After Russia’s misinformation campaign rattled the 2016 United States election season, scrutiny over this year’s midterms has been intense. And while foreign cybersecurity threats have so far been relatively muted, an unclassified government report obtained by The Boston Globe this week indicates more than 160 suspected election-related incidents since the beginning of August, ranging from suspicious login attempts to compromised municipal networks. Officials haven’t attributed most of it to an actor yet, but the situations include suspicious attempted logins on election systems like voter databases and municipal network compromises. Even in July, Microsoft said it had spotted four incidents of attempted campaign phishing. … The government won’t go it alone. Verified Voting, a group that promotes election system best practices, is part of the nonpartisan Election Protection coalition, which offers a hotline for voter information and issues. Verified Voting particularly specializes in fielding questions about technology issues related to voting. Some of those have already come up; in Texas and Georgia, outdated software and poor design features on paperless voting machines have caused a small but jarring number of incidents in which votes appear to be switched from a voter’s selection.Full Article: Midterms 2018: The Unprecedented Effort to Secure Election Day | WIRED.
Verified Voting in the News
It’s been two years since international interference sabotaged the United States’ election security, and still the vulnerability of our voting infrastructure remains a major problem. This past May, during Tennessee’s primary election, the Knox County election website fell prey to a DDoS attack. And just days ago, Texas voters experienced “ominous irregularities” from voting machines. In the lead up to the midterm elections, Radware surveyed Facebook users on the safety of U.S. elections, and the results paint a gloomy picture. The overwhelming majority (93.4 percent) of respondents believe that our election system is vulnerable to targeting and hacking—and they’re correct. What’s more, respondents were unable to suggest long-term tenable solutions when asked how the U.S. can improve its election safety (which is understandable, given the complexity of the issue). It is alarmingly quick and easy to hack into U.S. voting systems; just ask the 11-year-old boy who earlier this year demonstrated how he could hack into a replica of the Florida state election website and change voting results in under 10 minutes.Full Article: Hacking Democracy: Vulnerable Voting Infrastructure and the Future of Election Security - Security Boulevard.
It’s been 18 years and several thousand lifetimes since the contested Bush-Gore presidential elections of 2000. Yet “hanging chads” are still haunting us — but not in the way you might think. Since states began introducing electronic voting machines and other technology in the voting process, digitizing various aspects of voting has been a boon for democracy in many ways. Online voter registration has supercharged get-out-the-vote efforts. ID scanning at check-ins helps reduce lines. And, of course, ballots submitted digitally allow for near instantaneous returns. But on Tuesday, there were reports in states across the country that problems with electronic voting machines were causing massive delays. “There are about a dozen states in which problems have been reported, specifically with electronic voting systems,” said Marian Schneider, president of the elections integrity organization Verified Voting. “The problems we’re seeing are diffuse. They don’t seem to be systemic. But in the localities that they’re happening, they’re impactful.” … “Our election administration is woefully underfunded,” said Schneider. “When we have problems on election day, you can trace it right back to resources.”Full Article: Why America is using glitchy electronic voting machines.
As key midterm elections approach, U.S. authorities are taking measures to make sure the balloting is secure and free of foreign influence. For years, a number of polling places have gone more high-tech with electronic voting machines. Fears about vulnerabilities in the systems, however, are turning eyes to a strikingly low-tech option — paper ballots. The United States largely moved away from paper ballots after the 2004 Help America Vote Act replaced lever and punch-card voting machines with Direct Recording Electronic, or DRE, systems. The reform was a direct result of the notoriously contested 2000 presidential election, which triggered weeks of recounts and multiple complaints about paper ballots in Florida. … The committee said many of the electronic voting systems are now outdated, and recommended all states go back to paper ballots — or, at least mandate that electronic machines produce a paper hard copy that can be audited.Full Article: Dozens of states tighten election security -- by going back to paper.
National: Complaints Allege Cruz, Kemp Benefitting from Faulty Voting Machines That Change Dem Ballots to GOP | Law & Crime
Early voters submitting ballots for hotly contested races in Texas and Georgia claim that their states’ paperless voting machines are changing their votes for Democratic candidates to Republican, or deleting them altogether. According to Politico, individuals, as well as civil rights groups, have filed complaints alleging that glitches are resulting in votes for Republican Sen. Ted Cruz (R-Texas) instead of his Democratic challenger Beto O’Rourke. There have also been complaints that votes have gone to Georgia’s Republican candidate for governor, Brian Kemp, instead of his Democratic opponent Stacey Abrams. Voting technology experts have said that this is not the result of foul play, but outdated, faulty systems that don’t even leave a paper trail of what happened. Kemp, who is currently the Georgia Secretary of State, has resisted past calls for the state to change voting systems. His state has used the same system since 2002. Texas only uses electronic machines in some counties, but there have been reports of ballots that were intended to be “straight ticket” votes for one party were changed to the other party.Full Article: Voters Complain Democrat Ballots Changed to GOP | Law & Crime.
There is a voting machine in J. Alex Halderman’s office, not a particularly large one, just an oversize computer tablet set into a plastic frame balanced on tubular legs. But Halderman’s office isn’t especially large, either, so the machine takes up an inordinate, almost clumsy, amount of space. The machine is a Diebold AccuVote-TSX. In the jargon of election machinery, it is a DRE, which is short for direct recording electronic: Voters touch the screen to make their choices, which are then logged in the AccuVote’s memory. This is not exotic technology. DREs have been used in American elections for three decades, and the AccuVote and similar machines are being used in some 30 states this fall, when voters are determining, among other things, which party will control one or both houses of the United States Congress and whether there will be any reasonable checks on the current administration. Halderman got his AccuVote-TSX on eBay. It cost him $94.90 from a seller in North Canton, Ohio, who by last spring had sold at least 40 other used AccuVote-TSXs and had at least 10 more for sale (by the last week of October, he either had sold out or gone out of business, as his listing was gone). Because Halderman is a computer scientist at the University of Michigan, he programmed his AccuVote to tally a two-candidate election for “greatest university” between Michigan and, of course, Ohio State.Full Article: How to Hack an Election | GQ.
With Election Day just hours away, we are seeing reports across the country that electronic voting machines are already inaccurately recording votes and questions are being raised about potential foreign interference after 2016. While the responsibility to deal with these issues falls to state election officials, here is a quick guide for how to respond to some issues on Election Day, along with a handy resource from our friends at Verified Voting indicating what equipment is used in each polling place across the nation. 866-OUR-VOTE: If you experience voter machine glitches, see voters being turned away from the poll, or run into other issues, report them to the nonpartisan Election Protection network. This is the only way that we can spot patterns, put pressure on election officials to respond and, in the long run, make the case for paper ballots and risk limiting audits. Since the first electronic voting machines were introduced, security experts have warned that they pose a risk of interference or simple malfunction that cannot be easily detected or corrected. If someone hacks the machines, they hack the vote. If the machines fail, the vote is wrong. The fix is clear: all elections must include paper backups and a settled-on process for real risk limiting audits. If voting machines are down, you should ask for an emergency paper ballot. Do not simply accept that you cannot vote—broken machines should not result in disenfranchisement.Full Article: What to Do When Voting Machines Fail | Electronic Frontier Foundation.
National: File-Sharing Software on State Election Servers Could Expose Them to Intruders | ProPublica
As recently as Monday, computer servers that powered Kentucky’s online voter registration and Wisconsin’s reporting of election results ran software that could potentially expose information to hackers or enable access to sensitive files without a password. The insecure service run by Wisconsin could be reached from internet addresses based in Russia, which has become notorious for seeking to influence U.S. elections. Kentucky’s was accessible from other Eastern European countries. The service, known as FTP, provides public access to files — sometimes anonymously and without encryption. As a result, security experts say, it could act as a gateway for hackers to acquire key details of a server’s operating system and exploit its vulnerabilities. Some corporations and other institutions have dropped FTP in favor of more secure alternatives. Officials in both states said that voter-registration data has not been compromised and that their states’ infrastructure was protected against infiltration. Still, Wisconsin said it turned off its FTP service following ProPublica’s inquiries. Kentucky left its password-free service running and said ProPublica didn’t understand its approach to security.Full Article: File-Sharing Software on State Election Servers Could… — ProPublica.
The scenario would go like this. On Tuesday, November 6, Americans tune to television sets and radio broadcasts, unlock their phones and keep an eye on their desktop screens, all waiting for the same thing: A definitive account of who has won what in the midterm elections. Throughout the night, election numbers shoot across their screens—live, preliminary return data pumped in from congressional and Senate races across the country, and key gubernatorial races, too. Then, around 10 PM EST, CNN anchors announce the network’s call: The Democrats have taken control of the House, winning 31 of the necessary 24 seats to successfully wrest control from Republicans. On camera, Van Jones and Anderson Cooper waste no time as they begin discussing the implications of the victory and how the midterm results have placed the Trump presidency in a new chapter of turmoil. But there’s a problem. Fox News analysts have just announced the opposite result: In an extraordinary turn of events, Republicans have managed to hang on to their majority by a single seat, retaining control of the House. It’s a major political upset, says Bret Baier, and a replay of Trump’s surprise victory in 2016. And yet for clients of the newswire Reuters, the results are simply opaque—with political analysts there reporting that control of the House, and several nail-biter gubernatorial and Senate races, still remain too close to call.Full Article: Could Hackers Give Us Another Bush v. Gore? | Washingtonian.
There likely isn’t a quick fix for complex U.S. election integrity challenges such as social-engineering interference on Facebook. Experts say there is a straightforward response, however, to vulnerable voting-machine software. The problem is that it involves cooperation in Congress. When the Senate failed to move the Secure Elections Act forward in August because of White House concerns over states’ rights, coupled with funding concerns, the United States lost its best chance this year of taking steps toward patching voting machines. The most recent federal dollars devoted to improving elections came from the Help Americans Vote Act of 2002, which was itself flawed because its authors failed to predict cybersecurity standards for voting machines. The idea of hackers infiltrating computerized voting machines at the time was “completely ridiculous,” says Margaret MacAlpine, a voting-machine security researcher and a founding partner of cybersecurity consultancy Nordic Innovation Labs. “The cybersecurity threat was more than science fiction at that point,” she says. And even now, as knowledge that the machines are vulnerable to hackers spreads, there is still a lack of political will to allocate the funds needed to replace them and ensure that new machines are secured against attacks, she says.Full Article: Securing voting machines means raising funds - The Parallax.
Heralded as the state voting system’s “most transformational reform to date,” the ability for Kentuckians to register to vote online also made them vulnerable to attack. A ProPublica investigation found that as recently as this week, a computer server powering Kentucky’s voter registration website was inadvertently exposing sensitive back-end files to hackers. Kentucky introduced online voter registration in 2016. At the time, Secretary of State Alison Lundergan Grimes said the move would pave the way for increased participation in elections. … “FTP is a 40-year-old protocol that is insecure and not being retired quickly enough,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., and an advocate for better voting security. “Every communication sent via FTP is not secure, meaning anyone in the hotel, airport or coffee shop on the same public Wi-Fi network that you are on can see everything sent and received. “And malicious attackers can change the contents of a transmission without either side detecting the change.”Full Article: Kentucky's online voter registration left system vulnerable to attack | National News | messenger-inquirer.com.
A few weeks ago computer scientist J. Alex Halderman rolled an electronic voting machine onto a Massachusetts Institute of Technology stage and demonstrated how simple it is to hack an election. In a mock contest between George Washington and Benedict Arnold three volunteers each voted for Washington. But Halderman, whose research involves testing the security of election systems, had tampered with the ballot programming, infecting the machine’s memory card with malicious software. When he printed out the results, the receipt showed Arnold had won, 2 to 1. Without a paper trail of each vote, neither the voters nor a human auditor could check for discrepancies. In real elections, too, about 20 percent of voters nationally still cast electronic ballots only. As the U.S. midterm elections approach, Halderman, among others, has warned our “outmoded and under-tested” electronic voting systems are increasingly vulnerable to attacks. They can also lead to confusion. Some early voters in Texas have already reported votes they cast for Democratic U.S. Senate challenger Beto O’Rourke were switched on-screen to incumbent Republican Sen. Ted Cruz. There’s no evidence of hacking, and the particular machines in question are known to have software bugs, which could account for the errors.Full Article: The Vulnerabilities of Our Voting Machines - Scientific American.
A national spotlight fell on Texas’ voting equipment last week after some voters complained that their votes on electronic voting machines had changed. State election officials chalked it up to user error. Critics alleged malfeasance or a software bug. The Austin-based company behind the machines says an important piece of context is missing from this debate: these machines are 16 years old. “It’s very much like someone calling Apple and asking for support on their iPhone 1,” said Steven Sockwell, vice president of marketing at Hart InterCivic. Most Texas counties last upgraded their electronic voting machines well over a decade ago, tapping billions in funds Congress approved to upgrade voting equipment around the country following election irregularities during the 2000 presidential election. Dozens of Texas counties purchased Hart’s eSlate machines. It’s those same machines that a number of voters attempted to cast straight-ticket ballots on last week only to hit a snag: when they reviewed their list of candidates on the summary screen, their choices were deselected or a candidate from an opposing party was selected.Full Article: Texas straight-ticket voting problems could be due to old machines | The Texas Tribune.
Texas voters experiencing issues with voting machines used in that state have been told by election officials that they are the problem, not the machines. The state says voters are inadvertently touching the machines in ways they shouldn’t, causing the machines to alter or delete their vote in the hotly contested senate race between Republican incumbent Ted Cruz and Democratic challenger Beto O’Rourke. But Dan Wallach, a computer science professor at Rice University in Houston who has examined the systems extensively in the past, told Motherboard in a phone interview that the problem is a common type of software bug that the maker of the equipment could have fixed a decade ago and didn’t, despite previous voter complaints. What’s more, he says the same systems have much more serious security problems that the manufacturer has failed to fix that make them susceptible to hacking. The problem involves eSlate voting machines made by Hart InterCivic—direct-recording electronic machines that use a dial and button for voters to make their selections. Voters turn the dial in the lower right corner of the machine to scroll through each race and page of a digital ballot, and press the “enter” button, located just left of the dial, to make their selections.Full Article: An Expert Explains Why Texas Voting Machines Are Switching Votes From Beto O'Rourke to Ted Cruz.
You could call it buyer’s remorse. Five US states went all in on electronic voting machines, and four of those states are poised to get out. Delaware, Georgia, Louisiana, New Jersey and South Carolina are the only states relying solely on voting machines that produce no paper record of an individual voter’s ballot. All but Georgia are on the cusp of swapping those out for new machines that print out a paper record of each completed ballot — and Georgia is under pressure to do the same. None, though, will be ready for next week’s determined the 2000 presidential election. … Hackers could also infiltrate the computers that tabulate results, as security experts found when they examined voting-related software at the annual Defcon hacking conference this year, and they could attack or alter the websites that announce winners. The Defcon experts also found half of US states are using voting machines that have known software vulnerabilities.Full Article: . It’s the next step in voting systems since Florida’s infamous hanging chads and butterfly ballots Electronic voting was going to be the future. Now paper's making a comeback - CNET.
To help shore up the nation’s election infrastructure, Congress repurposed $380 million of leftover funding from the 2002 Help America Vote Act into grant funding for states to improve election security. States collectively invested an additional $19 million in matching funds for the same purpose. States could use the grants to replace old voting machines, upgrade election-related computer systems to address vulnerabilities identified by the Department of Homeland Security, implement post-election audits, provide cybersecurity training for state and local election officials or other activities that are specifically tailored to addressing cybersecurity needs.According to the Election Assistance Commission, 41 states used 36.3 percent of those funds to directly improve election cybersecurity. An additional 27.8 percent of the funding went to purchase new voting equipment while another 13.7 percent went to upgrade voter registration systems. Only 5.6 percent of the funds were used to implement post-election audits. However, it’s important to understand that these upgrades and expenditures are expected to take place over the course of the next two to three years; relatively little of the work is being completed before the midterm elections.Full Article: Are elections any more secure than in 2016? -- GCN.
A software flaw can be just as damaging to the voting process as a hacker. That much is clear in Texas, where some early voters have claimed that machines are changing their votes in the midterm election. Keith Ingram, the Texas Director of Elections, said in an advisory that the problem is happening because voters are jumping the gun. The issue crops up if a voter selects the “straight party ticket” option, and then keeps pressing buttons before the page finishes loading on the screen, he said. “As a reminder, voters should always carefully check their review screen before casting their ballots,” Ingram said. … Electronic voting machine experts should expand their focus beyond looking for the kinds of flaws a hacker could exploit, and start looking for flaws that just make machines malfunction, said voting machine security expert Dan Wallach, a computer science professor at Rice University. “I would say that a decade ago we put a lot of focus on security bugs” he said. “Glitches have never received the same degree of attention.”Full Article: Software bugs could compromise midterm votes in Texas - CNET.
The future of voting should not involve your cellphone, according to a leading cybersecurity expert. In a first-of-its-kind pilot program, West Virginia will test blockchain encrypted mobile phone voting for members of the U.S. military. But Joe Hall, chief technologist and director of internet architecture at the Center for Democracy & Technology, warned that the plan presents a host of risks. “West Virginia has taken the ridiculous step of deciding that they’re going to not only vote on a mobile device, which in and of itself is just a bad idea, but use a blockchain mechanism, something associated with crypto-currency or bitcoin,” Hall told Grant Burningham, host of the Yahoo News podcast “Bots & Ballots.” In a September interview with Burningham, venture capitalist Bradley Tusk argued that his foundation’s plan to test cellphone voting was a way to boost voter participation in the U.S. However, Hall believes the risks outweigh the possible benefits.Full Article: Blockchain voting too risky, cybersecurity expert says.
Since the adoption of electronic voting machines in the 1990s, election experts have argued that paper records are critical for auditing elections and detecting potential tampering with vote tallies. The issue gained new prominence following the 2016 elections, which spurred multiple investigations into allegations of Russian interference in the electoral process. In a panel discussion hosted by Princeton’s Center for Information Technology Policy (CITP), experts examined the state of U.S. election security. The moderator Ed Felten, the Robert E. Kahn Professor of Computer Science and Public Affairs and director of CITP, opened the discussion by noting that “Princeton has quite a bit of expertise in this area.” He cited two faculty members working in election technology and policy, Andrew Appel and Jonathan Mayer. Appel, the Eugene Higgins Professor of Computer Science, recently served as a member of the National Academies’ Committee on the Future of Voting, while Mayer, assistant professor of computer science and public affairs, recently developed bipartisan election security legislation as a staffer in the United States Senate. Also on the panel was Marian Schneider, a former Pennsylvania elections official and the president of Verified Voting, a nonprofit organization that aims to improve election security practices.Full Article: Experts assess voting security as midterm elections approach.
In March, officials from 38 states packed into a conference hall in Cambridge, Massachusetts, for a two-day election simulation exercise that was run like a war game. More than 120 state and local election officials, communications directors, IT managers, and secretaries of state ran drills simulating security catastrophes that could happen on the worst Election Day imaginable. The tabletop exercise began each simulation months before the Nov. 6 midterm elections, accelerating the timeline until states were countering attacks in real time as voters went to the polls. Organized by the Defending Digital Democracy (D3P) project at Harvard, a bipartisan effort to protect democratic processes from cyber and information attacks, the drills forced participants to respond to one nightmare scenario after another—voting machine and voter database hacks, distributed denial of service (DDoS) attacks taking down websites, leaked misinformation about candidates, fake polling information disseminated to suppress votes, and social media campaigns coordinated by nation-state attackers to sow distrust.Full Article: Under Attack: How Election Hacking Threatens the Midterms - PCMag UK.