THE KEY

Election security advocacy groups are suing the state of Pennsylvania today to stop some counties from using controversial voting machines they say are vulnerable to hacking by Russia and other adversaries in 2020.

The suit, shared exclusively with The Cybersecurity 202, comes just weeks after these particular machines had technical issues and went haywire and called the wrong winner in a county judge's race in November. The groups say hackers could do far worse to these electronic machines if they tried. 

Concerns about hacking are supersized in Pennsylvania — a battleground state that could be vital to determining the next president. The ExpressVote XL machines, designed by Election Systems & Software, are being used in three counties that account for about 17 percent of the state’s registered voters, including Philadelphia County, the largest in the state. That's more than enough to tip a close election. 

“Pennsylvania is going to be under a microscope in 2020. It needs to have voting systems that are demonstrably secure, trustworthy and auditable,” said Susan Greenhalgh, vice president of policy and programs for the National Election Defense Coalition, one of the groups that brought the lawsuit along with Pennsylvania residents. 

More than three years after Russia probed election networks across the nation in advance of the 2016 contest, this is just the latest lawsuit seeking to force states and counties to abandon machines that they say don’t provide a sufficient paper trail to make sure votes were tallied correctly. The plaintiffs are asking a judge to bar the electronic machines before Pennsylvania's party primaries in April, which would likely force the state to use hand-marked paper ballots, which activists say are the most secure option. 

The new Pennsylvania lawsuit details numerous ways hackers from Russia or elsewhere could compromise the machines to change an election outcome or sow widespread mistrust among voters. They could break into an easily accessible administrator panel and reprogram the machines, for example, or they could trick the ballot printer to alter votes after the voter has reviewed them. The machines are also too prone to malfunctioning and make it too hard to verify that votes are being recorded accurately, the plaintiffs say.

One key piece of evidence is the technical issues from the first time the machines were used in Northampton County, Pa. The machines dramatically miscounted the votes. The bad tally for the local judge's race was evident on election night, forcing a recount. The correct judge is set to take office in January. 

That was a technical malfunction caused by bad programming, ES&S said during a news conference yesterday. But the groups note that even technical malfunctions can devastate public confidence in an election's outcome. 

“When people lose trust in the integrity of elections, they can become disillusioned. They may not vote at all. They may throw up their hands and say, ‘it's all rigged.’ And that fundamentally undermines democracy,” Ronald Fein, an attorney with Free Speech for People, which is representing the plaintiffs, told me. 

A spokeswoman for ES&S declined to comment on the lawsuit but said the ExpressVote XL “has been thoroughly tested and proven to be secure and accurate.” A spokeswoman for the Pennsylvania Department of State, which certifies voting machines, also declined to comment. 

As states vary in their responses to the hacking threat, citizens are increasingly turning to the courts to challenge the security of their voting machines. Citizens have sued to block vulnerable machines in Georgia and Tennessee, with mixed success. And Pennsylvania is already facing a separate legal challenge over the ExpressVote XL machines brought by 2016 Green Party candidate Jill Stein, who says the machines violate a settlement she reached with the state to end her demands for a recount. 

“There’s a real debate going on right now in American society about what facts you can trust, and that extends to our elections,” said Kevin Skoglund, a chief technologist for Citizens for Better Elections, which is also a plaintiff in the lawsuit. “We need to agree on the facts about elections. The losers and their supporters need to know they lost fair and square, and winners need to be confident they really won.”

The fight in Pennsylvania could be the most dramatic, though, because the hard-fought state could be critical to voters trusting the outcome of the 2020 election.

“There could be states or counties where the problems might be just as severe but you wouldn't be likely to notice because the votes tend not to be close,” Fein told me. “But Pennsylvania is a battleground state. Everyone will have their eyes on this state and it's important, not only for Pennsylvania, but for the nation as a whole, to know that there is a secure and reliable election taking place.” 

PINGED, PATCHED, PWNED

PINGED: A pair of lawmakers wants to grant the nation's top cybersecurity agency the legal power to access information that could prevent devastating cyberattacks on the nation's electric grid, hospitals and water supply. The bill sponsored by Senate Homeland Security Committee Chairman Ron Johnson (R-Wis.) and Sen. Maggie Hassan (D-N.H.) would allow the Cybersecurity and Infrastructure Security Agency to issue subpoenas compelling Internet service providers to share information about companies that manage vital services and are vulnerable to hacking so CISA can alert them.

“Every day, CISA is made aware of vulnerabilities to these systems — some easily fixable — but is powerless to warn the potential victims,” Johnson said. “This legislation gives CISA the authority necessary to reach out and warn owners of critical infrastructure that they are open and vulnerable to cyberattacks before they become a victim.”

The legislation could face a backlash, however, from critics who worry the agency will use the power to snoop on companies and bully them into adopting digital protections.

Hassan tried to push back on those concerns, saying the bill is “narrowly tailored” and gives “CISA only the bare minimum of information necessary.” CISA would also have to destroy any personal information it collects after 6 months.

Key members of the House also expressed support for the bill, the Hill's Maggie Miller reports.

PATCHED: Chinese tech giant Huawei will survive a U.S. trade blockade but it may take several years to undo the harm, CEO and founder Ren Zhengfei told my colleagues Jeanne Whalen and Anna Fifield in an interview at the company's Shenzhen headquarters. Zhengfei also slammed President Trump for “trying to crush businesses and intimidate countries around the world.”

Zhengfei acknowledged the U.S. ban has had a “pretty big impact” on the company, but said Huawei is now producing telecom network equipment without U.S. chips or components. The company also scored a recent win to sell equipment for part of Germany's buildout of next-generation 5G telecom networks to the chagrin of White House officials who have urged allies to ban the company from 5G.

Jeanne and Anna also detailed Huawei's growing troubles inside China in a story out this morning. 

PWNED: The United States isn't prepared to deal with cyberattacks against the nation's critical infrastructure such as the electric grid that could pose “an existential threat” to economic stability and national security, a panel of infrastructure executives convened by the president warned in a draft report approved yesterday.

The White House must take “bold action” to prevent a “catastrophic cyberattack on energy, communication, and financial infrastructures,” the group wrote.

The group also warns that “America’s companies are fighting a cyber war against multi-billion-dollar nation-state cyber forces that they cannot win on their own,” and that “incremental steps are no longer sufficient” to manage the threat.

Top recommendations include establishing a new government command center to help share information about cybersecurity threats and creating a new government agency tasked with mitigating cybersecurity risks to industry that pose national security threats.

PUBLIC KEY

— Cybersecurity news from the public sector:

Economy
His Twitter post gave a jolt to the stock market, as he acknowledged he was interested in cutting a deal.
David Lynch
Researchers uncover a phishing campaign attempting to steal login credentials from government departments across North America, Europe and Asia - and nobody knows who is behind it
ZDNet
A bipartisan coalition of lawmakers this week worked overtime to vilify encryption, oblivious to the fact that weakening encryption standards will put the public, and the internet, at risk.
Motherboard

PRIVATE KEY

— Cybersecurity news from the private sector:

In the NulledCast hackers livestream the harassment of Ring camera owners after accessing their devices. Hundreds of people can listen.
Motherboard
More than a dozen Telegram accounts of Russian entrepreneurs have been hacked, but there's something even more sinister than run-of-the-mill snooping going on, according to researchers.
Forbes
A new wave of reports about the home surveillance cameras getting hijacked by creeps is painfully familiar.
Wired