In the past eight days, federal officials — including Dan Coats, the director of national intelligence; Kirstjen Nielsen, the homeland security secretary; and Christopher Krebs, the homeland security undersecretary for cybersecurity — have warned that the Russian hackers who attempted to meddle in the 2016 election are on the prowl again.
Depending on who you ask, state election officials are either implementing sweeping new security measures or making minimal progress in safeguarding voters ahead of this November’s general election. Every state has claimed its piece of the $380 million the federal Election Assistance Commission offered for new security measures, and several states’ top election officials have told Congress they’re using the money to harden the firewalls around their voter registration files and to replace antiquated ballot equipment with new machines that offer paper records.
According to other reports, though, states aren’t making much progress. According to Politico , just 13 states are using their EAC money to buy new voting equipment, while 22 won’t be replacing their balloting machines before November. Only 18 states are taking the Department of Homeland Security up on its offer of cybersecurity assessments.
But the EAC money makes up just a small percentage of what’s actually needed to overhaul a election system — upgrades could cost some individual states upward of $100 million. An additional wave of federal dollars is unlikely, and so too is the possibility that states will replace ballot machines with less than four months until Election Day.
So in the meantime, some states’ top election officials are taking their own measures to beef up security between now and November. Over two days in Philadelphia last weekend, attendees of a national conference of secretaries of state detailed a few different approaches they’re taking to secure their votes.
Training and authentication
While there’s no evidence hackers altered vote tallies in 2016, there are other paths into messing with an election, especially statewide voter files, which are often connected to the internet. Last week, the federal government accused 12 Russian intelligence officers of infiltrating a state’s voter registration system — believed to be Illinois’ but not explicitly named by investigators — and making off with 500,000 voters’ personal information.
That attack has prompted election officials to consider the security around their voter files. But those systems are accessed at multiple levels of government, and even within a forward-thinking state, not every jurisdiction can afford a robust, full-time information technology staff.
“I’m not giving a blueprint to the bad guys when I say a weak link in election security can be local government,” Minnesota Secretary of State Steve Simon said at the Philadelphia conference. “We have our statewide voter registration system. It’s a password-access system, but passwords get lost, stolen and shared.”
Most of the $6.6 million Minnesota is getting from the EAC will go to new voting machines, but Simon said he and local elections officials agreed that $1.5 million will be spent on rebuilding the statewide voter file, which was last overhauled in 2004.
“It was built very well,” he said. “But like many things built well in 2004, like that flip phone, it doesn’t work so well in 2018.”
A key component of Minnesota’s new voter registration system is that it will include multi-factor authentication, meaning users will need to provide not only a password, but also a second form of authentication such as a randomly generated code. Simon said the state is absorbing the entire cost of the authentication upgrade — about $80,000 in the first year — for all 87 counties to implement it before the Aug. 14 primary.
Simon said he’s also considering using some of the EAC funds to add an information technology professional to his office who can help train staff in Minnesota’s smaller communities, where election officiating and cybersecurity are not full-time roles.
“Hennepin County” — which contains Minneapolis — “probably is fine,” he said. “But Lincoln County, which has no stop lights, there isn’t an elections IT area. Maybe we’re providing training to people who usually do drainage, property taxes and all the rest.”
Sharing resources, Simon said, could go a long way to restoring voters’ confidence in elections. “I don’t care where you live,” he said, “you deserve the same protection and that takes effort and collaboration.”
A similar collaborative, multi-jurisdictional approach toward election security is also underway in Colorado. It started on Election Day in 2016 when the state convened threat-information-sharing “fusion centers” in conjunction with officials from Denver, suburban Jefferson County, the National Guard and the FBI.
Spreading cybersecurity expertise across locations allowed the state to respond quickly to mishaps that day, Secretary of State Wayne Williams said. When the fire alarm in the commercial building housing Williams’s command center went off, the state’s distributed approach ensured there was no lapse in monitoring threats.
Later that afternoon, election officials briefly lost access to the statewide voter registration system. A cyberattack was quickly ruled out, and Williams said his staff was able to repair the glitch in less than 30 minutes.
Colorado has also implemented multi-factor authentication for its voter file — state workers accessing it must enter a code generated by a digital or physical card — and encryption for ballots from overseas voters. Of the 23,000 Coloradans, including deployed military members, who voted from abroad in 2016, about 11,000 used the state’s then-new secure ballot return system that transmits completed ballots on an encrypted channel that can only be retrieved by a county administrator using multi-factor authentication.
The added steps have paid off: Colorado has achieved a reputation as one of — if not the — safest states in which to cast a vote. Williams’ policies have been cited as a national example by the likes of Verified Voting, a group that advocates for election security, and Colorado was one of only a handful of states to get the highest mark in a Center for American Progress report assessment of election infrastructure.
The push to replace voting equipment is motivated largely because many of the existing machines prevent officials from conducting post-election audits to verify the results. Five states — Delaware, Georgia, Louisiana, New Jersey and South Carolina — currently use only direct-recording electronic machines, known as DREs, that do not produce backup paper records. The mid-20th-century gear-and-lever equipment still used by other states, including New York and Pennsylvania, don’t produce paper records, either.
Thirty-two states mandate post-election audits, but there are several ways to review vote counts. Many traditional audits look like the system used by Vermont, where following every election, Secretary of State Jim Condos’s office randomly selects 5 percent of Vermont’s towns and cities, and manually reviews “100 percent of ballots and 100 percent of races” from those jurisdictions.
Some states, though have been moving toward what’s known as a “risk-limiting audit,” which election security experts say are more accurate and less expensive. These audits take more mathematically advanced approach using much smaller samples, but with sophisticated statistical methods that analyze the audit sample against the official vote count. Indiana, for instance, conducted one in 2016 using just 61 ballots to confirm that Democratic nominee Hillary Clinton won Indianapolis by a wide margin, Secretary of State Connie Lawson said.
Rhode Island became the second state last year, after Colorado, to require risk-limiting audits after elections. At the Philadelphia conference, Rhode Island Secretary of State Nellie Gorbea, sitting next to Lawson, said the new method represents one more step toward restoring voters’ confidence.
“Elections only work if people trust the results, otherwise it doesn’t really matter,” she said. “The benefit of a risk-limiting adult is that it uses statistics to bring in certain efficiencies. The hard part is how do you explain that to voters who have no reason to understand statistics.”
Still, while advanced auditing methods can save time and money, they also require staff training and new equipment, and not every state is ready, Condos said during Gorbea’s presentation.
“There are very few states that can do risk-limited audits,” he said. “Until we’re ready for new machines, we’re not going to do it.”
The National Guard
If all else fails, you can always bring in the Army. That’s not quite what Washington Secretary of State Kim Wyman is doing, but her office has formed a partnership with the state’s National Guard to bolster elections security. The relationship was inspired by Washington’s National Guards to be one of the first in the country with a dedicated cybersecurity unit, many members of which have day jobs with tech and computer firms.
“We don’t want the military to take over our elections, but they have resources that will make our elections stronger,” Wyman said. “Because Washington is home to Microsoft and Amazon, a lot of our National Guard members work in the industry.”
With Washington voting almost exclusively by mail, Wyman said she does not need to worry as much about replacing ballot equipment and can instead focus more on cybersecurity. That came in handy in July 2016, when Washington IT workers detected an attempted intrusion of its voter file and tipped off DHS — the state was eventually named as one of 21 that U.S. intelligence officials say were the target of Russian hackers attempted to breach voting systems.
The National Guard personnel now working with state election officials will help train local staffs to spot cyberthreats, test firewalls, and take part in tabletop exercises before Election Day that will simulate cyberattacks against the state’s voting systems, Wyman said.
U.S. Rep. Derek Kilmer, a Seattle-area Democrat, recently introduced legislation proposing cybersecurity units in every state’s National Guard. Wyman, a Republican, said partnering with the guard has proven especially useful in helping smaller, less tech-y communities improve their cyberdefenses.
“We have counties that range from 1 million registered voters to counties with fewer than 2,000,” she said. “Small counties don’t have all the tools they need. Partnerships are the key.”