Ahead of midterms, states scrambling to fend off cyberattacks
| WASHINGTON
With the 2018 midterm elections fast approaching, security experts are warning that the nation鈥檚 election infrastructure will once again come under assault by hackers seeking to undermine American democracy.
But here鈥檚 an underappreciated fact: We鈥檙e already under attack.
鈥淲e average 100,000 scans on our [computer] systems a day,鈥 Missouri鈥檚 secretary of state, Jay Ashcroft, told a recent Senate panel examining election security. He was referring to unauthorized probing of the networks.
Why We Wrote This
The security and reliability of voting systems are fundamental to democracy. Congress and many states are moving to address vulnerabilities 鈥 but experts say they are not doing nearly enough.
Mr. Ashcroft and other state election officials were asked how often they detect attempts specifically to break into voter-registration and other election-related systems.
鈥淓very day,鈥 responded Vermont鈥檚 secretary of state, Jim Condos. 鈥淲e probably receive several thousand scans per day.鈥
Steve Simon, Minnesota鈥檚 secretary of state, compared the frequent attempted cyber-intrusions he sees to a car thief casing a parking lot.聽鈥淸The car thief] goes there a day or two in a row, and takes out binoculars and observes traffic patterns, and he tries to figure out, is there a way in?鈥 Mr. Simon told the senators.
鈥淭here are a lot of people casing a lot of parking lots,鈥 he said.
Last year, US intelligence and election-security experts issued grim warnings that alleged Russia-backed meddling during the 2016 election was merely a 鈥渨ake-up call.鈥
Now, four months from the 2018 midterm elections, it鈥檚 unclear if the US is ready for another round of election-related attacks in the cyber-shadows.
鈥淭here is a vast improvement over where we were in 2016,鈥 says Lawrence Norden, an election expert at the Brennan Center for Justice in New York. 鈥淭here has been so much more discussion and training done over the last year and a half than there ever was around cybersecurity.鈥
But, he adds, it is not nearly enough.
In March, Congress passed an election-security measure to provide a one-time grant of $380 million to state officials to upgrade and harden their election infrastructure.
While the money is welcome, analysts say it is only a starting point to address the full spectrum of vulnerabilities exposed during the 2016 election season.聽
鈥淭his is a national security issue,鈥 Norden says. 鈥淚n that context, $380 million is almost nothing. That is what we spend on a single Air Force jet in some cases.鈥
A paper record
For example, in 2016, 14 states were using voting machines incapable of producing a voter-verified paper record. Many of those states want to upgrade to a more secure voting system that would use paper ballots that can be hand-counted if there is a suspected breach or failure of tabulation software. But since the turmoil of 2016, only one of those states, Virginia, has made the transition to a more secure voting system.
Part of the reason for the delay is cost. It can cost tens of millions of dollars to outfit an entire state with new voting machines. Estimates are that Pennsylvania, a key swing state, may have to spend up to $60 million to replace its voting machines. Under the new federal grant, Pennsylvania is set to receive $13.5 million.
Officials in New Jersey and Georgia are actively exploring ways to buy new voting machines that support paper ballots. But they haven鈥檛 done so yet.
鈥淚t is disappointing that, given that there is pretty much uniform agreement among security experts that these systems need to be replaced, that we couldn鈥檛 manage to do it before the 2018 election,鈥 Norden says.
Moreover, he and others are quick to point out that paper ballots alone won鈥檛 be enough to protect US elections.
Michigan has used voter-verifiable paper ballots with its voting machines since 2004. But last year, the state spent $40 million to purchase the newest version of its voting machines, with upgraded software and more robust security features. The upgrade involved replacing 5,000 machines in 4,300 voting precincts state-wide, according to state officials.
鈥淲e want to stay two steps ahead of the bad guys,鈥 says Fred Woodhams, a spokesperson in the Michigan secretary of state鈥檚 office. 鈥淲e are pleased about where we are, but we still have more work to do.鈥
Mr. Woodhams says Michigan was allocated $10.7 million of the $380 million in federal election security funds earlier this year. The state plans to use much of that money to hire a cybersecurity contractor to conduct a comprehensive review of the state鈥檚 election system.
鈥淭hey will be looking at the whole system globally and at the local level as well,鈥 he says. 鈥淏ecause there are a lot of systems that interface with each other, we wanted to see how everything works together, and where the vulnerabilities are.鈥
As in many states, Michigan鈥檚 election system is decentralized. Elections are conducted at the local level by 83 county clerks and 1,520 city and township clerks. While decentralization makes it harder for a hacker to disrupt or swing an election, it also makes it harder to provide a uniform defense against cyberthreats.
The same issue arises in Minnesota, where elections are run at the county level, but only nine of the state鈥檚 87 counties are large enough to support a full-time, year-round clerk, according to Minnesota officials.
Security experts note that many election offices across the country, particularly in rural areas, do not have a single information technology specialist on staff, let alone someone trained in the latest cybersecurity threats and counter-techniques.
Following the 2016 election, many state and local election officials complained that the national government failed to provide them with real-time warnings about ongoing efforts to hack into their systems. In some cases, local officials didn鈥檛 learn of the attacks until 10 months later.
Since then, the Department of Homeland Security has set up an organization called the Election Infrastructure Information Sharing and Analysis Center. If state officials agree to participate, they can install monitors on their election networks to track and identify any potential threats. The center would then share recovered information and provide a warning system for other states.
Risk-limiting audits
Given the complexity of identifying and addressing election vulnerabilities, many election specialists advocate the use of audit techniques to help verify election results and identify hacking attempts.
Estimates are that 32 states have regulations or procedures for post-election audits. But many of these audits aren鈥檛 structured to detect a tabulation software flaw, or aren鈥檛 rigorous enough to uncover a deliberate hack, experts say.聽
The most robust audit available uses statistics to examine a random sample of paper ballots to verify the computer-driven tabulation of votes. Because it relies on a hand-count of a relatively small number of ballots (at least initially), these so-called risk-limiting audits provide a reliable way to double-check computerized election results.聽
The science has been proven and the cost is not substantial. But in 2018, Colorado will be the only state in the country using this technique to verify its elections.
鈥淭here is pretty much universal agreement that this is an important security measure to detect and perhaps recover from attacks on electronic voting systems,鈥 Norden says. But he acknowledges: 鈥淭here has been very little progress made on that front.鈥
Rhode Island is set to conduct risk-limiting audits starting in 2020. Pilot programs have been undertaken in Indiana and Orange County, Calif.
For the first time in 2018, Michigan will be conducting an audit of election results, by physically counting paper ballots in randomly selected precincts in each county.
鈥淭his is an avenue that might give assurance to people who are concerned about cybersecurity issues,鈥 Woodhams says. 鈥淓very voter in Michigan will be using a paper ballot, so at the end of the day, even if everything goes wrong, we still have a paper ballot to take out and look at by hand if we have to.鈥
But while Michigan is ahead of many states, Woodhams acknowledges that protecting an election from outside interference will be an ongoing process.
鈥淐ybersecurity isn鈥檛 something where you can declare victory and move on,鈥 he says. 鈥淚t is something you work on every day.鈥
