Congress provided $380 million in election security funding as part of its massive spending bill, a move that reflects the growing consensus in Washington that more needs to be done to ensure the integrity of America’s elections. The funding would go to the Election Assistance Commission, which then must distribute the funds to states within 45 days to replace aging voting machines, implement post-election audits, and provide cybersecurity training for state and local officials, among other election security related improvements. “In this challenging political time, this has to be seen as a win and a recognition that [election security] is an important responsibility,” Adam Ambrogi, the director of the Elections Program at the Democracy Fund, told Business Insider. “The federal government needs to aid the states. The states don’t have this money laying around.”
Editorials: The Senate has released election-security recommendations. Now it’s time to act. | The Washington Post
The House Intelligence Committee voted on party linesThursday to release a one-sided report on the panel’s hastily closed Russia investigation, deepening the partisan morass and enabling President Trump to undermine law enforcement and the intelligence community. The Senate Intelligence Committee, meanwhile, has taken Russia’s continuing attacks on the nation’s democracy more seriously than its House counterpart. The Senate probe continues in a bipartisan — and, as of now, constructive — manner. The panel on Tuesday released preliminary recommendations on election security, the first of several documents the committee will release on Russia’s meddling in the country’s elections. It will take some time to get the committee’s full analysis, which must undergo declassification review. But with primary elections already starting, acting on the recommendations is urgent.
Georgia: Bill to replace Georgia’s electronic voting machines advances | Atlanta Journal-Constitution
A proposal to replace Georgia’s electronic voting machines passed a subcommittee Tuesday despite concerns that the legislation doesn’t go far enough to safeguard elections. The measure calls for the state to begin using a new voting system with paper ballots in time for the 2020 presidential election. State lawmakers say the state’s all-digital election system, in use since 2002, is outdated and needs to be scrapped after tech experts exposed security vulnerabilities last year in the same type of voting machines as those used in Georgia. … Critics of the voting legislation say the touch-screen machines, which the state tested during a Conyers election in November, are vulnerable to tampering because they use bar codes for tabulation purposes. Voters wouldn’t be able to tell whether the bar codes matched the candidates they chose, which would also be printed on the ballot.
Florida lawmakers want to expand the use of digital voting and tallying machines. Many of the state’s election managers are behind the plan. But critics don’t want to leave the paper ballot behind. … Leon County Elections Supervisor Mark Earley supports the bill. He says digital recounts would be more effective and efficient. “We would’ve not only been able to find the paper very quickly because of the digital ballot sorting that is inherent in this audit system, the great power of it, it’s very visual and transparent. We could’ve seen the problem ballots, assessed the images. And if the county commission or canvasing board so desired, they could have immediately said, ‘Let’s go see these 60 ballots or these 38 ballots’ or whatever it was that were in dispute, and we could’ve pulled the paper very easily out of the box,”Earley said.
This oped was originally published in the York Dispatch on February 1, 2018. An oversight in York County, Pennsylvania on the eve of last November’s Election Day questioned the rightful winner of the election, but thankfully the potential damage stopped there. Still, the discovery of a technical error — one that allowed voters to cast multiple votes…
Verified Voting Public Commentary: Verified Voting Testimony before the Pennsylvania State Senate Senate State Government Committee: Voting System Technology and Security
Download as PDF The security of election infrastructure has taken on increased significance in the aftermath of the 2016 election cycle. During the 2016 election cycle, a nation-state conducted systematic, coordinated attacks on America’s election infrastructure, with the apparent aim of disrupting the election and undermining faith in America’s democratic institutions. Intelligence reports that have…
Verified Voting Blog: Testimony of Verified Voting to the Georgia House of Representatives House Science and Technology Committee
Download as PDF Georgia’s voting machines need an update. The lifespan of voting machines has been estimated at 10-15 years.1 Purchased in 2002 Georgia’s voting machines are at the outside of that estimate. As voting systems age they are more susceptible to error, malfunction or security threats potentially losing or miscounting votes. Georgia is one…
North Carolina: Forsyth County seeks voting machine extension from General Assembly | Winston Salem Chronicle
Forsyth County Board of Elections is hoping the General Assembly will give counties an extension on getting new voting machines. Currently the county is under a state deadline to switch to a paper-based ballot system by next year. The county had planned to replace its current touchscreen voting machines used for early voting with new machines that will produce paper ballots. Plans to test the machines and have them ready by 2018, were sidelined by a legal battle over proposed changes to the makeup of election boards in the state. As North Carolina awaits a ruling, the State BOE’s term expired and the board is currently vacant. Without a state board, there is no one to certify new voting machines for use in the state, so Forsyth can’t get new machines and its current ones will no longer be certified after year’s end.
Nearly a year after the 2016 presidential election, many Americans have been forced, some for the very first time, to look critically at their voting protections, and recognize that US balloting systems are not nearly as impregnable as they once thought. Clearly, the US intelligence reports about Russia hacks provided a long-overdue wake up call for this issue. The good news: some progress has been made in some jurisdictions in the last year. The bad news: that progress hasn’t been as widespread or comprehensive as the problem would seem to demand. “I think we’re moving in the right direction,” said Larry Norden, of NYU’s nonpartisan Brennan Center for Justice. “I’m heartened by the fact that, for instance, we’re seeing, in both House and Congress, bipartisan proposals to invest in increased election system security.” … Election consultant Pam Smith agreed that there has “definitely [been] a pattern towards more secure elections” across the country. Some states appear to be ahead of the game. Virginia, for example, recently earned praise for decertifying all its touchscreen, paperless Direct Record Electronic (DRE) voting machines ahead of the termination date required by its own legislation.
DEFCON Report on Machine Vulnerabilities Critical First Step in Raising Awareness, But to Secure Election Systems, States Must Adopt Paper Ballots A new report on cyber vulnerabilities of our elections systems raises awareness of a critical issue, but in order to secure our elections, we need fundamental changes made at the state and local level.…
The Travis County Commissioners court rejected all proposals to build its custom-designed voting system that was supposed to improve security, turning it toward more traditional methods of finding a replacement for its current system. Officials made this decision after proposals to build STAR-Vote did not meet the requirements to create a complete system that fulfills all of the county’s needs. A request for proposals went out late last year, with vendors submitting their ideas early this year. Since 2012, Travis County and the county clerk invested more than $330,000 in time and resources to evaluate election computer security and compare various voting systems. Ultimately, it decided to try to invent its own.
This fall’s statewide elections in Virginia and New Jersey are the first big test of security measures taken in response to last year’s attempts by Russia to meddle with the nation’s voting system. Virginia was among 21 states whose systems were targeted by Russian hackers last year for possible cyberattacks. While officials say the hackers scanned the state’s public website and online voter registration system for vulnerabilities and there’s no sign they gained access, state authorities have been shoring up the security of their election systems. One of the most drastic steps was a decision by the Virginia Board of Elections earlier this month to order 22 counties and towns to adopt all new paper-backed voting machines before November. The board decided that the paperless electronic equipment they had been using was vulnerable to attack and should be replaced.
The thin, long piece of paper slides slowly out the voting machine, the internal mechanism guiding it making a sound similar to a copying machine. Printed on it are choices selected during voting, tapped seconds before on an electronic screen attached to the same machine. The piece of paper, in this case a ballot, is then carried to a second machine that electronically tabulates the votes while also dropping the paper into a locked, internal box. “Every vote that’s been cast there is a hard-copy paper record that each voter validated before it was inserted, scanned and tabulated,” said Jeb S. Cameron with Election Systems and Software, a Nebraska-based voting software and election management company that will help Georgia pilot a new paper-ballot voting system in November. That touches on one of the fiercest criticisms Georgia’s current system has received: There’s currently no paper record for most ballots cast in its elections.
The state of Alaska is exploring options for conducting elections after 2018, as it is faced with an aging voting system and financial pressures amid an ongoing state budget deficit. A bipartisan working group established by Lt. Gov. Byron Mallott is examining the issue. Josie Bahnke, director of the state Division of Elections, said one option that has gotten attention is a hybrid system would include allowing for early, in-person voting and voting by mail. But she said discussions are preliminary and more research must be done to see if this approach would work in Alaska, a vast state with far-flung communities. In certain parts of Alaska, the state must provide language assistance, including for a number of Alaska Native languages and dialects.
Federal money set aside to help states upgrade their voting equipment is running out, at a time when many states are seeking to replace aging machines and further fortify against cyberattacks. While federal funding has gradually diminished, the 2016 fiscal year marked a new low. As of September 2016, states had collectively spent more than the approximately $3.2 billion, distributed over several years, that Congress provided under the 2002 Help America Vote Act, according to a report from the independent Election Assistance Commission released Wednesday. Several states now rely mostly on any interest accrued from federal grants or on other sources for election-related efforts, such as replacing equipment that is in some cases a decade old.
Editorials: Utah needs to think about security above all as it buys new voting machines | Robert Gehrke/The Salt Lake Tribune
State elections officials held an open house earlier this month to demonstrate five election systems vying to replace the voting machines that have been chugging away for the past 13 years. Just a few days earlier, a group of hackers in Las Vegas took part in a demonstration of their own, designed to show how easily they could exploit the machines used around the country and potentially compromise our elections process. The results were alarming. The first voting machine was hacked within 90 minutes. By the end of the afternoon, all five had been compromised. One was reprogrammed to play Rick Astley’s 1987 hit “Never Gonna Give You Up.” The whole thing had been Rick Rolled. … Barbara Simons, president of Verified Voting, has been sounding the alarm about voting machine security — or lack thereof — for years. But even she was skeptical before the DefCon hacker exercise that the hackers would be able to compromise the machines. She was wrong. And the Russian interest in hacking election equipment makes her doubly concerned.
The recent news that thirty electronic voting machines of five different types had been hacked for sport at the Def Con hackers’ conference in Las Vegas, some in a matter of minutes, should not have been news at all. Since computerized voting was introduced more than two decades ago, it has been shown again and again to have significant vulnerabilities that put a central tenet of American democracy—free and fair elections—at risk. The Def Con hacks underscored this. So did the 2016 presidential election, in which the voter databases of at least twenty-one and possibly thirty-nine states, and one voting services vendor, came under attack from what were apparently Russian hackers. Last September, then-FBI Director James Comey vowed to get to the bottom of “just what mischief” Russia was up to, but, also sought to reassure lawmakers that our election system remained secure. “The vote system in the United States…is very, very hard for someone to hack into because it’s so clunky and dispersed,” Comey told the House Judiciary Committee. “It’s Mary and Fred putting a machine under the basketball hoop in the gym. These things are not connected to the Internet.” Comey was only partially correct. Clunky and dispersed, American elections are run by the states through three thousand individual counties, each one of which is responsible for purchasing and operating the voting machines set up by Mary and Fred. But Comey missed a central fact about many of those machines: they run on proprietary, secret, black-box software that is not immune to hacking, as Def Con demonstrated.
The toughest thing to convey to newcomers at the DefCon Voting Village in Las Vegas this weekend? Just how far they could go with hacking the voting machines set up on site. “Break things, just try to pace yourself,” said Matt Blaze, a security researcher from the University of Pennsylvania who co-organized the workshop. DefCon veterans were way ahead of him. From the moment the doors opened, they had cracked open plastic cases and tried to hot-wire devices that wouldn’t boot. Within two minutes, democracy-tech researcher Carsten Schürmann used a novel vulnerability to get remote access to a WINVote machine. The Voting Village organizers—including Harri Hursti, an election technology researcher from Finland, and Sandy Clark from the University of Pennsylvania—had set up about a dozen US digital voting machines for conference attendees to mess with. Some of the models were used in elections until recently and have since been decommissioned; some are still in use. Over three days, attendees probed, deconstructed and, yes, even broke the equipment in an effort to understand how it works and how it could be compromised by attackers. Their findings were impressive, but more importantly, they represented a first step toward familiarizing the security community with voting machines and creating momentum for developing necessary defenses.
The Department of Homeland Security (DHS) provided cybersecurity assistance to 33 state election offices and 36 local election offices leading up to the 2016 presidential election, according to information released by Democratic congressional staff. During the final weeks of the Obama administration, the DHS announced that it would designate election infrastructure as critical, following revelations about Russian interference in the 2016 election. Since January, two states and six local governments have requested cyber hygiene scanning from the DHS, according to a memo and DHS correspondence disclosed Wednesday by the Democratic staff of the Senate Homeland Security and Governmental Affairs Committee. The information is related to the committee’s ongoing oversight of the DHS decision to designate election infrastructure.
If there’s a single lesson Americans have learned from the events of the past year, it might be this: Hackers are dangerous people. They interfere in our elections, bring giant corporations to their knees, and steal passwords and credit card numbers by the truckload. They ignore boundaries. They delight in creating chaos. But what if that’s the wrong narrative? What if we’re ignoring a different group of hackers who aren’t lawless renegades, who are in fact patriotic, public-spirited Americans who want to use their technical skills to protect our country from cyberattacks, but are being held back by outdated rules and overly protective institutions? In other words: What if the problem we face is not too many bad hackers, but too few good ones? The topic of ethical hacking was on everyone’s mind at Def Con, the hacker convention last week in Las Vegas. It’s the security community’s annual gathering, where thousands of hackers gathered to show their latest exploits, discuss new security research and swap cyberwar stories. Many of the hackers I spoke to were gravely concerned about Russia’s wide-ranging interference in last year’s election. They wanted to know: How can we stop attacks like these in the future?
The manufacturer of the digital voting machines used across the state filed suit in Travis County district court this week, seeking to block the Texas secretary of state from certifying rival machine makers whose devices produce a paper receipt of votes cast. The lawsuit adds to the growing controversy surrounding the security of voting systems across the country — prompted, in part, by fears of potential hacking and by unsubstantiated claims by President Donald Trump that millions of illegal votes were cast in the 2016 election. The lawsuit filed by Hart InterCivic — the manufacturer of the eSlate voting machines used in Travis County — asks a district court judge to preemptively rule that voting machines that produce a paper record do not comply with state laws requiring the use of electronic voting machines for all countywide elections. The Texas secretary of state’s office declined to comment. Hart Intercivic’s attorney did not return calls from the American-Statesman.
“Anyone who says they’re un-hackable is either a fool or a liar.” Jake Braun, CEO of Cambridge Global Advisors and one of the main organizers of the DEFCON Voting Village, said the U.S. election industry has an attitude similar to what had been seen with the air and space industry and financial sectors. Companies in those sectors, Braun said, would often say they were un-hackable their machines didn’t touch the internet and their databases were air-gapped — until they were attacked by nation-states with unlimited resources and organized cybercrime syndicates and they realized they were “sitting ducks.” … Candice Hoke, law professor and co-director of the Center for Cybersecurity and Privacy Protection, said in a DEFCON talk the laws surrounding investigations of potential election hacking were troublesome. “In some states, you need evidence of election hacking in order to begin an investigation. This is an invitation to hackers,” Hoke said. “We all know in the security world that you can’t run a secure system if no one is looking.”
It took less than a day for attendees at the DefCon hacking conference to find and exploit vulnerabilities in five different voting machine types. “The first ones were discovered within an hour and 30 minutes. And none of these vulnerabilities has ever been found before, they’ll all new,” said Harri Hursti, co- coordinator of the event. One group even managed to rick-roll a touch screen voting machine, getting it to run Rick Astley’s song “Never Gonna Give You Up,” from 1987. … The groups weren’t able change votes, noted Hursti, a partner at Nordic Innovation Labs and an expert on election security issues. “That’s not what we’re trying to do here today. We want to look at the fundamental compromises that might be possible,” he said.
National: U.S. elections are an easier target for Russian hackers than once thought | Los Angeles Times
When Chris Grayson pointed his Web browser in the direction of Georgia’s elections system earlier this year, what he found there shocked him. The Santa Monica cybersecurity researcher effortlessly downloaded the confidential voter file of every registered Georgian. He hit upon unprotected folders with passwords, apparently for accessing voting machines. He found the off-the-shelf software patches used to keep the system secure, several of which Grayson said could be easily infected by a savvy 15-year-old hacker. “It was like, holy smokes, this is all on the Internet with no authentication?” Grayson said in an interview. “There were so many things wrong with this.” … Among the most alarmed have been pedigreed computer security scholars, who warn that a well-timed hack of a vendor that serves multiple states could be enough to cause chaos even in systems that were thought to be walled off from one another. And they say security lapses like those in Georgia reveal the ease with which hackers can slip in.
Russia’s meddling in the 2016 election may not have altered the outcome of any races, but it showed that America’s voting system is far more vulnerable to attack than most people realized. Whether the attackers are hostile nations like Russia (which could well try it again even though President Trump has raised the issue with President Vladimir Putin of Russia) or hostile groups like ISIS, the threat is very real. The question is this: Can the system be strengthened against cyberattacks in time for the 2018 midterms and the 2020 presidential race? The answer, encouragingly, is that there are concrete steps state and local governments can take right now to improve the security and integrity of their elections. A new study by the Brennan Center for Justice identifies two critical pieces of election infrastructure — aging voting machines and voter registration databases relying on outdated software — that present appealing targets for hackers and yet can be shored up at a reasonable cost. … The report identifies three immediate steps states and localities can take to counter the threat.
As new reports emerge about Russian-backed attempts to hack state and local election systems, U.S. officials are increasingly worried about how vulnerable American elections really are. While the officials say they see no evidence that any votes were tampered with, no one knows for sure. Voters were assured repeatedly last year that foreign hackers couldn’t manipulate votes because, with few exceptions, voting machines are not connected to the Internet. “So how do you hack something in cyberspace, when it’s not in cyberspace?” Louisiana Secretary of State Tom Schedler said shortly before the 2016 election. But even if most voting machines aren’t connected to the Internet, says cybersecurity expert Jeremy Epstein, “they are connected to something that’s connected to something that’s connected to the Internet.” … While it’s unclear if any of the recipients took the bait in the email attack, University of Michigan computer scientist Alex Halderman says it’s just the kind of phishing campaign someone would launch if they wanted to manipulate votes.
Revelations that Russian hackers tried to break into Dallas County’s web servers, likely with the intention of accessing voter registration files, in the lead up to last November’s election renewed concerns about Texas election security. Both Wednesday night’s news out of Dallas and a Bloomberg report on Monday—which said that the Russian hacking attempts affected 39 states—are forcing states to look inward and re-examine the security of their local and state-level electoral technologies. The particular targets of Russian hackers were the accounts of elections officials and voter registration rolls, which are connected to the internet and are unlike the voting systems that actually do the recording and vote tallying. But a possible security breach of one area of electoral technologies has the potential to ripple out and affect the integrity of other ones. “The reason why this whole Russian hacking thing is a wake-up call is because we’ve been caught not paying as much attention as we should have in an area that all of us didn’t think was that vulnerable,” Dana DeBeauvoir, the Travis County clerk since 1987, says. “And yet it has turned out to be extremely vulnerable in ways we did not expect.”
Hackers will target American voting machines—as a public service, to prove how vulnerable they are. When over 25,000 of them descend on Caesar’s Palace in Las Vegas at the end of July for DEFCON, the world’s largest hacking conference, organizers are planning to have waiting what they call “a village” of different opportunities to test how easily voting machines can be manipulated. Some will let people go after the network software remotely, some will be broken apart to let people dig into the hardware, and some will be set up to see how a prepared hacker could fiddle with individual machines on site in a polling place through a combination of physical and virtual attacks.
In January, America’s main intelligence agencies issued a report concluding that Russia interfered in the 2016 election, using a combination of cyber-intrusion, espionage, and propaganda. In addition to the details provided in this account, media outlets have since reported that several election databases were hacked before and after the election. While the Department of Homeland Security found no evidence any of these efforts manipulated vote tallies, the assaults have left many Americans asking: Just how safe are voting machines from cyberattack? The answer is not reassuring. For more than a decade, independent security experts have repeatedly demonstrated that many electronic voting machines are dangerously insecure and vulnerable to attack and manipulation by bad actors.
Elections clerks across Montana could find themselves increasingly challenged to serve voters with severe physical disabilities because of a dwindling supply of polling equipment designed especially for people who cannot use traditional voting machines. Existing inventories of voting machines for disabled voters are antiquated, some nearly two decades old. Many units are in disrepair and elections officials have been unable to replace the aging machines with newer, modern equipment because of state law. In 2008, a disabled voter sued Missoula County for not being in full compliance with federal law when it did not have a backup unit for a malfunctioning machine specially designed for people who do not have full function of their limbs.