States Face Challenges on the Road to Better Election Security

The realization that Russia interfered in the 2016 presidential elections sent states and the federal government scrambling to secure the process, but it hasn’t been easy and is likely to get harder.

by Alan Greenblatt, Governing / July 19, 2018
Maryland state Senate President Thomas V. Mike Miller, left, and House Speaker Michael Busch at a press conference about an FBI briefing they received about Russian links to a company that maintains part of the state election board's voter registration platform. (AP/Brian Witte)

Last week, Maryland officials announced that the FBI had informed them that ByteGrid LLC, an election vendor that handles the state's voter registration, election management and election night results sites, is financed by a fund whose manager is Russian and whose top investor is a Russian oligarch.

Over the weekend, a Russian woman named Maria Butina was arrested and appeared in court Monday on charges that she was a Kremlin agent who worked to infiltrate the National Rifle Association and other conservative groups in an effort to influence U.S. politics.

And on Tuesday, Vice reported that Election Systems & Software, a major voting machine manufacturer and software vendor, conceded in a letter to U.S. Sen. Ron Wyden that it had installed remote-access software on its machines between 2000 and 2006.

"Installing remote-access software and modems on election equipment is the WORST decision for security short of leaving ballot boxes on a Moscow street corner," Wyden, an Oregon Democrat, tweeted on Tuesday. "Congress MUST pass my bill to require paper ballots and audits."

While taking these threats seriously -- and finding out new information on seemingly a daily basis about vulnerabilities to attack -- state and local election officials stress that they have made great strides in making voting systems safer over the past year and a half.

"We're certainly in much better shape than we were in 2016 across the country," says Condos, the new president of the National Association of Secretaries of State.

There's no proof that any actual votes were changed by hackers in 2016, but the whole menu of Russian attacks -- fake social media profiles, political ads on the internet, hacking into Democratic Party emails -- has undermined public confidence. Actual voting infrastructure, such as voting machines and voter registration rolls, are often conflated in media accounts with these other types of attacks on the political process as a whole.

"It can be dangerous to confuse these topics," says Lawrence Norden, a voting expert at the Brennan Center for Justice at New York University. "It's often difficult for the public to understand the threat we're dealing with."

Cutting against the message of risk, however, is the skepticism that President Trump has repeatedly expressed about Russia being responsible for election interference, despite the conclusions of federal intelligence agencies and the Senate Intelligence Commmittee.

"The warning signs are there," Dan Coats, the federal director of national intelligence said Friday, referring to foreign cyberattacks. "The system is blinking."

Trump reiterated his doubts on Monday at a joint news conference with Russian President Vladimir Putin. He backtracked to some extent on Tuesday, but his dismissals have made it more difficult to reach consensus in Congress about the need to pass enhanced election security legislation.

"A lot of people are hesitant to get into this because they don't want to take too hard a stance on this Russian collusion issue one way or another," says Daniel Savickas, legislative outreach manager for FreedomWorks, a free-market advocacy group in Washington.

One bill, the Secure Elections Act, has bipartisan support. Several of its Republican cosponsors serve on the Senate Intelligence Committee, where they've had access to extensive documentation regarding Russian interference. The bill would increase information-sharing between state and federal officials, offer states technical assistance, and promote paper ballots and audits. It's received hearings as recently as last week but as yet doesn't appear to be near a vote.

"I would hope that after the 2018 election, the ball will get moving on this bill," Savickas says.

The indictments last week offered new details of the apparent Russian plot to interfere with the 2016 elections.

"It confirmed this digital Watergate of Russians hacking into the Democratic Party apparatus," says Liz Kennedy, senior director for democracy and government reform at the Center for American Progress, a progressive think tank in Washington.

Although the indictment portrayed a more widespread and multifaceted effort than had previously been reported, it didn't contain many revelations about breaches of election infrastructure. It did include at least one major new piece of information, though: Russians managed to access sensitive personal information of 500,000 voters registered in one state, believed to be Illinois -- far more than was previously understood. DHS officials have said that Russians tried but failed to access records in 20 other states.

"Previously, with the intrusions, it looked like whoever was trying to get in was trying to get caught, to play with people's heads," says Charles Stewart, a political scientist at MIT who studies election data and systems. "The fact that they stole information makes it look more like identity theft."

Some States More Vulnerable Than Others 

Democrats on the U.S. House Administration Committee released a report last week highlighting election vulnerabilities in 18 states.

Some state officials questioned the methodology of the report, noting, for instance, that states were downgraded if they hadn't applied for federal assistance even though the deadline for applying for grants with the Election Assistance Commission hadn't passed.

House Democrats gave their lowest marks to five states -- Delaware, Georgia, Louisiana, New Jersey and South Carolina -- that rely exclusively on electronic tallies, using machines that generate no paper record.

Last week, former South Carolina state Sen. Phil Leventis and businessman Frank Heindel filed a lawsuit complaining that their state's election system has "deep security flaws," arguing that its 14-year-old voting machines are vulnerable to hacking. A spokeswoman for the South Carolina Election Commission says the agency has asked the legislature for funding to replace the machines.

Earlier this year, Congress authorized $380 million for states to improve their election systems. According to the Election Assistance Commission, the bulk of the grant requests it's received from states would be devoted to new equipment purchases and cybersecurity.

State election officials are trying a variety of approaches to increase security. No two states are following the exact set of policies, but common approaches include firewalls, real-time monitoring of internet traffic, blacklisting known internet protocol addresses that are problematic, post-election audits and requiring local officials to use two-factor authentication when logging into state systems.

"This is not going to be a one-size-fits-all solution," says Kennedy of the Center for American Progress. "We have to recognize that there are continuing vulnerabilities in our election structure, and we are learning more about new vulnerabilities that continue to come to life.

The Problem With Vendors

No matter how many steps government officials take to improve their own security efforts, they face potential exposure if they're using vendors whose efforts are more lax. This week's revelations about the national vendor Election Systems & Software and Maryland's vendor, ByteGrid LLC, highlight that.

Maryland Gov. Larry Hogan, Senate President Thomas V. Mike Miller and House Speaker Michael Busch sent a joint letter to DHS on Friday asking for federal assistance in evaluating the security of the state's election system.

"When the FBI comes in and tells you that they have information that there might be Russian money involved in the vendor you have for your electoral system, you take notice," Busch told CNN on Monday.

Some states are altering their contracts with election vendors to stipulate that they have to perform penetration and vulnerability tests.

"Larger counties have IT experts they can rely on directly," says Stewart, the MIT professor. "Smaller jurisdictions are already contracting out so much of what they do. There's always one kind of soft underbelly of the operation, and it's that -- it's the mom-and-pop election vendors who are helping out the small counties."

As part of its meeting in Philadelphia over the weekend, the National Association of Secretaries of State convened new councils, one devoted to government entities at different levels and the other to vendors. Both remain works in progress. State election directors were asked at this meeting to get all their vendors to join in this effort. But so far, achieving widespread participation among vendors -- or even figuring out who all the election vendors are -- has been challenging.

'A Future Attack Could Be More Sophisticated'

At the meeting, federal Homeland Security Secretary Kirstjen Nielsen suggested that her department is not detecting as many cyber-probings this year as it had in 2016. It's possible that the midterm election will see less foreign interference than the presidential campaign, although no one is resting easy about that.

Certainly no one thinks the Russians will sit out the 2020 campaign. Last week's indictments of Russian officials made it clear that some of their efforts began fairly late in 2016.

"That reinforces a concern that many others have raised before, that a future attack could be more sophisticated and damaging," says Norden, deputy director of the Brennan Center's democracy program. "Whoever did this will have more information and potentially more planning time, next time."

Something goes wrong, somewhere, with every election. There's always a glitch. When 118,000 voters were accidentally left off polling place rosters in Los Angeles County for the California primary election last month, speculation immediately turned to hacking.

That wasn't the case. But election officials know they have a bullseye on their back and that the possibility of foreign intrusion into the electoral process threatens to undermine confidence in elections and their outcomes. A major goal of foreign interference, Norden says, is not necessarily to support a particular party or candidate but to discredit the whole idea of democracy and elections.

"A successful attack against any of them has the potential to impact the confidence of the entire election system," he says.

Knowing exactly what to do to keep the bad guys out remains a bit of a shot in the dark. But election officials are far more vigilant than they were at this time two years ago and recognize that this is an evolving threat.

"A computer's a computer," says Vermont Secretary of State Condos, "and every computer can get hacked."

This story was originally published by Governing.