A note to readers: Our indefatigable researcher, Bastien Inzaurralde, is on vacation. We're bringing you an abbreviated version of our newsletter this Thanksgiving week, and we won't be publishing Thursday and Friday. Today is also my last day anchoring the Cybersecurity 202. I'll now be focused on launching my forthcoming newsletter, The Technology 202. You won’t want to miss our daily analysis on the complex relationship between Washington and Silicon Valley, coming to your inbox in December.

THE KEY

Several states still have not taken action to ensure their voting machines produce a paper trail, stoking concerns that voters may again head to the polls in 2020 without this widely accepted security practice in place.

During the 2018 midterms, 13 states — including Georgia, Texas and Pennsylvania — were home to at least some precincts that relied on electronic voting machines without paper backups -- leaving them without a way to verify election results in the event of a cyber attack on the systems. (Florida, luckily, largely had a paper trail.) An even larger number of states lack backup paper ballots for people with disabilities.

There seem to have been no major failures in the 2018 midterms when it came to voting security. But experts warn that was no thanks to old voting machines, a patchwork state and county system and the failure of many states to ensure they have a paper trail should electronic voting machines fail.

Lawrence Norden, the deputy director of the Brennan Center’s Democracy Program, said some states, such as Delaware, Pennsylvania and Louisiana, are working to replace equipment to ensure there is a paper trail by 2020. But at least six of states — including many counties in Texas — are still likely to rely entirely on paperless machines in the next presidential election, he said.

“One of the stories out of the election was our antiquated systems were failing us,” Norden said.

After revelations of Russia’s campaign to hack the 2016 election, states such as Virginia rushed to ensure they had a paper ballot trail in the case of electronic failures. But a lack of funding and concerns over who controls local election processes are hampering efforts to secure voting infrastructure. In the months leading up to the midterms, policymakers conceded the necessary changes to systems would be impossible, so officials instead set their sights on 2020. 

The stakes are higher for the presidential election, which will undoubtedly be a bigger target for possible foreign or domestic interference.

But immediate assistance from the federal level isn't likely to be forthcoming. A GOP Senate staffer told me on Tuesday it’s “doubtful” the Secure Elections Act will get floor time during the lame-duck congressional session. A bipartisan group of senators introduced the bill, which initially required states receiving federal assistance for election security have a paper ballot trail.  But revisions to the bill significantly watered down those measures, sparking a partisan feud. The bill stalled this summer following resistance from the White House and some state officials

Marian Schneider, president of Verified Voting, said election security should be recognized as a national security issue following evidence of Russian interference n 2016.

“The cost to replace the machines throughout the country would be a fraction of our homeland security budget,” she said. “People don’t see this as a threat because of the decentralized nature of our election system.”

Election security advocates pointed to Georgia as a case study for the necessity of paper backups. Though there are no reports implicating the insecurity of Georgia's voting machines, there were issues with old machines functioning properly on Election Day. Georgia does not have paper backups statewide — stoking concerns as security threats were politicized during the tight race for governor.

After activists brought a lawsuit against the state, a judge denied a motion to force Georgia to adopt a paper backup system in the weeks before the midterms, my colleague Ellen Nakashima reported. However, the judge indicated she may compel the state to do so in the future.  

Funding remains the biggest barrier for states seeking to update their systems. Many Pennsylvania counties, including Philadelphia, did not have paper backups in this year's elections. Democratic Gov. Tom Wolf's administration has told counties to backup their electronic tallies with a paper trail by 2020. But the estimated price tag — $125 million — may complicate the matter. The state's 2018-2019 budget only earmarked $14 million for election security, primarily from a $380 million congressional package earlier this year.

“The original allocation that comes out of Congress right now has been woefully inadequate,” said David Hickton, who co-leads the state’s independent, nonpartisan election security commission. He’s working to see whether the state can strike public-private partnerships with voting machine companies to make up the gap.

Norden said Texas, Indiana, Tennessee, Kansas, Mississippi and Kentucky have made no promises, increasing the possibility they won't have paper backups in place for the next presidential election. 

Democrats called for paper ballots in Tennessee earlier this year, but state election coordinator Mark Goins said the election systems were secure and dismissed those calls, according to a Tennessean report. Rep.  Jim Cooper (D-Tenn.) wanted the state to use  some of the federal funding for election security to update to systems with a paper trail, but the state ultimately rejected that call. 

“State leaders decided not to spend the money this year, but America’s intelligence chiefs continue to warn us — we’re vulnerable,”  Cooper told me. “Tennessee officials must listen and make improvements before 2020. Our right to vote is at stake.”

Chris Davis, the chief of the Texas Association of Elections Administrators, told the Victoria Advocate that Texas counties should decide themselves what voting methods to use.

“I would trust no one else other than the election officer of that county to know what works for their county and the process for having voters vote in a secure way,” Davis said in an interview with the Victoria Advocate.

According to a Houston Public Media report, 46 Texas counties have upgraded their voting machines since the 2016 elections. But only 11 of those counties chose machines that have a paper backup.

Correction:  A previous version of this article misattributed the quote from Jim Cooper to Mark Goins.

PUBLIC KEY
Politics
President Trump defended his daughter, but Republicans and Democrats in Congress demanded documents and said they’ll look into her actions.
Felicia Sonmez and Colby Itkowitz
The tax agency also failed to review another 15,000 breached taxpayer ID numbers it received for possible fraud monitoring, an audit found.
Nextgov
The Switch
But critics say it could lead to censorship of legitimate messages.
Brian Fung and Tony Romm
Since its rollout this summer, the biometrics program is finding more success at land borders than airports.
Nextgov
National Security
The Columbia University institute seeks documents relating to agencies’ “duty to warn.”
Ellen Nakashima
PRIVATE KEY
Facebook CEO Mark Zuckerberg pushed back against calls for him to step down as chairman and said he hoped to continue working with his longtime chief operating officer, Sheryl Sandberg, in a TV interview.
Wall Street Journal
Business
A weeks-long swoon in tech stocks deepens and drags down energy and retail sectors.
Thomas Heath
More than half a million users have installed Android malware posing as driving games — from Google’s own app store.
TechCrunch
Instagram's promise to root out "inauthentic activity" sends some social media marketers into crisis.
Wired
Hennessy said he’s not confident Google will be better off bringing a censored search engine to China -- a key goal of Google Chief Executive Officer Sundar Pichai.
Bloomberg
THE NEW WILD WEST
Researchers say the Emotet is improving its ability to steal financial credentials by using emails scraped from its own victims to make templates.
For better and worse, humans are only improving their ability to deceive themselves with technology.
New York Times
Recorded Future claims Tessa88's identity is a 29-year-old Russian named Maksim Vladimirovich Donakov.
ZDNet
Two new reports show an uptick in sophisticated phishing attacks originating from—where else—Russia.
Wired
FOR THE N00BS
Security firms are warning consumers about an uptick in holiday cyber threats, cautioning online shoppers to watch which sites and links they click on during the upcoming holiday season.
You can now sign into Microsoft accounts password-free, thanks to Yubico, Microosft, and other FIDO2 device manufactuerers.
VentureBeat
EASTER EGGS