States Race to Secure Their Voting Systems Before Hackers Strike Again
American intelligence agencies were watching the 2016 election closely. The month before Election Day, they released a statement warning that they detected efforts by the Russian government to undermine voters’ trust in the election process. Among those efforts was the highly publicized leak of emails stolen from the Democratic National Committee.
But Russia’s attempts at interference didn’t end there. In recent months, officials have sounded the alarm on Russian efforts to more directly influence the election through attempts to hack state electoral systems.
“There were concerns about could the Russians do something with the voter registration rolls, make names disappear, replace some things, and prevent some people from voting,” said former CIA director John Brennan in an interview for Putin’s Revenge, FRONTLINE’s months-long investigation into the origins of Russia’s election meddling.
This June, Bloomberg reported that Russian hackers targeted various systems in 39 states during the summer and fall of 2016.
Then, in September, the Department of Homeland Security (DHS) notified election officials in 21 states that hackers linked to Russia sought access to their voter registration files and public election sites.
“It was a growing list, but it seemed to be a random list,” said Jeh Johnson, the former secretary at DHS, in an interview with FRONTLINE.
The targets included battleground states like Ohio, Florida, Pennsylvania, Virginia, Iowa and Wisconsin.
Election officials in 19 of the states have said that their systems were not breached, and there has been no evidence that voting machines were compromised or votes changed due to the Russian interference.
But in Illinois, officials said hackers did manage to access the voter registration database and view around 90,000 records in the summer before the election. And in Arizona, the password and credentials of an election official were stolen by hackers, according to officials there.
Russian President Vladimir Putin has denied that his government was behind the hacking efforts. Nevertheless, the incidents have exposed critical gaps in the nation’s election infrastructure, according to former intelligence officials and cybersecurity experts, and ignited a tense debate between state and federal officials over how best to secure voting systems ahead of elections in 2018 and 2020.
“We know from more than a decade of research into voting machines and other election equipment that most of the equipment we use in the U.S. is just full of vulnerabilities,” said Alex Halderman, a professor of computer science and an expert in cybersecurity at the University of Michigan. “We know that there are routes that attackers could potentially use to remotely compromise everything from the electronic poll books that are used to check-in voters at the polling place, to the voting machines themselves, to the voter registration systems. These are not well-secured systems.”
Even without hacking into voting machines directly, potential attackers could cause chaos and disruption by tampering with voter registration data, said Halderman, deleting or altering records to cause delays at polling stations or have voters turned away on Election Day.
In the wake of last year’s attacks, states are stepping up firewalls and encryption of their voter databases; boosting password security among election employees; monitoring their networks for threats; and testing any election infrastructure that’s connected to the internet to see how easy it would be for hackers to get in. Many are also creating cybersecurity task forces.
In West Virginia, election officials are hiring a cybersecurity expert from the National Guard. Wisconsin is working to get an employee who works with the state’s voter registration system certified as a “white hat” hacker, someone trained to think like a hacker and test for vulnerabilities.
“Efforts to share cybersecurity best practices of all kinds are absolutely lighting up the elections world right now,” said Wendy Underhill, director of elections and redistricting at the National Conference of State Legislatures, which tracks the issue among states. “Election officials across the nation are doubling down on it, learning from each other, and talking more closely with their IT people and other resources.”
But for all the high-tech measures under way, some states have made the decision to turn back to paper ballots as a safeguard. Unlike many electronic voting machines, paper balloting provides a trail that can be audited if election results come into question.
In September, for example, Virginia decided to end the use of touchscreen voting machines ahead of its election next week. And when Rhode Island got new voting equipment in 2016, it too required machines that used paper ballots.
Rhode Island will soon join Colorado as one of the first states to require advanced, “risk limiting” auditing procedures — considered the gold standard by election security experts — to verify its vote tallies. Currently, 18 states don’t mandate post-election audits at all, and most states have yet to adopt the more rigorous checks.
“Part of the problem we have in government is that technology moves much faster than government does,” said Jim Condos, the secretary of state in Vermont. “No matter what we do today, tomorrow’s a new day, and we’re always looking to the future and how we can stay ahead of bad actors.”
As states grapple with the evolving vulnerabilities in election security, DHS has been working to improve its coordination and communication with them. Election officials in several states said the agency did not directly inform them that their systems had been targeted until 10 months after Election Day.
For example, when Michael Haas, Wisconsin’s chief election official, testified in June before the Senate Intelligence Committee about cybersecurity, he didn’t know his state was among the 21 states targeted by Russian hackers. It turned out that DHS notified the chief information officers in the affected states, but didn’t “consistently” inform senior election officials, according to Bob Kolasky, acting deputy under-secretary at the agency’s National Protection and Programs Directorate.
The department is now working to get election officials security clearances so that they can receive information about threats. “It’s one thing for me to say, ‘You really should take this seriously,’ and it’s another for us to give a brief on why I’m saying you really should take this seriously,” said Kolasky. “What can be shared at a classified level provides more context on the nature of the threat.”
DHS has also designated elections as “critical infrastructure,” in an effort to provide states with federal support in securing elections. But according to Johnson, the move was resisted by some state election officials.
“Surprisingly, we got a lot of pushback from them,” he said. “They perceived a critical infrastructure designation as somehow a federal takeover, or federal regulations. And I spent a lot of time telling them, that’s not what this is. It just simply is prioritizing our assistance if they ask for it.”
In February, the National Association of Secretaries of States passed a resolution opposing the designation, saying that it was passed “without sufficient state consultation or analysis.” The group’s president, Indiana Secretary of State Connie Lawson, said the Homeland Security department should have a role in election security, but that it should be limited.
“I think the federal government can be helpful if they can provide, in a timely way, threat information that states wouldn’t know about if it was going on in another state,” said Lawson. She noted that her state is now one of six working with the department to test a new DHS-funded program called the Multi-State Information Sharing and Analysis Center, which is designed to help monitor networks for anomalous behavior or threats and share that information with election officials.
DHS and states are also working to develop a set of national standards for securing elections from cyber threats. While the standards would be voluntary, experts say creating them is critically important.
Halderman noted that it’s not only Russia that’s capable of interfering in future elections, but also countries like China, Iran and North Korea. “In my opinion, it’s only a matter of time until we do suffer a very, very serious attack on our election infrastructure, unless we get much more serious about securing it.”