National: U.S. Accuses Russian Military Hackers of Attack on Email Servers | Julian E. Barnes and David E. Sanger/The New York Times

The National Security Agency publicly accused Russian government hackers of targeting email servers around the world in an unusual announcement on Thursday, showing that the agency is becoming more aggressive in calling out Moscow’s action as the presidential election approaches. While the Trump administration has publicly attributed cyberattacks to Russia before — including for its 2016 election hack and for paralyzing Ukraine in 2017, which damaged the operations of the shippers Maersk and FedEx — this allegation was unusually specific. It singled out Russia’s military intelligence unit, widely known as the G.R.U., demonstrating intelligence agencies’ concern that Russia intends to interfere in the election only a little more than five months away. But it also comes as President Trump has renewed his baseless claims that the investigation into Russia’s activities was part of a “hoax” intended by Democrats to paralyze him. He has publicly questioned Russia’s culpability in the election hacking and appeared to accept President Vladimir V. Putin’s argument that Russia was so good at cyberoperations that it would never have been caught. “There has been a reluctance to be critical of Russia because of echoes of investigations,” said retired Gen. Martin E. Dempsey, the former chairman of the Joint Chiefs of Staff. “For the N.S.A. to do that, in this climate, they must have absolutely incontrovertible evidence.”

New Mexico: Rio Arriba County hit in ransomware cyberattack | Amanda Martinez/Santa Fe New Mexican

Rio Arriba County government was the victim of a ransomware cyberattack, with a significant but still unknown number of its network servers, electronic files and databases having been encrypted, according to a Wednesday news release. “While the exact extent of this cyberattack has not yet been determined, what is known is that nearly every county server that has files or databases on it has been affected in some way, including the County’s backup servers,” the news release states. Raymond Ortiz, the county’s information technology consultant, confirmed the cyberattack Wednesday but said he could not provide further comment. County Manager Tomas Campós did not immediately return a message. The affected servers, files and databases cannot be accessed, reviewed or edited. Officials discovered agencies had been victims of the cyberattack Tuesday and reported the intrusion to the county’s insurance company and federal law enforcement authorities, according to the news release.

National: States plead for cybersecurity funds as hacking threat surges | Maggie Miller/The Hill

Cash-short state and local governments are pleading with Congress to send them funds to shore up their cybersecurity as hackers look to exploit the crisis by targeting overwhelmed government offices. Members of Congress have taken notice of cyber threats at the state and local level, both before and during the pandemic, and efforts are underway to address the challenges, though how much will be provided is uncertain amid a fight over the amount of additional coronavirus stimulus. For Atlanta’s top cybersecurity official, any funds cannot come soon enough. “We would love and welcome more funding from the federal government as our digital infrastructure is just expanding and it’s going to expand even more because of this,” Gary Brantley, the chief information officer for the city of Atlanta, told The Hill. Brantley said that coronavirus-related attacks have become an issue for his office, particularly those targeted at his office through malicious phishing emails. “We are seeing a lot more malicious activity, especially a lot of activity related to COVID-19,” Brantley said. “I know our phishing attacks are up tremendously across the city and attempts to confuse our user base are high.”

Indonesia: Election commission investigates data breach on over two million voters | AFP

Indonesia is probing how 2.3 million voters’ personal information was leaked online, the election commission said on Friday (May 22). The data breach, which included names, home addresses and national identification numbers, appeared to be from the 2014 election voter list, according to the General Election Commission. Agency commissioner Viryan Azis said an investigation had been launched into the source of the leak earlier this week.

Idaho: Secretary of State working with Boise cybersecurity company on absentee election security | Rachel Spacek/Idaho Press

The Idaho Secretary of State’s Office is working with a Boise-based cybersecurity company to track election security-related issues during the state’s unprecedented absentee ballot election. According to a press release, PlexTrac will allow the secretary of state election cybersecurity team to collaborate with every county in the state about any election security issues that come up. Tuesday, the day of the primary election, was the last day for voters to request a ballot. Completed ballots are due June 2, when results will be released. Foster Cronyn, deputy secretary of state, said the office has implemented several tools over previous election years that monitor and report on election security. “PlexTrac consolidates this very complex information into an organized, actionable report for our cyber security analysts,” Cronyn said. “In previous elections, we have had to manually review these reports and look for patterns. Although this election is absentee ballot only, these are still requested, tallied and reported on using large online computing systems. PlexTrac aggregates security reports from these systems.”

New Jersey: Emergency Motion to Stop Internet Voting in New Jersey | Penny Venetis/Freedom to Tinker

On May 4th, 2020 a press release from mobilevoting.org announced that New Jersey would allow online voting in a dozen school-board elections scheduled for May 12th. On May 11, the Rutgers International Human Rights Clinic filed an emergency motion to stop internet voting in New Jersey. During a conference on May 18 with Superior Court Judge Mary Jacobson, the State notified the court that it had abandoned its plans to use internet voting for the upcoming July 7 primary election.  The Clinic, led by Rutgers Law School professor Penny Venetis, argued that the Democracy Live online voting system (that New Jersey planned to use) violated a broad court order issued in March 2010 by Judge Linda Feinberg.  That order was issued in the Clinic’s case Gusciora v. Corzine, which challenged paperless voting machines as unconstitutional.   The March 2010 court order stated clearly and unequivocally that no part of any New Jersey voting system could be connected to the internet, under any circumstance.  New Jersey has a continuing obligation to ensure that the order is followed, and that all voting-related software is “hardened” on a regular basis.

National: The Cyberspace Solarium Commission Makes Its Case to Congress | William Ford/Lawfare

During a videoconference on May 13, the Cyberspace Solarium Commission made its case to Congress that the U.S. should adopt a strategy of layered cyber deterrence, a three-pronged plan to reduce the frequency of and the damage wrought by cyberattacks targeting America. The commission’s proposal follows 11 months of intense internal deliberation. During that time, the task force worked to answer the question Congress established it to address: What strategic approach should the federal government take to defending the United States in cyberspace? On March 11, the commission unveiled its vision in an exhaustive report detailing the concept of layered cyber deterrence. The commission’s members—two senators, two representatives, four executive branch officials and six private experts—packed the report with scores of policy recommendations, including 57 legislative proposals, which delineate exactly how to execute the novel cyber strategy. The report’s recommendations are designed to be turned into bills, ushered swiftly through Congress, and implemented. To that end, the commission transmitted its legislative proposals directly to the relevant House and Senate committees, some of which have begun the work of incorporating the commission’s ideas into legislation. But more than two months passed between the release of the commission’s report and the first time the task force got to discuss its proposals in public testimony before lawmakers.

Idaho: Privacy please: Protected information for some Idaho voters accidentally released | Misty Inglet/KTBV

The Idaho Secretary of State’s Office is admitting to a computer glitch that led to some private voter information being released. Recently, the Idaho Freedom Foundation requested a list of registered Idaho voters from the Secretary of State’s Office. That list contains voter names, addresses, and party affiliation. That basic voter information is public and as such, the Secretary of State’s Office followed legal procedure by providing the list to the group as well as eight other organizations. However, Dep. Secretary of State Chad Houck confirmed to KTVB that the list provided did contain some protected information that should not have been released. Idaho Freedom Action, a branch of the Idaho Freedom Foundation, posted the list online on May 13, which drew the privacy issue to the attention of the Secretary of State’s Office, as well as others.

Texas: Cyberattack Disrupts Texas Department of Transportation | Lucas Ropek/Government Technology

The Texas Department of Transportation (TxDOT) was hit by a ransomware incident last Thursday, making it the second state agency to suffer such an attack in a little less than a week. On the heels of an attack against the state’s Office of Court Administration (OCA) May 8, a hacker gained access to the TxDOT’s network last week, in what officials are calling a “ransomware event.” The agency took measures to contain the damage and has contacted the FBI to help with its investigation, according to a press release. “We want every Texan to rest assured that we are doing everything we can to swiftly address this issue. We are also working to ensure critical operations continue during this interruption,” TxDOT Executive Director James Bass said in a statement Friday. While it’s unclear which services have been affected by the attack, the agency’s website appears to have lost some functionality and now includes a banner that reads: “Due to technical difficulties, some website features are unavailable. We are working to resolve this issue quickly.”

National: Risks Overshadow Benefits with Online Voting, Experts Warn | Lucas Ropek/Government Technology

Government officials have expressed mounting concerns for how the COVID-19 virus could diminish voter turnout during the 2020 presidential election. As a partial solution, a handful of states have turned to Internet voting pilot programs: New Jersey, Delaware and West Virginia have all recently launched pilots, most of which are limited in scope and focus mainly on alleviating barriers for disabled and overseas voters. However, the computer science community — long critical of internet voting — sees the programs as a slippery slope towards a looming security risk. David Dill, a computer science professor at Stanford University, is one of the prolific naysayers. Having spent much of his career researching holes in software code, Dill said that there is just simply no way to ensure that devices and apps are free of malware that might manipulate a voter’s choices. Similarly, a hacker from an adversarial foreign government could always theoretically hack their way into these systems and change or manipulate votes. “Between your keyboard and your vote going into an electronic ballot box on the other end of the Internet, there are a lot of bad things that could happen,” he said. “This problem is not fixable, at least not in practical terms.”

National: What to make of HBO’s ‘Kill Chain: The Cyber War on America’s Elections’ | Abel Morales/The Fifth Domain

With the election now only months away, officials are desperately trying to find solutions to protect the integrity of our election systems. The big question that remains is, “Will it work?” Kill Chain: The Cyber War on America’s Elections is a new HBO documentary that takes viewers through a journey to discover the weaknesses of today’s election technology. Being a security engineer, it is my job to help analyze some of the techniques that hackers are using in order to better protect the organizations I serve. I decided to watch Kill Chain to understand the minds of the adversaries who are conducting the attacks on our election system. Below are my takeaways from the film. In the documentary, one of the hackers at DEF CON successfully took over a voting machine and forced the system to shut down. The hacker achieved command line access. Within a three-day period, hackers learned from the presenter and found dozens of vulnerabilities. These were just hackers at a three-day conference limited to the resources they held within the conference center. Nation-state attackers have the time and resources to acquire these machines, identify the vulnerabilities and plan a strategic and coordinated attack to impact an election.

National: Commission that pushed a cybersecurity overhaul hopes coronavirus boosts the effort | Joseph Marks/The Washington Post

The lawmakers behind an ominous report about America’s lack of preparedness for a major cyberattack are hoping the coronavirus pandemic will boost their calls to overhaul the nation’s digital defenses. The Cyberspace Solarium Commission on March 11 released its 182-page report calling for a far more muscular stance against U.S. digital adversaries such as Russia and China and new cybersecurity executives with broad powers to cut through red tape at the White House and State Department. But the commission’s bold recommendations were largely lost in the shuffle two days later when President Trump declared the coronavirus a national emergency and official Washington rushed to deal with the pandemic. A planned media tour by the commission’s congressional co-chairs, Sen. Angus King (I-Maine) and Rep. Mike Gallagher (R-Wis.), was also put on ice.

National: What’s lost, gained as Black Hat and DEF CON go virtual | Bradley Barth/SC Media

As Black Hat and DEF CON organizers, researchers and members of the cyber community scramble to figure out how they can salvage or, better yet, enhance the experience as the events go virtual amid the COVID-19 pandemic, security will be a top priority. Meanwhile, other aspects of the conferences are expected to change more drastically, for better or worse. Organizers of the August 2020 events are aware the remote shows will have to emphasize security, as the new format presents a tempting challenge to adversaries who may want to make a name for themselves by hacking into the shows’ remote infrastructure, perhaps hijacking a presentation or disrupting access. While members of the cyber community acknowledged the issue, they don’t seem to be fretting it too heavily. “Sure, there is always a concern, but if cybersecurity conferences can’t figure out how to secure their virtual events, well, they probably shouldn’t claim to be a cybersecurity conference,” said Patrick Wardle, a frequent Black Hat/DEF CON presenter, principal security researcher at Jamf, and founder of Objective-See. “And such conferences already have had to secure their websites and networks at in-person events. And oftentimes such networks were part of a public venue or… belonged to the venue itself, and thus a purely virtual event may be in a way, simpler to secure.”

New Jersey: Lawsuit aims to halt any more online voting in New Jersey | Sara Swann/The Fulcrum

New Jersey piloted a new online voting system for people with disabilities this week, but a lawsuit could stop the state from using it again. Human rights activists and law school students are challenging the new voting system, arguing it’s unfair to expose only one category of voters to significant risk their ballots will get hacked with impunity. Using a special app to vote over the internet is denigrated by most cybersecurity experts, who say the threat of votes being compromised is hardly worth the convenience. Four federal technology, law enforcement and election agencies united behind a report this month bluntly warning states against adopting online voting because “ensuring ballot integrity and maintaining voter privacy is difficult, if not impossible, at this time.” New Jersey ran its first test of online voting in 33 local elections Tuesday. The system was only available for people with disabilities, who would have had difficulty casting ballots in contests that were otherwise conducted entirely by mail because of the coronavirus pandemic.

New Jersey: Lawsuit tries to block Internet voting in New Jersey | Joseph Marks/The Washington Post

Human rights activists and New Jersey law students are suing to block the state from using Internet-based voting systems, which security experts say are fundamentally insecure against hacking. The effort is a shot across the bow for the online systems, which some states have embraced as a solution for people who have trouble voting by mail during the pandemic despite widespread security concerns. New Jersey piloted an app-based system on Tuesday in a collection of 33 small elections for people with disabilities that make it impractical for them to vote by mail. Everyone else had to vote by mail and there was no in-person voting option. New Jersey officials haven’t said whether they plan to repeat the pilot in the state’s July primary or the general election, but the lawsuit is trying to stop those plans before they start. It’s essentially an offshoot of an earlier lawsuit that challenged the security of the state’s voting machines and also dealt with the danger of voting systems going online. “It’s critical that voting be accessible for everybody but not at the expense of security and the risk of a group of people having their votes manipulated,” said Penny Venetis, director of Rutgers University Law School’s International Human Rights Clinic, which is challenging the use of online voting on behalf of Coalition for Peace and its New Jersey division as well as a state legislator.

Utah: Experts agree this year’s election is a big target for hackers, disinformation and foreign interference | Connor Sanders/The Salt Lake Tribune

As the 2020 election nears, the need to strengthen cybersecurity and dispel misinformation grows. “You have to assume you will be targeted by disinformation and misinformation,” said Adam Clayton Powell III, executive director of the Election Cybersecurity Initiative. “Elections and campaigns are too easy of a target for adversaries both foreign and domestic.” Powell and Clifford Neuman, director of USC’s Center for Computer Systems Security, outlined during an online conference Tuesday how hackers and foreign adversaries can not only influence elections through infiltrating the voting system, but also through spreading false information. Neuman mentioned that the first, but rarest, way an election can be compromised is through actual manipulation of the vote count on Election Day. Utah’s transition to mail-in voting not only makes it well-equipped to handle voting in a COVID-19 world, it also makes it difficult for hackers to skew an election through an electronic voting apparatus. But the reach of a hacker extends beyond the ballot box. Powell reported that China, Russia and Iran have already begun to spread false reports online, and foreign countries are now echoing each other’s messages by citing another country’s fake reports as a source.

National: Why A Voting App Won’t Solve Our Problems This November | Kaleigh Rogers/FiveThirtyEight

At 106, MacCene Grimmett is one of the oldest voters in the state of Utah. Though women didn’t have the right to vote when she was born in 1913, by the time she was of voting age, the 19th Amendment had passed. She has voted in every election since, she told her local Fox affiliate, including the Utah County municipal general election last November. But that time, the centenarian cast her ballot in a novel way: She voted via an app. America is 174 days away from a presidential election. It’s also in the middle of a pandemic that upended normal life, requiring mass shutdowns and social distancing. Those two things don’t exactly jive. Having millions of Americans stand in crowded polling places for hours to cast a ballot on Election Day sounds like the makings of a public health disaster — especially if there is a second surge of COVID-19 infections in the fall, as some experts predict. So now, election officials are looking for ways to hold elections remotely. One option that has been proposed is voting via an app on a smartphone or electronic device, just like Grimmett did last fall (though so far, states seem to only be considering this option for certain groups of voters, such as voters with disabilities).

National: Experts sound alarms about security as states eye online voting | Maggie Miller/The Hill

Experts are sounding alarms about potential security risks as several states consider allowing online voting amid the COVID-19 pandemic. Delaware, New Jersey and West Virginia are planning to allow overseas military personnel and voters with disabilities to return their ballots electronically for elections this year amid concerns about voting during a pandemic. But federal officials and cybersecurity experts are strongly urging states to stay away from online voting, arguing that it could open up new avenues for interference less than four years after Russia meddled in the 2016 elections. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) joined a group of federal agencies in condemning the idea of online voting in guidelines first reported by The Guardian last week. The guidelines, sent to states privately, described online voting as “high risk.” “Electronic ballot return, the digital return of a voted ballot by the voter, creates significant security risks to voted ballot integrity, voter privacy, ballot secrecy, and system availability,” the agencies wrote in the guidelines. “Securing the return of voted ballots via the internet while maintaining voter privacy is difficult, if not impossible, at this time.”

National: Experts say mobile voting tech isn’t the answer to COVID-19 | Alexander Culafi/TechTarget

Despite a need for alternatives to in-person voting during the COVID-19 pandemic, experts say mobile voting will not be ready for this year’s general election. Nearly a dozen pilot programs for mobile voting apps and internet voting portals have been launched across the U.S. in the last few years. And that was prior to the coronavirus pandemic, which postponed some state and primary elections this spring and caused concern over the safety of potentially crowded polling locations. “It’s pretty obvious that the coronavirus is making it difficult to have our standard election. That’s having an even bigger impact in urban centers where voting lines can already last for hours and be quite packed. And people are looking for other ways we can have the constitutionally mandated vote without putting people at risk,” said Jim Hendler, artificial intelligence researcher at Rensselaer Polytechnic Institute as well as a fellow at the Association for Computing Machinery (ACM).

Connecticut: State making plans to protect elections from cyber threats, pandemic | Joe Wojtas/The Day

Secretary of the State Denise Merrill is scheduled Monday afternoon to announce a plan to secure election systems across the state from cyberattack this fall and prepare polling places to safely operate during the COVID-19 pandemic. Deputy Secretary of the State Scott Bates outlined the challenges the state faces to ensure a safe and secure election in an op-ed published Monday in The Day. “We’re trying to do all we can do before this election to address the twin challenges of the pandemic and cyber security,” he told The Day on Sunday. Bates said the state will be using more than $15 million in federal funding to ensure outside groups can not interfere with the election and to make polls safe for both voters and workers.

West Virginia: Online Voting Has Worked So Far. That Doesn’t Mean It’s Safe | Lily Hay Newman/WIRED

West Virginia state delegate Eric Porterfield is blind and usually votes at a polling place using an accessible voting machine. He would need assistance to fill out a regular mail-in paper ballot, reducing his ability to keep his votes private. But thanks to a state law passed in January to address accessible remote voting, Porterfield has a new alternative for his state’s June 9 primary. For the first time, he plans to submit his absentee ballot online. “The gold standard for you or me or anyone is to be able to fulfill our constitutional right to vote by private ballot,” Porterfield says. The Covid-19 pandemic has made internet voting options more tempting than ever for election officials across the US. But election integrity advocates and security experts continue to warn that remote digital voting systems, whether mobile apps or cloud portals, do not have strong enough security guarantees for prime time. On Friday, a group of federal agencies including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the Election Assistance Commission sent a risk assessment to states, warning that “electronic ballot return technologies are high-risk even with controls in place.”

Florida: Florida becomes hot spot in the election security wars | Joseph Marks/The Washington Post

Florida, which is a perennial swing state in presidential elections, is now shaping up as a battleground over election security efforts during the pandemic. Officials there have yet to say whether they’ll accept $20 million in federal money that lawmakers and experts say is vital to manage a surge in voting by mail and other changes brought on by the novel coronavirus. The money is Florida’s share of $400 million in election security funding Congress included in the coronavirus stimulus bill in March. But Congress also mandated states match that money with 20 percent of their own funds and it’s not clear whether Gov. Ron DeSantis (R) and the state legislature are prepared to foot the $4 million bill. “Florida doesn’t have a great record of administering elections during normal times, so during a pandemic the lack of planning and the lack of additional resources could be catastrophic,” Rep. Stephanie Murphy (D-Fla.), told me. Florida is the only remaining state that hasn’t signaled its intentions regarding the federal money. If officials there don’t accept it, lawmakers fear that could lead to a dramatic failure on Election Day that throws the winner of the presidential election or control of Congress into question and plays into the hands of U.S. adversaries that want to undermine confidence in democracy.

National: Internet-based voting is the new front in the election security wars | Joseph Marks/The Washington Post

Voting systems that rely on the Internet are fast becoming a major conflict zone in the battle to secure the 2020 election against hacking. The development comes as states are scrambling to revamp their voting procedures to respond to the novel coronavirus pandemic. In some cases that means allowing digital voting to play a more prominent role, despite persistent warnings from experts that it’s highly insecure and often unverifiable. The Department of Homeland Security, the FBI and the Election Assistance Commission jumped into the fray on Friday, sending guidance to states warning about the major security challenges posed by all voting systems that use the Internet in some way. The guidance covers ballots sent digitally to voters; ballots sent and marked online but printed out and returned by physical mail; and ballots that are received and returned entirely digitally. The agencies warned about dangers related to all three systems but especially the third, which they say poses “significant security risks.” Among those risks: Hackers could change large numbers of votes, block votes from being recorded or undermine ballot secrecy.

National: DHS memo: ‘Significant’ security risks presented by online voting | Sean Lyngaas/CyberScoop

The Department of Homeland Security has told election officials and voting vendors that internet-connected voting is risky to the point that ballots returned online “could be manipulated at scale” by a malicious attacker. The advisory that DHS’s Cybersecurity and Infrastructure Security Agency sent states on Fri ay is perhaps the federal government’s sternest warning yet against online voting. It comes as officials weigh their options for conducting elections during a pandemic and as digital voting vendors see an opportunity to hawk their products. While the risk of election officials delivering ballots to voters via the internet can be managed, the return of those ballots by voters “faces significant security risks to the confidentiality, integrity, and availability of voted ballots,” CISA said in the guidance, which CyberScoop reviewed. “These risks can ultimately affect the tabulation and results and, can occur at scale.” The guidance, which is marked “For Official Use Only” and is not public, cites a theoretical “man-in-the-middle” attack, in which a hacker intercepts and alters data, as one risk to voters who return ballots electronically. Other federal agencies involved in election security — the Election Assistance Commission, the FBI, and the National Institute of Standards and Technology — signed off on the document.

National: Federal Agencies Warn States Online Voting Is ‘High Risk’ | Miles Parks/NPR

The federal government is letting states know it considers online voting to be a “high-risk” way of running elections even if all recommended security protocols are followed. It’s the latest development in the debate over Internet voting as a few states have announced they plan to offer it to voters with disabilities this year, while security experts have voiced grave warnings against doing so. An eight-page report distributed to states last week recommends mail-in ballots as a more secure method of voting. It was co-authored by four federal agencies, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. “We recommend paper ballot return as electronic ballot return technologies are high-risk even with controls in place,” says the document, according to a copy obtained by The Wall Street Journal. A source with knowledge of the document confirmed its authenticity to NPR. West Virginia, Delaware and New Jersey all have confirmed plans to pilot a system provided by the Seattle-based company Democracy Live in upcoming elections to allow military and overseas voters as well as some voters with disabilities the option to vote online.

National: Putin Is Well on His Way to Stealing the Next Election #DemocracyRIP | Franklin Foer/The Atlantic

Jack Cable sat down at the desk in his cramped dorm room to become an adult in the eyes of democracy. The rangy teenager, with neatly manicured brown hair and chunky glasses, had recently arrived at Stanford—his first semester of life away from home—and the 2018 midterm elections were less than two months away. Although he wasn’t one for covering his laptop with strident stickers or for taking loud stands, he felt a genuine thrill at the prospect of voting. But before he could cast an absentee ballot, he needed to register with the Board of Elections back home in Chicago. When Cable tried to complete the digital forms, an error message stared at him from his browser. Clicking back to his initial entry, he realized that he had accidentally typed an extraneous quotation mark into his home address. The fact that a single keystroke had short-circuited his registration filled Cable with a sense of dread. Despite his youth, Cable already enjoyed a global reputation as a gifted hacker—or, as he is prone to clarify, an “ethical hacker.” As a sophomore in high school, he had started participating in “bug bounties,” contests in which companies such as Google and Uber publicly invite attacks on their digital infrastructure so that they can identify and patch vulnerabilities before malicious actors can exploit them. Cable, who is preternaturally persistent, had a knack for finding these soft spots. He collected enough cash prizes from the bug bounties to cover the costs of four years at Stanford.

Utah: Hackers, COVID-19 and foreign disinformation create challenges for Utah elections this year | Lee Davidson/The Salt Lake Tribune

Hackers likely will still try to infiltrate government voting databases. Officials worry foreign countries may spread disinformation about elections. And the coronavirus is doing away with in-person voting in Utah’s primary on June 30. So what could go wrong amid all that? Utah officials plan to discuss that in an online public workshop Tuesday. But Justin Lee — state elections director for Lt. Gov. Spencer Cox — says Utah is better prepared to deal with challenges than most states because it has years of experience with voting by mail. With COVID-19, “The big concern is just to maintain appropriate social distancing but still allow everyone their right to vote,” so most states are attempting to vote by mail, often for the first time on a large scale, Lee said. “The good thing for Utah is that 90% of our voters already vote by mail,” he said. “So we’re already in a very good place compared to some of these other states that are scrambling.”

National: Coronavirus has upended election security training with just months before November | Joseph Marks/The Washington Post

Russian hackers could target election officials working from home. Adversaries could spread rumors about coronavirus outbreaks at polling sites to deter people from showing up on Election Day. Or they could launch disinformation campaigns claiming elections have been delayed or canceled entirely because of the virus. Those are just some of the new scenarios the University of Southern California’s Election Security Initiative is tackling as it races to conduct virtual training programs for campaign and election officials across all 50 states before November. The big takeaway: Every aspect of securing elections is now far harder than they ever imagined. The array of challenges officials are facing now make the pre-pandemic concerns about Russian hacking seem simple by comparison. “Security concerns now are more urgent in almost all cases because the virus has really exacerbated security issues,” the initiative’s executive director Adam Clayton Powell III told me. “It’s not an abstraction. It’s very real for people that they’ll have to do this work in a more urgent climate than they anticipated.”  USC launched its initiative early this year with a laser focus on helping to combat interference from Russia and other U.S. adversaries.  The group, which received most of its funding from Google, planned to hold in-person trainings across the country and to help officials who attended link up with experts at local universities who could help them prepare for cyberattacks, disinformation campaigns and related threats. But, like everything else about the election landscape, that plan was upended by the pandemic.

National: US government plans to urge states to resist ‘high-risk’ internet voting | Kim Zetter/The Guardian

The Department of Homeland Security has come out strongly against internet voting in new draft guidelines, breaking with its longstanding reluctance to formally weigh in on the controversial issue, even after the 2016 Russian election hacking efforts. The move comes as a number of states push to expand the use of ballots cast online. The eight-page document, obtained by the Guardian, pulls no punches in calling the casting of ballots over the internet a “high-risk” endeavor that would allow attackers to alter votes and results “at scale” and compromise the integrity of elections. The guidelines advise states to avoid it altogether or restrict it to voters who have no other means of casting a ballot. The document primarily addresses a type of internet voting called electronic ballot delivery and return – where digital absentee ballots counties send to voters overseas via email or a web portal are completed and returned via email attachment, fax or direct upload – but it essentially applies to all forms of internet voting. No states currently offer full-on internet voting, but numerous states allow military and civilian voters abroad to receive and return ballots electronically, and some of these voters use an internet-based system that allows them to mark their ballot online before printing it out and mailing it back or returning it via email or fax.

National: Agencies Warn States That Internet Voting Poses Widespread Security Risks | Dustin Volz/Wall Street Journal

Several U.S. government agencies told states on Friday that casting ballots over the internet poses high levels of cybersecurity risk and is vulnerable to disruption, a warning that came as some states consider expanding online voting options to cope with challenges created by the coronavirus pandemic. The unusually stark, eight-page federal risk assessment, sent to states privately, said that electronic delivery and return of ballots could be manipulated at a scale that allows for the wholesale compromise of elections, unlike the tampering of physical mail ballots, which is difficult to achieve and limited in its potential size or impact. But attacks on internet voting “could be conducted from anywhere in world, at high volumes, and could compromise ballot confidentiality, ballot integrity, and/or stop ballot availability,” the advisory, which was reviewed by The Wall Street Journal, stated. It rated the electronic delivery of blank ballots to voters as a low risk, but said allowing voters to return completed ballots electronically was high risk. While government officials previously have said internet voting poses risks, the new assessment contains the most direct language yet from federal authorities who typically avoid specifically instructing state and local election officials on how to carry out their elections. Some election officials have resisted calls for federal limitations on internet voting or voting machines that allow for wireless internet connectivity. But the assessment makes clear that vote-by-mail options are preferred to internet voting. “While there are effective risk management controls to enable electronic ballot delivery and marking, we recommend paper ballot return as electronic ballot return technologies are high-risk even with controls in place,” the document said.