THE KEY

Massive voting machine failures in a Pennsylvania county in November are giving election security advocates fresh ammunition to call for nationwide paper ballots.

The problems, which may have been caused by a software glitch, resulted in some Northampton County residents who tried to vote straight-ticket Democrat initially registering as straight-ticket Republican. It also incorrectly showed a Republican judicial candidate winning by a nearly statistically impossible margin, the New York Times’ Nick Corasaniti reports.

In this case, voters got lucky. The county had paper backups for all the votes the machine counted incorrectly. They showed the Democrat judicial candidate Abe Kassis — who the computer tally said got just 164 votes out of 55,000 ballots — actually narrowly won the race.

But about 16 million Americans spread across eight states won’t have a paper backup for their votes in 2020. That means a similar software glitch or a malicious hack by Russia or another U.S. adversary could cause mass uncertainty about an election’s outcome or even result in the wrong candidate taking office.

Even in Pennsylvania, it could have been different. The machines that malfunctioned in November were just purchased this year in response to a statewide mandate to upgrade to new voting machines with paper records.

Election security hawks have been pushing the importance of paper backups since 2016, when Russia probed election systems across more than a dozen states and penetrated systems in Illinois and Florida, according to the Mueller report. But even in 2016 there's no evidence any votes were counted incorrectly.

That's why the Pennsylvania debacle offers stark new evidence for how badly things could go wrong with no paper backups in place, degrading public faith in elections.

“People were questioning, and even I questioned, that if some of the numbers are wrong, how do we know that there aren’t mistakes with anything else?” Matthew Munsey, the chairman of the Northampton County Democrats, told Nick.

Lee Snover, chairwoman of the county Republicans, was just as worried. “There are concerns for 2020. Nothing went right on Election Day. Everything went wrong. That’s a problem,” she said.

Officials haven’t determined what caused the failures, but a senior intelligence official who focuses on election security told Nick there were “no visible signs of outside meddling by any foreign actors.” The miscount shows, however, how voting machine vulnerabilities could be exploited by Russia, China or Iran — which U.S. intelligence and law enforcement agencies said last month are all eager to interfere in the 2020 contest. 

Presidential candidates were quick to make that connection.

Here’s Sen. Amy Klobuchar (D-Minn.), who sponsored the main Senate bill that would deliver more election security money to states in exchange for paper ballots and other fixes.

Here’s Montana Gov. Steve Bullock, who dropped out of the race this morning:

House Democrats have passed bills that would require paper backups for all votes and deliver $600 million for states to upgrade voting machines and add other cybersecurity protections. But Senate Majority Leader Mitch McConnell (R-Ky.) has blocked any bills that mandate specific election security fixes.

Some House Democrats were quick to seize on the Pennsylvania debacle to push the Senate to act.

Here’s Rep. Tom Malinowski (D-N.J.):

The story also sparked concern in states that will lack paper records for some voters in 2020.

Here’s John Ray Clemmons, a Democratic state representative from Tennessee:

And Sri Preston Kulkarni, a former diplomat who’s running as a Democrat for a House seat in Texas:

Other states where some voters will lack paper records in 2020 are Indiana, Kansas, Kentucky, Louisiana, New Jersey and Mississippi, according to a tally by the Brennan Center for Justice.

Northampton also demonstrates the importance of automatic “risk limiting” audits after elections to make sure that paper records back up machine results.

In this case, there was such a wide margin of victory for the Republican candidate that it was obvious something was fishy. But if hackers or a software glitch caused a much smaller shift in votes, election officials might not have caught it without an audit.

Here’s Matt Blaze, co-founder of an annual challenge to find hackable bugs in election machines at the Def Con cybersecurity conference and a cryptography professor at Georgetown University:

PINGED, PATCHED, PWNED

PINGED: The Trump administration is considering tightening Commerce Department rules to restrict sales of U.S. technology to Huawei even if that technology is in products manufactured outside the United States, two sources told Alexandra Alper and Karen Freifeld at Reuters.

The move follows a massive crackdown on U.S. companies selling directly to Huawei, which officials say could abet Chinese spying. 

It could appeal to congressional China hawks who have criticized the Trump administration for not doing enough to keep U.S. technology out of Huawei's hands as it tries to dominate the market for next-generation 5G wireless networks. But it "would be poorly received by U.S. allies and U.S. companies,” Washington trade lawyer Doug Jacobson told Reuters.

The potential change follows the Trump administration's decision last week to delay a blanket ban on most U.S. companies selling parts to Huawei for another 90 days. 

Huawei and the Commerce Department did not immediately respond to a request for comment from Reuters.

PATCHED: India's lead cybersecurity agency wants to audit WhatsApp's security systems after the accounts of 121 Indian users were allegedly hacked using tools from the Israeli spyware company NSO Group, Sankalp Phartiyal and Nigam Prusty at Reuters report.

Officials at the agency also want to know why WhatsApp executives, including CEO Will Cathcart, failed to mention the spyware attack when they met with Indian leaders in July and September. Facebook, which owns WhatsApp, is suing NSO for the alleged hacks, which affected roughly 1,400 users globally, including many journalists and activists.

The Indian government is also seeking answers from NSO on the malware attacks, Technology Minister Ravi Shankar Prasad said. NSO has denied any wrongdoing.

PWNED: Just one-third of 2020 presidential campaigns are automatically rejecting or quarantining emails that come from suspicious domains and could be part of a phishing attack, TechCrunch's Zack Whittaker reports.

Candidates whose campaigns aren’t automatically rejecting suspicious emails include President Trump and Sen. Bernie Sanders (I-Vt.). That could put the campaigns at a higher risk of opening malware-laden phishing emails like the one that Russia used to target Clinton campaign chairman John Podesta's Gmail account in 2016. 

“When a campaign doesn’t have the basics in place, they are leaving their front door unlocked,” Armen Najarian, chief identity officer at Agari, an email security company, told Zack.

Campaigns for former Vice President Joe Biden and Sens. Elizabeth Warren (D-Mass.), Kamala Harris (D-Calif.), Amy Klobuchar (D-Minn.) and Cory Booker (D-N.J.) are among those automatically rejecting or quarantining suspicious emails using a tool called DMARC, which verifies a sender's email is legitimate and rejects emails that may be spoofing a real email in order to trick the recipient. That's an increase from May, when Agari researchers found that only Warren was using DMARC to block spoofed emails.

PUBLIC KEY

— Cybersecurity news from the public sector:

  • Politics: Kennedy maintained that he hasn’t been “duped” by Russia, even though U.S. intelligence officials have warned that allegations of Ukrainian interference are part of a “fictional narrative” spread by Russian security services. (Felicia Sonmez)
  • Fact Checker: In the space of ten sentences, President Trump told Four Whoopers (Glenn Kessler)
  • If you just bought a smart TV on Black Friday or plan to buy one for Cyber Monday tomorrow, the FBI wants you to know a few things. Smart TVs are like regular television sets but with an internet connection. (TechCrunch)
  • The Department of Homeland Security’s (DHS) cybersecurity agency on Wednesday issued a draft order that would require federal agencies to increase protections against cyber vulnerabilities. (The Hill)
  • Virgil Griffith "provided highly technical information to North Korea" that "could be used to help North Korea launder money and evade sanctions," officials said. (NBC News)

PRIVATE KEY

— Cybersecurity news from the private sector:

  • Researchers from SRLabs found that telcos are implementing the RCS standard in vulnerable ways, which brings back techniques to attack phone networks. (Motherboard)
  • Exclusive: The exposed database was left unprotected without a password. None of the data was encrypted. (TechCrunch)
  • Mixcloud is investigating data for sale on the dark web after Motherboard alerted the company of the issue. (Motherboard)

THE NEW WILD WEST

— Cybersecurity news from abroad:

  • Eastern Europe’s cybercriminals are highly sophisticated. Can they be coaxed into more honest work? (The New York Times)
  • Europol reports 14 arrests across eight countries, including the RAT's creator, in Australia. (ZDNet)

ZERO DAYBOOK

— Coming up:

  • The Senate Committee on Foreign Relations will examine the future of United States policy toward Russia at 9:45 a.m. on Tuesday.
  • The Senate Commerce Committee will host a hearing titled “Examining Legislative Proposals to Protect Consumer Data Privacy,” on Wednesday at 10 a.m.
  • The House Energy and Commerce Committee will host a Federal Communications Commission oversight hearing on Thursday at 10 a.m.
  • The Senate Commerce subcommittee on communications, technology, innovation and the Internet will convene a hearing titled “The Evolution of Next-Generation Technologies: Implementing MOBILE NOW” on Thursday at 10 a.m.