National: The 2020 election will be the country’s biggest cybersecurity test ever | Joseph Marks/The Washington Post

What will be the biggest cybersecurity story of the year? You hardly have to ask. The 2020 election probably is the most anticipated event in U.S. history when it comes to digital security. Russia’s hacking and disinformation campaign to interfere in the last presidential election shook the nation’s confidence in the U.S. democratic process and rocketed cybersecurity into the mainstream of Washington’s political life. Top questions now are not just when but how Russia will try to interfere in the approaching presidential election and whether it will be emboldened by the fact it has yet to face any significant consequences — and, of course, whether other U.S. adversaries will jump into the fray. “Nobody has really punished them for it and the reality is our adversaries are constantly pushing the envelope,” John Hultquist, director of intelligence analysis at the cybersecurity firm FireEye, told me. “They see what they can get away with and then they push the envelope again.” If the election concludes without a security disaster that compromises the results or undermines public confidence in them, that will be a victory for solid planning, education and more than $900 million spent on digital election defense since 2016. If it’s disrupted, however, it will be a drastic blow to faith in democracy and to the idea the United States can set any red lines in cyberspace that our adversaries won’t cross.

National: Facebook data misuse and voter manipulation back in the frame with latest Cambridge Analytica leaks | Natasha Lomas/TechCrunch

More details are emerging about the scale and scope of disgraced data company Cambridge Analytica’s activities in elections around the world — via a cache of internal documents that’s being released by former employee and self-styled whistleblower, Brittany Kaiser. The now shut down data modelling company, which infamously used stolen Facebook data to target voters for President Donald Trump’s campaign in the 2016 U.S. election, was at the center of the data misuse scandal that, in 2018, wiped billions off Facebook’s share price and contributed to a $5BN FTC fine for the tech giant last summer. However plenty of questions remain, including where, for whom and exactly how Cambridge Analytica and its parent entity SCL Elections operated; as well as how much Facebook’s leadership knew about the dealings of the firm that was using its platform to extract data and target political ads — helped by some of Facebook’s own staff. Certain Facebook employees were referring to Cambridge Analytica as a “sketchy” company as far back as September 2015 — yet the tech giant only pulled the plug on platform access after the scandal went global in 2018. Facebook CEO Mark Zuckerberg has also continued to maintain that he only personally learned about CA from a December 2015 Guardian article, which broke the story that Ted Cruz’s presidential campaign was using psychological data based on research covering tens of millions of Facebook users, harvested largely without permission. (It wasn’t until March 2018 that further investigative journalism blew the lid off the story — turning it into a global scandal.)

National: DHS issues bulletin warning of potential Iranian cyberattack | Maggie Miller/The Hill

The Department of Homeland Security (DHS) released a bulletin this week through its National Terrorism Advisory System warning of Iran’s ability to carry out cyberattacks with “disruptive effects” against critical U.S. infrastructure. In the bulletin, sent in the wake of the U.S. airstrike that killed Iranian Quds Force commander Gen. Qassem Soleimani, DHS noted that while there is currently “no information indicating a specific, credible threat to the Homeland,” Iran does have the ability to attack the U.S. in cyberspace. “Previous homeland-based plots have included, among other things, scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.- based targets,” DHS wrote in the bulletin. The agency noted that “Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.” Acting DHS Secretary Chad Wolf tweeted Saturday that the bulletin was intended to “inform & reassure the American public, state/local governments & private partners that DHS is actively monitoring & preparing for any specific, credible threat, should one arise.”

National: Election vendors executives head to the Hill | Tim Starks/Politico

he House Administration Committee will start off the new year with a bang on Thursday when it convenes a hearing with the presidents of the three largest election technology vendors. Testifying on the first panel of the hearing, the committee told MC, are Tom Burt, president and CEO of Election Systems & Software; John Poulos, president and CEO of Dominion Voting Systems; and Julie Mathis, president and CFO of Hart InterCivic. The major vendors have sent lower-level representatives to congressional hearings in the past, but this is the first time that all three top executives have testified together, a House aide told MC. The timing is auspicious: the presidential primary season, which begins in just a few weeks, represents a high-profile test of many states’ new paper-backed electronic voting machines. Vendor oversight has been a top concern of voting security experts and activists, because the three largest firms have historically shunned transparency, downplayed security concerns and threatened competitors with lawsuits. House Administration Chairwoman Zoe Lofgren (D-Calif.) first told POLITICO that she was planning this hearing in August, after a bipartisan group of activist organizations pressed her panel and its Senate counterpart to scrutinize the vendors more closely. After vendor executives testify, the Administration Committee will hear from a trio of experts, according to the witness list shared with MC. They are Liz Howard from the Brennan Center for Justice, Georgetown University professor Matt Blaze and University of Florida professor Juan Gilbert.

National: Cyber attacks and electronic voting errors threaten 2020 outcome, experts warn | Peter Stone/The Guardian

Potential electronic voting equipment failures and cyber attacks from Russia and other countries pose persistent threats to the 2020 elections, election security analysts and key Democrats warn. In November significant electronic voting equipment problems occurred in an election in the vital battleground state of Pennsylvania, sparking a lawsuit by advocacy groups charging the state is using insecure electronic voting machines. Other key states like Florida and North Carolina which experienced voting problems in 2016 and Georgia which had serious equipment problems in 2018, are being urged to take precautions to curb new difficulties in 2020, say election analysts. The Brennan Center’s electoral reform program last month released a study that stressed testing backup systems and electronic voting equipment before the primaries and next November’s general election was needed to reduce risks of cyber attacks and equipment failures, and offered guidance about ways to recover from attacks or malfunctions. In response to these and other threats, Congress in December added $425m for election related spending, including security measures, to a massive $1.4tn spending bill for 2020.

National: Election Security At The Chip Level | Andy Patrizio/Semiconductor Engineering

Technological advances have changed every facet of our lives, from reading to driving to cooking, but one task remains firmly rooted in 20th-century technology — voting. Electronic voting remains doggedly unavailable to most, and almost always unusable to those who have it. For more than a decade, it seems every election is accompanied by numerous reports of voting machine problems. The most common issue involves machines changing votes. It has happened in numerous states, and even to Ellen Swenson, chief analyst for the Election Integrity Project, a non-partisan California group seeking to preserve election integrity. It’s not easy when two separate voting machines in Riverside County, where Swenson resides, recorded incorrect votes. At least that machine worked. “So many have said they’ve gone to polls and the machines break down. That’s another thing that hurt the subject. There were so many broken machines across [Los Angeles] County in 2018 and none were fixed, so LA had to use paper ballots,” she said. For some people, the old paper punch ballot is actually preferable, said Swenson. “There is a whole set of challenges, philosophically and psychologically. The idea of connecting to the Internet scares some people, their fear of the privacy of their vote being compromised, or hacking it and changing the results. There’s a real psychological wall to climb,” she said.

National: America Won’t Give Up Its Hackable Wireless Voting Machines | Kartikay Mehrotra/Bloomberg

After Russian hackers made extensive efforts to infiltrate the American voting apparatus in 2016, some states moved to restrict internet access to their vote-counting systems. Colorado got rid of barcodes used to electronically read ballots. California tightened its rules for electronic voting machines that can go online. Ohio bought new voting machines that deliberately excluded wireless capabilities. Michigan went in a different direction, authorizing as much as $82 million for machines that rely on wireless modems to connect to the internet. State officials justified the move by saying it is the best way to satisfy an impatient public that craves instantaneous results. The problem is, connecting election machines to the public internet, especially wirelessly, leaves the whole system vulnerable, according to cybersecurity experts. So Michigan’s new secretary of state is considering using some of the state’s $10 million in federal election funds to rip out those modems before the March presidential primary. “The system we inherited is not optimal for security since our election equipment can and has connected to the internet,” said Jocelyn Benson, who won election as secretary of state and took office in January 2019. She convened a committee of cybersecurity experts to evaluate the state election system’s vulnerabilities. “If that’s what the committee recommends, we’ll take them out.”

National: Election Infrastructure Remains Vulnerable to Attacks | Diane Ritchey/Security Magazine

In 10 months, U.S. citizens will elect a new president (or re-elect a current one). As the race heats up and election day nears, a key component of the U.S. election infrastructure remains vulnerable to attack. Only five percent of the country’s largest counties are protecting their election officials from impersonation, according to an analysis by Valimail. The rest are vulnerable to impersonation, meaning their domains could become the vectors for cyberattacks and misinformation campaigns. According to Seth Blank, director of industry initiatives for Valimail, “This is a problem because the overwhelming majority of cyberattacks can be traced to impersonation-based phishing emails. In the corporate world, these cyberattacks result in the loss of funds or proprietary data. But when it comes to elections, the bedrock of democracy – free and fair elections – is at stake.” An August 2019 report from Valimail noted that most presidential candidates’ campaigns are not protected from email impersonation. An earlier report found a similar situation across the thousands of domains that are used by state and local governments. “And we’re not just talking about voting machines being vulnerable,” Blank says. “While most voting machines are isolated from the Internet (they are often air-gapped for security), the same cannot be said for other elements of the election process. The electronic pollbooks that voters use to sign in on election day and the machines that tabulate votes may be connected to the Internet for software updates or to receive or transmit voting information. This makes them potential targets for email-based attacks aimed at other users of the same networks.”

National: Paralysis Grips Federal Election Commission While Complaints Pile Up | Kenneth P. Doyle/Bloomberg Government

The agency charged with enforcing campaign finance law begins the presidential election year paralyzed by the lack of a board quorum and unable to dispense with hundreds of complaints. As Republican Caroline Hunter assumes the rotating chairmanship of the Federal Election Commission, she inherits a growing backlog of more than 300 pending campaign finance complaints, nearly 70 of which may never be resolved because they are close to the expiration of a five-year statute of limitations. FEC analysts continue to review campaign finance reports filed by candidates, and staff lawyers can interview witnesses and collect documents in more than two dozen investigations approved by the commissioners before the loss of a quorum at the end of August. However, none of these probes can conclude and no new investigations can begin until a quorum is restored.

National: New Funding for Election Security Assistance Doesn’t Go Far Enough, Experts Say | Courtney Bublé/Government Executive

With just over 10 months to go before Americans head to the polls to elect their next president, states will have access to additional money to help shore up insecure voting equipment. The funding—$425 million—was included in appropriations for the Election Assistance Commission under the 2020 spending bills President Trump signed into law on Dec. 20. EAC Chairwoman Christy McCormick said the commission “will do everything in its power to distribute these funds as expeditiously as possible.” The funding is a boost over Congress’ most recent appropriation of $380 million for election improvements in 2018—the first time since 2010 that Congress made resources available to help states and localities with their election infrastructure and administration. “State and local election officials from across the country regularly tell us about the need for additional resources,” said EAC Vice Chair Benjamin Hovland. “This new funding will allow election officials to continue making investments that strengthen election security and improve election administration in 2020 and beyond.”  Despite widespread evidence of foreign interference in the 2016 U.S. presidential election and repeated warnings from the intelligence community about the vulnerability of election infrastructure, the bipartisan and independent Election Assistance Commission has struggled with funding and staff cuts as well as House Republicans’ threats to terminate it. With the 2020 presidential election less than a year away, the EAC lacks a permanent director and general counsel.

National: How good is the government at threat information sharing? | Andrew Eversden/Fifth Domain

Over and over cybersecurity officials in the civilian government, the intelligence community and the Department of Defense say the same platitude: information sharing is important. Often, however, little insight, or metrics, back up exactly how well they are doing it. But a new joint report from inspectors general across the government found that information sharing among the intelligence community and the rest of government “made progress.” The report, titled “Unclassified Joint Report on the Implementation of the Cybersecurity Information Sharing Act of 2015” and released Dec. 19, found that cybersecurity threat information sharing has improved throughout government over the last two years, though some barriers remain, like information classification levels. Information sharing throughout government has improved in part because of security capability launched by the Office of the Director of National Intelligence’s Intelligence Community Security Coordination Center (IC SCC) that allowed the ODNI to increase cybersecurity information all the way up to the top-secret level. The capability, called the Intelligence Community Analysis and Signature Tool (ICOAST), shares both indicators of compromise and malware signatures that identify the presence of malicious code. According to the report, the information from the platform is available to “thousands” of users across the IC, DoD and civilian government.

National: Election security, ransomware dominate cyber concerns for 2020 | Maggie Miller/The Hill

Headed into 2020, with a presidential election on the horizon, cyber concerns are certain to be in the spotlight in Washington. Atop the list of cyber issues will be persistent questions about election security. Officials at the federal, state and local levels say they will be vigilant to any efforts to interfere in the election after 2016, even as lawmakers weigh additional actions to safeguard the vote. But lawmakers will also be looking to tackle other issues as well, such as the ransomware attacks spreading across the country and the growing concerns over companies with foreign ties accessing Americans’ data. 2020 will see a presidential election, along with nationwide elections for the House and a third of the Senate. It will be a major test for efforts to improve security after Russian interference efforts in the 2016 election. U.S. intelligence agencies, former special counsel Robert Mueller and the Senate Intelligence Committee have all concluded that Russia conducted a sweeping and systematic attack against the 2016 elections, using both hacking and disinformation campaigns. Mueller has warned that Russia would attempt to interfere again, testifying to the House Intelligence Committee in July that the Russians were trying to interfere “as we sit here.”

National: How Close Did Russia Really Come to Hacking the 2016 Election? | Kim Zetter/Politico

On November 6, 2016, the Sunday before the presidential election that sent Donald Trump to the White House, a worker in the elections office in Durham County, North Carolina, encountered a problem. There appeared to be an issue with a crucial bit of software that handled the county’s list of eligible voters. To prepare for Election Day, staff members needed to load the voter data from a county computer onto 227 USB flash drives, which would then be inserted into laptops that precinct workers would use to check in voters. The laptops would serve as electronic poll books, cross-checking each voter as he or she arrived at the polls. The problem was, it was taking eight to 10 times longer than normal for the software to copy the data to the flash drives, an unusually long time that was jeopardizing efforts to get ready for the election. When the problem persisted into Monday, just one day before the election, the county worker contacted VR Systems, the Florida company that made the software used on the county’s computer and on the poll book laptops. Apparently unable to resolve the issue by phone or email, one of the company’s employees accessed the county’s computer remotely to troubleshoot. It’s not clear whether the glitch got resolved—Durham County would not answer questions from POLITICO about the issue—but the laptops were ready to use when voting started Tuesday morning. Almost immediately, though, a number of them exhibited problems. Some crashed or froze. Others indicated that voters had already voted when they hadn’t. Others displayed an alert saying voters had to show ID before they could vote, even though a recent court case in North Carolina had made that unnecessary.

National: Voting by app is a thing, and it’s spreading, despite the fears of election security experts | Mark Sullivan/Fast Company

In this age of extreme concern—even paranoia—over election security, you might be a little surprised to hear that some voters in parts of the country are voting from home, using an app. So far the vote-by-app option has been reserved for military people serving overseas and elderly people who might have physical difficulty getting to the polls. One state (West Virginia) and a number of cities and counties have already used a voting app called Voatz in elections, mainly small ones. Voatz, a Boston-based startup that’s raised almost $10 million in venture capital, birthed its app at a SXSW hackathon in 2016, and went through the TechStars incubator. Its technology is unique in that it utilizes the biometric security features (such as fingerprint readers and facial recognition cameras) of newer smartphones to verify the voter’s identity. Those security technologies are already used to secure sensitive transactions like sharing financial information and making online purchases. But election security people have raised concerns about internet-connected voting technologies. The Mueller report exposed numerous attempts by foreign hackers to infiltrate U.S. voting systems via the internet during the 2016 election. Since then, states and counties have rushed to disconnect all voting systems–including voting machines, tabulators, and administrative technologies–from the public internet. The Voatz app’s use of the internet is the main reason it’s caught the attention of the election security community.

National: U.S. Cybercom contemplates information warfare to counter Russian interference in 2020 election | Ellen Nakashima/The Washington Post

Military cyber officials are developing information warfare tactics that could be deployed against senior Russian officials and oligarchs if Moscow tries to interfere in the 2020 U.S. elections through hacking election systems or sowing widespread discord, according to current and former U.S. officials. One option being explored by U.S. Cyber Command would target senior leadership and Russian elites, though probably not President Vladimir Putin, which would be considered too provocative, said the current and former officials who spoke on the condition of anonymity because of the issue’s sensitivity. The idea would be to show that the target’s sensitive personal data could be hit if the interference did not stop, though officials declined to be more specific. “When the Russians put implants into an electric grid, it means they’re making a credible showing that they have the ability to hurt you if things escalate,” said Bobby Chesney, a law professor at the University of Texas at Austin. “What may be contemplated here is an individualized version of that, not unlike individually targeted economic sanctions. It’s sending credible signals to key decision-makers that they are vulnerable if they take certain adversarial actions.” Cyber Command and officials at the Pentagon declined to comment.

National: State, local election officials train for cyber attacks as ‘another level of war’ | Christina Almeida Cassidy/Associated Press

Inside a hotel ballroom near the nation’s capital, a U.S. Army officer with battlefield experience told 120 state and local election officials that they may have more in common with the military strategists than they might think. These government officials are on the front lines of a different kind of high-stakes battlefield — one in which they are helping to defend American democracy by ensuring free and fair elections. “Everyone in this room is part of a bigger effort, and it’s only together are we going to get through this,” the officer said. That officer and other past and present national security leaders had a critical message to convey to officials from 24 states gathered for a recent training held by a Harvard-affiliated democracy project: They are the linchpins in efforts to defend U.S. elections from an attack by Russia, China or other foreign threats, and developing a military mindset will help them protect the integrity of the vote.

National: Preparing for Cyberattacks and Technical Failures: A Guide for Election Officials | Brennan Center for Justice

America’s intelligence agencies have unanimously concluded that the risk of cyberattacks on election infrastructure is clear and present — and likely to grow. 1 While officials have long strengthened election security by creating resiliency plans, 2 the evolving nature of cyber threats makes it critical that they constantly work to improve their preparedness. It is not possible to build an election system that is 100 percent secure against technology failures and cyberattacks, but effective resiliency plans nonetheless ensure that eligible voters are able to exercise their right to vote and have their votes accurately counted. This document seeks to assist officials as they revise and expand their plans to counter cybersecurity risks. Many state and local election jurisdictions are implementing paper-based voting equipment, risk-limiting audits, and other crucial preventive measures to improve overall election security. In the months remaining before the election, it is at least as important to ensure that adequate preparations are made to enable quick and effective recovery from an attack if prevention efforts are unsuccessful. While existing plans often focus on how to respond to physical or structural failures, these recommendations spotlight how to prevent and recover from technological errors, failures, and attacks. Advocates and policymakers working to ensure that election offices are prepared to manage technology issues should review these steps and discuss them with local and state election officials.

National: Chinese parts, hidden ownership, growing scrutiny: Inside America’s biggest maker of voting machines | Ben Popken, Cynthia McFadden and Kevin Monahan/NBC

Just off a bustling interstate near the border between Nebraska and Iowa, a 2,800-square-foot American flag flies over the squat office park that is home to Election Systems & Software LLC. The nondescript name and building match the relative anonymity of the company, more commonly known as ES&S, which has operated in obscurity for years despite its central role in U.S. elections. Nearly half of all Americans who vote in the 2020 election will use one of its devices. That’s starting to change. A new level of scrutiny of the election system, spurred by Russia’s interference in the 2016 election, has put ES&S in the political spotlight. The source of the nation’s voting machines has become an urgent issue because of real fears that hackers, whether foreign or domestic, might tamper with the mechanics of the voting system. That has led to calls for ES&S and its competitors, Denver-based Dominion Voting Systems and Austin, Texas-based Hart Intercivic, to reveal details about their ownership and the origins of the parts, some of which come from China, that make up their machines. But ES&S still faces questions about the company’s supply chain and the identities of its investors, although it has said it is entirely owned by Americans. And the results of its government penetration tests, in which authorized hackers try to break in so vulnerabilities can be identified and fixed, have yet to be revealed. The secrecy of ES&S and its competitors has pushed politicians to seek information on security, oversight, finances and ownership. This month, a group of Democratic politicians sent the private equity firms that own the major election vendors a letter asking them to disclose a range of such information, including ownership, finances and research investments.

National: EAC advisers to consider draft voting system standards | Eric Geller/Politico

The EAC’s Technical Guidelines Development Committee meets today by phone to review the latest draft of version 2.0 of the Voluntary Voting System Guidelines. Public working groups have been meeting for months to revise different aspects of the widely cited federal standards, including its security provisions. In October, the cybersecurity working group added a ban on internet and wireless connectivity, which prompted some consternation and confusion at a TGDC meeting in November. Input from the TGDC — a body that includes technical experts and election officials — marks one of the first steps in the process of approving a new VVSG. But more work remains to be done on VVSG 2.0, and the TGDC isn’t likely to give the draft its final seal of approval at today’s meeting. “We anticipate continuing the discussion of the requirements with the TGDC on the next call,” NIST staffer Gema Howell wrote in an email to members of the cyber working group.

National: Limited election security funds pose risk for 2020 | Kimberly Adams/Marketplace

As presidential candidates vie for voters’ attention, there’s another group getting ready for 2020: state and local election officials. Congress sent $380 million to states after attempts, some successful, to hack voter lists and election machines in the 2016 election. But elections security experts say that’s unlikely to be enough to fix the patchwork of voting machines, voter lists, and state or county computer systems that make up America’s voting infrastructure. Efforts to shore up that infrastructure happen in quiet offices like that of Chris Piper, commissioner for the Virginia Department of Elections. “The irony of being an election official is that if you’ve done your job right, nobody notices,” he said. Virginia was among the states probed by foreign hackers in 2016, and Piper said the commonwealth is working to ensure that doesn’t happen again. “Virginia was obviously one of the states that was scanned, but we were not breached,” Piper said. “We’ve taken an incredible number of steps to improve that security posture.”

National: More election security funds headed to states as 2020 looms | Christina A. Cassidy/NPR

Congress is giving states a last-minute infusion of federal funds to help boost election security with voting in early caucus and primary states slated to begin in February. Under a huge spending bill, states would receive $425 million for upgrading voting equipment, conducting post-election audits, cybersecurity training and other steps to secure elections. To receive the funds, states must match 20% of their allocation. The Senate approved the bill Thursday, sending it to President Donald Trump for his signature. States have been scrambling to shore up their systems ahead of the 2020 election. The nation’s intelligence chiefs have warned that Russia and others remain interested in attempting to interfere in U.S. elections and undermine democracy. For many who have been advocating for more congressional action on election security, the money is welcome, but they say more must still be done to ensure elections are secure. Sen. Ron Wyden, a Democrat from Oregon, has been among those pushing Congress to require states to implement rigorous post-election audits and use paper ballots in exchange for federal funds. “I’m afraid this bill will widen the gulf between states with good election security and those with perilously weak election security,” Wyden said in a statement. “I appreciate the intent behind this provision, but until Congress takes steps to secure the entire election system, our democracy will continue to be vulnerable to foreign interference.”

National: 2019’s top cybersecurity story is still what Russia did in 2016 | Joseph Marks/The Washington Post

The historic House vote to impeach President Trump last night also marked the most recent turn in a cybersecurity saga that’s gripped the nation since 2016 and consumed much of the past year. Russia’s hacking and disinformation operation in 2016 has occupied lawmakers, election officials and cybersecurity pros for three years now as they try to hold the Kremlin accountable and to prevent a repeat in 2020. It was also Trump’s obsession with poking holes in the official narrative about that operation – by urging Ukraine’s president to investigate a baseless conspiracy theory about Russia’s Democratic National Committee hack and the cybersecurity firm CrowdStrike — that helped spark an impeachment trial that promises to grip the nation for weeks to come. “This impeachment is, to a great degree, a cyber story,” Jon Bateman, a Cyber Policy Initiative fellow at the Carnegie Endowment for International Peace and a former Pentagon cybersecurity official, told me. “It’s the president’s inability to grasp what really happened in a series of cyber incidents that’s led to our current political crisis.” Election hacking was a key battleground for lawmakers this year as Democrats demanded Congress provide $600 million for states and localities to secure their voting machines and impose strict mandates to ensure elections are as secure as possible. They also pummeled Republicans who blocked those efforts, accusing them of being complicit with Russia, and even branding Senate Majority Leader Mitch McConnell (R-Ky.) as “Moscow Mitch” before he relented this week and endorsed sending $425 million to states. Homeland Security Department officials, meanwhile, crisscrossed the country vetting election equipment and running cybersecurity training for local officials. But they were regularly undermined by the president’s wavering on whether Russia was actually responsible for the 2016 interference, helping spark concern the Kremlin will do it again.

National: Pressure still on McConnell after $425 million election security deal | Joseph Marks/The Washington Post

Democrats and activists plan to keep pressing Senate Majority Leader Mitch McConnell (R-Ky.) for major election security reforms — even after he endorsed delivering an additional $425 million to state and local election officials. That money, which was part of a last-minute government funding deal, marks a major turnaround for McConnell, who for months refused to consider any new election security spending and only recently endorsed a far smaller cash infusion of $250 million. But it doesn’t include any of the election security mandates that McConnell has long resisted and that cybersecurity experts say are vital, such as paper ballots and post-election audits. Without those mandates, Democrats worry the Kremlin will still be able to upend the 2020 election by attacking the least-protected voting districts. Those concerns are also hyper-charged as intelligence and law enforcement agencies are already warning that not just Russia but also “China, Iran, and other foreign malicious actors” are all eager to compromise the election. “Mitch McConnell refused to agree to safeguards for how this funding is spent, which means state and local governments will continue buying machines with major security problems,” said Sen. Ron Wyden (D-Ore.), who has called for strict security mandates on states. “Until Congress takes steps to secure the entire election system, our democracy will continue to be vulnerable to foreign interference.” Sen. Mark Warner (D-Va.) applauded the new funding on Twitter, but warned it is “*not* a substitute for passing election security reform legislation that Senate GOP leadership has been blocking all year.”

National: $425M allocated for election security in government funding deal | Maggie Miller and Jordain Carney/The Hill

The spending deal agreed upon by House and Senate negotiators includes $425 million for states to improve their election security, two congressional source confirmed to The Hill on Monday. According to the sources, the appropriations deal, set to be made public later Monday, will also include a requirement for states to match 20 percent of the federal funds, meaning the eventual amount given to election officials to improve election security would reach $510 million. The federal funds set to be given to states through the Election Assistance Commission (EAC) represent a compromise between the amounts separately offered by the House and Senate earlier this year for election security purposes. The House included $600 million for election security efforts in its version of the fiscal 2020 Financial Services and General Government Bill, which the chamber passed earlier this year.

National: Spending Deal Allots Millions for Election Security, but Democrats Say It Isn’t Enough | Alexa Corse/Wall Street Journal

The U.S. House voted Tuesday to provide more funding to help states secure their election systems as part of a sweeping budget agreement, but Democrats argued that the compromise still doesn’t do enough to protect U.S. elections from hacking or other interference. A budget agreement would provide $425 million to help states upgrade their voting systems, lawmakers said, the largest amount for a single fiscal year in over a decade. That is part of nearly $1.4 trillion in spending which cleared the House on Tuesday and is expected to win approval from the Senate and from President Trump, preventing a possible government shutdown after Friday. The new funding represents a rare moment of agreement between top Democrats and Republicans concerning how to secure U.S. elections in the run-up to the 2020 contests, which U.S. intelligence officials repeatedly have said hostile powers remain intent on disrupting. But the issue is likely to continue to face partisan headwinds. Key Democrats continued to call for more funding and stricter standards. “This is a welcome development after months of pressure, but this money is no substitute for a permanent funding mechanism for securing and maintaining elections systems,” said Sen. Mark Warner (D., Va.), the top-ranking Democrat on the Senate Intelligence Committee. He also called for comprehensive election-security legislation that would mandate stronger standards, which he said top Republicans had blocked.

National: New federal funds for election security garner mixed reactions on Capitol Hill | Maggie Miller/The Hill

The inclusion of $425 million for election security purposes in the House and Senate-negotiated annual appropriations bill garnered mixed reactions on Capitol Hill on Tuesday, with Democrats taking issue with how states will be allowed to spend the funds. Sen. Ron Wyden (D-Ore.), one of the key Senate Democrats who has advocated strongly this year for the Senate to take action on election security, told reporters on Tuesday that it was a “huge mistake” for Congress to allow the new funds to be spent on items including voting machines that experts might not deem as secure. “Under this language they can basically spend it on a whole variety of things apparently that really don’t go to the heart of modern security,” Wyden said. “As a member of the [Senate] Intelligence Committee, I won’t talk about anything classified, but I will say that the threats we face in 2020 will make what we saw in 2016 look like small potatoes.” The funds were included in the government appropriations deal following negotiations between the House and Senate, along with a requirement that states match the federal funds by 20 percent, meaning the final amount available for election security upgrades will total $510 million.

National: Democrats want tougher language on election security in defense bill | Maggie Miller/The Hill

Democrats are complaining that the annual National Defense Authorization Act (NDAA) set for a Senate vote this week doesn’t go far enough to protect election security. The bill includes a number of provisions that would tighten security, but Democrats — who for much of the year have targeted Senate Majority Leader Mitch McConnell (R-Ky.) on the issue of election security — say it lacks key safeguards that would help prevent foreign meddling, including post-election audits of the results and requirements for states that do not use paper ballots. While the concerns won’t prevent the Senate from approving the massive bill, they are likely to lead to complaints as Democrats continue to press the issue of election security next year. “We can’t mandate that, but we could say if you want to take the federal money, you’ve got to meet these prerequisites,” Sen. Mark Warner (D-Va.), the top Democrat on the Senate Intelligence Committee, said of the paper ballot issue. “I still don’t think we’re as protected as we should be going into the 2020 election.”

National: Election, grid security provisions in defense bill | Tim Starks/Politico

Via inclusion of a multi-year intelligence authorization measure, the defense legislation issues numerous election security edicts. The legislation would establish briefings and notifications from the Director of National Intelligence and DHS to Congress, state and local governments, campaigns and parties when there’s a significant cyber intrusion or attack campaign. It would take steps to expand and speed up security clearances for election officials. It would require development of a strategy for countering foreign influence. And ODNI would have to designate a lead counterintelligence official for election security. Intel officials (often in partnership with other agencies) would have to deliver reports and assessments to Congress on past attempted and successful cyberattacks on the 2016 elections, as well as those anticipated in the future; how prepared intel agencies are to counter Russian election influence; foreign intelligence threats to U.S. elections; and Russian influence campaigns in foreign elections. The grid: House and Senate negotiators included a proposal (S. 174) from Sens. Angus King (I-Maine) and Jim Risch (R-Idaho) that would establish a program to test analog and other methods of protecting the grid from cyberattack. It would authorize the use of military construction funding to make cyber and other improvements to utility systems that serve military installations.

National: Voting-Machine Parts Made by Foreign Suppliers Stir Security Concerns | Alexa Corse/Wall Street Journal

A voting machine that is widely used across the country contains some parts made by companies with ties to China and Russia, researchers found, fueling questions about the security of using overseas suppliers, which has also sparked scrutiny in Washington. Voting-machine vendors could be at risk of using insecure components from such overseas suppliers, which generally are difficult to vet and monitor, said a report being released Monday by Interos Inc., an Arlington, Va.-based supply-chain monitoring company that has consulted for government agencies and Fortune 500 companies. The findings are likely to fan worries about whether voting-machine vendors are doing enough to defend themselves against foreign interference ahead of the 2020 U.S. elections, which U.S. intelligence officials say hostile powers could try to disrupt. Voting-machine vendors assailed the research, which Interos conducted independently, saying the report failed to note existing safeguards, such as testing done at the federal, state and local levels, and the vendors’ internal protocols. The report comes as U.S. lawmakers and national-security officials increasingly have sounded alarms about supply-chain risks. Although supply chains that span the globe are common in the tech industry, Russia and China pose concerns because of how, according to U.S. officials, they press companies for access to technology within their borders. Washington lawmakers have specifically cited voting machines as an area of concern, among such other products as telecom equipment made by Chinese firm Huawei and antivirus software from Russia-based Kaspersky Lab. Russia and China historically have denied interfering in U.S. politics. The report examined one voting machine as a case study. In that machine, around 20% of the components in the supply chain that Interos was able to identify came from China-based companies, including processors, software and touch screens, according to the Interos research. Those components weren’t necessarily made in China, as the suppliers may have several locations globally, and the Interos data doesn’t necessarily cover the entire supply chain, the researchers noted. Researchers declined to name the particular model of voting machine they examined, or its maker, citing the sensitivity of the issue. They said only that it is “widely used” in the U.S. Two major vendors, Election Systems & Software LLC and Dominion Voting Systems Corp., said they didn’t think it was one of their products.

National: The biggest tech threats to 2020 elections | Roi Carmel/VentureBeat

As our election system modernizes, securing our democratic process has become a chief concern for both U.S. legislators and voters. Just last month, the House passed the SHIELD Act, which is focused on securing our elections. But that’s not going to be enough in an era when technology is turning out entirely new attack surfaces. In 2016, the Pew Research Center put the number of electronic voting machines — also known as direct-recording electronic (DRE) devices — at 28%. The 2020 election cycle will likely show an uptick in that number. But attacking American voting booths is an obvious move, and attackers consistently follow the path of least resistance. In the case of election security, the weakest point today is critical infrastructure. It’s the framework that supports our modern democratic process, and it runs deep, from traffic light systems and mass transit to the way we receive vital news and information.