The Associated Press and The Washington Post

County clerks in Oregon would be required to audit results after each election under a bill that overwhelmingly passed the Senate on Election Day. The bill approved Tuesday requires county clerks to conduct hand-count or risk-limiting audits after every primary, general and special election. Risk-limiting audits are based on counts of statistical samples of paper ballots.

Sen. Lew Frederick, a Portland Democrat, said the bill ensures more audits happen to make sure election results are correct.

The bill requires audits after every election, instead of just general elections. It goes next to the House.

More election security news

Heading into the 2020 cycle, a new report out Tuesday provides a stark warning about the cyber-insecurity of the highest-profile U.S. political organizations even after years of concerted efforts to improve digital safeguards and an intense focus in Washington on the need to secure campaigns and elections.

The Democratic National Committee’s computer networks still contain hackable vulnerabilities more than two years after a devastating breach that upended the 2016 election and dealt a major blow to the Hillary Clinton campaign. And the Republican National Committee is doing only moderately better, according to the report from the company SecurityScorecard.

While SecurityScorecard found significant improvements since the last presidential campaign cycle, when the DNC was penetrated by Russian hackers -- who compromised vast troves of information and coordinated its release to damage Hillary Clinton’s campaign -- these fixes may not be sufficient to keep either organization secure this time around.

“They’re doing better, but a focused adversary is still going to be able to get in there and they’re still going to be able to get interesting information,” SecurityScorecard Chief Technology Officer Jasson Casey said.

SecurityScorecard rates organizations’ digital protections based on information that’s available on the public internet, such as how often they patch their software and whether public-facing internet tools are encrypted. The company makes most of its money by helping large organizations vet the cybersecurity of their partners and suppliers without conducting an intensive internal security audit.

A DNC official who reviewed the latest results said this kind of external assessment doesn’t capture all the work the organization has done to improve cybersecurity since 2016, but didn’t dispute that there are still improvements to be made. The official, who spoke on the condition of anonymity to express himself freely also criticized the report for lacking specific details about some of the vulnerabilities it claimed to find.

“I think we need to improve our security posture and we’ll take feedback in whatever form it comes,” the official said. “Our adversaries are hard at work, nonstop. We’d just like to have more detail.”

The results could raise questions about the vulnerability of a crowded field of Democratic presidential candidates who typically have much less time and far fewer resources to devote to security than the DNC — but are equally juicy targets for Russian hackers, Casey noted. SecurityScorecard plans to start assessing the cybersecurity of those campaigns in the next couple of months, he said.