The Washington Post: Democracy Dies in Darkness

The Cybersecurity 202: D.C.’s use of email voting shows what could go wrong in November

with Tonya Riley

The District of Columbia’s last-minute decision to allow voting by email in this week’s primary is sounding warning bells for election security hawks. 

The practice puts election results at higher risk of hacking because there’s no way for voters to verify their votes were recorded accurately, they say. 

And the scramble is a disturbing preview of how election officials beset by challenges may bargain away security if they’re not better prepared by November. 

“Between now and November, the D.C. board and any other jurisdiction that’s paying attention to what happened [Tuesday] needs to be absolutely focusing their energies on ramping up voting by mail capacities,” Edward Perez, global director of technology development at OSET Institute, a nonprofit election technology organization, told me. “And they need to do it now, now, now. Not in July or August, and definitely not in September.”

The D.C. Board of Elections’ decision was effectively a desperate move after numerous people who had requested mail-in ballots because of the coronavirus pandemic didn’t receive them in time – and it became clear that a reduced number of in-person polling sites would be challenged by hours-long lines. This problem was made even worse considering the public health risks of crowding into polling stations during a pandemic – and the confusion sparked by a curfew imposed on D.C. streets that went into effect a full hour before the polls technically closed. 

The chaotic Election Day resulted in D.C. Council member Elissa Silverman (I-At Large) calling for Board of Elections Chair Michael Bennett’s resignation and Mayor Muriel E. Bowser pledging that she would “not tolerate continued failed leadership or execution.”

November’s elections are likely to face just as many challenges, and experts fear a similar predicament could create doubts about the validity of results. Even without an actual hack, it could give fodder to foreign adversaries that want to use the chaos to make Americans question the election’s legitimacy and undermine the democratic process.

“This needs to serve as a warning for November,” Perez said. “Even if this was a difficult trade-off they needed to make now, sending PDF ballots by email should not be thought of as a contingency plan in November.”

About 500 District voters received ballots by email, but it’s not clear how many returned them that way. 

That’s because some voters printed and mailed in the ballots, Bennett told Julie Zauzmer, Jenna Portnoy and Erin Cox.

The board appears to have taken some security precautions, including requiring people who voted by email to submit an affidavit verifying their identity. 

The board also plans to call everyone who voted by email to verify that’s how they submitted their ballot, Bennett told my colleagues.

But those efforts won’t detect whether hackers changed votes before they reached the board, which is a major concern for security pros. 

“Sending voted material electronically simply cannot be done securely,” Marian Schneider, president of the voting security group Verified Voting, told me. “You can’t guarantee votes weren’t altered in transmission. You can’t verify those ballots are counted as the voter intends.”

The District does not plan to use email voting for locals in November.

Bennett told my colleagues “there are a number of issues associated with that” and “it is always used sparingly.”

The Board of Elections did not provide answers to questions about any other security measures it put in place or how many ballots specifically were returned by email. Spokeswoman Rachel Coll said the board will try to answer questions this week.

Since we don't know how many email ballots were used, it's unclear how concerned voters should be about the primary's legitimacy. 

The District and numerous states regularly allow email ballots from military and overseas voters despite security concerns. The justification is generally that those voters cast such a small percentage of ballots that it’s exceptionally unlikely hackers could alter an election’s outcome by changing their votes alone.

Depending on how many people returned ballots by email in Tuesday’s election, however, that concern could go up. 

Even before the District’s election, experts worried states would adopt insecure electronic voting methods due to the pandemic. 

New Jersey allowed residents with disabilities to vote using a mobile app during local elections last month, and West Virginia and Delaware are planning to use the same app for voters with disabilities in primaries later this year. 

Those plans sparked so much concern that the Department of Homeland Security, the FBI and the Election Assistance Commission sent states a guidance memo detailing the risks. 

The memo warned that returning ballots using the Internet poses “significant security risks,” including that hackers could change large numbers of votes, block votes from being recorded or undermine ballot secrecy.

Security experts generally say increasing voting by mail is the most secure option when in-person voting is unsafe. But it takes a lot of work and money to get the right ballots to voters and to ensure they can safely return those ballots. It's a process most states are going through now. 

In an ironic twist, the District played a leading role in proving the vulnerability of Internet-based voting. 

In 2010, the city conducted a mock election in which voters could cast ballots through a website and invited security researchers to try to hack the process. A group of University of Michigan researchers hacked into the site within 48 hours. 

“We successfully changed every vote and revealed almost every secret ballot,” the researchers said in a 2012 paper. “Election officials did not detect our intrusion for nearly two business days — and might have remained unaware for far longer had we not deliberately left a prominent clue.”

The clue: “We modified the Thank You page that appears at the end of the voting process to play the University of Michigan fight song.” 

Election experts did express sympathy for D.C. officials in a tough situation.

They noted that they likely used emailed ballots because there was no other way to ensure everyone who wanted to vote could do so. 

“I understand having your back against the wall and trying to ensure people can cast a ballot, but email voting on a broad scale isn’t ready for prime time,” David Levine, the elections integrity fellow at the Alliance for Securing Democracy, told me.

They also warned that without additional funding, officials in the District and numerous states could end up in a similarly desperate situation in November — especially if the novel coronavirus is still making in-person voting difficult and requests to vote by mail continue to soar. 

Congress appropriated $400 million for elections in its $2 trillion coronavirus stimulus bill, but experts warn that running safe elections during the pandemic could cost up to $2 billion.

Congressional Democrats have pushed for another $3.6 billion in election funding in a future stimulus bill but have made little headway with Senate Majority Leader Mitch McConnell (R-Ky.), who has historically been wary of spending on election security.

“The most important takeaway here is Congress needs to act,” Schneider said. “We have to give election officials the resources they need so they can be prepared for November.” 

The keys

Democrats are demanding answers about the government’s surveillance of protesters.

Democrats on the House Homeland Security Committee wrote to DHS and the FBI demanding documents related to the surveillance by June 19 and a briefing no later than June 12. 

The request comes amid broad uncertainty about what surveillance is being conducted and who’s conducting it. The Drug Enforcement Administration was granted the authority to “conduct covert surveillance” on protesters, according to an agency memo obtained by BuzzFeed News.

But it is not clear what the agency will do. The DEA is limited by statute to enforcing drug-related crimes, so Attorney General William P. Barr's approval for the agency to operate outside of that scope raises unprecedented questions.

That prompted a new wave of concern among lawmakers, including Rep. Jackie Speier (D-Calif.) and Sen. Chris Murphy (D-Conn.).

President Trump has claimed that mail voting encourages fraud and cheating. His recent attempt to do it was rejected for not following the rules. 

Trump’s initial application to vote by mail in Florida claimed the White House as his legal address, violating a rule that only state residents can vote absentee in Florida, Manuel Roig-Franzia reports. He revised the September 2019 application a month later to use the Florida address of his Mar-a-Lago resort, allowing him to vote in the state's Republican primary.

But the Palm Beach City Council has questioned whether Trump's private club qualifies him for residency.

And Trump stated as recently as this week that he lives in Manhattan, possibly putting him afoul of Florida's strict residency laws for voter registration.

The death of George Floyd in police custody and the protests that followed have sparked conversations about race and discrimination in the cybersecurity industry.

For some African American cybersecurity pros, the events of recent days have highlighted how uncomfortable their colleagues are talking about race and racism, Sean Lyngaas, Greg Otto and Shannon Vavra at CyberScoop report.

“Too many people, especially in the infosec community, have remained silent, possibly waiting for the story of George Floyd to ‘blow over’ or paralyzed by not knowing what to say,” said Richie Cyrus, an African American manager at cybersecurity company SpecterOps. “Not only is this detrimental to inclusion in our industry, it further deters true progress.”

Others say it highlights how minority voices are silenced within cybersecurity companies. “It’s always women and people of color who have to shoulder the burden,” said an industry lawyer, who spoke on the condition of anonymity over fear of reprisal.

Other cybersecurity pros told CyberScoop they’re uncomfortable working for companies that contract with the federal government, which they see as unfairly targeting protesters. 

“It’s difficult to reconcile working with a company that is currently supporting the government in a cybersecurity role,” said one source who works at a publicly traded cybersecurity company and asked not to be identified. “I know [the company] is not implicitly or explicitly supporting police brutality or the words of our president, but it’s an aspect of it that keeps me up at night.”

Moody's cyber-risk analyst Leroy Terrelonge III tweeted about how he's been affected by recent events.

Chat room

Other cybersecurity professionals, including Google security researcher Maddie Stone and Dragos CEO Robert M. Lee, also shared their thoughts about the need for companies to allow employees to speak out amid the protests.

Hill happenings

The Senate Intelligence Committee forwarded a measure requiring presidential campaigns to report foreign election influence efforts.

The measure comes after Trump said last summer that he would consider accepting foreign intelligence on his opponents. The comments caused widespread alarm following Russia's efforts to interfere in the 2016 contest. Former vice president Joe Biden, the presumptive Democratic presidential nominee, and other Democrats said they would refuse such offers.  

The committee passed the measure in an 8-to-7 vote with Sen. Susan Collins (R-Maine) joining Democrats, CNN reports. The measure was added to a key Intelligence policy bill, which makes it far more likely to pass than as a stand-alone bill. Lawmakers are also considering attaching the intelligence bill to an annual defense policy bill, which nearly guarantees passage.  

Sen. Mark R. Warner (D-Va.), the committee's top Democrat, originally introduced a stand-alone version of the measure that would apply to all campaigns for federal office. The version passed Wednesday would only apply to presidential campaigns. Warner’s bill was repeatedly blocked by Republicans.

More government cybersecurity news:

Rosenstein says, in hindsight, he would not have signed application to surveil former Trump campaign adviser (Matt Zapotosky)

Top DHS official says to expect 'every intelligence service' to target COVID-19 research (The Hill)

Cyber insecurity

Advocacy groups are seeing a more than 1,000 percent increase in attacks trying to knock down their websites since protests began.

Internet protections firm Cloudflare said it had blocked more than 135 billion malicious Web requests against advocacy groups since the death of George Floyd, CyberScoop reports. That's more than four times the number of attacks on military and police organizations.

Cloudflare did not provide the names of specific clients.

But the protests haven't distracted hackers entirely from coronavirus-themed scams.

Scammers are using malware-laced résumés to steal bank passwords, researchers at Check Point found. The files are often attached as Microsoft Excel sheets with misleading subject lines like “applying for a job” or “regarding job.” They've doubled in the past two months as the coronavirus has pummeled the job market. 

More hacking news:

Ransomware gang says it breached one of NASA's IT contractors (ZDNet)

Zoom has partially fixed two new flaws, with other security hurdles ahead (CyberScoop)

Global cyberspace

British officials may urge telecom companies to reduce or remove Huawei hardware as soon as this month. 

The move, reported by the Wall Street Journal, would be a major victory in the U.S. government's quest to get allies to drop the Chinese company over security concerns.

More global news:

Europe nears tipping point on Russian hacking (Politico)

France’s virus-tracing app 'off to a good start’ (BBC News)


  • The RSA Conference will host a webcast on nation-state cyberthreats and the 2020 election on Thursday at 4 p.m.
  • The Brennan Center for Justice and Microsoft’s Defending Democracy Program will host a workshop, “Building Election Resilience,” at noon on Friday.
  • The Senate Judiciary Committee has scheduled a hearing, titled “COVID-19 Fraud: Law Enforcement’s Response to Those Exploiting the Pandemic,” for June 9 at 10 a.m.
