For better election security, get to know the IT people
A day before Super Tuesday, when 14 states will hold their presidential primaries, officials from the individual counties that conduct elections gathered in Washington for a crash course on protecting voting systems and securing ballots. And when Michael Moore, the information security officer for the county recorder’s office in Maricopa County, Arizona, asked attendees if their counties had IT staff dedicated to elections, only two or three hands went up.
“Part of the reason my job exists is that I did security assessments of recorders’ offices,” Moore said at the National Association of Counties legislative conference. “And at some point my now-manager found it unacceptable things were not being fixed. He used that excuse to create an information security officer position. Never waste a disaster.”
Moore said his county, which includes Phoenix, has mirrored the national trend of treating election security as a joint, multiagency effort by spending election days inside a fusion center, and working with the state National Guard, state homeland security department and other agencies.
But most counties are not as large and well-staffed as Maricopa, which is home to more than half of all Arizonans. Sitting alongside Moore, Pennsylvania Secretary of the Commonwealth Kathy Boockvar said her office offers free cybersecurity services, like monthly phishing tests, to her state’s 67 counties. She also said Pennsylvania, which holds its primary April 28, is running tabletop exercises that simulate incidents like a cyberattack against voter registration databases. Those drills have brought together officials who previously didn’t interact, she said.
“I love the tabletops,” Boockvar said. “We’ve included election officials, IT teams, emergency management officials. People not knowing who their peers were, that’s one of the best things that’s happened.”
Boockvar also touted Pennsylvania’s counties replacing voting machines — most of which used paperless touchscreens — with new equipment that creates a paper record of every ballot cast.
“Every one of the 67 counties has upgraded its voting systems to meet current technologies and standards,” she said, referring to a process that was only completed last December, when the last holdout county chose a new vendor, and after Gov. Tom Wolf issued $90 million in state debt to help counties purchase new machines.
Still, the speakers said the biggest stumbling block to good election security is the human factor, with temporary poll workers needing to be trained in how to manage the new systems.
“It is transient workers who are going to be part of this, transient facilities,” said Bindu Sundaresan, a director in AT&T’s cybersecurity practice. “Every one of these poses a risk.”
She also said workers who do fall prey to phishing attempts shouldn’t be shy about admitting it.
“Reporting on an email you find suspicious is not a bad thing, even if you clicked on it,” she said.
Boockvar told StateScoop that human error was also responsible for a temporary miscount that occurred in a race for a local judgeship last November, when new touchscreen-based machines failed to count votes for a candidate who later won after a recount of paper ballot backups.
“The main problem is the human error in programming,” Boockvar said. “The paper ballots were all accurate. It’s training and testing and training and testing. [Voting] machines have been programmed for more than a decade and sometimes errors are made. You need to do really thorough logic and accuracy testing. If there are late changes and late entries, you have to do logic and accuracy testing again.”
During the panel discussion, Moore offered what he considered one of the most important first steps to avoiding election-security mishaps.
“If you’re an elected [official] and do not have a relationship with your IT director, you really ought to talk to them,” he said.