The 2016 presidential election and its aftermath laid bare the vulnerabilities in the core of American democracy — the way in which the country votes. Not only were Hillary Clinton’s campaign and the Democratic National Committee hacked, but according to an indictment from Special Counsel Robert Mueller, hackers stole information from an unnamed state election website on 500,000 voters, including their names, partial Social Security numbers, addresses, birthdays and driver’s license numbers. They also targeted, but were unable to get into, 20 other states.
This time around, election officials from around the country promised to be better prepared. So, what are they doing to harden the voting infrastructure against cyber attack? And what are they doing to prepare? To answer those questions, we talked to the experts.
The Federal-State Election Divide
First, let’s take a look at how elections are held. The U.S. does not have a single federal system for voting — instead, each of the 50 states runs its own. Voting technology varies from state to state, with some using paper ballots and others a variety of electronic voting systems. That means there’s not a one-size-fits-all way of ensuring that each state is protected against cyber attacks.
Because the election system is considered vital infrastructure, though, the federal Department of Homeland Security (DHS) is responsible for helping secure it. It has no oversight over the elections, but offers training, advice and intelligence to the states. The federal government also distributes hundreds of millions of dollars to help protect elections. In addition, DHS performs risk assessments for the states, as well as penetration testing.
What does DHS think about vulnerabilities in state systems? Christopher Krebs, undersecretary of the National Protection and Programs Directorate, Department of Homeland Security, recently said at a public forum held by the Washington Post that state election systems suffer from three common vulnerabilities. First, they are not on the most modern systems. Next, they still face patch management and vulnerability management challenges, and patches are sometimes delayed or never applied. Finally, the systems have misconfiguration errors, though the DHS offers training, help and money to the states to fix all that.
What States and Local Governments Are Doing
Thomas MacLellan, Director Policy & Government Affairs for Symantec, says that states take a variety of different approaches to election security because of their differing systems. However, he said, many of them use Albert sensors, developed by the Center for Internet Security, which detect attempts to hack electoral systems, and send alerts to state and federal agencies. MacLellan adds that the states also use intelligence and information provided by the center.
Reuters reports that as of August 7, 36 states had installed the sensors at “elections infrastructure level.” Other states were planning to install them before the election, the news service reported.
MacLellan also points to a war-game-like cyber security and disaster election exercise held by Colorado in September as an example of the kinds of actions that states are taking.
In most states, elections are overseen by each state’s secretary of state. So perhaps the best place to turn to find out what states are doing is the National Association of Secretaries of State (NASS). NASS President Jim Condos is the Vermont secretary of state and has direct hands-on experience with how states and local governments are trying to secure the election.
In Vermont, Condos says, the state performs in-depth penetration testing on its systems, and also contracts with the DHS to have its electoral systems scanned on a weekly basis to find vulnerabilities, something that he says other states do as well. It blacklists known and suspected dangerous IP addresses, and requires multi-factor authentication to get into its election management system. It performs daily backups on its voter registration database. And like all other states, it provides training and help to the localities where people vote.
One of the most important ways that Vermont ensures votes are cast and counted properly, he says, may surprise some people.
“Probably the simplest thing we do, and it has nothing technically to do with cyber security, is to use paper ballots,” he says. “We’ve always used them, and years ago we added into our statutes that we must have a paper ballot for every vote that’s cast.”
States have been turning towards paper ballots and away from electronic voting machines for security reasons, he says, especially from direct-recording electronic (DRE) touch screen machines that have no paper backup. Only five states — Delaware, Georgia, Louisiana, New Jersey, and South Carolina — still use DREs that have no paper trail.
Both MacLellan and Condos agree that work needs to be done to protect elections against cyber attacks. But they also say the states have come a long way in a relatively short time with their current protections.
“Election systems are now more cyber secure, especially when you look at where states were from the cyber security standpoint five years ago,” MacLellan says.
As for Condos, it’s an issue he grapples with all the time.
“I go to sleep at night thinking about cyber security,” he says. “Cyber security is like a race without a finish line. It's never-ending. It's ongoing. We have to be ready to evolve and change, because that’s what the bad actors trying to get in are doing.”