Linn County, Iowa, Elections Officials Expect More Cyberattacks

After acknowledging the voter registration system was targeted by hackers in Nov. 2016, officials expect it to happen again.

by James Q. Lynch, The Gazette / November 2, 2017
Shutterstock

(TNS) -- CEDAR RAPIDS, Iowa — Maintaining the integrity of the election process is a bit like an arms race, according to a cybersecurity professional who reviewed Linn County’s voter registration system.

“Cybersecurity is an ever-present challenge,” Aaron Warner, CEO of ProCircular in Coralville, said during an election cybersecurity webinar Tuesday with Linn County Auditor Joel Miller. Whatever steps Miller and other election officials take to maintain the security of election systems, Warner warned that bad actors who attempted to hack United States voting system in November are trying to stay one step ahead.

“We believe we’ve never been hacked, that we’ve never had any issues occur that would affect the integrity of our elections,” Miller said, but he acknowledged that Iowa’s voter website was the target of would-be hackers.

“Not only were we a target of hacking, but we can expect to be a target of hacking in every congressional election from this day forward,” Miller said. “And not just by Russians, but maybe by the North Koreans or whoever else who has something against our country.”

The November election was a wake-up call for many election officials, Miller said. Immediately following the election, all reports were favorable. Later, it was learned that hackers, presumably Russians, had scanned the Iowa Secretary of State’s public-facing website — which is not connected to the voter information system.

“I think us in the election community, at least from what I’ve seen, were pretty surprised by the efforts that were made,” Miller said. “I don’t think any of us had any idea in November that we were even a target of being hacked. So, yeah, I think they are ahead of us in that respect.

“I think we are astounded by that and now we’re playing catch-up,” Miller said.

Warner talked about how some of his staff participated in the Voting Machine Hacking Village at Def Con 25, an annual gathering of people involved in cybersecurity, including many government agencies, as well as hackers. It took convention participants 90 minutes to begin penetrating the voting machine security.

In one case, a default password for a voting machine was found by Googling it. Warner said. In another, hackers found that a machine had not been decommissioned properly, leaving information on more than 650,000 voters, including Social Security numbers, exposed.

Many of the 25 machines tested by convention participants had parts made in China, which Warner also saw as a vulnerability.

In the wake of the election and an accidental release of some voter information in Linn County, Miller had ProCircular conduct a review of cybersecurity procedures in his office. That’s left him in a bit of a quandary because Miller wants to share what he learned with other election officials, but not with the public, which would include potential hackers.

“Our desire is to be open and transparent,” Miller said. “Yet if I, for example, am open and transparent with the results of my recent cybersecurity study I’ve just given them the blueprint to defeat the system.”

He had the Board of Supervisors adopt a resolution making details of the election infrastructure confidential. That allows him to share information with colleagues, but not make the report available for public inspection. Iowa law allows that in cases of public records that relate to safety and security.

“We still want people to get out and vote,” Miller said. “We want you to engage in the process, become an informed voter and vote, and bring your friends and relatives to the polling places as well.”

©2017 The Gazette (Cedar Rapids, Iowa) Distributed by Tribune Content Agency, LLC.