Cybersecurity and Democracy Collide: Locking Down Elections

The virtual guarantee of foreign meddling in the 2020 election poses a challenge to state and local officials, IT staff included, to protect American democracy. Experts say the keys to success will be cybersecurity, paper trails, risk-limiting audits and inter-agency communication.
by Andrew Westrope, Government Technology | October 8, 2019 AT 6:00 PM
National Cybersecurity and Communications Integration Center
DHS elections security staff monitor myriad data sources at the National Cybersecurity and Communications Integration Center on Nov. 6, 2018, the day of the midterm elections. Reuters

When asked at a congressional hearing if Russia would attack U.S. election systems again in 2020, Special Counsel Robert Mueller was unequivocal: “It wasn’t a single attempt,” he said. “They’re doing it as we sit here, and they expect to do it during the next campaign.”

Presidential campaigns are now underway, and election systems are still vulnerable. From voter registration databases to result-reporting websites to the voting machines themselves, researchers have identified soft spots across the system for hackers to exploit, meaning cybersecurity is now a front line of defense for American democracy.

There are many parties working on this problem — secretaries of state, the Department of Homeland Security (DHS), EI-ISAC (Elections Infrastructure Information Sharing and Analysis Center), various nonprofits and private companies — and a few common refrains between them. They’re all pushing for paper ballots, vulnerability screenings, staff training, contingency plans, audits and, above all, more consistent funding. And they all have the same basic message for state and local officials: The security of our elections is riding on you.

New hacks, old systems: Lessons of 2016

The day after Mueller’s testimony in July, the Senate Intelligence Committee released a 67-page report parsing Russia’s calculated attacks on election infrastructure, reinforcing Mueller’s conclusions at length. The good news was, the committee did not believe Russia manipulated vote tallies on Election Day, although it conceded that its actual insight into that determination was “limited.”

The bad news: The scope and precision of Russia’s attacks were worse than what had been widely reported. DHS now believes all 50 states were systematically studied for vulnerabilities, in a Russian operation that started in 2014, if not earlier. This involved surreptitiously retrieving data from voter registration databases, scanning state election systems and gaining access to at least two of them.

According to international reports, Russia has used a similar playbook of cyberwarfare on Ukraine, Bulgaria, Estonia, Germany, France, Austria and elsewhere in recent years. The overarching objective, as far as DHS can tell, has been to influence results, sow discord and undermine people’s faith in democratic elections. A declassified Intelligence Community Assessment from January 2017 found that Russian diplomats had even planned to publicly challenge the validity of the 2016 election if Hillary Clinton won, preparing a social media campaign centered around the hashtag #DemocracyRIP. It also found that Russians maintained access to certain elements of several state or local election systems up to that point, although none involved vote tallying.

Suffice to say Russia succeeded in causing widespread concern, to the extent that agencies like DHS and EI-ISAC have spent the past three years planning for 2020 and pinpointing vulnerabilities. They found many.

In a briefing before senators in August 2018, then-DHS Undersecretary for the National Protection and Programs Division Chris Krebs said top vulnerabilities included the administration of voter registration databases and the tabulation of data, the former being easier to attack.

Election+Systems+and+Software+

Forty-one states and more than half of U.S. voters use equipment from ES&S Systems, shown here at a National Secretaries of State convention in Philadelphia. / APImages.com


The Senate Intelligence Committee’s report in July offered several examples. In April 2016, a malicious cyberactor accessed a state’s voter registration database because a county employee had opened an infected email attachment, which then stole the employee’s credentials and posted them online for hackers to use. In another instance, in late 2018, Russian cyberactors penetrated Illinois’ voter registration database, accessed up to 200,000 registration records and retrieved an unknown amount of voter data. They could have deleted or changed the data, but investigators found no evidence they did so.

With examples like these in mind, EI-ISAC Director Ben Spear emphasized to Government Technology the importance of considering the whole election ecosystem when assessing its pressure points.

“When it comes to the adversary, they’re not necessarily looking to explicitly change votes or change results, but create the perception that something might have happened,” he said. “And while we talk about nation-state threats and things like that, the most common threats that anyone is going to see are the same across the SLTT [state, local, tribal and territorial] sector, so they’re dealing with the same ransomware, the same financially motivated malware, the same phishing … so [officials] should be collaborating with each other.”

National Cybersecurity and Communications Integration Center

In congressional testimony earlier this year, Special Counsel Robert Mueller recommended "swift" action to protect the integrity of U.S. elections systems. / APImages.com


Voting machines

Assessing voting machines, the Senate report contains an almost entirely redacted section on Russian activity directed at vendors, noting that malicious cyberactors had “scanned … a widely used vendor of election systems.” The fact that most voting machines come from the same handful of manufacturers doesn’t help, because it means the compromise of just one or two manufacturers could have a massive influence.

Of course, weaknesses differ depending on the machine and how the adversary accesses it, but the consensus today is that electronic voting machines, or direct recording electronic systems (DREs), are most vulnerable. Susan Greenhalgh, vice president of programs for the advocacy group National Election Defense Coalition, said DREs came into favor after the Help America Vote Act (HAVA) in 2002, aimed at improving access for the disabled and elderly.

“There were a lot of computer scientists who said, ‘Hey, that’s not a good idea, because these machines could be hacked and you might never know, if somebody knows what they’re doing,’ so there’s been a movement for a while to urge states to adopt paper voting machines. This happened well before 2016,” she said. “We’re told over and over again that voting machines aren’t connected to the Internet. That is not correct. Voting machines have wireless modems that connect to the Internet, and election officials say, ‘We only do it briefly at the end of the night,’ but that doesn’t matter. If you know anything about cybersecurity, you know that is enough for somebody to plant malware in a system.”

One computer scientist raising warnings has been J. Alex Halderman of the University of Michigan, who warned a Senate committee in 2017 that cybersecurity experts found a wide range of “severe vulnerabilities” in both DREs and optical scanners that would allow saboteurs to alter votes. Earlier that year, an annual hacker conference in Las Vegas found that WinVote machines were most easily manipulated.

Lock It Down

A Senate Intelligence Report released in July offered a laundry list of recommendations for state and local election systems:

  • Work with DHS to identify weak points in networks
  • Undertake security audits of voter registration databases
  • Institute two-factor authentication for user access to state databases
  • Install monitoring sensors like DHS’ Albert on state systems
  • Make voter registration database recovery part of continuity-of-operation plans
  • Update software in voter registration systems
  • Create paper backups of registration databases
  • Consider a voter education program to make sure voters check their registration info before Election Day
  • Replace outdated and vulnerable voting systems
  • Re-examine safeguards against people inserting fraudulent paper ballots

Voting equipment manufacturer ES&S has also disclosed that election-management systems, not specifically voting machines, in close to 300 jurisdictions contained software that made them vulnerable in 2016. The software hadn’t been installed in new machines since 2007, but the company said 41 states and more than 50 percent of voters use ES&S equipment.

In 2016, five states were using only DREs with no paper trail, and another nine states were using at least some DREs with no paper trail. Experts consulted for this story were unanimous that every voting system going forward should have a paper trail.

All hands on deck

The potential upshot of cyberattacks is a productive reaction. Iowa Secretary of State Paul Pate, who is also president of the National Association of Secretaries of State, said he feels like he saw one, as election cybersecurity became an “all hands on deck” issue nationwide.

“Probably the biggest change since 2016 [is] that we had focused so much of this on the top, meaning federal and state centralized, but now what we’ve seen is definitely an expansion to the most local level of government,” he said. “It’s pretty clear that it’s a high priority of ours, and it’s clearly become a major issue in the last two election cycles, and it’s not going to go away. What you’re seeing is a lot more public dialog about it than in the past.”

In 2018, Congress appropriated $380 million through HAVA for states to improve cybersecurity and replace vulnerable voting machines. In Iowa, that has meant rapid deployment of malware detection systems, traffic-detecting “Albert” sensors from DHS, and other protective technologies and system reviews. Pate’s department also hired a cyberservices coordinator to work with CIOs and local jurisdictions, especially ones with limited resources, to connect them with services they need.

“With … the final payment of the HAVA money we just received a little over a year ago, that has been focused on cyber. In our case, in Iowa, we are using more than half of that to provide support services directly to the counties,” he said. “That money has been very productive in that regard.”

Speaking for DHS, Cybersecurity Strategy and Integration Program Manager Geoff Hale said after the 2016 election, his department took steps to ensure state and local officials had the ability to receive up-to-date information and alerts about threats and vulnerabilities of their systems.

In 2018, despite the initial protestations of most states, DHS declared U.S. election infrastructure “critical infrastructure,” making the federal government partially responsible for it. As part of this designation, DHS launched a Government Coordinating Council focused on elections, which made a list of IT and election officials to notify in case of a threat. DHS also started working with states on trend analysis, threat intelligence and vulnerability testing, deploying Albert sensors to monitor Web traffic and provide intrusion detection for voter registration databases.

DHS’ critical-infrastructure designation also led to the creation of EI-ISAC, a branch of MS-ISAC that handles information for election officials and provides no-cost cybersecurity services to state and local governments.

Director Ben Spear said EI-ISAC started with conversations with election officials, then system assessments, then Albert sensors in all 50 states.

“That’s been a great accomplishment … having a better understanding of the threat landscape,” he said. “We also provide forensic response. We provide a lot of free information and vulnerability profiling, which is different from the vulnerability assessments DHS provides. It’s not as deep but provides some great information from folks.”

Separate from EI-ISAC, Spear said the Center for Internet Security also has a best-practices unit that collaborated with local election officials, federal partners and advocates on a handbook for election infrastructure security.

Voting+machine

Many voting machines have not been patched for more than a decade. / Shutterstock.com


How to reinforce the front lines (and the back)

With governments, nonprofits and technology vendors on high alert going into 2020, the list of ways for state and local officials to “improve cyberhygiene,” as DHS puts it, is long and diverse.

DHS’ Geoff Hale said his department’s efforts at the local level will be focused on helping people understand their susceptibility to phishing scams, as well as incident-response planning and vulnerability scanning. First and foremost, he said, local governments should sign up to become members of EI-ISAC if they’re not already, and avail themselves of its resources.

EI-ISAC’s Spear stressed the importance of having an emergency response plan, which is required for election officials in many states, and for IT officials to start building a communicative relationship with their local election officials if they haven’t already.

“At the local level, it’s more common for the local IT to be the actual IT responsible for elections, and we encourage that they are engaged with their election officials,” he said.

Consistent with DHS’ efforts, Secretary of State Pate said the most needed investments are not hardware or software, but training and awareness. He also recommended that larger counties with more in-house expertise adopt a “good neighbor” policy, helping smaller jurisdictions around them, which he said has benefited rural communities in Iowa.

Pate added that all states should utilize the designated Homeland Security liaison to which they are entitled, and ask Congress for a more consistent source of funding.

“The best advice I can give Congress is that they should be working with the state jurisdictions to identify where we need to prioritize our resources,” he said. “I think most of us secretaries are in agreement — it would be ideal to have a more consistent funding stream for these types of cyberprotections. … What happens in five years when the money’s not there? The state will have to … raise taxes or whatever they need to do to pay for that cybernavigator that I hired, because the HAVA money will be gone.”

In lieu of funding, several nonprofits, advocacy groups and private companies are stepping up to offer resources such as free software tools. Microsoft, for example, launched its own Defending Democracy Program and partnered with Galois, a security tech company, on an open-source software development kit called ElectionGuard. Available for free on GitHub, ElectionGuard proposes to help election officials and technology vendors make voting systems end-to-end verifiable (E2E-V), meaning they cannot be cheated without detection because they allow voters and third-party organizations to confirm that votes were unaltered and properly counted.

Protect Democracy, a nonpartisan nonprofit in Washington, D.C., has also released a free app called VoteShield, now used by more than a dozen states, which uses basic statistics and machine learning to analyze changes in voter registration databases and flag unusual activity.

Susannah Goodman, director of election security for the grass-roots watchdog organization Common Cause, praised these tools but stressed the importance of a legible paper trail no matter what.

“Unless the voter reviews the ballot, then that ballot isn’t useful in becoming the permanent record of that voter’s choices. You want to create a situation where the user interface is easy, and it’s user-friendly for the voter to review the physical paper ballot. That’s a step that usability experts across the board have [supported],” she said. “If the state law allows you to have backup paper ballots, have emergency ballots on hand. Understand that the e-poll books are great, but they do fail. … There always needs to be a plan B, and that resilience needs to be baked into everything. Not only does that help with run-of-the-mill problems … but it absolutely helps with the nation-state threat, because these systems are so resilient, if something happens that screws it up, and there’s a plan B, it’s fine.”

With the idea of procedural security and backups in mind, the Senate Intelligence Committee report released in July gives a series of recommendations. For the federal government, it wants a policy of serious retaliation for future attacks, more discussion about cybernorms, and creating clear channels of communication with state and local officials.

The committee also recommended that states commit to risk-limiting audits, and require their machines to be certified by the U.S. Election Assistance Commission or compliant with the EAC’s Voluntary Voting System Guidelines. It said the components most in need of immediate cybersecurity fixes were voter registration databases, and election-night reporting websites run by the states — again, to prevent hacks that wouldn’t affect vote tallies but might cause confusion.

To sum up the responsibilities that now lie with state and local governments, Gen. John Allen of the Brookings Institution said this to the National Association of Counties in 2017: “I always felt pretty proud, being a Marine, that I could say I was part of the first line of defense of the United States of America, and that I had spent most of my life defending the institutions of American democracy … I now think that you, the leaders of the counties of America, in many respects are the front line of defense of the most profoundly essential institution of American democracy.”