By Danny Restivo & Christopher Biermann (Posted 11/6/17)
In late September, the Department of Homeland Security (DHS) notified election officials in 21 states they were targeted by Russian hackers during the run-up to the 2016 election. While DHS officials previously said cybercriminals had attempted to breach state databases, they never identified the states. After contacting election offices in all 50 states, the Associated Press confirmed the states; they include swing states like Florida, Ohio, Pennsylvania, Wisconsin and Virginia. Other states targeted were Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, Illinois, Iowa, Maryland, Minnesota, North Dakota, Oklahoma, Oregon, Texas and Washington.
While the hackers did not manipulate voting machines, they did access voter registration files in two states. In Illinois, they breached a voter database and compromised the identities and personal information of 90,000 voters. In Arizona, hackers stole the username and password of a single election official. Nineteen other states reported they were targeted but no information was breached.
The DHS announcement raised the ire of elected officials charged with investigating claims of Russian meddling in the 2016 election.
“It’s unacceptable that it took almost a year after the election to notify states that their elections systems were targeted, but I’m relieved that DHS has acted upon our numerous requests and is finally informing the top elections officials in all 21 affected states that Russian hackers tried to breach their systems in the run up to the 2016 election,” said Sen. Mark R. Warner (D-Va.), vice chairman of the Senate Intelligence Committee.
In light of mounting public pressure, local and state officials, including the National Association of State Secretaries (NASS), have begun working with the FBI, the Department of Homeland Security and other federal agencies to improve communications between local, state and federal entities. Since former President Barack Obama designated elections as critical infrastructure in 2016, states can now access federal cybersecurity tools and intelligence briefings from federal agencies. On October 15, the DHS organized a meeting with top election officials from around the country. The 28-member group called the Government Coordinating Council hashed out communication lines between local, state and federal agencies.
In September, the U.S. Election Assistance Commission—the federal commission created by Congress following the 2000 election controversy—along with the National Institute of Standards and Technology, announced an overhaul of voluntary guidelines for states purchasing new voting equipment. The guidelines aim to create a trail for electronic votes, data interoperability among voting systems, logging of user access for election tools and limits on who gets access and under what circumstances. These measures tighten up physical security by making sure any attempt to tamper with voting gear leaves evidence. The goal is to improve security and reliability for non-government vendors involved in the election process, specifically the small number of companies that manufacture polling equipment. All these initiatives intend to support state governments overseeing the election process. Several state secretaries have voiced concern over perceived encroachment by the federal government but remain committed to securing the integrity of their elections.
“The DHS designation of our election systems as critical infrastructure was a controversial move that NASS opposed last February,” said NASS President Connie Lawson, who serves as Indiana’s Secretary of State. Her statements came after EAC guidelines were released and the Government Coordinating Council convened earlier this month. “However, we have worked hard with DHS and the EAC to set up this coordinating council and ensure that the designation does not have a negative impact, thereby helping to increase public confidence in our elections process,” Lawson said.
The U.S. does not have a federalized voting system—relying instead on 9,000 different voting jurisdictions and more than 185,000 individual precincts. Under these circumstances, some believe a successful hacker will have a limited effect on the vote, but questions regarding the vulnerability of voting records, registration and vote-tallying machines linger.
In June, more than 100 cybersecurity professionals, election administrators, bipartisan lawmakers, professors, and tech and business experts sent a letter to Congress on behalf of the National Election Defense Coalition. The NEDC urged Congress to take action to secure elections and maintain confidence in the democratic process. They offered three recommendations:
- Establish voter-verified paper ballots as the official record of voter intent.
- Safeguard against internet-related security vulnerabilities and assure the ability to detect attacks.
- Require robust statistical post-election audits before certification of final results in federal elections.
“While there has been encouraging progress to improve election security in recent years, too many polling stations across the nation are still equipped with electronic machines that do not produce voter-verified paper ballots. Many jurisdictions are also inadequately prepared to deal with rising cybersecurity risks,” the letter read. “We are writing to you as members of the computer science and cybersecurity communities, together with statisticians and election auditing experts, to convey our concern about these and other vulnerabilities in our voting system and to urge you to take the following simple, straightforward, and cost-effective actions to set meaningful standards to protect American elections.”
In early October, Sen. Ron Wyden (D-OR) wrote a letter to election technology manufacturers. Wyden asked the companies to detail their protocols, and whether they used outside experts who follow best practices. He sent letters to Dominion Voting, Election Systems & Software, Five Cedars Group, Hart InterCivic, MicroVote and Unisyn Voting Solutions. Wyden also sent letters to two voting system test laboratories accredited by the U.S. Election Assistance Commission.
“As our election systems have come under unprecedented scrutiny, public faith in the security of our electoral process at every level is more important than ever before,” Wyden said in his letter. “Ensuring that Americans can trust that election systems and infrastructure are secure is necessary to protecting confidence in our electoral process and democratic government.”
In April, Rep. Hank Johnson (GA-D) reintroduced the Election Infrastructure and Security Promotion Act of 2017 (H.R. 1907). The bill would require the Department of Homeland Security to maintain a critical infrastructure designation for all voting systems, while also limiting the purchase of any new systems that do not provide voter-verified paper ballots. It would force compliance with standards developed by the National Institute of Standards and Technology for operational security and ballot verification. Johnson’s bill, which has 34 Democratic co-sponsors, would also establish programs that promote research and innovation in voting technologies. While federal lawmakers and agencies provide assistance, several states have initiated their own programs to strengthen security.
In September, West Virginia’s Republican Secretary of State Mac Warner announced a partnership with the West Virginia Air National Guard to assess election systems and monitor cybersecurity. The State Division of Homeland Security and Emergency Management has helped facilitate the partnership, which aims “to anticipate, to prevent, and monitor criminal and terroristic activities in the state.”
“We will use every resource available to protect our democratic process, ensure voting accuracy, protect voter’s private information, and give the confidence that our state agencies are working together to combat every threat,” Warner said. West Virginia has a host of state and federal seats open in 2018, including a U.S. Senate seat.
Illinois experienced the most serious voting records breach in September. As a result, the state legislature approved a law on October 26 requiring notification of cybersecurity breaches to residents within five days. The bipartisan legislation also requires government organizations or agencies to report breaches to the Chief Information Security Officer in the state technology office within 72 hours. However, the CISO can withhold information regarding a breach if an investigation deems it necessary. Illinois has also passed laws mandating cybersecurity training for state employees while announcing a strategy designed to unify cybersecurity operations across 62 state agencies.
The Commonwealth has a gubernatorial race in 2017 that could significantly impact the nation’s political landscape. Virginia was among those targeted by Russian hackers in 2016. While authorities say nothing was breached, election officials have begun taking steps to mitigate vulnerabilities. In September, the Virginia Board of Elections ordered 22 counties and towns (VA has 95 counties) to adopt paper-backed balloting machines before the November 2017 election because of outdated electronic machines. The decision stems from a 2017 cybersecurity convention in Las Vegas when hackers breached the state’s voting system. Governor Terry McAuliffe had tried to replace the Commonwealth’s outdated voting machines in 2014, but the Republican-controlled legislature had cut funds from the state budget. Virginia has also provided cybersecurity training to detect phishing attacks and protect passwords. The state has also begun working with federal agencies, including the DHS.
In mid-July, Colorado became the first state to enact a post-election auditing system that cybersecurity experts have long supported. The Colorado State legislature approved a law in 2009 mandating the procedure, known as a “risk-limiting” audit, but after several years of testing, it extended the deadline to 2017. The audit allows state officials to sample and compare paper ballots to electronically cataloged results of those ballots.
In a risk-limiting audit, state officials select a sample of paper ballots — usually the margin of the outcome — and compare them using statistical methods to ballots cast electronically. The audits aim to determine whether a comprehensive recount is justified. Digital security experts have applauded Colorado’s program for its accuracy, as well as its state-focused approach, which does not include federal oversight. Colorado will publish its auditing software under a free license so other states can download and modify it for their own use.
Rhode Island has taken several steps to shore up election security. In April, the state hired its first cybersecurity officer. The new officer, Mike Steinmetz, will develop a comprehensive state strategy and serve as Governor Gina M. Raimondo’s cybersecurity advisor. In September, the Rhode Island state legislature approved a bill giving the Board of Elections power to conduct risk-limiting audits, similar to the initiative in Colorado. In mid-October, cybersecurity experts convened a forum to share tools and expertise on how to guard against cyberattacks.
In late September, Washington’s director for elections said the state was embarking on a pilot program to improve the elections process. The program, which will partner with the DHS and the Multi-State Information Sharing & Analysis Center, aims to improve the assessment of vulnerabilities and identify mitigation plans; improve the sharing of information; and improve the reliance on DHS for local in-person support and reporting of incidents or threats. Washington has employed a paper-based system which includes voter-verifiable audit trails. There’s also an emphasis on having pre- and post-election audits as well as independent testing.
While state and federal agencies work to improve security at the polls, President Donald Trump has launched a Voter Integrity Commission to investigate claims of voter fraud. However, a lack of evidence has sparked intense pushback from both Democrats and Republicans who want to keep the focus on foreign meddling in the election process. The Commission also threatens to undermine state efforts by requesting sensitive voter information, further increasing vulnerabilities, as well as reallocating scarce resources. “As states try and create programs to enhance security, some cash-strapped governments may require federal assistance,” says Eric Martins, DMGS Managing Director. Martins added, “However, if the White House is focused on voter fraud allegations, states in desperate need of secure IT infrastructure could become incredibly vulnerable for future elections.”