Archives

Media Release: Verified Voting Applauds Oregon’s Senate for Passing Bill Requiring Robust Post-Election Audits to Verify Elections

Marian K. Schneider: “Oregon is leading the way towards better integrity and security with the passage of SB 944.”

The following is a statement from Marian K. Schneider, president of Verified Voting, on Oregon’s Senate passage of SB 944, offering counties the option to audit elections using a process known as risk-limiting audits, which are designed to bolster public confidence in elections. For additional media inquiries, please contact aurora@newheightscommunications.com  

“Oregon is leading the way towards better election integrity and security with the Senate’s passage of SB 944. This bill requires county clerks across the state to conduct audits after every election — not just general elections — and lets them choose between a partial hand count and risk-limiting audits (RLAs). An RLA examines a sample of the paper ballots to check if the election outcome is correct. RLAs provide strong evidence when election outcomes are correct, and have a guaranteed large chance of correcting wrong outcomes, or outcomes that are wrong because of counting errors. Read More

International: 1 in 5 elections faced foreign cyber interference | Dylan Bushell-Embling/Technology Decisions

One in five national elections held worldwide since 2016 were potentially influenced by foreign interference, according to a joint report from the Australian Strategic Policy Institute (ASPI) and IT industry professional association ACS. An analysis of 97 national elections and 31 referenda that have been held since the 2016 US presidential election identified 20 countries with clear examples of foreign interference, including Australia. The analysis was limited to countries considered to be free or partly free countries. These incidents ranged from cyber attacks to voter registration systems, to DDoS attacks to national election commissions, to the use of Facebook to spread disinformation and discourage voter turnout. Read More

Counting Votes: Election Cybersecurity Legislation Hits a Wall, RobinHood Visits Baltimore, and of course Florida

“According to a joint report from the Australian Strategic Policy Institute (ASPI) and IT industry professional association ACS, one in five national elections held worldwide since 2016 were potentially influenced by foreign interference, … “Democracies around the world have been struggling to grapple with foreign interference from state actors during elections,” International Cyber Policy Centre head Fergus Hanson said. “More empirical data means they can respond in a more targeted way calibrating policy responses to the likely risk, methods and adversary.” Technology Decisions

In an extensive Roll Call article this morning, Gopal Ratnam reports that despite the best intentions of election officials and many lawmakers, in 2020 many jurisdictions will be using “voting machines that are woefully outdated and that any tampering by adversaries could lead to disputed results.”

In addition to eliminating direct recording electronic (DRE) voting machines and requiring routine post-election audits, many of the legislative efforts have addressed cybersecurity vulnerabilities in voting systems. Edgardo Cortés, election security advisor at the Brennan Center for Justice, noted, “In some sense, anything that has an internet connection can be hacked.” Wireless capability, even if the functionality can be turned off through hardware or software, poses risks of remote access by adversaries, he said.

Verified Voting President Marian Schneider explained in the article that beyond prohibiting voting equipment that can connect to the internet, “machines may still need to have some type of wireless communication system so that administrators can upload new ballot information ahead of each election. Some counties and precincts insert manual cartridges into machines to upload ballot information, but others push out that information wirelessly because it’s easier.”

“The software on new models of voting machines would also need routine updates, and that would require some type of connectivity,” Schneider continued, “the question is, how you do it safely? Because we can’t reduce the risk to zero, we need to do audits to check the results after. Post-election audits, in which samples of cast paper ballots are recounted, are considered the gold standard for verifying election results, but few states conduct them.”

The concern over election cybersecurity was reflected in the many federal election cybersecurity related bills that have been introduced in the past several days. Those bills met an icy reception yesterday, as Senate Rules Committee Chairman Roy Blunt (R-MO) said he doesn’t expect to hold hearings on any election security bills this Congress because he doesn’t think Senate Majority Leader Mitch McConnell (R-KY) will bring them to a floor vote.

On May 10 House Democrats introduced the Election Security Act, portions of which were included in H.R. 1, the For the People Act, an omnibus bill including a broad range of electoral reforms. Last Tuesday, a bipartisan group of senators introduced the Voting System Cybersecurity Act, which would require a cybersecurity expert from the Department of Homeland Security (DHS) be included on the committee tasked with developing voluntary voting system guidelines as part of the effort to make U.S. elections secure.

On Wednesday, Sen. Ron Wyden (D-OR) and a group of 12 other senators introduced a bill to mandate the use of paper ballots in U.S. elections and also ban all internet, Wi-Fi and mobile connections to voting machines in order to limit the potential for cyber interference. And on Thursday, Sen. Amy Klobuchar introduced a Senate companion for the Election Security Act, which has garnered the support so far of 38 co-sponsors, all Democrats or independents.

The EAC: Understaffed and Underfunded

With deadlines to complete a new iteration of the VVSG fast approaching, and forced to meet other responsibilities on a shoestring budget and short staff, the EAC commissioners visited the Hill last week seeking increased funding. Comparing the EAC’s role in working on “the infrastructure of our democracy,” the Commission’s vice chairman, Benjamin Hovland, told the committee, “What we need is an investment from Congress to help us do that work.” Hovland noted that “The commission’s budget request for fiscal 2020 is $7.95 million, which is about $1 million less than 2019 and lower than the annual money set aside by Kansas City, Missouri, to fix its potholes.”

“With additional resources, the EAC would have the opportunity to fund additional election security activities within its election technology program,” said McCormick. “There is no shortage of ambition at EAC when it comes to supporting this work, but there is a stark shortage of funds for such activities.”

Derek Johnson, writing for FCW, notes that the “EAC’s budget has been chopped in half over the past decade, and the Trump administration has proposed further cuts in its 2020 budget.” At the hearing McCormick revealed that the EAC doesn’t have any full-time employees dedicated to election security work and only four full-time employees working on certification of voting machines.

[Earlier today in CyberScoop, Sean Lyngaas reported that the EAC had added Jessica Bowers, a former executive at Dominion Voting Systems, and Paul Aumayr, a former Maryland election official, to its voting system certification program staff.]

Last month, a group of 31 Democratic Senators led by Rules Committee ranking member Amy Klobuchar (D-Minn.) sent a letter to the Senate Appropriations Committee urging them to fund the EAC at Fiscal 2009 levels, when it had nearly fifty employees and a budget of just under $18 million, citing cybersecurity as a top concern.

“As you know, our state and local government partners face significant and sophisticated cybersecurity threats from foreign actors,” the Senators wrote. “Against this backdrop, it is critical that our nation’s election officials have the support they need from the federal government in modernizing their voting systems, and the EAC has a responsibility to maintain a high-functioning certification program.”

Florida: Who Got Hacked?

Joseph Marks wrote in the Washington Post about the frustration expressed by Florida lawmakers learning that the FBI took more than two years to acknowledge Russian hackers had penetrated some of the state’s voter database. “This lack of transparency is counterproductive,” Rep. Stephanie Murphy (D) complained. “I’m really concerned that it can erode public confidence in the integrity of our elections almost as much as the actual hacking did.”

The Mueller Report noted that the FBI had determined two Florida counties had been hacked, but the identities have not been released. Explaining their cloak-and-dagger secrecy, the FBI says it defines the counties themselves — as opposed to the actual voters within them — as the victims of the hack. Therefore, it’s up to the counties involved to disclose their own identities, as reported by Marc Caputo at Politico.

Rep. Michael Waltz (R-FL), who was briefed with other congressional members Thursday about the counties’ identities, objected, “Basically, what they’re classifying as the ‘victim’ — which is the elections official — is a mischaracterization in and of itself. The victim is the voter.”

David Smiley at the Tampa Bay Times suspects that nearly identical “jargon-filled non-denials” issued by Washington and Sumter Counties might be clues.

The NGA Cybersecurity Summit in Shreveport and RobinHood in Baltimore

Dan Lohrmann reported for GovTech on the third National Governors Association National Summit on State Cybersecurity held in Shreveport, LA. In his keynote presentation, DHS cybersecurity director Chris Krebs described the actions of Russia in 2016 as “game-changers in the history of cybersecurity, because the hacking was not just for data, but was an attempt to undermine democracy.” While noting progress on election cybersecurity, Mr. Krebs cautioned that in addition to threats from nation-states, “ransomware and a host of other cyber trends were top priorities.”

On the subject of ransomware, the RobinHood ransomware attack on the Baltimore city government has prompted the creation of a Committee on Cybersecurity and Emergency Preparedness, even as the city works to restore the systems taken down by the debilitating attack, Maggie Miller wrote in The Hill. The attack took down several of the city’s services last week, including the Department of Elections. As Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, told Mindy Moretti in electionline Weekly, “Ransomware is unfortunately one of the more challenging cybersecurity threats that election offices might face.”

Hall recommended that election offices keep all software updated and back up critical systems, but observed that “Updating software may sound easy, but if an elections office has dependencies such as relying on the wider city or county infrastructure, this may be out of the election office’s hands and they may not be able to demand that the software they are using is updated as soon as new updates are available.”

Threats to EU Elections

Responding to concerns by European and U.S. officials over cyber-attacks related to election meddling and intellectual property theft, the EC last week agreed on “new rules that will grant it authority to impose travel bans and asset freezes against individuals responsible for cyber-attacks that pose a significant threat to the bloc.”

 

The EU Parliament election this weekend will be the first since Russia’s disinformation campaign aimed at the 2016 US presidential election put other nations on high alert for similar behavior. Earlier this year, the security firm FireEye reported that Russian hackers had been targeting European government agencies, as well as media outlets in France and Germany.

Election Cybersecurity in Indonesia

The Jakarta Globe interviewed Fernando Serto, director of security technology and strategy at Akamai APJ, about efforts made by Indonesian officials to address the threat of election cyberattack. Noting that cybercrimes often happen during elections all over the world, Serto said “This is not unique to Indonesia; every time a country holds an election, we see a lot of hacking activity. We’ve seen it happen during elections in the Philippines and the US.”

“We see a lot of hacktivists, people who disagree with the policies of a particular candidate, trying to hack into their official website and put very aggressive messages on it,” Serto continued. “The role of the government is crucial in preventing hacktivists from creating cyber chaos during elections.”

National: Technology has made voting lines move faster but also made elections less secure | Miles Parks/NPR

From 8 a.m. to noon on Election Day last November, voting in Johnson County, Ind., ground to a halt. Lines at precincts across the county, just south of Indianapolis, swelled. Some voters waited hours to cast a ballot; some left furious that they were unable to do so. “People weren’t happy. People had to leave and go to work,” said Cindy Rapp, the Democratic member on Johnson County’s election board. The county votes on electronic voting machines, which don’t provide a paper trail — something cybersecurity experts vehemently warn against. But those machines weren’t what caused the issue in November. Instead, the problem came from the computer system, known as an electronic poll book, that poll workers were using to check people in. Increasingly, more and more states and voting jurisdictions are using these systems to speed up and improve in-person voting. According to federal data, nearly half of all voters who voted in person in 2016 signed in at their polling place using an electronic poll book. That’s up from 27 percent just one presidential election prior. Like many issues surrounding elections, moving from paper to a digital process may bring convenience, but it also brings big questions about security and reliability. Read More

National: Republicans make alleged conservative bias top priority at election security hearing | Cat Zakrzewski/The Washington Post

Google, Facebook and Twitter executives came to Capitol Hill to testify about election security. Instead they faced a grilling about whether their platforms are biased against conservatives. A string of Republicans on the House Oversight and Reform Committee skipped questions about how the companies were tackling disinformation campaigns or preventing Russians from purchasing political ads on their platforms in the run-up to the 2020 election. They were more interested in whether Facebook and Twitter were “shadow-banning” — quietly blocking or restricting — conservatives’ accounts on their platform. “The minute you start putting your hand on the scale of freedom and justice to tilt it one way or another, quite frankly we’ve got to act as members of Congress,” warned Rep. Mark Meadows (R-N.C.). The technology executives vehemently denied that they engage in shadow banning. There is no evidence that the platforms have been systematically biased against one political party. Read More

National: U.S. House bill would require feds to notify public of election hacking | Benjamin Freed/StateScoop

Two members of the U.S. House of Representatives from Florida said Thursday they will introduce a bill that would require federal officials to inform Congress, state and local authorities and the public if an election-related computer system is hacked. The measure, from Democrat Stephanie Murphy and Republican Michael Waltz, comes as a response to federal authorities’ refusal to publicly name the two Florida counties where voter registration databases were successfully breached by Russian military intelligence hackers during the 2016 presidential election. Under the bill, text of which has not yet been released, federal law enforcement and cybersecurity authorities who detect unlawful access of election systems would be required to “promptly” notify the relevant state and local officials, as well as members of Congress representing the targeted jurisdiction. In turn, state and local officials would be obligated to notify any potentially affected voters. Read More

Editorials: There’s Bipartisan Support for Election Security. Mitch McConnell Won’t Let It Happen. | Lawrence Norden/Slate

Robert Mueller’s first public comments about the Russia investigation Wednesday had everyone from Fox News to the New York Times reporting that House Democrats would now feel increased pressure to begin an impeachment inquiry against the president. No doubt, the question of whether Donald Trump obstructed justice and should be subject to impeachment is of critical importance to Congress and the nation. But Robert Mueller also began and ended his comments with another issue that he said “deserves the attention of every American.” Namely, that a foreign government made multiple, systematic attempts to interfere in our elections. Congress is not doing enough to prevent it from happening again, despite ongoing attempts to sound the alarm by cybersecurity experts, intelligence agencies, and Robert Mueller himself. By the next presidential election, the Russians will have had four years to leverage the knowledge they gained in 2016. That could mean even more harm the next time around. That harm will no doubt include more disinformation on social media and potential attacks on our election infrastructure. And there is every reason to believe other nation-states will now get in on the game. Read More

National: Mueller remarks put renewed focus on election security bills | Maggie Miller/The Hill

Legislation aimed at securing U.S. elections got an unexpected shot in the arm this week when Robert Mueller devoted a fair share of his first remarks on the Russia probe to the threat posed by foreign actors seeking to undermine democracy at the ballot box. Election security bills have been languishing in Congress for months, due in large part to Republicans who do not want to shine a light on Russia’s actions and risk the fury of President Trump. The president weighed in on the issue Thursday, telling reporters that “we are doing a lot, and we are trying to do paper ballots as a backup system as much as possible, because going to good old-fashioned paper in this modern age is the best way to do it.” Those remarks came after he said Russia did not help him secure the presidency — his first on-camera response to Mueller’s comments, though he tweeted earlier in the day that Russia helped him win the election. The president’s comments came a day after Mueller shined a spotlight on Russia’s attempts to interfere in the 2016 U.S. presidential election. Mueller emphasized that “the central allegation of our indictments” was “there were multiple, systematic efforts to interfere in our election.” He ended his 10-minute statement by saying this “deserves the attention of every American.” Read More

Texas: Embattled elections chief on brink of losing job | Paul J. Weber & Jim Vertuno/Houston Chronicle

Texas’ embattled elections chief who wrongly questioned the U.S. citizenship of tens of thousands of voters was on the brink of losing his job Sunday, while Republican lawmakers prepared to head home hoping to save their own in 2020. Secretary of State David Whitley appeared set to go down without a public fight in the final hours of an unusually quiet session of the Texas Legislature, where a weakened GOP majority this year showed little appetite for partisan battles over signs their grip on the Capitol is slipping. Whitley, a former top aide of Republican Gov. Greg Abbott, can’t stay in office unless the state Senate confirms his nomination before the session ends Monday. But his prospects were dimming by the minute as Democrats continued blocking a vote on his confirmation, as they have done since February. That was after Whitley’s office rolled out a bungled scouring of voter rolls that flagged nearly 100,000 voters as potential noncitizens. President Donald Trump seized on the news out of Texas to renew his unsubstantiated claims of widespread voter fraud, but within days, it became clear the data used was deeply flawed. Read More

Editorials: What if 2020 election is disputed? | Edward Foley/The Hill

Speaker Nancy Pelosi was correct when she recently said that the best way to avoid a disputed election is for the result to be a blowout. But that is a hope, and we need a plan. If the midterm elections are any indication, the number of states with razor thin majorities is increasing. With partisan distrust on the rise, the result could be a constitutional standoff, a loss of democratic legitimacy for the outcome, and even violence stemming from anger. We need to agree in advance on procedures for resolving electoral disputes that determine the winner of the presidential election next year. Read More

National: Keeping voting security standards from bureaucracy | Derek B. Johnson/GCN

Although the security updates to the Election Assistance Commission’s new Voluntary Voting System Guidelines 2.0 are sorely needed, its approval and updating process can’t keep up with the technological changes. Later this year, the full commission is expected to vote to approve a five-page document outlining principles that will guide the development of VVSG 2.0, including a new emphasis on security. At a May 21 hearing, however, a number of stakeholders advised the agency to refrain from requiring a full vote to approve the technical portions of the guidelines, saying it could keep the latest technology from being incorporated into voting machine standards. “We cannot wait weeks or months for a decision on a federal level when there’s a need to act immediately,” Iowa Secretary of State Paul Pate said. “I’m asking all of you to have a dialogue about what happens if we run into that situation again when there is not a full quorum on the EAC. How will decisions be made, and will that make it more difficult for state election officials to protect the security and integrity of the vote?” Read More

National: Top Republican says Senate unlikely to vote on any election security bills | Maggie Miller/The Hill

Sen. Roy Blunt (R-Mo.), a member of Senate GOP leadership, said Wednesday that the chamber is unlikely to vote on any election security legislation, despite requests from a federal agency for more funding to improve election systems nationwide. Blunt made the remarks at a Senate Rules Committee hearing where Election Assistance Commission (EAC) officials highlighted what they said is an urgent need for more resources. His comments were in response to Senate Minority Whip Dick Durbin (D-Ill.) pointedly asking during the hearing whether the Rules Committee, chaired by Blunt, would mark up any election security bills already introduced this Congress. “At this point I don’t see any likelihood that those bills would get to the floor if we mark them up,” Blunt said. When Durbin asked why that was the case, Blunt said, “I think the majority leader is of the view that this debate reaches no conclusion. And frankly, I think the extreme nature of H.R. 1 from the House makes it even less likely we are going to have that debate.” Read More

National: Americans may vote in 2020 using old, unsecured machines | Gopal Ratnam/Roll Call

The first primary in the 2020 presidential race is a little more than 250 days away, but lawmakers and experts worry that elections will be held on voting machines that are woefully outdated and that any tampering by adversaries could lead to disputed results. Although states want to upgrade their voting systems, they don’t have the money to do so, election officials told lawmakers last week. Overhauling the nation’s election systems would mean injecting as much as $1 billion in federal grants that would then be supplemented by states, but top Senate Republicans have said they are unlikely to take up any election security bills or give more money to the states. The deadlock could mean that even as federal government and private companies spend tens of billions of cybersecurity dollars annually to protect their computers and networks from attacks, the cornerstone of American democracy could remain vulnerable in the upcoming elections. Read More

National: EAC rattles the cup on Capitol Hill | Derek B. Johnson/FCW

For the first time in nearly a decade, the Election Assistance Commission has a full slate of commissioners in place. Now, with the agency sitting at the center of several key election security debates, they’re asking Congress to make their budget whole too. At a May 15 Senate Rules Committee hearing, Christy McCormick, who chairs the EAC, said the commission is at “a critical crossroads with regard to having sufficient resources necessary to better support state and local election administrators and the voters they serve” and asked members of Congress for more funding. “With additional resources, the EAC would have the opportunity to fund additional election security activities within its election technology program,” said McCormick. “There is no shortage of ambition at EAC when it comes to supporting this work, but there is a stark shortage of funds for such activities.” Read More

National: EAC hires 2 tech experts for testing and certification program | Sean Lyngaas/CyberScoop

The U.S. Election Assistance Commission has added two experienced hands to its voting system certification program amid concerns it had a shortage of technical experts overseeing election infrastructure. The agency is staffing up its crucial certification program by hiring Jessica Bowers, a former executive at Dominion Voting Systems, one of the country’s three largest voting system vendors, and Paul Aumayr, a former Maryland election official. Both new hires will work as senior election technology specialists. In an email announcement to staff obtained by CyberScoop, EAC Executive Director Brian Newby touted Bowers and Aumayr’s technical acumen. Bowers has “over 18 years of software development and product support experience,” while Aumayr is a “Microsoft-certified systems engineer,” Newby wrote. Read More

National: Here’s how the military’s hacking arm is gearing up to protect the 2020 election | The Washington Post

Russia viewed the midterm elections as a “warm-up” for 2020. The U.S. military’s hacking division is treating it that way, too. In the run-up to the presidential election, U.S. Cyber Command is surging election defense efforts that proved useful during the midterms, officials told reporters Tuesday — including probing allies’ computer networks to glean insights about Russian threats. Cybercom is also working more closely with election defense teams at the Department of Homeland Security and the FBI, and with industry sectors that are targeted by Kremlin hackers and might have early warnings about threats facing the election, my colleague Ellen Nakashima reported from that briefing. “Our goal is to have no interference in our elections,” said Maj. Gen. Tim Haugh, who heads the command’s cyber national mission force. “Ideally, no foreign actor is going to target our electoral process.” Cybercom is the only outfit among the myriad federal state and local government agencies tasked with protecting the 2020 election that is allowed to punch back against Russian hackers — and it’s using its new authorities granted during the Trump administration to be more aggressive in cyberspace. Read More

Florida: Florida lawmakers rail against FBI for secrecy on voter breaches | Joseph Marks/The Washington Post

Florida lawmakers are railing against the FBI for taking more than two years to acknowledge Russian hackers penetrated some of the state’s voter files — and for remaining mum about which voters were affected. The long delay signals to voters in Florida and elsewhere that the government won’t level with them if and when their votes are manipulated, the lawmakers say. And that lack of public faith could do just as much damage as the Russian hacking and disinformation operation that upended the 2016 election and cast doubts on the legitimacy of President Trump’s victory. “This lack of transparency is counterproductive,” Rep. Stephanie Murphy (D) told me. “I’m really concerned that it can erode public confidence in the integrity of our elections almost as much as the actual hacking did.” Read More

Florida: Which Florida counties were hacked? Maybe these non-denial denials are a clue. | David Smiley/Tampa Bay Times

Ever since a leaked classified intelligence document revealed that Russian hackers had tried to access Florida’s elections networks in 2016 by crafting malware-laced emails made to look like they came from a software vendor, reporters all over the country have been searching for electronic correspondence sent three years ago to the state’s 67 elections offices. But could emails crafted by the elections offices themselves hold the clue to determining which two jurisdictions were in fact hacked? This week, in response to hacking questions sent to every supervisor of elections in the state by the Tampa Bay Times and Miami Herald, two offices issued the same legalistic non-denial. Almost word-for-word, they gave the same response when asked if their voter registration networks were hacked in 2016, explaining that they could not answer questions because to do so could “directly or indirectly” help determine the answer — which has been deemed classified by the FBI. It now turns out that at least one of those two offices was, in fact, hacked. Read More

Louisiana: States Explore Opportunities at National Summit on Cybersecurity | Dan Lohrmann/Government Technology

The National Governors Association Center for Best Practices held their third National Summit on State Cybersecurity from May 14-15, 2019 at the Shreveport Convention Center. The unique event convened state homeland security advisors, chief information officers, chief information security officers, governors’ policy advisors, National Guard leaders, and others from all 55 states and territories to explore cybersecurity challenges and promising practices. Over the course of two days, participants engaged in a series of interactive sessions and breakouts to discuss countering the newest threats, disruption response planning, workforce development, and much more. … The sessions were packed with best practices, case studies, opportunities for improving cybersecurity in different areas and much more. Read More

Maryland: Baltimore creates cybersecurity review panel following ransomware attack | Maggie Miller/The Hill

Baltimore City Council President Brandon Scott announced the creation of a Committee on Cybersecurity and Emergency Preparedness on Thursday, as the city works to restore the systems taken down by a debilitating ransomware attack last week. “This cyber attack against Baltimore City government is a crisis of the utmost urgency,” Scott said. “That is why I will convene a select committee, co-chaired by Councilman Eric Costello and Councilman Isaac ‘Yitzy’ Schleifer, to examine the City’s coordination of cybersecurity efforts, including the Administration’s response to the cybersecurity attack and testimony from cybersecurity experts.” A type of ransomware known as “RobinHood” took down several of the city’s services last week, including some of the capabilities of the Baltimore City Department of Transportation, the Department of Public Works, and the Department of Finance. The city is also currently unable to send or receive email. Read More