Ready or not, states are about to find out if their election security investments worked
Last month, election officials in Vermont disclosed that the state had notified the U.S. Department of Homeland Security that it had detected a computer with an internet protocol address leading back to Russia snooping around its voter registration database in August. While the state said no data was altered , the incident was a reminder that the foreign cyberthreat is still out there, nearly two years after it dominated the conversation about the 2016 campaign.
This election cycle, state and local officials who supervise elections have scrambled to add cybersecurity to portfolios that long consisted mostly of registering voters and tabulating ballots. The inflection point came in September 2017, when DHS said that Russian hackers attempted to penetrate the voter registration systems in at least 21 states in 2016 and did so successfully in Illinois.
With all that in mind, those state officials have become active partners with the federal government, while upgrading computer systems, replacing equipment and sharing threat information. On Tuesday, they and their voters will find out if their efforts were worthwhile.
“The 2018 election will be the most secure election ever,” Christopher Krebs, the DHS undersecretary who oversees cybersecurity programs, said at a Capitol Hill briefing last month. “We do not say 100 percent secure, but the most secure to date and the most resilient.”
But that sunny outlook from the federal level takes many different forms when looking at how states are actually approaching the first nationwide vote since election security became a mainstream issue.
More money, more people
In August, states disclosed their plans for their shares of $380 million in grants from the U.S. Election Assistance Commission. Some states are using their grants to purchase new voting equipment, others are using it to create full-time cybersecurity positions in election offices. But that money, authorized under the 2003 Help America Vote Act, is meant as a down payment on long-term solutions. In the countdown to Election Day, building a cyberdefense around voting systems has meant shifting around existing personnel.
“We were able to to bring them up to speed pretty quickly with staff transferring in from other roles, Meagan Wolfe, the interim administrator of the Wisconsin Elections Commission,” told StateScoop recently.
Wolfe’s office plans to create full-time cybersecurity positions in the future, but for the short-term, she’s borrowing workers from the states Division of Enterprise Technology who can implement steps like more routine assessments and multifactor authentication to log into voter databases. It helps, she said, to have a good partnership with Wisconsin Chief Information Officer David Cagigal.
For most states, elections are run at the county level. In Wisconsin, every individual municipality 1,853 by Wolfe’s count is responsible for its own election setup, leaving the statewide commission responsible for corralling reports of suspicious activity and dishing out information and resources.
“We feel we have the framework ready to address whatever challenges that might come our way,” she said. “I don’t think we know what challenges might come our way, but we do feel confident well have the framework in place.”
Part of that framework is an expanded use of post-election audits . Under new rules Wolfe published in September, election clerks in 5 percent of the state’s precincts will manually review every ballot they collect, and compare those totals with the tallies provided by the machines that count votes on Election Day. (Every voting machine in Wisconsin, including the touchscreen devices that account for about 10 percent of the states inventory, produces a paper receipt for each vote, Wolfe said.)
Groups that advocate for stronger ballot security, like Verified Voting and the Brennan Center for Law and Justice have urged states to adopt stronger auditing methods like Wisconsins. The push has also been echoed by the National Academies of Science, Engineering and Medicine , and researchers at the Massachusetts Institute of Technology .
“Robust, routine post-election audits of vote tabulation machines are vital for protecting U.S. elections and bolstering public confidence,” Mark Lindeman, Verified Voting’s senior science and technology policy officer, said when Wisconsin announced its new audit procedure.
Techies in camouflage
Other states are turning to to their National Guards to help fend off cyberthreats against their election systems. Washington Secretary of State Kim Wyman was one of the first election chiefs to call on her states military resources in the wake of 2016. Uniformed personnel will have roles at the states security operations center alongside her civilian staff, running a series of threat assessments and vulnerability scans leading into Election Day.
“They only have to get it right once, and we have to get it right 24-7,” Wyman said in Seattle last month. “We are seeing activity. We assume every single threat could be someone trying to mess with our elections.”
Bringing in the National Guard, many members of which have day jobs with tech firms like Amazon and Microsoft, she said, “gives us an additional layer of security.
Other states, including Colorado, Ohio and South Carolina have also brought their National Guards into the election defense process. On Tuesday, many of them will be bunkered down in SOCs and fusion centers alongside state IT workers and liaisons from the federal agencies. A senior Trump administration official said Wednesday that the Justice Department plans to have an officer in each U.S. attorney district to coordinate reports of election-related crimes.
The story doesn’t end on Tuesday
Security experts warn all these additional layers may not add up to much.
“What I worry about candidly is that government is creating a TSA for elections,” cybersecurity consultant John Dickson told StateScoop. “It’s the lack of creativity and original thinking that will create a default where the only thing we can do is spend money and do rote testing.”
Dickson said state and local officials should be on the lookout for attempts like distributed denial-of-service attacks that disable websites where election results are posted, or robocalls that give voters the wrong information about when and where to vote. Either sort of operation is capable of undermining confidence in the election, yet both are relatively easy to launch, he said.
“The thing I recommended [to states] that I don’t think anybody’s done is create a rapid-response cell where they have a multidisciplinary team,” he said. “This is not an IT problem, this is an information-sharing operation, and cyber’s one piece of it. That’s what I fear, that this is left to the techies.”
A major effort to disrupt the 2018 elections may not come at all, though, which could lull officials into a false sense of success. “The weird thing about this too is that theres a good chance the Russians will sit this one out and all these guys will take credit,” he said. “It wont be that they didn’t get nailed, it’ll be that nobody came after them.”
States do have longer-term plans to build out their security operations. California plans to spend $134 million in state funds over the next two years furnishing its counties with new hardware and software to register voters and count ballots, as well as create a specialized Office of Election Cybersecurity within the secretary of state’s bureau. New York, New Jersey and Illinois announced similar projects that they plan to fund with their EAC awards.
Many states also plan to purchase entirely new fleets of voting equipment between now and the next presidential election in 2020 to phase out digital-only machines that do not produce paper records. Five states use those kinds of devices exclusively, and many other states deploy them in a majority of precincts. While voting machines are not connected to the internet, the digital-only variety can preclude officials from conducting audits.
‘This is going to be a lot of fun’
But even in the short term, there are tangible changes in how state and local officials are approaching election cybersecurity. The January 2017 decision by DHS to designate election systems as critical infrastructure led to the creation in March of the Election Infrastructure Information Sharing and Analysis Center at the nonprofit Center for Internet Security in Upstate New York, where a round-the-clock team of analysts looks at the latest reports of suspicious activity submitted by election officials. The EI-ISAC is also shipping out scores of Albert sensors, devices that detect potentially illicit activity on government computer networks, to state and county offices.
Ben Spear, the EI-ISACs executive director, said he’s been impressed with how election officials, whose main duties involve counting voters and ballots, have embraced the new challenge.
“I’ve never seen a field in which people are so passionate about a job, how seriously they take an election and making sure everything goes right and everything goes secure,” he said.
Still, cybersecurity has no finish line, and fewer disruptions next week than there were in 2016 will not give voter registration databases and other election systems immunity in the future, Dickson warned.
“There’s a lot of ground to make up,” he said. “There’s a decent chance nothing may happen. Its really the prerogative of the attackers. This is going to be a lot of fun.”