Another Click2Gov data breach hits Indio, California
October 15, 2018
The online bill payment software used by hundreds of local governments continues to be a frequent source of cybersecurity incidents.
The document calls for $1.4 billion in more assistance to states for election security, with an emphasis on paper-based ballot machines.
Benjamin Freed is the technology editor for StateScoop, covering how states and cities make decisions about the technology that powers government s...
Eighteen states made a list of the "most vulnerable" election systems in the country in a report published Thursday by the U.S. House Administration Committee. The states included in the report were faulted for lacking several of the things voting-security advocates frequently call for, including paper records of ballots and post-election audits.
The report also states that the $380 million in funds currently being distributed to states by the federal Election Assistance Commission isn't nearly enough, and that it could cost another $1.4 billion over the next decade for every state to properly secure its election systems.
All 50 states plus the District of Columbia have now requested their share of the EAC's grant money, but the report claims that much more will be needed to upgrade election officials' information technology, implement cybersecurity training and swap out paper-free Direct Recording Electronic ballot machines, known as DREs.
But it's unclear how much sway the report will have in creating more election-security assistance to the states: the document was produced and signed only by the Administration Committee's Democratic members. Still, it pulls in many of the most frequently mentioned faults with state election security to press its case, including U.S. intelligence agencies' finding that hackers linked to the Russian government attempted to penetrate election officials' systems in at least 21 states during the 2016 cycle.
The five states bunched in the top tier of vulnerable states — Delaware, Georgia, Louisiana, New Jersey and South Carolina — earned that distinction because they're the only states that conduct all their elections on DREs that do not produce printed receipts.
"We have found that one of the most significant steps a state can take to protect its voting system is to replace paperless voting machines with voting machines that provide a paper trail," the report reads.
The report also says it'll cost those states much more than what they've received from the EAC to replace those machines, with Delaware expected to need $20 million and Georgia anywhere between $35 million and $100 million. Groups of voters in Georgia and South Carolina have also filed lawsuits against their state governments aimed at replacing the electronic machines.
Election-security advocates say paper records of ballots make it easier to determine if there are any irregularities in vote counts. But even if enough money to replace all the paperless machines were to suddenly appear in states' coffers, analysts say it takes a lot more than new hardware to secure the vote. "Voting machines aren't the only place you can undermine the election process," Mike Garcia, a consultant at the Center for Internet Security, said in May.
State election agencies have also been advised that they need to beef up their cyberdefenses, from making systems like voter registration databases more resilient against hackers to training employees to be more aware of phishing attempts. A few states mentioned in the report are using their EAC grant money to bolster their cybersecurity, such as Iowa, where Secretary of State Paul Pate recently announced plans to implement two-factor authentication for workers to access the state's voter file, and Washington, where Secretary of State Kim Wyman and the National Guard plan to run cyberattack simulation drills ahead of elections.
The nation's secretaries of state are meeting this weekend in Philadelphia for their annual summer conference, where election security is expected to dominate the agenda.
Here's the full list of states included in the report, by tiers of vulnerability: