States across the nation are ramping up their digital defenses to prevent the hacking of election systems in 2018.
The efforts come in the wake of Russia’s interference in the 2016 presidential election, which state officials say was a needed wake up call on cybersecurity threats to election systems and infrastructure.
“We’ve upgraded all of our security,” said Michele Reagan, the Arizona secretary of state. “Some of the things I can’t talk about because, of course, we don’t want to give the bad guys a road map.”
Arizona was one of several states whose election systems Russian hackers are believed to have targeted ahead of the presidential election. The state was forced to shut down its voter registration system for several days last summer, after a hacker gained access to a computer connected to the database.
The hacker never gained access to the actual voter database, but the incident spurred fears that data could have been stolen or, worse, altered.
“That we are constantly worried about,” Reagan, a Republican, said of the prospect hackers could alter voter names or other data. “You’d throw chaos on Election Day.”
Since then, Arizona has focused on implementing multi-factor authentication for its systems, ensuring employees have strong passwords, and adapting other “best practices” recommended by the federal government.
The state has also moved to ensure there’s a “command center” in place to run an election in the event of a massive problem with their data systems, Reagan said.
Much of the attention on Russia’s 2016 operation initially focused on Moscow’s use of disinformation and cyberattacks against the Democratic National Committee.
But lawmakers on Capitol Hill have increasingly raised alarm about Russia’s efforts to target state and local election systems. In June, DHS officials testified before the Senate Intelligence Committee of evidence that Russia targeted election-related systems in 21 states.
While none of the systems targeted were involved in vote tallying, the issue has heightened concern about the risk to voter registration databases and, separately, digital voting machines. It is also viewed broadly as undermining confidence in the democratic process—which the U.S. intelligence community said was Russia’s chief aim.
One of the targeted states was Illinois, which suffered a breach of its voter registration database by Russian hackers and announced a number of security enhancements last August after discovering the breach. Illinois introduced new password requirements, mandated two-factor authentication for all database users, and added password encryption.
Time reported in June that the hack of the Illinois database resulted in 90,000 records being stolen, including many containing the last four digits of voters’ Social Security numbers.
States are implementing some measures quietly, refusing to disclose the steps they’re taking on digital security for fear of offering clues to cyber criminals or nation-state hackers. They insist they have and will continue to take cybersecurity seriously, as threats mount.
“I can say that we’ve been valiantly fighting the cybersecurity battle here in Illinois for decades, and will continue to do so in the future,” Kenneth Menzel, general counsel at the Illinois State Board of Elections, told The Hill in an email.
“We’re really not going to be in a position to discuss specific items (as we do not wish to tip our hand publicly as to the details of defenses, as that would only help those who might be interested in attacking us in the future).”
Russia’s election meddling triggered a strong response from the Department of Homeland Security, which lent voluntary cybersecurity assistance to 33 state election offices and 36 local election offices ahead of Election Day. In January, the department also designated election infrastructure as critical infrastructure, opening polling places, voter registration databases, and voting machines to federal protections.
But that decision has sparked tension between the federal government and state and local officials, many of whom oppose the move. Still, information newly revealed by Congress shows two states and six local governments took up the help, asking DHS to conduct cyber hygiene scanning of systems this year.
In Arizona, which has not taken up DHS’ aid, Reagan said that her IT staff receives weekly updates from their federal counterparts at the department.
Security experts are still divided over the extent of hacking risks to actual voting machines. Some say that because many different voting machines are used across the country and because they are not connected to the internet, that would make any large scale attack hard to carry out.
“It makes it a less scalable and actual target to influence the outcome of an actual election,” said Josh Corman, director of the Atlantic Council’s Cyber Statecraft Initiative.
But others contend that digital voting machines are vulnerable and could be targeted to influence actual election outcomes.
“Some election functions are actually quite centralized,” Alex Halderman, a University of Michigan computer science professor, told the Senate Intelligence Committee in June. “A small number of election technology vendors and support contractors service the systems used by many local governments. Attackers could target one or a few of these companies and spread malicious code to election equipment that serves millions of voters.”
Further highlighting the issue, at the DEF CON cybersecurity conference in Las Vegas last weekend, security experts successfully hacked into 30 different voting machines brought in for participants to experiment.
Corman, who was at the conference, noted that the hackers required physical access to actually infiltrate the machines and, once hacked, the machines showed signs they were hacked.
Still, he said the demonstration showed the need for state officials to be wary of new technologies they procure and for device makers to improve physical security.
“This, to me, is raising the visibility and need to take this seriously,” he said.
Most states use a combination of paper ballots and scanners to record digital votes, meaning that a paper record exists and can be audited. Some, however, use only paperless voting machines.
Cybersecurity experts like Halderman have advocated for the use of what are known as risk-limiting audits, a method that checks election outcomes by comparing a random sample of paper ballot results, if they exist, to their corresponding digital versions.
Last month, Colorado hired a Portland-based startup to develop software for the state to conduct risk-limiting audits starting with off-year elections in 2017.
The state made the decision to begin implementing these audits before the revelations about 2016 hacking, but Dwight Shellman, manager of county regulation and support at the Colorado Department of State, said that the decision “bear[s] on the issue” of growing cybersecurity concerns.
“The bottom line is, this is the world we live in now,” Shellman said. “This is the new threat landscape.”
State officials are confident in the cybersecurity of their voting infrastructure, but say they don’t dismiss the threat. Reagan said that her IT staffers detect and block thousands of unwarranted attempts to access state computer systems each day.
“I can guarantee you right now, someone is trying to hack into them,” Reagan said. “We have to be right every single time. The bad people only have to be right once.”