are struggling with cybersecurity issues, according to a nonpartisan group focused on internet standards. A majority of the 23 candidates in the race for the White House failed to meet the privacy and security standards set by the Internet Society’s Online Trust Alliance (OTA), according to the group’s audit released this week. The findings are the latest to show the increasing pressure countries are facing to preserve online security during elections, as well as in their industries and infrastructure. The research by the OTA examined how well the 23 Democratic, Republican and Independent candidates are handling online security challenges in their campaigns. Just seven of the 23 politicians scored 80% or higher in campaign cybersecurity, meaning researchers found no failures in the three areas examined: privacy, website security and consumer protection. Weaknesses ensuring the data privacy of users accessing the candidate’s online platforms raised the most red flags, researchers found.

National: Study links Russian tweets to release of hacked emails | Tami Abdollah/Associated Press

Russia’s interference in the 2016 U.S. election has generally been seen as two separate, unrelated tracks: hacking Democratic emails and sending provocative tweets. But a new study suggests the tactics were likely intertwined. On the eve of the release of hacked Clinton campaign emails, Russian-linked trolls retweeted messages from thousands of accounts on both extremes of the American ideological spectrum. Those retweets increased the odds selected Twitter users would be online and able to express outrage when the next day on Oct. 7, details such as the revelation that Clinton may have had early access to a primary debate question were released. Those retweets also brought those lesser-known users a wider audience, encouraging them to tweet more, and ultimately helping polarize American public debate.

National: Bipartisan Senate report calls for sweeping effort to prevent Russian interference in 2020 election | Craig Timberg and Tony Romm/The Washington Post

A bipartisan panel of U.S. senators Tuesday called for sweeping action by Congress, the White House and Silicon Valley to ensure social media sites aren’t used to interfere in the coming presidential election, delivering a sobering assessment about the weaknesses that Russian operatives exploited in the 2016 campaign. The Senate Intelligence Committee, a Republican-led panel that has been investigating foreign electoral interference for more than 2½ years, said in blunt language that Russians worked to damage Democrat Hillary Clinton while bolstering Republican Donald Trump — and made clear that fresh rounds of interference are likely ahead of the 2020 vote. “Russia is waging an information warfare campaign against the U.S. that didn’t start and didn’t end with the 2016 election,” said Sen. Richard Burr (R-N.C.), the committee’s chairman. “Their goal is broader: to sow societal discord and erode public confidence in the machinery of government. By flooding social media with false reports, conspiracy theories, and trolls, and by exploiting existing divisions, Russia is trying to breed distrust of our democratic institutions and our fellow Americans.”

National: House Democrats introduce new legislation to combat foreign election interference | Maggie Miller/The Hill

A group of House Democrats led by Administration Committee Chairwoman Zoe Lofgren (Calif.) on Tuesday introduced new legislation aimed at combating foreign efforts to interfere in U.S. elections. The SHIELD Act would require campaigns to report “illicit offers” of election assistance from foreign governments or individuals to both the FBI and the Federal Election Commission (FEC), and also take steps to ensure that political advertisements on social media are subject to the same stricter rules as ads on television or radio. The bill classifies the “offering of non-public campaign material to foreign governments and those linked with foreign governments and their agents as an illegal solicitation of support,” while also closing gaps that allow foreign investment in aspects of U.S. elections. The bill is also sponsored by House Judiciary Committee Chairman Jerrold Nadler (D-N.Y.), along with Reps. John Sarbanes (D-Md.), Derek Kilmer (D-Wash.), Stephanie Murphy (D-Fla.), Jamie Raskin (D-Md.), Susan Davis (D-Calif.), G. K. Butterfield (D-N.C.), Marcia Fudge (D-Ohio), Pete Aguilar (D-Calif.), A. Donald McEachin (D-Va.) and Tom Malinowski (D-N.J.). Lofgren in a statement heavily criticized President Trump and his administration for “welcoming” foreign interference in U.S. elections.

National: Cybersecurity and Democracy Collide: Locking Down Elections | Andrew Westrope/Governing

When asked at a congressional hearing if Russia would attack U.S. election systems again in 2020, Special Counsel Robert Mueller was unequivocal: “It wasn’t a single attempt,” he said. “They’re doing it as we sit here, and they expect to do it during the next campaign.” Presidential campaigns are now underway, and election systems are still vulnerable. From voter registration databases to result-reporting websites to the voting machines themselves, researchers have identified soft spots across the system for hackers to exploit, meaning cybersecurity is now a front line of defense for American democracy. There are many parties working on this problem — secretaries of state, the Department of Homeland Security (DHS), EI-ISAC (Elections Infrastructure Information Sharing and Analysis Center), various nonprofits and private companies — and a few common refrains between them. They’re all pushing for paper ballots, vulnerability screenings, staff training, contingency plans, audits and, above all, more consistent funding. And they all have the same basic message for state and local officials: The security of our elections is riding on you.

National: Foreign interference is coming in the 2020 election whether Trump asks for it or not | Mark Porubcansky/MinnPost

Forget about China helping President Trump smear Joe Biden and his son. Or Ukraine doing so. Or any foreign country with reasonably sane leadership. Foreign interference in next year’s election, if it occurs, is likely to take a more familiar route. Here’s one possibility: Several countries, each with a lot at stake and all using Russia’s 2016 hacking and disinformation playbook, line up on opposite sides of the election. North Korea and Saudi Arabia, for instance, might trying to help Trump get re-elected while Iran tries to help his opponent. The Russians never really shut down, as Special Counsel Robert Mueller stressed in his testimony to Congress in July. China is highly capable, as well, and has a strong interest in who wins the election. Even if no one manages the 2020 equivalent of hacking the Democratic National Committee, they could sow doubt and disgust toward what’s already shaping up to be a very dirty campaign.

National: Iranian Hackers Target Trump Campaign as Threats to 2020 Mount | Nicole Perlroth and David E. Sanger/The New York Times

The 2020 presidential election is still 13 months away, but already Iranians are following in the footsteps of Russia and have begun cyberattacks aimed at disrupting the campaigns. Microsoft said on Friday that Iranian hackers, with apparent backing from the government, had made more than 2,700 attempts to identify the email accounts of current and former United States government officials, journalists covering political campaigns and accounts associated with a presidential campaign. Though the company would not identify the presidential campaign involved, two people with knowledge of the hacking, who were not allowed to discuss it publicly, said it was President Trump’s. In addition to Iran, hackers from Russia and North Korea have started targeting organizations that work closely with presidential candidates, according to security researchers and intelligence officials. “We’ve already seen attacks on several campaigns and believe the volume and intensity of these attacks will only increase as the election cycle advances toward Election Day,” said Oren Falkowitz, the chief executive of the cybersecurity company Area 1, in an interview.

National: Iranian attacks expose vulnerability of campaign email accounts | Maggie Miller/The Hill

A recent hacking attempt by Iran targeting a U.S. presidential campaign highlighted the vulnerability of email accounts heading into the 2020 elections. Microsoft revealed last week that it had tracked an Iranian group named “Phosphorus” attempting to access the email accounts of an unnamed presidential campaign, along with accounts tied to journalists and former and current U.S. officials. While the group compromised only four accounts, it identified 2,700 accounts for targeting and attacked 241 of them. The accounts associated with the unnamed presidential campaign, which Reuters identified as the Trump campaign, were not successfully compromised. The Trump campaign told The Hill they had “no indication that any of our campaign infrastructure was targeted.” Tom Kellermann, who served on a presidential cybersecurity commission during the Obama administration, said campaigns should ensure “modern cybersecurity technologies” are being used to insulate endpoints, and that “websites and mobile apps should be tested for vulnerabilities and hardened accordingly.” But even if campaigns take those steps, Kellermann said, rising tensions between the U.S. and Iran could lead to attacks on other aspects of campaigns and elections.

National: Why over 130,000 new voting machines could lead to more distrust in U.S. elections | Steven Rosenfeld/Salon

cross America, counties and states have acquired at least 130,000 new precinct voting machines that will debut in 2020’s primaries — including areas that can sway national elections. But the machines are controversial, splitting independent experts and election activists on issues that will likely affect public trust and confidence. Those key issues concern the transparency of voting and counting votes, whether reported election results can be double-checked and what role local election boards should play after Election Day to judge voter intent on ballots during challenges and recounts. The boosters of these new voting machines, called ballot-marking devices (BMDs), say that these touch-screen computers printing completed ballots will make voting simpler and more trustworthy. They say that is especially true for infrequent voters and voters with disabilities. They also say that automating ballots will end vote-counting fights — because printing completed ballots will eliminate that jury-like process, which BMD salesmen tout.

National: Hacking a voting machine is getting easier | Brooke Crothers/Fox News

At the world’s premier hackers convention, hacking a voter system was as easy as ever, according to media reports. A summary of the “Voting Village” event posted last week said hackers at Defcon “compromised every single machine over the 2.5-day event, many of them with trivial attacks that require no sophistication or special knowledge on the part of the attacker.” “In most cases, vulnerabilities could be exploited under election conditions surreptitiously…an attack that could compromise an entire jurisdiction could be injected in any of multiple places,” according to a full version of the report. In many cases, physical ports were unprotected, passwords were either left unset or in their default configuration and security features went unused or in some cases, were disabled, the report added. Attendees were given access to over 100 machines at the event, including direct-recording electronic voting machines, electronic poll books, Ballot Marking Devices, Optical scanners and hybrid systems. One machine, based on an old PC hardware, had no BIOS password set on the machine. The BIOS (Basic Input Out System) controls the basic functions of a PC.

National: Former officials flag disinformation as top threat to U.S. elections | Derek B. Johnson/FCW

Two top former national security officials believe that disinformation campaigns may pose a greater long-term threat to election infrastructure than cybersecurity risks. “Securing the voting apparatus … that’s hugely important, but that to me at least is one bin of the problem,” said former Director of National Intelligence James Clapper while speaking at an Oct. 2 Washington Post event. “The other bin is what I would call, for lack of a better term, intellectual security, meaning how do you get people to question what they read, see and hear on the internet? And this where the Russians exploited our divisiveness by using social media, so that part of the problem I’m not sure about.” Clapper said that when it comes to protecting voting machines and other election infrastructure, agencies like the FBI, Department of Homeland Security, National Security Agency and others have “done a lot” since 2016.

National: US Officials Not Taking Putin Election Comments Lightly | Jeff Seldin/VoA News

U.S. security officials are not laughing at the latest comments by Russian President Vladimir Putin about the Kremlin’s attempts to interfere in U.S. elections. Putin, speaking at an economic forum in Moscow Wednesday, dismissed U.S. allegations that Russia meddled in both the 2016 U.S. presidential election and the 2018 mid-term election as “ridiculous.” “Or it would be ridiculous if it was not that sorrowful, because all we see now in the U.S. domestic politics ruins Russia-U.S. relations, and I am sure it harms the United States itself, too,” Putin said. “I’m telling you as a secret – yes, we will definitely do it (meddle in next year’s U.S. presidential election) in order to deliver you the best of fun,” Putin joked with the audience. “Just don’t tell anyone.” Despite Putin’s comments, U.S. security and intelligence officials have said, consistently, that they have seen indications Russia will try to interfere with the upcoming 2020 presidential elections.

National: US diplomats told Zelenskiy that Trump visit was dependent on Biden statement | Julian Borger and Lauren Gambino/The Guardian

US diplomats told Ukraine’s president, Volodymyr Zelenskiy, that a prestigious White House visit to meet Donald Trump was dependent on him making a public statement vowing to investigate Hunter Biden’s company, and a Ukrainian role in the 2016 elections, according to texts released on Thursday night. The texts, released by three congressional committees holding impeachment hearings, show that the diplomats made clear that any improvement in Kyiv’s relations with Washington would be dependent on Zelenskiy’s cooperation in Trump’s quest to find damaging material about son of his leading political opponent, and on the Democrats in general. In August, Zelenskiy’s government became aware, through a US press report, that military aid for its struggle with Russia, had been withheld by Trump, in an apparent effort to increase the pressure on the Ukrainian government. The texts are exchanges from July to early September between three US diplomats – Gordon Sondland, the ambassador to the European Union, Kurt Volker, the then special envoy on Ukraine, and Bill Taylor, the acting ambassador to Kyiv. Trump’s personal lawyer, Rudy Giuliani and a Zelenskiy aide, Andrey Yermak, also make brief appearances in the correspondence.

National: Hacker conference report details persistent vulnerabilities to US voting systems | Maggie Miller/The Hill

U.S. voting systems remain vulnerable to cyberattacks three years after documented efforts to penetrate election machines, according to a report released Thursday. The report is based on the findings of the white-hat hacker DEF CON Voting Village, an annual gathering of hackers that uses election machines to find vulnerabilities that could allow someone to interfere with the voting process. This year’s event allowed hackers to test voting equipment, including e-poll books, optical scan paper voting devices and direct recording electronic voting machines — all certified for use in at least one U.S. voting jurisdiction. “Voting Village participants were able to find new ways, or replicate previously published methods, of compromising every one of the devices in the room in ways that could alter stored vote tallies, change ballots displayed to voters, or alter the internal software that controls the machines,” the report said. Despite the “disturbing” findings of the report, the authors wrote that the findings were “not surprising,” particularly in light of the fact that many of the election equipment cyber vulnerabilities found were “reported almost a decade earlier.” Equipment that was tested included those made by leading voting machines companies Election Systems and Software (ES&S) and Dominion Systems.

National: Some Voting Machines Still Have Decade-Old Vulnerabilities | Lily Hay Newman/WIRED

In three short years, the Defcon Voting Village has gone from a radical hacking project to a stalwart that surfaces voting machine security issues. This afternoon, its organizers released findings from this year’s event—including urgent vulnerabilities from a decade ago that still plague voting machines currently in use. Voting Village participants have confirmed the persistence of these flaws in previous years as well, along with a raft of new ones. But that makes their continued presence this year all the more alarming, underscoring how slow progress on replacing or repairing vulnerable machines remains. Participants vetted dozens of voting machines at Defcon this year, including a prototype model built on secure, verified hardware through a Defense Advanced Research Projects Agency program. Today’s report highlights detailed vulnerability findings related to six models of voting machines, most of which are currently in use. That includes the ES&S AutoMARK, used in 28 states in 2018, and Premier/Diebold AccuVote-OS, used in 26 states that same year.

National: Hacking 2020 voting systems is a ‘piece of cake’ | Lisa Vaas/Naked Security

It’s still child’s play to pick apart election systems that will be used in the 2020 US presidential election, as ethical hackers did, once again, over the course of two and a half days at the Voting Village corner of the DefCon 27 security conference in August. The results are sobering. This is the third year they’ve been at it, and security is still abysmal. On Thursday, Voting Village organizers went to Capitol Hill to release their findings, in an event attended by election security funding boosters Sen. Ron Wyden and Rep. Jackie Speier. In a nutshell: in August, hackers easily compromised every single one of the more than 100 machines to which they were given access, many with what they called “trivial attacks” that required “no sophistication or special knowledge on the part of the attacker.” They didn’t get their hands on every flavor of voting system in use in the country, but every one of the machines they compromised is currently certified for use in at least one voting jurisdiction, including direct-recording electronic (DRE) voting machines, electronic poll books, Ballot Marking Devices (BMDs), optical scanners and hybrid systems.

National: With Sanctions on Russians, U.S. Warns Against Foreign Election Meddling | Lara Jakes/The New York Times

The United States issued new economic sanctions on Monday against seven Russians linked to an internet troll factory in what Secretary of State Mike Pompeo called a warning to foreigners who seek to interfere in American elections. The penalties were announced as Congress is investigating whether President Trump tried to enlist Ukraine’s leader in a political smear campaign against one of his top Democratic challengers in 2020, former Vice President Joseph R. Biden Jr. “We have been clear: We will not tolerate foreign interference in our elections,” Mr. Pompeo said in a sharp statement. “The United States will continue to push back against malign actors who seek to subvert our democratic processes,” Mr. Pompeo continued, “and we will not hesitate to impose further costs on Russia for its destabilizing and unacceptable activities.” The Treasury Department said the sanctions sought to punish attempts to influence the 2018 midterm elections, in which Democrats won control of the House. Early last year, the Justice Department indicted 13 Russians and companies linked to the Internet Research Agency on charges of meddling in the 2016 presidential election.

National: Trump told Russian officials in 2017 he wasn’t concerned about Moscow’s interference in U.S. election | Shane Harris, Josh Dawsey and Ellen Nakashima/The Washington Post

President Trump told two senior Russian officials in a 2017 Oval Office meeting that he was unconcerned about Moscow’s interference in the 2016 U.S. presidential election because the United States did the same in other countries, an assertion that prompted alarmed White House officials to limit access to the remarks to an unusually small number of people, according to three former officials with knowledge of the matter. The comments, which have not been previously reported, were part of a now-infamous meeting with Russian Foreign Minister Sergei Lavrov and Russian Ambassador Sergey Kislyak, in which Trump revealed highly classified information that exposed a source of intelligence on the Islamic State. He also said during the meeting that firing FBI Director James B. Comey the previous day had relieved “great pressure” on him. A memorandum summarizing the meeting was limited to a few officials with the highest security clearances in an attempt to keep the president’s comments from being disclosed publicly, according to the former officials, who spoke on the condition of anonymity to discuss sensitive matters. The White House’s classification of records about Trump’s communications with foreign officials is now a central part of the impeachment inquiry launched this week by House Democrats. An intelligence community whistleblower has alleged that the White House placed a record of Trump’s July 25 phone call with Ukraine’s president, in which he offered U.S. assistance investigating his political opponents, into a code-word classified system reserved for the most sensitive intelligence information.

National: Democrats seize on whistleblower report to push for election security | Maggie Miller/The Hill

Democrats renewed their push for election security legislation after a stark warning from acting Director of National Intelligence Joseph Maguire and the release of a whistleblower complaint about President Trump’s call with Ukraine’s leader. Maguire on Thursday warned that the “greatest challenge” the U.S. is facing is “maintaining the integrity of our election system” and said “there are foreign powers that are trying to get us to question the validity of whether or not our elections are valid. “The intelligence official made the comment during testimony before the House Intelligence Committee on Thursday about a whistleblower complaint alleging that Trump tried to persuade Ukraine to mount a corruption investigation against former Vice President Joe Biden, the current front-runner for the Democratic nomination. Democrats also highlighted a section in the whistleblower complaint that Trump’s actions could pose “risks to U.S. national security and undermine the U.S. Government’s efforts to deter and counter foreign interference in U.S. elections.” The two events have bolstered the need for election security legislation, these Democrats argued, not long after former special counsel Robert Mueller’s report highlighted Russia’s efforts to interfere in the 2016 elections. “The President again, just [as] he did in 2016, sought out assistance from a foreign power to help in his reelection,” House Homeland Security Committee Chairman Bennie Thompson (D-Miss.) said in a statement on Thursday. “This is election interference, plain and simple. The President has continually and persistently undermined the integrity of our elections and our democracy.”

National: Russian Secret Weapon Against U.S. 2020 Election Revealed In New Cyberwarfare Report | Zak Doffman/Forbes

The FBI has warned that “the threat” to U.S. election security “from nation-state actors remains a persistent concern,” that it is “working aggressively” to uncover and stop, and the U.S. Director of National Intelligence has appointed an election threats executive, explaining that election security is now “a top priority for the intelligence community—which must bring the strongest level of support to this critical issue.” With this in mind, a new report from cybersecurity powerhouse Check Point makes for sobering reading. “It is unequivocally clear to us,” the firm warns, “that the Russians invested a significant amount of money and effort in the first half of this year to build large-scale espionage capabilities. Given the timing, the unique operational security design, and sheer volume of resource investment seen, Check Point believes we may see such an attack carried out near the 2020 U.S. Elections.” None of which is new—it would be more surprising if there wasn’t an attack of some sort, to some level. What is new, though, is Check Point’s unveiling of the sheer scale of Russia’s cyberattack machine, the way it is organised, the staggering investment required. And the most chilling finding is that Russia has built its ecosystem to ensure resilience, with cost no object. It has formed a fire-walled structure designed to attack in waves. Check Point believes this has been a decade or more in the making and now makes concerted Russian attacks on the U.S. “almost impossible” to defend against. The new research was conducted by Check Point in conjunction with Intezer—a specialist in Genetic Malware Analysis. It was led by Itay Cohen and Omri Ben Bassat, and has taken a deep dive to get “a broader perspective” of Russia’s threat ecosystem. “The fog behind these complicated operations made us realize that while we know a lot about single actors,” the team explains, “we are short of seeing a whole ecosystem.”

National: After Resisting, McConnell and Senate G.O.P. Back Election Security Funding | Carl Hulse/The New York Times

Facing mounting criticism for blocking proposals to bolster election security, Senator Mitch McConnell on Thursday threw his weight behind a new infusion of $250 million to help states guard against outside interference in the 2020 voting. Mr. McConnell, Republican of Kentucky and the majority leader, has been under regular attack from both Democrats and a conservative group for refusing to allow the Senate to vote on various election security proposals, some of them bipartisan, despite dire warnings from the intelligence community that Russia is already trying to replicate the elaborate meddling campaign it carried out during the 2016 presidential contest. The additional funding, Mr. McConnell said in announcing his support, “will bring our total allocation for election security — listen to this — to more than $600 million since fiscal 2018.” The money was quickly approved by the Appropriations Committee later Thursday. Though Mr. McConnell has embraced other seemingly derogatory nicknames over the years, he was incensed at being called “Moscow Mitch” by those who claimed his opposition showed he was willing to accept foreign election interference because it had benefited his own party by helping to elect President Trump, despite the senator’s long record of taking a hard line against Russia.

National: For latest election security moves, the devil is in the details | Derek B. Johnson/FCW

Last week it looked like a logjam was cleared on election security. The Senate approved $250 million in funding to states to secure election infrastructure ahead of 2020. Microsoft announced it would continue supporting Windows 7, the soon-to-be-obsolete operating system used on voting machines in thousands of jurisdictions, throughout the 2020 election cycle. Additionally, the Election Assistance Commission met to discuss its latest security standards for voting machines. While new federal dollars for election security are welcome, experts caution that more money might be required and more direction is needed on how to spend the money in the form of new legislation to put smart policy behind congressional outlays. The Brennan Center for Justice estimates the cost of replacing all paperless voting machines in the country at $734 million over five years. When added to the costs estimated to tackle other problems like protecting voter registration data, implementing post-election audits and extending cybersecurity assistance to state and local governments, the total price comes out to more than $2.1 billion. According to research from the OSET Institute, software licenses, maintenance fees and other costs to support voting machines past their first year are hard to quantify and can end up costing more than the initial equipment purchase. Contract language tends to leave the timing, nature and additional costs of such updates at the discretion of voting machine manufacturers.

National: McConnell’s support for election security funding is just the start of a big fight | Joseph Marks/The Washington Post

Senate Majority Leader Mitch McConnell (R-Ky.) partially relented yesterday in the fight over election security by throwing his support behind a $250 million infusion of cash for state election officials. But that concession is likely just the start of what could be a battle royal in Congress. Democrats, who have derided McConnell as “Moscow Mitch” for blocking progress on election security after the Russian interference in the 2016 election, were already arguing the majority leader had only embraced a half measure. McConnell signed on to a measure, which is expected to be approved as part of a must-pass spending bill, to provide cash to states to upgrade their election systems, but it doesn’t mandate how it should be spent. Senate Minority Leader Chuck Schumer (D-N.Y.) took to the Senate floor to bemoan the language supported by McConnell for not requiring changes such as paper ballots and post-election security audits experts say are vital to thwart hackers from Russia and elsewhere. “It doesn’t include a single solitary reform that virtually everyone knows we need, but it’s a start,” Schumer said. A bill that delivers money for election security but doesn’t mandate any particular fixes is a good bargain for McConnell and many Republicans who are wary of expanding federal authority over state and local-run elections — and who fear blowback from President Trump if they talk too much about Russia’s 2016 hacking and influence operation aimed at helping Trump’s election.

National: Senate’s Election Security Funding Bill Leaves Election Assistance Commission Strapped for Cash | Courtney Buble/Government Executive

he cash-strapped, understaffed federal agency responsible for promoting voting machine security standards and best practices for election administration will receive very little new funding under a Senate appropriations bill aimed at bolstering election security. Bowing to pressure from Democrats and some Republicans, Senate Majority Leader Mitch McConnell last week reversed course and said he would support legislation aimed at preventing foreign interference in U.S. elections. On Sept. 19, the Senate Appropriations Committee reported out the “Financial Services and General Government Appropriations Act of 2020” (S.2524), which includes funding for $250 million in election security grants for state and local election administrators. But the bill includes almost no new funds for the Election Assistance Commission, the severely understaffed and underfunded agency that serves as a clearinghouse for information about voting machine security standards and administrative best practices. Under the Senate legislation, EAC would receive $11,995,000 in 2020, about $2 million more than it received in 2019, however $1.5 million of that would be transferred to the National Institute for Standards and Technology to develop voluntary state voting system guidelines, and another  $2.4 million is designated for the EAC’s relocation to new offices.

National: States try to combat election interference as Washington deadlocks | Evan Halper/ Los Angeles Times

With the White House and Congress paralyzed over how — or even whether — to act on intelligence agency warnings about foreign interference in U.S. elections, Maryland opted to take matters into its own hands. The state adopted transparency rules for political advertising on Facebook, Twitter and elsewhere online. The pioneering move drew praise from election reformers as a blow against foreign meddling. Then came the backlash. And it wasn’t from Russia. Newspaper publishers hauled the state into federal court. The new rules ran afoul of the 1st Amendment and created burdens on media organizations that could push struggling local papers under, they protested. Even one of the world’s most vocal advocates for transparency, the Reporters Committee for Freedom of the Press, joined the objectors. Along with the Washington Post, Associated Press and others, they successfully blocked the state’s effort in federal court.

National: EAC says it won’t de-certify voting systems running old versions of Windows | Sean Lyngaas/CyberScoop

The U.S. Election Assistance Commission has told lawmakers that it will not de-certify certain voting systems that use outdated Microsoft Windows systems, a disclosure that highlights the challenge of keeping voting equipment secure after a vendor ceases offering support for a product. While a voting system would fail certification if it were running software that wasn’t supported by a vendor, the act of de-certifying the system is cumbersome and “has wide-reaching consequences, affecting manufacturers, election administration at the state and local levels, as well as voters,” EAC commissioners wrote in a letter to the Committee on House Administration that CyberScoop obtained. To pass certification, voting vendors must meet a series of specifications outlined in the Voluntary Voting Systems Guidelines (VVSG), a set of standards that the EAC has been slow to update. In response to questions from the committee’s staff, EAC commissioners said the laborious de-certification process can be initiated if there is credible information that a voting system no longer complies with the guidelines. However, in the case of Election Systems & Software, the country’s largest voting vendor, for example, the EAC said it didn’t have “grounds to decertify any ES&S product that uses software that is no longer supported by a third-party vendor.” The commissioners also said that there is no stipulation for how far into the future operating systems must support security patches for them to be certified.

National: EAC parting ways with embattled top staffer | Eric Geller/Politico

The embattled executive director of the Election Assistance Commission, whose tenure has been marked by internal turmoil, will not serve another term, two government employees with knowledge of the decision told POLITICO. While the departure of Brian Newby will remove a controversial figure from one of the federal agencies charged with helping states secure their election systems, the shakeup will likely further hamper its mission ahead of the 2020 election, which intelligence officials say hackers working for Russia and other U.S. adversaries will once again attempt to disrupt. EAC commissioners voted over the weekend of Sept. 7-8 not to reappoint Newby for four more years, according to an agency staffer and a House aide, who declined to be named because of the sensitivity of the issue. The commissioners also voted not to retain Cliff Tatum, the agency’s general counsel. Both men joined the EAC on Oct. 22, 2015. The vote on the two appointments was 2-2, splitting the Democratic and Republican commissioners, said the House aide. A decision to reappoint them would have required a majority. The vote came three months after a POLITICO story about how Newby has faced extensive criticism from inside and outside the EAC for undermining its election security work and ignoring, micromanaging and mistreating staff.