A voting system certified and tested earlier this year for use in North Carolina’s March 2020 primaries won’t be available, according to manufacturer Elections Systems and Software, so the company’s lobbyists have suggested the state quickly approve one of its other systems instead. While the N.C. Board of Elections director has recommended going along with the vendor on the substitution, others see the move as a deceptive bait and switch. One Board of Elections member, Stella Anderson, has objected to the situation, thereby forcing the board to convene a special meeting on the issue. She and others have questioned the integrity of the company and suggested both ES&S and board staff have used language that understates the significance of the difference between the two systems and misrepresents federal government requirements for approving such modifications to voting systems. ES&S has been trying to get its EVS voting system certified in North Carolina since 2017. Litigation between the Republican legislature and the Democratic governor, the 9th Congressional District ballot fraud scandal in 2018, and the resignation of the former Board of Elections chairman delayed certification of the new system until the 11th hour.
The Voting News
National: The voting machine certification process is making it harder to secure elections | Chris Iovenko/Slate
A judicial election in Northampton County, Pennsylvania, in November produced a literally unbelievable result. About 55,000 votes were cast on newly purchased electronic voting machines, but only 164 votes were registered for the Democratic candidate. Luckily, the touch-screen machines produced a backup paper trail, which allowed for an accurate recount. Ultimately, the Democrat won by some 5,000 votes. The root cause of this systemic vote switching is still under investigation. Whatever the case, though, the mass malfunction of these machines highlights the reliability and security issues around electronic voting systems that are mostly already primed for use in the 2020 elections. As disturbing as the Northampton County miscount is in its own right, it throws into relief a grave general issue that applies to voting systems across the country. One would hope that whatever glitch or virus, once identified, that caused the massive malfunction will be quickly and easily fixed, patched, or updated so that those machines can be relied upon to work properly going forward. Further, one would also assume that other vulnerable voting systems around the country will be updated prophylactically to prevent similar malfunctions in next year’s elections. However, neither of those things is very likely to happen. Our current regimen for certifying electronic voting systems makes changing or updating election systems in the run-up to an election very difficult—and as Election Day 2020 gets closer, that maintenance becomes virtually impossible.
The U.S. federal government subjects nearly every industry to a slew of operational rules and regulations. Defense contractors are prohibited from utilizing certain Chinese telecommunications companies like Huawei in order to prevent theft of the nation’s military technology. Power companies must abide by mandatory reliability standards and report any attempted or successful breaches of their systems to a federal commission. National banks implement federally required security procedures to prevent robberies. These sectors are meticulously managed with hundreds of requirements specifically because the Department of Homeland Security considers them so vital that their incapacitation would have a “debilitating effect” on the country as a whole. But when it comes to elections, a cornerstone of American democracy, the vendors whose voting equipment is used throughout the country largely lack the level of federal oversight and direction that protect other critical infrastructure industries from domestic and foreign interference.
National: What Is Election Hacking, and Can It Change Who Wins? | Kartikay Mehrotra & Andrew Martin/Bloomberg
Americans have relied on computers to tally votes since at least 1964, when two Georgia counties used them to count punch-card ballots in a primary election. Over time, high-tech election systems largely supplanted paper ballots and gear-and-lever machinary, a trend hastened by the contested 2000 presidential election between George W. Bush and Al Gore. (Remember hanging chads?) But ever-greater reliance on digital voter registration, electronic voting and computerized tabulation have created the opportunity, at least, for hackers to sabotage elections, and Americans aren’t the only ones who are fearful.
1. What is meant by ‘election hacking’?
It’s sometimes used as a catch-all phrase to encompass all sorts of underhanded efforts to subvert elections, including the type of social media disinformation campaign undertaken by Russia to taint elections in the U.S., Europe and Africa. But in its most literal form, election hacking refers to computer breaches that are intended to manipulate voter data, change a vote tally or otherwise discredit tabulated results.
ary Scott can tell you a lot about the internet. Or rather, how little of it his machines are connected to. “There’s always some barrier between these machines and any online systems,” said Scott, the general registrar and director of elections for Fairfax County, Virginia. Standing next to one of several DS200 voting machines set up for training purposes in the Office of Elections in Fairfax County, he emphasized that none of the fleet of voting machines he oversees have ever been connected to the internet. Neither have any of the computers used to program them, nor the machines that will receive the final vote count. The most surprising piece of technology involved in Fairfax’s voting approach might well be the oldest one: paper. “We got a lot of resistance from the public because they wanted to know why we were going ‘backwards’ to paper, but it’s a much more secure method of doing it,” Scott said. Fairfax County initiated a move toward paper ballots years before Virginia decertified paperless voting machines across the state, aligning with the latest shifts in thinking about election security—both in the U.S. and abroad. The embrace of paper by districts like Fairfax marks a change in the nationwide trend toward electronic voting infrastructure that can be traced back to the Help America Vote Act of 2002.
National: Ukraine claims threaten Senate consensus on Russian hacking | Joseph Marks/The Washington Post
A tenuous Senate consensus on the dangers of Russian election hacking is being threatened by the GOP’s embrace of President Trump’s debunked argument that Ukraine also interfered in 2016. Numerous Senate Republicans promoted that argument this week, bucking the conclusion of U.S. intelligence officials and ignoring warnings the claims are part of a Kremlin-backed effort to muddy the waters on Russia’s own interference. “There’s no question in my mind Ukraine did try to influence the election,” Sen. John Neely Kennedy (R-La.), one of Trump’s most vocal supporters on the issue, said yesterday. Senate Democrats also struck back. “The only people who are advancing the discredited theory about Ukraine and intervention are part of the continuing Russian disinformation campaign,” Sen. Mark R. Warner (Va.), ranking Democrat on the Senate Intelligence Committee, said. The conflict is a sea change for the Senate, which has generally maintained a bipartisan consensus on the singular damage caused by Russia’s 2016 hacking and disinformation campaign and the danger of a repeat in 2020 — even as House GOP lawmakers have proved far more willing to follow Trump’s lead in questioning Russia’s role in the attacks and embrace conspiracy theories. The shift could prove especially damaging as the legislative clock ticks down to 2020. The Senate is still considering election security measures, including providing more money for states to upgrade their voting systems and to impose new transparency requirements on political advertisements.
New research shows that email is still a weak link in U.S. election infrastructure, with only five percent of the nation’s largest counties protecting election officials from impersonation attempts. The latest research from Valimail finds that an “overwhelming majority of cyberattacks can be traced to impersonation-based phishing emails,” with 90 percent of attacks involving phishing, and 89 percent of phishing involving impersonation. Valimail looked at Sender Privacy Framework (SPF) and Domain-based Message Authentication, Reporting & Conformance (DMARC) status for 187 domains that were used by election officials in each state’s three largest counties. The researchers then sought to determine whether each domain is protected from impersonation attacks by a correctly configured DMARC record with a policy of enforcement.
Florida: Website hack could be as bad as vote attack, warns Florida official | Mary Ellen Klas/Tampa Bay Times
Florida’s top election official on Tuesday warned that attackers could attempt to disrupt elections without even breaking into the voting systems — by simply changing the results on election websites. Secretary of State Laurel Lee told the governor’s Cybersecurity Task Force that Florida’s elections tabulation system is secure, but state and county elections websites “are far more vulnerable to being attacked or defaced and pose a very real threat, not of changing election results, but of undermining voter confidence.” “If our website is defaced such that it reflects that the losing candidate won, and I have to go out the next morning and explain to the press and the public that the actual winner was the other candidate, we’ve lost critical public trust,’’ Lee told the group meeting at Florida International University in Miami. To address that possibility, Lee said the department is “working very hard to secure those sites and stay on top of evolving threats and tactics to keep them secure.”
Georgia: Groups warn of hidden costs of new Georgia voting machines | Mark Niesse/The Atlanta Journal-Constitution
Georgia taxpayers could be saddled with tens of millions of dollars in hidden costs for new voting machines, according to calculations released Wednesday by three groups critical of the state’s election spending. The groups, which span the political spectrum, said a $104 million contract for a new statewide voting system fails to provide enough money for voting machines, equipment, software and personnel, resulting in an estimated $82 million shortfall. The Georgia secretary of state’s office responded that the groups’ estimates are incorrect, the voting system is within its budget, and the state government has already ordered 3,000 additional machines to meet voters’ needs. The cost analysis was produced by Fair Fight Action, a voting rights group founded by former Democratic nominee for governor Stacey Abrams; FreedomWorks, which advocates for free markets and small government; and the National Election Defense Coalition, an election security organization. “By imposing this unfunded mandate, the secretary of state has put all 159 counties in a position of either enacting massive local tax hikes or facing widespread lawsuits at taxpayer expense,” said Jason Pye of FreedomWorks.
Ohio: Russian-owned company caught trying to hack Ohio voting systems on Election Day | Igor Derysh/Salon
A Russian-owned company tried to hack the Ohio office that oversees the state’s voting systems on Election Day, according to Ohio Secretary of State Frank LaRose. LaRose told the Columbus Dispatch that the state’s internal systems detected an “SQL injection” attack that attempted to insert malicious code onto his office’s website. LaRose said that the attack originated in Panama but was traced back to a Russian-owned company. He downplayed the attempted hack as “relatively unsophisticated.” “Some of these unsophisticated attacks are ways that they probe for vulnerabilities. They are poking around for soft spots,” LaRose explained. He went on to credit the state’s “Albert” alert system that quickly identified the attack. “The good guys won that day and the bad guys lost,” he said. LaRose said that similar attacks are designed to disrupt or undermine the credibility of elections but he is confident that hackers cannot access voting machines because they are not connected to the internet. LaRose’s announcement came several months after Florida Gov. Ron DeSantis revealed that Russian hackers had breached the voting systems of two counties in the state in 2016, though he said there was “nothing that affected the vote count.”
Northampton County’s voting-machine vendor will report next week on what went wrong during the November election and how it can be fixed. The ExpressVote XL machines used Nov. 5 led to long lines and frustration at the polls because the touchscreens were too sensitive and the backup paper ballots were hard to read. Election Systems & Software (ES&S), maker of the machines, will be at Northampton County Council’s next meeting. “ES&S was in Northampton County today reviewing our voting systems,” County Executive Lamont McClure told the council at its Thursday meeting. “They will come next Thursday and tell you what they found and the fixes.” The next council meeting will be Dec. 12 at 4:30 p.m. at the government center. McClure and Council President Ronald Heckman have insisted that ES&S identify and fix what went wrong before the next election. The county paid $2.88 million for the machines after Gov. Tom Wolf required systems across Pennsylvania that would thwart hacking and provide a backup paper trail. Despite the problems, McClure has said the election was fair and accurate because the backup worked.
Pennsylvania: Misplaced votes mean new rules for Erie County poll workers, officials | Matthew Rink/GoErie
After the polls closed on Nov. 5, poll workers at Kury Hall in Millcreek Township suspected that something was amiss. Like all poll workers at the county’s 149 precincts, they were responsible for inserting a device called a PEB that records the votes from a flash drive on each machine and “closes out” the machine so that no additional votes can be recorded. When the PEB generated the results at Millcreek’s 4th Precinct, though, poll workers suspected that it had shown too few votes. “They had some sense that their number of total votes wasn’t correct,” Erie County Clerk Doug Smith said. “But they thought it would all come out in the wash. They didn’t think it was a serious thing and that we would catch it when we did the audit.” What followed was a perfect storm, Smith said, of poor communication between poll workers themselves and between poll workers and elections officials stationed at the Erie County Courthouse. It would result in roughly 400 votes not being tabulated on either Election Night or during the final audit, or count, conducted by elections officials days later. In fact, were it not for the razor-thin margin between Erie County Controller Mary Schaaf and her challenger, Erie County Councilman Kyle Foust, the controller-elect, the missing votes might never have been counted.
An elections advocacy group urged a Sixth Circuit panel Tuesday to reinstate its case against the Tennessee Election Commission based on claims that one county’s electronic voting machines and software have created an inherently insecure system. Shelby County Advocates for Valid Elections, or SAVE, and several individual voters sued Tennessee Secretary of State Tre Hargett, the state’s election commission and the Shelby County Election Commission five days before early voting began in Shelby County for the November 2018 election. SAVE alleged the AccuVote-TSx R7 direct-recording electronic voting machines and Diebold GEMS voting software utilized by Shelby County fail to meet statutory requirements because they do not create a “voter verified paper audit trail,” and store votes solely on removable memory cards. The group’s complaint alleged election results are subject to manipulation because of their digital-only nature, which could result in the disenfranchisement of voters in the county with the state’s largest black population.
Tennessee: Likely no paper trail for voting in Memphis on Super Tuesday | Jonathan Mattise/Associated Press
Tennessee’s largest county probably won’t have new voting machines that create a voter-verifiable paper trail in place for the presidential primary election on March 3, an attorney for the state said Tuesday. Janet Kleinfelter of the Tennessee attorney general’s office discussed the timeline to implement the new machines in Memphis-anchored Shelby County during a federal appellate court hearing Tuesday. The hearing involved a lawsuit that has challenged the security of Shelby County’s voting machines. Kleinfelter said the machines will be in place by August, when state and federal primaries are held. Previously, Shelby County Elections Administrator Linda Phillips’ office said the goal was to start using the machines in the Super Tuesday elections. Shelby County commissioners have approved funding for the machines, which are expected to cost $10 million to $12 million. The county is now going through the procurement process, Kleinfelter said.
Wisconsin: Heading Into 2020, Election Security In Wisconsin Remains At Forefront | Maayan Silver/WUWM
In this tech-heavy world, it’s a new landscape when it comes to election security. Nation states like Russia could be poised to hack voting machines or systems. And Wisconsin clerks in small towns and municipalities — often with no information technology department — must make sure elections are secure. So, over the last few years, the Wisconsin Elections Commission has implemented more election security measures. They include: a cybersecurity training program, multifactor authentication for people who access the state election management system and voter list (WisVote), and a grant program where qualified election clerks get up to $1,200 in federal funding to buy new computers or update operating systems. At Monday’s meeting of the commission, administrator Meagan Wolfe summarized her staff’s efforts for election commissioners: “One of the major ones is alerting and educating clerks about the importance of having a .gov email address or an HTTPS website, especially for our county clerks,” she says.
Federal police and national intelligence agencies could monitor state and territory elections next year to ensure they aren’t hacked or hijacked by fake news. The Northern Territory goes to the polls on August 22 next year, followed by the ACT on October 17 and Queensland on October 31. An electoral integrity task force has so far overseen the NSW and federal elections and will turn its attention to future polls, a parliamentary committee heard on Friday. Jeff Pope, from the Australian Electoral Commission, told the hearing – when asked by Greens senator Larissa Waters whether the May federal poll was affected by hackers – nothing had affected the commission’s systems. However, the task force’s activities did result in AFP investigations and provided advice on social media posts which were not properly authorised, with subsequent action taken to take them down.
Russia: U.S. Targets Russian ‘Evil Corp’ Hacker Group With Sanctions, Indictments | Ian Talley & Sadie Gurman/Wall Street Journal
The Trump administration Thursday placed a $5 million bounty on the leader of a Russian hacker group called Evil Corp for his alleged work for Moscow’s intelligence agency, part of what U.S. officials say is a broader reprisal for a Kremlin-directed cyber offensive against the U.S. The State Department’s action against Maksim Yakubets coincides with Treasury Department sanctions and indictments by the Justice Department and the U.K.’s National Crime Agency against core members of the group, which is accused of orchestrating the theft of more than $100 million from more than 300 banks in the U.S. and dozens of other countries. The cyber theft, using malware that stole credentials and passwords, isn’t believed to be directed by Russian intelligence, though a senior administration official said the activities couldn’t have been carried out without the knowledge of the Russian government. But the Treasury Department said Mr. Yakubets was conducting separate work for Russia’s Federal Security Service as of 2017, and was seeking a license to handle classified intelligence with the agency in April of last year. The State Department bounty is for information that leads to the capture or conviction of Mr. Yakubets.
United Kingdom: Labour’s Ben Bradshaw claims he was target of Russian cyber-attack | Luke Harding/The Guardian
The Labour candidate Ben Bradshaw has said he has been the victim of a suspected Russian cyber-attack after he received an email from Moscow with attachments containing sophisticated malware. Bradshaw – who has repeatedly raised the subject of Kremlin interference in British politics, including in the EU referendum – received the email at his election gmail address. The sender – “Andrei” – claimed he was a whistleblower from inside Vladimir Putin’s presidential administration. The email contained several apparently genuine documents. They showed how the Kremlin has set up a secret “fake news unit” in Russia’s far east region which is used to suppress negative stories and to boost pro-government sentiment. However, two of the documents carried malicious code.
Pennsylvania: A Pennsylvania County’s Election Day Nightmare Underscores Voting Machine Concerns | Nick Corasaniti/The New York Times
It was a few minutes after the polls closed here on Election Day when panic began to spread through the county election offices. Vote totals in a Northampton County judge’s race showed one candidate, Abe Kassis, a Democrat, had just 164 votes out of 55,000 ballots across more than 100 precincts. Some machines reported zero votes for him. In a county with the ability to vote for a straight-party ticket, one candidate’s zero votes was a near statistical impossibility. Something had gone quite wrong. Lee Snover, the chairwoman of the county Republicans, said her anxiety began to pick up at 9:30 p.m. on Nov. 5. She had trouble getting someone from the election office on the phone. When she eventually got through, she said: “I’m coming down there and you better let me in.” With clearly faulty results in at least the judge’s election, officials began counting the paper backup ballots generated by the same machines. The paper ballots showed Mr. Kassis winning narrowly, 26,142 to 25,137, over his opponent, the Republican Victor Scomillio. “People were questioning, and even I questioned, that if some of the numbers are wrong, how do we know that there aren’t mistakes with anything else?” said Matthew Munsey, the chairman of the Northampton County Democrats, who, along with Ms. Snover, was among the observers as county officials worked through the night to count the paper ballots by hand. The snafu in Northampton County did not just expose flaws in both the election machine testing and procurement process. It also highlighted the fears, frustrations and mistrust over election security that many voters are feeling ahead of the 2020 presidential contest, given how faith in American elections has never been more fragile. The problematic machines were also used in Philadelphia and its surrounding suburbs — areas of Pennsylvania that could prove decisive next year in one of the most critical presidential swing states in the country.
Still-incomplete explanations of problematic aspects of new voting systems that debuted in November 2019 and will be used in 2020 suggest that voters will likely see random delays in voting and vote counting during next year’s presidential primaries and fall election. The new voting systems were being tested or deployed in advance of 2020. While the machinery did not widely fail across all jurisdictions, there were diverse and serious problems that could undermine public trust if they recur in 2020. However, the official responses, thus far, have not been reassuring. Take Georgia, for example. There, new systems were tested in nine counties on November 5 before statewide use in 2020’s primaries. In four counties, the start of voting was delayed by more than one hour, according to a secretary of state summary that mostly blamed the users, but not the technology. The users would be poll workers and other officials (who underwent training) and private contractors who program the system checking in voters. The opening of the polls is one of the busiest times at polling places, when people come to vote on their way to work. “We had 45 incidents out of 27,482 votes or an incident rate of 0.164 percent,” the secretary of state’s report summary said. “Nearly all issues were caused by human error or interaction which can be mitigated through training or identified through testing.” That statistical assessment is breezy. The report’s fine print describes poll openings delayed by an hour, but does not say how many voters were kept waiting. The apparent reason was that the electronic poll book system had “an additional field within the dataset erroneously.” If that analysis is correct, that is an amateur programming error. The report said that private vendors used Wi-Fi to access and reprogram it. But that wasn’t the only problem.