When Georgia voters head to the polls for the state’s primary today, they’ll cast their ballots on aging electronic voting machines that government officials and security experts agree are easy to hack.
But if a long-shot federal lawsuit succeeds, they could vote in a much more secure way come November: On paper.
As the intelligence community warns against a repeat of the kind of digital interference we saw in the 2016 elections, a nonpartisan advocacy organization and a group of Georgia voters are asking a judge to compel the state to abandon its electronic voting machines in favor of paper ballots before the midterm elections.
The electronic machines produce no paper vote record, making them virtually impossible to audit. The plaintiffs want the state instead to switch to a hand-marked paper ballot system, which experts widely regard as safer because the results can be easily verified.
“Given what we've learned about election interference and what's expected in the midterms, you can’t go forward with a machine that can’t be audited,” said David Cross, an attorney for the plaintiffs. “If we can get the relief we want before November, the system will be much more secure.” The plaintiffs' goal is to have such a system in place before Nov. 6, even if it means having every Georgia voter cast a paper absentee ballot for the time being.
They face an uphill battle. Similar legal challenges have failed in other states in recent years, with judges showing a reluctance to order states to change their systems.
With more public information surfacing about the digital threats facing elections, that may change, says Lawrence Norden, deputy director of the Brennan Center for Justice’s Democracy Program. “While these lawsuits in the past few years have seemed like Hail Marys, there may be a different calculation now given what's come out about actual threats against these systems,” Norden told me. “Courts may be more willing to take these lawsuits seriously.”
And this case could serve as a bellwether for others looking to challenge their states' voting systems in court. Norden expects other lawsuits like this one to keep coming up if efforts across the country to get states to scrap outdated machines continue to stall.
Five states including Georgia rely exclusively on electronic voting machines that produce no paper trail, and another eight states use them in some districts. Officials are facing mounting pressure from Congress, the Department of Homeland Security and private groups to replace that equipment with paper-backed systems, but upgrades are expensive — and some have been slow or unwilling to legislate the change.
“People are feeling very desperate about this," Norden said. "They’re concerned, and despite all the publicity around security risks of paperless systems, they haven’t been able to succeed legislatively."
Georgia in particular has resisted the push to ditch electronic voting machines, which are known as Direct Recording Equipment, or DREs. Secretary of State Brian Kemp (R) has argued that the equipment is safe, and that replacing it with paper ballots might not make the system more secure. He also told Politico last year that he opposed financial assistance from the federal government to help overhaul the state’s voting system.
In this case, the plaintiffs allege that state officials ignored warnings from experts that Georgia's voting system was insecure and failed to take the minimum steps to make sure it was safeguarded. They argue that's all in violation of Georgians' voting rights. Meanwhile, the state has asked the court to dismiss the lawsuit on various grounds, including that the state is immune from the litigation under the Georgia Constitution.
But Kemp, who is running for governor this year, has more recently signaled he's thawing his opposition on this issue. He tapped a panel of state officials in April to weigh options for a new voting system after a bill to replace Georgia’s DREs failed in the legislature. He says he now supports a system with a paper trail and wants to have it in place by 2020.
“I am confident that the current system, which is tested by experts for every election, continues to properly capture and reflect all voters’ choices,” he said in a statement last week. Kemp and attorneys for the state declined to comment on the case.
The plaintiffs, led by the Coalition for Good Governance, originally sued in Georgia state court, and the case was moved to the U.S. District Court for the Northern District of Georgia in August 2017.
There are heavy-hitting lawyers on both sides of the case. Cross, an antitrust attorney with the law firm Morrison and Foerster, is representing the plaintiffs pro bono with John Carlin, another lawyer from the firm who previously served as assistant attorney general for the Justice Department’s National Security Division. The defendants are being represented by Roy Barnes, the former Democratic governor of Georgia who was in office when the state purchased many of its DREs, and his law partner John Salter.
Cross said the parties are expecting a hearing on a preliminary injunction in July or August. That would leave enough time to take the logistical steps necessary to get a more secure voting system in place ahead of the midterms, he said.
Mothballing tens of thousands of electronic voting machines and switching to paper ballots in just a matter of weeks is no small undertaking.
But Cross says it’s possible. He pointed to Virginia, where the board of elections last fall ordered all the state’s DREs scrapped and replaced with hand-marked paper ballots to better secure its elections. The process took about a month.
“Virginia did this quite quickly,” he said. “It’s not as big a deal as it might seem.”
Correction: A previous version of this story incorrectly identified Roy Barnes, the former Georgia governor. He is a Democrat.
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
PINGED: Sen. Ron Wyden (D-Ore.) is urging the Pentagon to beef up security on its public websites. In a letter today to Dana Deasy, the Defense Department's chief information officer, Wyden is asking the Pentagon to implement “cybersecurity best practices on all publicly accessible” department websites. You can read it here first on The Cybersecurity 202.
Wyden wrote that many military websites -- including those belonging to the Navy, the Marines and Deasy's own office -- “either do not secure connections with encryption or only prove their authenticity” with certificates that mainstream Web browsers do not consider “trustworthy.” Users are often presented with “scary security warnings” when they access Defense Department pages from personal computers and have to navigate through them, he said. “The DoD cannot continue these insecure practices,” Wyden wrote. He noted that Google Chrome is set to begin warning users in July that non-HTTPS sites are “not secure.” (Google wrote about the change in a blog post this year.)
"These warnings will erode the public's trust in the Department and its ability to defend against sophisticated cyber threats," Wyden wrote. "Moreover, the DOD's refusal to implement cybersecurity best practices actively degrades the public's security by teaching users to treat critical security warnings as irrelevant." Wyden asked that Deasy reply by July 20 with a plan detailing the progress made in addressing those issues.
PATCHED: Regulators in the United States and Canada are going after cryptocurrency investment scams. The North American Securities Administrators Association announced on Monday that state and provincial regulators in the United States and Canada have opened nearly 70 investigations into fraudulent investment products, The Washington Post's Brian Fung reports.
“Despite a series of public warnings from securities regulators at all levels of government, cryptocriminals need to know that state and provincial securities regulators are taking swift and effective action to protect investors from their schemes and scams,” Joseph Borg, the association's president and the director of the Alabama Securities Commission, said in a statement. Regulators from more than 40 jurisdictions have taken part in those enforcement operations, called “Operation Cryptosweep,” and 35 cases have been completed or are pending. Members of NASAA are also conducting additional investigations.
"They target unregistered securities offerings that promise lucrative returns without adequately informing investors of the risks, according to state regulators,” Fung writes. "The state agencies are also pursuing suspicious cases of initial coin offerings, or ICOs, a fundraising technique used by both legitimate and illegitimate cryptocurrency projects in ways that resemble initial public offerings of stock."
PWNED: In a departure from past presidents, Trump uses a cell phone that does not have sophisticated security features that could protect his communications, two senior administration officials told Politico's Eliana Johnson, Emily Stephenson and Daniel Lippman. One of the officials said Trump uses at least two iPhones — one serves to make calls only and another is for accessing Twitter and a few news sites.
“While aides have urged the president to swap out the Twitter phone on a monthly basis, Trump has resisted their entreaties, telling them it was 'too inconvenient,' the same administration official said,” Johnson, Stephenson and Lippman write. Trump has gone as long as five months without having the phone checked by security pros for possible compromise, they report, while President Barack Obama by contrast had his White House phones examined every 30 days.
Additionally: "Trump's call-capable cellphone has a camera and microphone, unlike the White House-issued cellphones used by Obama," they write. "Keeping those components creates a risk that hackers could use them to access the phone and monitor the president’s movements. The GPS location tracker, however — which can be used to track the president’s whereabouts — is disabled on Trump's devices."
— Twitter lit up with reactions to revelations about Trump’s cellphone use:
From former CIA analyst Nada Bakos:
"Trump’s call-capable cell phone has a camera and microphone, unlike the White House-issued cell phones used by Obama." He doesn't have to make a call for the phone to be compromised, just having it on him could be enough.— 𝙽𝚊𝚍𝚊 𝙱𝚊𝚔𝚘𝚜 (@nadabakos) May 22, 2018
From The Post's Philip Rucker:
Using a personal cell that isn’t equipped with security features isn’t that far off from using an email account on a home-brew server https://t.co/oP6c9Hf3gT— Philip Rucker (@PhilipRucker) May 22, 2018
From former Obama official Chris Lu:
When I traveled to China during Obama Admin., I was given strict instructions about cell phone use and potential for calls to be intercepted. When I returned to US, security officials destroyed the phone.— Chris Lu (@ChrisLu44) May 21, 2018
Trump isn't following even basic safeguards that all WH staff must follow.
From MSNBC’s Chris Hayes:
Am I wrong that there's, like, a 100% chance the phone has been hacked? https://t.co/TMPn0g1gcu— Chris Hayes (@chrislhayes) May 21, 2018
From Buzzfeed News’s Charlie Warzel:
— Secretary of State Mike Pompeo on Monday said the State Department will work alongside the Pentagon and allies in the Middle East “to prevent and counteract any Iranian malign cyberactivity.” Pompeo presented the Trump administration's Iran policy in a speech at the Heritage Foundation.
“In his first major foreign policy address as secretary of state, Pompeo listed a dozen demands, an agenda encompassing Iran’s foreign ventures as well as its nuclear and missile programs,” The Post's Carol Morello writes. “If Iran agreed to those demands, he said, the United States would lift all sanctions, reestablish diplomatic relations with Tehran and provide it access to advanced technology.”
It’s not a pipe dream to ask the #Iranian leadership to behave like a normal, responsible country. Our asks are simple.— Secretary Pompeo (@SecPompeo) May 21, 2018
— An internal Defense Department document from May 2017 shows that the Pentagon is considering disabling enemy nuclear weapons before they are launched in a strategy that appears to involve cyberattacks, the Daily Beast’s Spencer Ackerman reports. “The Pentagon document does not name adversaries,” Ackerman writes. “But experts who reviewed it for The Daily Beast considered it aimed at North Korea—and may represent a fallback option for the Trump administration should its June 12 summit with Kim Jong Un fail to result in the denuclearization President Trump desires.” The document “explicitly cites ‘non-kinetic options’ for destroying missiles that would fall short of a ‘use of force’ under the United Nations charter,” Ackerman writes.
— CyberScoop's Chris Bing sheds light on Project Indigo, a confidential information-sharing agreement between U.S. Cyber Command and a unit of the Financial Services Information Sharing and Analysis Center, an industry group representing financial institutions. "The broad purpose of Project Indigo is to help inform U.S. Cyber Command about nation-state hacking aimed at banks. In practice, this intelligence is independently evaluated and, if appropriate, Cyber Command responds under its own unique authorities... It’s possible that a bank could tip off the military about a cyberattack against the financial industry, prompting Cyber Command to react and take action,” Bing writes. That could include giving information back to the industry, or even, as Bing writes, "taking offensive measures to disrupt the attacker — such as retaliatory hacking — if it’s appropriate and the Pentagon approves it, according to current and former U.S. officials.”
— Homeland Security Secretary Kirstjen Nielsen, FBI Director Christopher A. Wray and Director of National Intelligence Daniel Coats are expected to deliver a classified briefing to lawmakers today about threats to election systems, the Hill's Morgan Chalfant reports. The briefing was initially set to be unclassified and had been scheduled for last week, but House Speaker Paul D. Ryan (R-Wis.) postponed it, according to Chalfant. “Ryan postponed the briefing last week in order to make it classified, after Democrats complained that the unclassified nature would prevent officials from going into sufficient detail about the scope of the threat or the administration's efforts to secure upcoming elections,” she writes.
— More cybersecurity news about the public sector:
— A group of iPhone users in Britain is suing Google over claims that the company illegally collected personal data about them in 2011 and 2012, Bloomberg News's Jonathan Browning reports. Google said in a court filing that the group, called Google You Owe Us, may seek up to about $4.3 billion in damages.
“While any potential damages are still to be determined, the group has suggested each individual could receive 750 pounds if the case is successful, Google said in court documents,” Browning writes. “The Mountain View, California-based company denies the allegations and argued at the hearing that the dispute doesn't belong in a London court.” Google You Owe Us alleges on its website that Google illegally gathered users' private data “by bypassing default privacy settings on the iPhone’s Safari browser.” The group also says that it wants “to show that the world’s biggest companies are not above the law.”
Google are trying to delay our case by questioning the jurisdiction. This case should be heard in the English and Welsh courts. Don’t let them get away with it! Speak up by sharing and tagging your friends https://t.co/1WJg6177LF #GoogleYouOweUs pic.twitter.com/miH0DTPD4a— Google You Owe Us (@GoogleYouOweUs) May 21, 2018
— More cybersecurity news from the private sector:
— A meeting later today between Facebook chief executive Mark Zuckerberg and European Parliament lawmakers that was initially planned to occur in private will now be live-streamed, Politico's Mark Scott reports.
“The decision marks a turnaround from previous plans, with Zuckerberg originally expected to hold closed-door meetings with leaders of Parliament’s political groups and selected MEPs,” Scott reports. “The secrecy of the meeting prompted widespread criticism from MEPs, policymakers and the public.”
From European Parliament President Antonio Tajani:
I have personally discussed with Facebook CEO Mr Zuckerberg the possibilty of webstreaming meeting with him. I am glad to announce that he has accepted this new request. Great news for EU citizens. I thank him for the respect shown towards EP. Meeting tomorrow from 18:15 to 19:30— Antonio Tajani (@EP_President) May 21, 2018
— Read more international cybersecurity news:
- House Energy Committee hearing on Internet of Things legislation.
- Senate Armed Services subcommittee on cybersecurity closed markup of the National Defense Authorization Act for fiscal 2019.
- Security Through Innovation Summit in Washington.
- GMU-AFCEA Symposium 2018 in Fairfax today through tomorrow.
- Air Force Cyber Strategy Conference at Maxwell Air Force Base, Ala., today through tomorrow.
- Panel discussion hosted by the International Republican Institute, the National Democratic Institute and Harvard Kennedy School’s Belfer Center in Brussels today on election security in Europe.
- IEEE Symposium on Security and Privacy in San Francisco continues today through tomorrow.
- Ignite '18 Cybersecurity Conference in Anaheim, Calif., continues today through May 24.
- Enfuse 2018 conference in Las Vegas continues today through May 24.
- Senate Banking Committee hearing on cybersecurity risks to the financial services industry on May 24.
- The European Union's General Data Protection Regulation goes into effect on May 25.
Gina Haspel was sworn in as CIA director yesterday:
Mt. Everest has proven deadly. These climbers took on the challenge anyway:
Watch a Naval Academy plebe cap Herndon Monument in an annual tradition: