National: 2020 election security to face same vulnerabilities as in 2016 | Michael Heller/TechTarget

For the third year running, the Voting Village at DEF CON shined a light on election security and one thing was made clear: no one agrees on what to expect in 2020. In opening remarks at DEF CON, founders Harri Hursti, Matt Blaze and Jake Braun laid out the long road the Voting Village has traveled to raise awareness of election security issues. Blaze, who serves as the McDevitt Chair of Computer Science and Law at Georgetown University, pointed out the troubles began with the Help America Vote Act (HAVA), which passed in 2002 as an effort to modernize and improve election administration. “They didn’t understand as much at the time as we do now about building voting machines and almost everything produced to comply with the Help America Vote Act has terrible vulnerabilities associated with it,” Blaze said. “That’s partly because we’ve taken these systems that weren’t dependent on software before and made them dependent on software. And, as everybody here in Las Vegas can tell you, software is utterly terrible. So we essentially took a problem that was hard and we added software to it.” A new initiative at this year’s Voting Village was to connect security researchers and hackers directly to election officials to provide pro bono work to help secure the 2020 election. Braun, an executive director for the University of Chicago Harris School of Public Policy’s Cyber Policy Initiative, noted the past work of the Voting Village had been corroborated. “The Mueller report reinforced a lot of what we identified last year, like you can hack a website with a SQL injection and get into a voter registration database, which is exactly what Mueller said the Russians did in 2016,” Braun said. “And frankly, they didn’t even go as far as we said was possible [in last year’s election.]”

National: Civilians, military abroad may find it more expensive to vote | Bill Theobald/The Fulcrum

Election officials are growing increasingly concerned that the Trump administration’s trade war with China could make it more difficult and expensive for overseas voters — including those in the military — to cast ballots in the 2019 and 2020 local, state and federal elections. The issue is the pending withdrawal in October by the U.S. from the Universal Postal Union, a group of 192 nations that has governed international postal service and rates for 145 years. Last October, the U.S. gave the required one-year notice stating it would leave the UPU unless changes were made to the discounted fees that China pays for shipping small packages to the United States. The subsidized fees — established years ago to help poor, developing countries — place American businesses at a disadvantage and don’t cover costs incurred by the U.S. Postal Service. With the U.S.-imposed deadline for withdrawal or new rates fast approaching, states officials are running out of time to prepare for overseas mail-in voting. Last week, Kentucky elections director Jared Dearing pleaded for help from the Election Assistance Commission — for himself and his peers in other states. The deadline for his state and most others to send out absentee ballots for the fall elections, Dearing said, falls a few days before a Sept. 24-25 UPU meeting in Geneva, Switzerland, to discuss the U.S. proposal to revise the rate system. That makes it difficult to provide voters with guidance about how to return their ballots. If the United States ends up withdrawing from the UPU, overseas citizens may not be able to return their ballots using regular mail service and could have to pay upward of $60 to use one of the commercial shipping services, Dearing said.

National: Republicans use McConnell allies to try and force his hand on election security | Lesley Clark/McClatchy

A conservative group is increasing pressure on Senate Majority Leader Mitch McConnell to put election security legislation up for a vote in the Senate by airing ads that target the Kentucky Republican and four other Republican senators in their home states. Republicans for the Rule of Law is unveiling new spots that urge Sens. Marco Rubio, R-Florida, Roy Blunt, R-Missouri, Lindsey Graham, R-South Carolina, and James Lankford, R-Oklahoma, to push McConnell for a vote, urging them “don’t let Mitch McConnell stand in your way.” The group is also re-airing a 60-second ad that calls on McConnell to act. The 30-second spots will air nearly daily on Fox & Friends starting Wednesday. They’ll also run on Fox News Sunday and NBC’s Meet the Press in the senators’ home cities on Sunday as part of a $400,000 ad buy that includes digital ads. The ads note the senators’ support for election security legislation. “McConnell and all Republican Senators have no greater responsibility than protecting our elections from foreign enemies like Russia and Iran,” said Republicans for the Rule of Law legal advisor and spokesman Chris Truax.

National: America faces a voting security crisis in 2020. Here’s why – and what officials can do about it. | Emily Goldberg/Politico

Paperless voting machines are just waiting to be hacked in 2020. And “upgrading” to paper-based voting machines may sound like an oxymoron, but it’s something cybersecurity experts are urging election officials across the country to do. A POLITICO survey found that in 2018, hundreds of counties in 14 states used paperless voting machines — and almost half of the counties that responded to the survey said they don’t plan on changing that ahead of 2020. Security experts said paperless voting machines are vulnerable to hacking because they leave no paper trail and there’s no way to reliably audit the results when an error occurs. Thousands of Redditors joined us as cybersecurity reporter Eric Geller and voting security expert and University of Michigan professor J. Alex Halderman took on Reddit’s most pressing questions about the weaknesses in America’s election systems. We chatted about voting methods in various countries from the U.S. to India, how much the transition to paper ballots would cost, and even “Star Wars.”

National: Most states still aren’t set to audit paper ballots in 2020 – Despite expert recommendations | Colin Lecher/The Verge

Despite some progress on voting security since 2016, most states in the US aren’t set to require an audit of paper ballots in the November 2020 election, according to a new report out this week from the Brennan Center for Justice. The report notes that experts and government officials have spent years recommending states adopt verifiable paper ballots for elections, but a handful still use electronic methods potentially vulnerable to cyberattacks. In 2016, 14 states used paperless machines, although the number today is 11, and the report estimates that no more than eight will use them in the 2020 election. But the report also found that most states won’t require an audit of those paper records, in which officials review randomly selected ballots — another step experts recommend. Today, only 22 states and the District of Columbia have voter-verifiable paper records and require an audit of those ballots before an election is certified. The number will increase to at least 24 states by the 2020 elections, according to the report. “However,” the report notes, “there is nothing stopping most of these remaining states from conducting such audits if they have the resources and will to do so.”

National: Russian hackers, town budgets, Windows updates: Officials grapple with realities of election security | Ben Popken and Kenzi Abou-Sabe/NBC

The nation’s highest agency dedicated to election administration convened a security summit on Thursday to figure out how to confront a problem: The majority of the country’s 10,000 voting jurisdictions still run outdated software. In July, Associated Press reported that many counties still use Windows 7, initially released in 2009, or even older software in their back office election management systems used by officials to administer elections, but not on the machines where voters cast their ballots. It’s so old that Microsoft announced last year it will soon stop supporting it — shipping free updates to bugs or fixing security issues. After 2020, updates will require a fee. But inside a 21-seat conference room in Silver Spring, the discussion of the Election Assistance Commission — which included state election directors, secretaries of state and representatives from the Department of Homeland Security, election system manufacturers and testing laboratories — the hastily organized meeting also touched on broader frustrations over challenges local election officials face in trying to secure their voting systems as well as inaction from politicians in Washington. “We are talking about local communities having trouble funding roads and water bills, and now we want them to take part in defense against foreign and state actors,” said Kentucky State Election Director Jared Dearing.

National: Election Security in 2020 Comes Down to Money, and States Aren’t Ready | Kartikay Mehrotra and Alyza Sebenius/Bloomberg

The front line to protect the integrity of the U.S. presidential election is in a Springfield strip mall, next to a Chuck E. Cheese’s restaurant. There, inside the Illinois Board of Elections headquarters, a couple dozen bureaucrats, programmers, and security experts are furiously working to prevent a replay of 2016, when Russian hackers breached the state’s voter registration rolls. For 2020, Illinois is deploying new U.S. government software to detect malicious intrusions and dispatching technology experts to help local election officials. Even the National Guard, which started its own cyber unit several years ago, is on speed dial for election night if technicians needed to be rushed to a faraway county. Still, Illinois officials are nervous. The cash-strapped state remains far short of the resources needed to combat an increasing number of nations committing geopolitical breaches. “We’re in an unusual time, and yes, there is concern about whether we have enough to go into 2020 totally prepared for what the Chinese, Russians, or North Koreans or any enemy of the United States may do to influence our elections,” says Governor J.B. Pritzker, a Democrat. “We’re securing our elections with state resources, but there is a federal need. This is a national crisis.”

National: Only One Republican Supported That Divisive Election Security Bill. Here’s Why He Voted in Favor | Robert Hackett/Fortune

Last week we discussed election security. Let’s dig a little deeper into divisions provoked by one of the major pieces of proposed legislation, the Securing America’s Federal Elections Act. The bill has lately become a political flashpoint, blocked by Senate Majority Leader Mitch McConnell of Kentucky, who ostensibly fears further federalizing elections more than he fears the subversion of American democracy through hacking, foreign interference, or other hi-jinx. The bill primarily aims to require states to use voting machines that are up-to-date, not Internet-connected, made in America, and produce paper-based, voter-verifiable ballots. These are all sensible criteria, and it’s hard to argue against their adoption. In addition, the bill would earmark federal funds to help states get the new gear in place by 2020—a more contentious component. (See also this Wall Street Journal editorial which lays out other gripes.) While the Democratic House passed the bill with 225 votes in June, only one Republican voted in favor: Representative Brain Mast of Florida. It’s worth noting that Mast is not Republican in name only, as an analysis by the data junkie blog FiveThirtyEight makes clear. As of the end of last year, Mast had voted in line with President Donald Trump’s policy initiatives 92.7% of the time.

National: Windows 7 woes crash into 2020 election cycle | Derek B. Johnson/FCW

Thousands of jurisdictions are relying on a nearly obsolete operating system to run their election systems, and it’s not clear they will have the money or time to wean themselves off before the 2020 elections. At an Aug. 15 election security forum hosted by the U.S. Election Assistance Commission (EAC), state officials, vendors and experts warned that a lack of money and resources as well as technical and logistical hurdles are preventing them from migrating their election systems from the Windows 7 operating system to Windows 10. Lousiana Secretary of State Kyle Ardoin illustrated the costs and complexities associated with replacing outdated operating systems on election equipment like voter registration systems, e-pollbooks and other software. He said Louisiana will have spent more than $250,000 to replace computers using Windows 7 in clerks of court and voter registration offices. An additional $2 million has been spent to temporarily lease voting machines that require Windows 10 while the state waits for a new batch to go through the procurement process. He estimated the cost of updating to Windows 10 to be around $670 per machine, not including the costs associated with testing, configuration and deployment.

National: Election officials want security money, flexible standards | Dean DeChiaro/Roll Call

State officials from Louisiana and Connecticut on Thursday asked for more money and clear standards from the federal government to help secure voting systems before the 2020 elections. But the officials, Louisiana Secretary of State Kyle Ardoin and Connecticut Secretary of State Denise Merrill, stressed the differences between their election systems and asked for leeway from the federal government in deciding how to spend any future funding. “The cultures are different and the voters have different expectations,” Ardoin told commissioners from the federal Election Assistance Commission, or EAC, at a public forum. Both states received federal funds to upgrade cyber and physical security of their voting systems after Congress approved $380 million for election security in 2018. They spent their share of those funds differently. Connecticut has put much of its funding toward training, Merrill said, while Louisiana is scrambling to upgrade systems running Windows 7 to Windows 10 before Microsoft stops offering support for the older operating system in January. Ginny Badanes, the director of Microsoft’s Defending Democracy Program, which is working to help both states and companies that build voting machines and software to prepare for the switch in operating systems, said the company “will do whatever it takes to make sure these customers have access to updates that are straightforward and affordable.” Both the state officials and private sector witnesses urged the commission to adopt and publish standards that would set the best practices for election security.

National: States Struggle to Update Election Systems Ahead of 2020 | Alyza Sebenius and Kartikay Mehrotra/Bloomberg

U.S. states operating outdated and insecure voting machines face major hurdles in protecting them in time for the 2020 presidential election, officials said at a meeting of elections experts. Budgets are strained, decision-making authority is diffuse and standards put in place years ago haven’t kept up with today’s cyberthreats, according to testimony Thursday to the Election Assistance Commission in Silver Spring, Maryland. The Senate Intelligence Committee reported last month that Russia engaged in “extensive” efforts to manipulate elections systems throughout the U.S. from 2014 through “at least 2017.” The Brennan Center for Justice reported Thursday that states will have to spend more than $2 billion to protect their election systems in the next five years, including replacing outdated machines or purchasing the software improvements necessary to help harden existing equipment against hackers. Updating software is a “regular and important part” of cybersecurity, the Center for Democracy & Technology warned in a statement. But even when a software patch is available, states can’t compel “severely under-resourced” local elections officials to buy and implement the improvement, said Jared Dearing, executive director of the Kentucky State Board of Elections. On top of those hurdles, Dearing said, the process of certifying elections equipment to federal standards leaves machines in “a time capsule of when that system was developed.”

National: Hackers can easily break into voting machines used across the U.S.; play Doom, Nirvana | Igor Derysh/Salon

Voting machines used in states across the United States were easily penetrated by hackers at the Def Con conference in Las Vegas on Friday. Participants at Def Con, a large annual hacker conference, were asked to try their skills on voting machines to help expose weaknesses that could be used by hostile actors. A video published by CNN shows a hacker break into a Diebold machine, which is used in 18 different states, in a matter of minutes, using no special tools, to gain administrator-level access. Hackers also quickly discovered that many of the voting machines had internet connections, which could allow hackers to break into machines remotely, the Washington Post reported. Motherboard recently reported that election security experts found that election systems used in 10 different states have connected to the internet over the last year, despite assurances from voting machine vendors that they are never connected to the internet and therefore cannot be hacked. The websites where states post election results are even more susceptible. The event had 40 child hackers between the ages of 6 and 17 attempt to break into a mock version of the sites. Most were able to alter vote tallies and even change the candidates’ names to things like “Bob Da Builder,” CNNreported. “Unfortunately, it’s so easy to hack the websites that report election results that we couldn’t do it in this room because [adult hackers] would find it boring,” event organizer Jake Braun told CNN.

National: Election Assistance Commission Urged to Finalize 2020 Security Standards | Jack Rodgers/Courthouse News

During a forum on election security Thursday, Connecticut’s secretary of state urged a federal agency in charge of the process to act quickly in issuing new security standards for voting systems so states can update software in time for the 2020 election. The U.S. Election Assistance Commission hosted three panels of witnesses, all of whom testified on ways to improve the security of the nation’s election systems during a three-hour forum in Washington, D.C. Last year, Congress appropriated $380 million under the Help America Vote Act, which makes funds available for states to update election security measures and voter registration methods. However, the federal funds, coupled with a state-required match, were not enough to completely update voting equipment across the country. During Thursday’s first panel, the secretaries of state for Connecticut and Louisiana, Denise Merrill and Kyle Ardoin, respectively, both spoke to the benefits of this funding. Merrill said that with the $5 million in HAVA funds appropriated to her state last year, Connecticut had implemented a virtual system that allows those in election advisory roles to view every desktop used for counting and reporting votes in the state. In most of the state’s 169 towns, methods of recording votes differ depending on the area, Merrill said, also noting that some towns don’t use computers.

National: States and localities are on the front lines of fighting cyber-crimes in elections | Elaine Kamarck/Brookings

When it comes to fighting illegal intrusions into American elections, the states and localities are where the rubber meets the road—that is where American elections are administered. This authority is grounded in more than tradition; it derives from Article I, Section 4 of the Constitution. That section notes that while Congress has the authority to intervene in the setting of elections, election administration is largely a function of state and local government. Given this situation, election law and practice vary considerably from state to state, which leads to a number of ramifications. On the one hand, this decentralization makes it hard for a single cyberattack to take down the entire American election system. But having a fragmented system poses some disadvantages as well. Some states and localities are simply better equipped to protect against cyber intrusions than others, and an adversary seeking to sow doubt and confusion about the integrity of an election needs to compromise only a few parts of the entire system in order to undermine public confidence. The vulnerabilities in election administration exist at every step of the process, from the registration of voters, to the recruitment of poll workers for election day, to the books of registered voters at polling places, to the devices that capture and tally the vote, to the transmission of that data to a central place on election night and to the ability to execute an accurate recount. Every state and locality wants to run a fair election but they are limited by inadequate funding, the absence of trained personnel, and outdated technology.

National: Ex-CIA chief worries campaigns falling short on cybersecurity | Maggie Miller/The Hill

Democratic 2020 presidential campaigns say they are working to boost their cybersecurity, but experts worry those efforts may not be enough. Former acting CIA Director Michael Morell told The Hill he worries there is a “void” and that campaigns need outside help to fully address the issue. “There is not a lot of initial thought given to cybersecurity,” Morell said about the campaigns. Several campaigns insist they have prioritized the issue. Chris Meagher, the spokesman for South Bend, Ind., Mayor Pete Buttigieg’s campaign, told The Hill that “our campaign is committed to digital security,” noting the hiring of a full-time chief information security officer (CISO), Mick Baccio, last week. “Hiring a full-time CISO is one way we are protecting against cyberattacks,” Meagher added. A spokesperson for the presidential campaign of former Rep. Beto O’Rourke (D-Texas) told The Hill they are “actively engaged in defending our operation from disinformation and other cyberattacks.” The spokesperson emphasized that “whether it’s training staff as a part of our onboarding process, requiring staff to use complex passwords to protect mobile devices, or using secure messaging services, this campaign understands that protecting our information requires a comprehensive approach to prepare for and manage attacks.”

National: At Def Con, hackers and lawmakers came together to tackle holes in election security | Taylor Telford/The Washington Post

As Sen. Ron Wyden (D-Ore.) toured the Voting Village on Friday at Def Con, the world’s hacker conference extraordinaire, a roomful of hackers applied their skills to voting equipment in an enthusiastic effort to comply with the instructions they had been given: “Please break things.” Armed with lock-pick kits to crack into locked hardware, Ethernet cables and inquiring minds, they had come for a rare chance to interrogate the machines that conduct U.S. democracy. By laying siege to electronic poll books and ballot printers, the friendly hackers aimed to expose weaknesses that could be exploited by less friendly hands looking to interfere in elections. Wyden nodded along as Harri Hursti, the founder of Nordic Innovation Labs and one of the event’s organizers, explained that the almost all of the machines in the room were still used in elections across the United States, despite having well-known vulnerabilities that have been more or less ignored by the companies that sell them. Many had Internet connections, Hursti said, a weakness savvy attackers could abuse in several ways. Wyden shook his head in disbelief. “We need paper ballots, guys,” Wyden said. After Wyden walked away, a few hackers exchanged confused expressions before figuring out who he was. “I wasn’t expecting to see any senators here,” one said with a laugh.

National: Voting machine companies balk at taking part in hacking event | Kevin Collier/CNN

At the country’s biggest election security bonanza, the US government is happy to let hackers try to break into its equipment. The private companies that make the machines America votes on, not so much. The Def Con Voting Village, a now-annual event at the US’s largest hacking conference, gives hackers free rein to try to break into a wide variety of decommissioned election equipment, some of which is still in use today. As in the previous two years, they found a host of new flaws. The hunt for vulnerabilities in US election systems has underscored tensions between the Voting Village organizers, who argue that it’s a valuable exercise, and the manufacturers of voting equipment, who didn’t have a formal presence at the convention. Supporters of the Voting Village say it’s the best way draw attention to problems with an industry that otherwise doesn’t face much public accountability, even in the wake of Russia’s foreign interference in the 2016 election. Their work has attracted the notice of several lawmakers, who are calling for new legislation to strengthen the integrity of US elections.

National: DEF CON Voting Village: It’s About ‘Risk’ | Kelly Jackson Higgins/Dark Reading

DHS, security experts worry about nation-state or other actors waging a disruptive or other attack on the 2020 election to sow distrust of the election process. When DEF CON debuted its first-ever Voting Village in 2017, it took just minutes for researcher Carsten Schürmann to crack into a decommissioned WinVote voting system machine via WiFi and take control of the machine such that he could run malware, change votes in the database, or even shut down the machine remotely. Several other researchers were able to break into other voting machines and equipment by pulling apart the guts and finding flaws by hand that year, and then again on other machines in the 2018 event. The novelty of the live hacking of decommissioned voting machines has worn off a bit now and there weren’t many surprises – nor did the organizers expect many – at this year’s Voting Village, held at DEF CON in Las Vegas last week. But once again the event shone a white hot light on blatant security weaknesses in decommissioned voting machine equipment and systems. “DEF CON is not about proving that voting machines can be hacked. They all can be hacked and 30 years from now, those can be hacked, too. It’s about making sure we understand the risk,” Harri Hursti, Nordic Innovation Labs, one of the founders of the Voting Village, told attendees last week. Hursti as well as other security experts, government officials, and hackers at this year’s event doubled down on how best to secure the 2020 US presidential election: ensuring there’s an audit trail with paper ballots; employing so-called risk-limiting audits (manually checking paper ballots with electronic machine results); and proper security hygiene in voting equipment, systems, and applications.

National: Democrats stump for election security, blast McConnell at hacker conference | Eric Geller/Politico

Democratic lawmakers emerged from the world’s largest hacker conference this weekend with a clear message: Congress must pass legislation to mandate better U.S. election security. In panels and interviews at DEF CON in Las Vegas, where a roomful of hackers demonstrated ways to breach insecure voting machines, those lawmakers focused their fury on the man proudly blocking their bills. “Why hasn’t Congress fixed the problem? Two words: Mitch McConnell,” Sen. Ron Wyden (D-Ore.) said during a Friday keynote address to a packed and largely supportive room at DEF CON’s Voting Village. Rep. Ted Lieu (D-Calif.), one of a handful of computer scientists in Congress, told POLITICO that when it came to his biggest election security concern, “I have two words: Mitch McConnell.” The Senate majority leader has repeatedly blocked votes in the upper chamber on two House Democratic bills that would require voting machines to produce paper records, mandate post-election audits and impose security requirements on election technology companies.

National: Here’s the political bind Democrats face when talking about election security | Joseph Marks/The Washington Post

Rep. Eric Swalwell (D-Calif.) applauded the crowd of cybersecurity researchers uncovering dangerous bugs in voting machines and other election systems at a security conference here — but he’s in a bind about how to talk about election security with constituents. Swalwell, who recently ended a long-shot presidential bid, believes chances are almost nil that Republicans will join Democrats to pass legislation mandating fixes to improve election security before the 2020 contest. By continuing to bang the drum about potential security weaknesses, he worries Democrats risk inadvertently convincing citizens that the election is bound to be hacked — and that there’s no point in voting. “If we tell voters the ballot box is not secure and that we have all these vulnerabilities … if we say that over and over and over, is the result of that suppressing [the vote]?” Swalwell asked a room of researchers this weekend at the Def Con cybersecurity conference’s Voting Village, which focuses exclusively on the security of election systems. This is a predicament that will only get harder for many Democrats who are coming to grips with the idea that they may have run out of time to require states to shift to paper ballots, post-election audits and other cybersecurity best practices before the 2020 contest. Swalwell believes these fixes will happen only if there’s a Democratic president and Congress in 2021 or later — even as intelligence officials warn the 2020 election is a major target for Russia and other adversaries looking to undermine the American political system.

National: Voting Machine Security: Where We Stand Six Months Before the New Hampshire Primary | Brennan Center for Justice

In late July, the Senate Select Committee on Intelligence released its report on the Russian government’s attacks on America’s election infrastructure. While the report offered dozens of recommendations related to vast and varied election systems in the United States (from voter registration databases to election night reporting), it pointedly noted that there was an urgent need to secure the nation’s voting systems in particular. Among the two most important recommendations made were that states should (1) replace outdated and vulnerable voting systems with “at minimum… a voter-verified paper trail,” and adopt statistically sound audits. These recommendations are not new and have been consistently made by experts since long before the 2016 election. Last year, Congress provided $380 million to states to help with upgrades, but it wasn’t enough. This analysis, six months ahead of the first primary for 2020, examines the significant progress we’ve made in these two areas since 2016, and it catalogs the important and necessary work that is left to be done.

National: Why paper is considered state-of-the-art voting technology | Karan Gambhir and Jack Karsten/Brookings

On June 27, the House passed a bill that would bolster America’s high-tech voting infrastructure with a low-tech fix: paper. Introduced by Rep. Zoe Lofgren (D-CA-19), the SAFE Act requires that all voting machines involve “the use of an individual, durable, voter-verified paper ballot of the voter’s vote.” While the inclusion of paper ballots may seem like a technological step backward, the SAFE Act’s affinity for paper is not a quirk. Election security experts from Harvard, Stanford and the Brennan Center for Justice all recommend the phasing out of paperless voting, and twelve of the thirteen Democratic candidates who have declared a position on election security support mandating the use of paper ballots. Yet despite expert consensus, political activism, and availability of funding, opposition in the Republican-controlled Senate makes it unlikely that the SAFE Act or any paper ballot standard will be implemented by 2020. With no method to verify votes in the case of software or hardware failure, paperless voting machines represent a large vulnerability. Failure to act on election security risks not only a loss of trust in the next election, but in the democratic process as a whole.

National: Senate Intelligence Committee report shows how electronic voting systems are inherently vulnerable to hackers. Fred Kaplan/Slate

Just hours after Senate Republicans blocked a vote on a bill to make elections less vulnerable to cyberattacks, the Senate Intelligence Committee released a 67-page report, concluding that, leading up to the 2016 election, Russians hacked voting machines and registration rolls in all 50 states, and they are likely still doing so. The heavily redacted document, based on a two-year investigation, found no evidence that the hackers altered votes or vote tallies, though it says they could have if they’d wanted to. However, three former senior U.S. intelligence officials with backgrounds in cybersecurity told me that the absence of evidence isn’t the same as the evidence of an absence. One of them said, “I doubt very much that any changes would be detectable. Certainly, the hackers would be able to cover any tracks. The Russians aren’t stupid.” Hacking individual voting machines would be an inefficient way to throw an election. But J. Alex Halderman, a computer scientist who has tested vulnerabilities for more than a decade, testified to the Senate committee that he and his team “created attacks that can spread from machine to machine, like a computer virus, and silently change election outcomes.” They studied touch-screen and optical-scan systems, and “in every single case,” he said, “we found ways for attackers to sabotage machines and steal votes.” Another way to throw an election might be to attack systems that manage voter-registration lists, which the hackers also did in some states. Remove people from the lists—focusing on areas dominated by members of the party that the hacker wants to lose—and they won’t be able to vote.

National: Vulnerability Scanning and Tools for Election Security Description Vulnerability | Phil Goldstein/StateTech Magazine

With 2020 political campaigns in full swing, the conversion of election security has again come to the fore. How can state and county election officials help secure their voting systems ahead of the 2020 elections? Vulnerability scanning is a good place to start. Such scans are a Software as a Service function that helps discover weaknesses and allow for both authenticated and unauthenticated scans. In June, perennial swing state Florida announced a $5.1 million investment into election cybersecurity following disclosures in May that two counties in the state fell victim to a spear phishing attack by Russian hackers in 2016. How dangerous is the election security threat landscape? It’s complicated and it covers everything from outdated voting machines that may be vulnerable to hacking to the networks used to process and transfer voting totals and voter registration rolls. Vulnerability scans and assessments of election infrastructure are critical, because “from a cyber perspective, every part of the election process that involves some type of electronic device or software is vulnerable to exploitation or disruption,” as a 2018 Belfer Center for Science and International Affairs report notes.

National: US still ‘not prepared’ in event of a serious cyber attack and Congress can’t help if it happens | Iain Thomson/The Register

Despite some progress, the US is still massively underprepared for a serious cyber attack and the current administration isn’t helping matters, according to politicians visiting the DEF CON hacking conference. In an opening keynote, representatives Ted Lieu (D-CA) and James Langevin (D-IL) were joined by hackers Cris Thomas, aka Space Rogue, and Jen Ellis (Infosecjen) to discuss the current state of play in government preparedness. “No, we are not prepared,” said Lieu, one of only four trained computer scientists in Congress. “When a crisis hits, it’s too late for Congress to act. We are very weak on a federal level, nearly 20 years after Space Rogue warned us we’re still there.” Thomas testified before Congress 20 years ago about the dangers that the internet could pose if proper steps weren’t taken. At today’s conference he said there was much still to be done but that he was cautiously optimistic for the future, as long as hackers put aside their issues with legislators and worked with them. “As hackers we want things done now,” he said. “But Congress doesn’t work that way; it doesn’t work at the ‘speed of hack’. If you’re going to engage with it, you need to recognise this is an incremental journey and try not to be so absolutist.”

National: Schumer calls for $1 billion national investment in election security | David Lombardo/Times Union

Election cybersecurity has the potential to be a growth industry as federal lawmakers push a $1 billion investment in safeguarding next year’s elections. The proposed spending was highlighted Monday by U.S. Sen. Charles E. Schumer, D-N.Y., who stopped in East Greenbush for a tour of the Center for Internet Security, which helps government agencies prevent hacking of elections. The non-profit company also worked with the presidential campaigns of Donald Trump and Hillary Clinton to buttress their systems from cyber attacks in 2016. The money for cybersecurity grants is part of legislation that would also require states to collect paper ballots, set minimum cybersecurity standards, direct federal officials to craft preventative measures states can implement, and impose testing of voting system vulnerabilities. Paper ballots are already used as a safeguard for New York elections. The U.S. Constitution empowers states to administer elections, which has resulted in varying standards across the country.

National: Analysis shows 2020 votes still vulnerable to hacking | Mary Clare Jalonick/Associated Press

More than one in 10 voters could cast ballots on paperless voting machines in the 2020 general election, according to a new analysis, leaving their ballots more vulnerable to hacking. A study released by the Brennan Center for Justice at NYU School of Law on Tuesday evaluates the state of the country’s election security six months before the New Hampshire primary and concludes that much more needs to be done. While there has been significant progress by states and the federal government since Russian agents targeted U.S. state election systems ahead of the 2016 presidential election, the analysis notes that many states have not taken all of the steps needed to ensure that doesn’t happen again. The report also notes that around a third of all local election jurisdictions were using voting machines that are at least a decade old, despite recommendations they be replaced after 10 years. The Associated Press reported last month that many election systems are running on old Windows 7 software that will soon be outdated. “We should replace antiquated equipment, and paperless equipment in particular, as soon as possible,” the report recommends.

National: Hackers Take on Darpa’s $10 Million Voting Machine | Lily Hay Newman/WIRED

For the last two years, hackers have come to the Voting Village at the DefCon security conference in Las Vegas to tear down voting machines and analyze them for vulnerabilities. But this year’s Village features a fancy new target: a prototype secure voting machine created through a $10 million project at the Defense Advanced Research Projects Agency. You know it better as Darpa, the government’s mad science wing. Announced in March, the initiative aims to develop an open source voting platform built on secure hardware. The Oregon-based verifiable systems firm Galois is designing the voting system. And Darpa wants you to know: its endgame goes way beyond securing the vote. The agency hopes to use voting machines as a model system for developing a secure hardware platform—meaning that the group is designing all the chips that go into a computer from the ground up, and isn’t using proprietary components from companies like Intel or AMD. “The goal of the program is to develop these tools to provide security against hardware vulnerabilities,” says Linton Salmon, the project’s program manager at Darpa. “Our goal is to protect against remote attacks.” Other voting machines in the Village are complete, deployed products that attendees can take apart and analyze. But the Darpa machines are prototypes, currently running on virtualized versions of the hardware platforms they will eventually use. A basic user interface is currently being provided by the secure voting firm VotingWorks.

National: Mayberry v. Moscow: How Local Officials Are Preparing to Defend the 2020 Elections | AJ Vicens/Mother Jones

In early June, the Allegheny County Board of Elections held a special meeting in downtown Pittsburgh, inviting a trio of election security experts to offer advice as the county selects new voting equipment. Marian Schneider, a former Pennsylvania state elections official and the current president of Verified Voting, an election security watchdog group, gave an opening statement framing the day’s conversation in stark terms. “Twenty sixteen demonstrated what many of us have long believed…the threat to our computerized voting system was not merely theoretical, but real and persistent,” she warned, reiterating that another nation had “conducted a well-orchestrated attack on American democracy.” The members of the board solemnly listened, took copious notes, and thanked the panel for their expertise as they assessed bids offering new and more secure equipment. After the meeting, Candice Hoke, a longtime election administration and security expert who’d also been invited to speak, described the gathering as an unusual bright spot, contrasting the attention Allegheny County had devoted to the issue to many places around the country where the state of election security lags. Efforts by federal agencies to work with states and jurisdictions to improve election security are helping, Hoke says, but the bureaucrats overseeing the country’s more than 10,000 election jurisdictions are still routinely outmatched.

National: Are States Taking Cybersecurity Seriously Enough? | Katherine Barrett & Richard Greene/Governing

A spike in cyberattacks in recent months has left state and local governments reeling. Baltimore faces more than $18 million in losses following a May ransomware attack. Several Florida cities were hit in June. And Los Angeles police data was hacked in late July. A 2018 report from the National Association of State Chief Information Officers (NASCIO) found one unidentified state undergoing 300 million attacks a day — up from 150 million two years before. Cybersecurity and risk management is at the top of CIOs’ list of 10 priorities for 2019, according to an annual NASCIO survey. Rhode Island was making it the biggest priority. In 2017, it became one of only two states with a cabinet-level cybersecurity position. (The other is Idaho, according to Meredith Ward, NASCIO’s director of policy and research.) But this pioneering approach wasn’t long-lived in Rhode Island. Last month, the position was removed from the state’s 2020 budget. High-level officials in the state, including its CIO, are confident that cybersecurity will continue to be a priority, but others worry it will receive less attention.