State election officials said Tuesday that they’ve been watching how their state governments have responded to incidents like ransomware attacks as lessons on what they would do if the voter registration databases, vote-total reporting systems and other components of election infrastructure that they manage were targeted.
Though the ransomware incidents that have spread through state and local governments across the United States have largely spared election systems from the worst, most debilitating effects, the Department of Homeland Security last year said that local officials could be targeted by viruses that lock them out of voter rolls unless they pay a financial demand.
And at a conference in Washington hosted by the Election Assistance Commission, state officials said they are paying attention to the ransomware wave.
“Case in point, Texas had a widespread ransomware attack,” said Keith Ingram, that state’s elections director. “[The response] was mainly directed toward law enforcement, but within hours, DHS was on the phone with me, asking if the elections were impacted, could they be of service.”
Ingram said his agency’s network wasn’t affected, but in a state as sprawling as Texas — with 254 counties — he’s responsible for helping local election officials get up to speed. Of Texas’ counties, 113 have populations of less than 15,000, he said, and most of those jurisdictions don’t have IT assets dedicated to protecting the vote. But Ingram said there have been a few recent measures to help out those counties.
About half of the $24.4 million grant that Texas got in 2018 from the EAC is being used to assess the cybersecurity of all 254 counties’ election offices, checking for vulnerabilities, including whether files and applications pertaining to election administration aren’t segmented from the county government’s main network. On Tuesday, Ingram said about 70 counties have completed their assessments so far, though he expects all 254 to have been checked out by the end of the year.
How things have changed
Texas also has new state laws that require anyone accessing the state’s voter registration system to participate in annual cyber hygiene training and give Ingram’s office the authority to certify the electronic poll books that precincts use to check in voters.
“Before, it was the Wild, Wild West,” he said.
Earlier in the day, Vermont Secretary of State Jim Condos opened the conference by saying that since 2016, when Russian government hackers attempted to penetrate the voter databases in at least 21 states, election administrators “now eat, sleep and breathe cybersecurity.”
States are spending down their shares of $380 million the EAC doled out in 2018, and a federal spending plan approved last month authorized a new $425 million round of grants. But as the elections administration community enters its fourth year as a component of federally designated “critical infrastructure,” Condos repeated election officials’ calls for regular, dedicated funding to secure voting systems.
“A one-time lump sum fund every so often is helpful, but we need more than that,” he said. “We actually need to have annual sustainable and dedicated funding. Cybersecurity is a race without a finish line.”
A favorite topic of discussion
Shelby Pierson, the U.S. intelligence community’s election threats executive, said Tuesday that state election officials will be briefed Thursday on the top cyberthreats to the electoral process, including possibly an increase in Iranian activity following escalating tensions between the United States and the Islamic Republic.
But ransomware attacks were also a recurring topic at the EAC conference. Louisiana Secretary of State Kyle Ardoin recounted how local governments across his state were targeted throughout 2019, including two incidents that prompted Gov. John Bel Edwards to declare statewide emergencies.
Although Ardoin’s website was briefly offline during a ransomware incident last November that affected multiple statewide agencies, he said no data pertaining to election administration was damaged or compromised, thanks to his agency running on a different network than the rest of the Louisiana state government.
“We were able to see all the protocols that were in place that worked, where we could make adjustments, and we did so,” Ardoin told StateScoop on Tuesday. “But the good news is that everything that was already in place worked and kept us from being hacked.”
Still, he called Louisiana’s ransomware experiences “real-life fire drills,” lessons that need to trickle down to local governments. Ardoin said he’s convening twice-yearly “election academies” to train parish election officials on various issues, including tests to see if employees know not to click on suspicious links in emails. Ardoin suggested the pass rates on those phishing tests are high, but there are always stragglers.
“There’s one or two because they let their guard down,” he said. “But once they flunk it, they get a real warning. At least we’re doing it during testing.”