Russian hackers might not be as active in interfering with U.S. voting systems this year as they were in 2016, but that doesn’t mean states don’t have plenty of work to do to secure future elections, state and federal officials told members of the House of Representatives Wednesday.
“Many elections across our country are being run on equipment that is either obsolete or near the end of its useful life,” Rhode Island Secretary of State Nellie Gorbea told the House Homeland Security Committee.
But Gorbea, who said her state started buying new paper-ballot optical scanning machines to count votes in 2015, said replacing hardware is only one part of making the elections she oversees less vulnerable. In her experience, she said, the state-, county- and city-level officials who actually manage elections are “ill-prepared” to deal with cyberthreats.
The more pressing danger to election security is the number of threats against the computer networks used by state agencies involved in conducting elections, rather than against the ballot boxes themselves, Gorbea and Christopher Krebs, the Homeland Security undersecretary in charge of the department’s cybersecurity programs, said at the hearing.
“Voting systems in and of themselves are systems within systems,” Krebs said when asked if he was aware of any attempts by hackers to directly access ballot-counting machines. “You also have backend systems that store voter registrations. Just like any IT system, there are going to be vulnerabilities. What we’re looking for is resilience in the system.”
Krebs said that resiliency extends from defending against actual attacks to preventing system failures that have similar consequences, such as a recent “programming error” in Maryland’s statewide voter file that caused as many as 80,000 voter registrations to not be entered in the system just before last month’s primary elections. In that instance, and a similar situation in Los Angeles County, affected voters were able to cast provisional ballots, but both events were reminders that no system can be perfected.
But then there are actual incidents of foreign attempts to access a state’s voter database, such as Illinois’s, which U.S. intelligence agencies say Russian hackers successfully accessed in 2016. While no records were changed, Krebs told the committee it was possible hackers attempted to probe voter files in all 50 states and the District of Columbia. The intelligence community has said Kremlin-backed hackers successfully scanned voting systems in 21 states in 2016.
Two big differences between then and now, Krebs said, are that the public is more aware of cyberthreats against elections, and that the federal government is more involved in responding to the attacks. But how much of that awareness and response trickles down depends on state and local officials.
For Rhode Island’s part, Gorbea said her office is getting every local jurisdiction in the state to enroll in the Elections Infrastructure Information Sharing and Analysis Center, or EI-ISAC, a goal she said will be completed later this month. Gorbea also said she’s brought in local elections officials to run drills on hypothetical Election Day mishaps.
Gorbea also said Rhode Island is starting to use some of the funds her office received as part of a $380 million package of grants from the federal Election Assistance Commission to state elections officials. Rhode Island is spending $500,000 out of a $3.15 million grant on cybersecurity upgrades to its voting systems this year, she said.
The next Podesta
Many of Gorbea’s counterparts across the country are taking steps to bolster their election security. Last month, the secretaries of state from Minnesota, Missouri and Vermont briefed members of a Senate panel on the steps they’ve taken to batten down their systems, stressing the importance of paper trails and post-election audits.
But cybersecurity experts caution against putting too much faith in hardware upgrades. Paper ballots are more reliable than digital counts, but one of the easiest ways for a hacker to compromise an election system is with a phishing attack triggered by a government worker clicking the wrong link.
“No one wants to be the next John Podesta” — the chairman of Hillary Clinton’s 2016 campaign, whose personal emails ended up on WikiLeaks after he fell for an email fraudulently claiming to be from Google — “but the biggest problem is you’ve taken 50 secretaries of state and 5,000 county officials, these sleepy government administrators, and put them on the front line of a war with a nation-state,” said John Dickson of the Denim Group, a cybersecurity consulting firm in San Antonio.
Dickson said that voting machines themselves, which tend to spend most of their lives in warehouses and are not networked, are easier to secure. But voter registration databases and websites that report election results are glaring targets. Even if an election board has an accurate vote count stored offline, Dickson said that a successful denial-of-service attack can create a public perception that the results have been tampered with.
Instead of simply pursuing new hardware and other procurements, Dickson said election officials need to focus on training and education.
“What I recommend is some kind of two-factor authentication, at least at the state level, combined with social education to make [people] more aware about the phishing attacks that are always going to come in,” he said. “In some of the counties they do that, but think of the 254 counties in Texas.”
With respect to Texas, Dickson said some of the bigger counties — such as Bexar, where San Antonio is located — have the resources to upgrade authentication and educate staff, but many of Texas’ counties are rural and have small, part-time election staffs.
“I think the question is how quickly they can move before November?” he said.
Many of the country’s top election officials will spend time trying to come up with answers this weekend when they gather for the National Association of Secretaries of State’s summer conference in Philadelphia. The schedule features sessions on voter and ballot security, and Krebs said at Wednesday’s House hearing that top DHS officials plan to brief the conference.
If what Krebs and Gorbea told federal lawmakers is any guide, the solutions will have to be collaborative, both between different levels of government and between states. Nearly 1,100 states and municipalities have signed up for the EI-ISAC, which provides members with cybersecurity tools and guidelines. The Department of Homeland Security, Krebs said, will train state and local officials on how to conduct regular cyber-hygiene tests and get better about reporting threats up the chain to federal authorities.
But as much assistance as the federal government can offer in protecting election systems, state and local officials will have to learn to fend for themselves.
There are 10,000 election jurisdictions, Krebs said, “and not enough cybersecurity expertise to go around.”