The June 2016 breach of the state’s voter database remains the warning sign for election system vulnerability, with national security experts now saying all 50 states had been targeted for Russian intrusion.
(TNS) — Three years after Illinois’ voter registration database was infiltrated by Russian hackers, Illinois and local officials are spending millions to upgrade the cyberdefenses protecting voters and their ballots leading up to the 2020 election.
“It’s gone from being among the concerns to the paramount concern,” said Jim Allen, spokesman for the Chicago Board of Election Commissioners. “Now, every election official across the country is engaged in some level of a security program.”
Efforts to prevent foreign hacking range from hiring Internet security specialists to, in the case of Chicago and Cook County, making plans to buy new polling machines.
The June 2016 breach of the state’s voter database remains the warning sign for election system vulnerability, with national security experts now saying all 50 states had been targeted for Russian intrusion. At least 21 states reported being contacted by addresses associated with Russia, largely by scanning public websites, but Illinois’ data breach was the most significant.
All told in Illinois, personal information involving 76,000 voters was viewed, including names, addresses, partial Social Security numbers, dates of birth and driver’s license numbers. State election officials contacted the victims and provided steps to take on identity theft. No one contacted the state attorney general’s office to say his or her information had been compromised.
While the database was compromised, the state’s ballot count was never in jeopardy.
The breach has been highlighted amid congressional calls seeking new federal funding to secure elections across the country; former special counsel Robert Mueller’s recent testimony on election interference warning that the Russians are “doing it as we sit here”; and a subsequent U.S. Senate intelligence committee report on the scope of the hacking.
State officials dispute some of the statements made about the extent of the Illinois breach in the heavily redacted Senate intelligence panel’s report released last month.
The report quoted Department of Homeland Security staff as saying of the Illinois hack that “Russia would have had the ability to potentially manipulate some of that data, but we didn’t see that.” Of Illinois, the DHS staff said that “the level of access that they gained, they almost certainly could have done more. Why they didn’t ... is sort of an open-ended question.”
But state election officials said the report overstated what the Russians accomplished in breaching Illinois’ database.
“That is completely counter to everything that we have ever been told and to what we know,” Matt Dietrich, spokesman for the State Board of Elections, said of the assertion that the Russians could have manipulated the voter data.
“We know where they got in and we know what the permissions were once you broke into that area. It wouldn’t have allowed you to change or edit or delete any data," he said. “We saw what they tried to do unsuccessfully.”
State election officials acknowledge that hacking attempts to their systems continue to this day but say they so far have been rebuffed.
The 2016 hacking attack in Illinois initially was so small-bore that no one at the State Board of Elections noticed anything until nearly three weeks after it began. Then it picked up in volume and unusual spikes of activity were noted involving the server containing the database containing information about millions of Illinois voters.
The hole in the system was the state’s online voter registration application website, which allowed people to sign up to be eligible to cast a ballot. State elections officials shut down the site on July 13, 2016, but malicious queries, blocked by a firewall, show the state board’s Internet addresses continued to be hit five times per second, 24 hours a day, for the next month.
Working with state Internet technology officials, the FBI and the Department of Homeland Security, security enhancements to the online voter registration website were completed and the system was put back online two weeks after being shut down.
The Department of Homeland Security assessed “with high confidence that the penetration was carried out by Russian actors,” and Mueller in July 2018 issued indictments against a dozen Russian military intelligence officers. Though the indictments dealt largely with the hack of Democratic Party computers in the 2016 presidential contest, they also involved the breach at the State Board of Elections.
In the aftermath of the Illinois hack and in preparation for last year’s midterm elections, the state announced it would spend nearly $14 million as part of a five-year program to improve the state’s election system cyberdefenses.
But in many respects, despite the successful Russian hack, the decentralized nature of elections in Illinois is one of the main deterrents to having its vote totals hacked.
Voting in Illinois is conducted by 108 election authorities, the county clerks or election panels in the state’s 102 counties as well as six special election commissions in Chicago, Bloomington, Danville, East St. Louis, Galesburg and Rockford. It is the individual election authorities, not the state board, that run the polls and tally the ballots.
Voting machines are randomly tested to ensure their accuracy prior to the election, with voting equipment and memory cards locked before balloting occurs.
On election days, polling places are staffed by five judges representing both major parties in each of the approximately 10,000 voting precincts in Illinois. Poll watchers also are eligible to be present. After the polls close, election judges process the ballots in the presence of all the judges and any authorized poll watchers.
Results from each precinct are totaled by each election jurisdiction without the use of the Internet.
Moreover, there is a paper trail for each ballot cast regardless of the type of balloting system used. After elections, the systems go through a random audit process.
Despite expressing confidence in the actual voting process, state election officials acknowledge that the bulk of the voting machinery in Illinois is at least 15 years old. It would cost $175 million to replace the machines with more modern, secure devices that are easier to audit.
“Fifteen-year-old voting equipment. It’s brittle but not broken. It’s not so much vulnerable to attack but failure, and you’re scavenging other parts from other machines,” said Chuck Scholz, the former Quincy mayor who chairs the eight-member, bipartisan State Board of Elections.
State election officials are looking for federal funding to allow local authorities to purchase upgraded machines, while Chicago and Cook County officials are moving ahead with acquiring new voting machines and want to have them in place before the March primary at a cost of about $60 million.
State officials are spending nearly $14 million — $13.2 million of it from the federal government — under a five-year program begun last year aimed at protecting local election authorities from vulnerabilities, most involving the voter database.
One major fear is that access to local voter databases could become compromised and allow voter information to be altered in a way that would disenfranchise people from casting ballots on election days. Illinois law does, however, allow for the casting of provisional ballots on election days if voter data became compromised.
Nine specialists known as “Cyber Navigators” have been hired to work with election officials in separate geographic zones to determine potential problems and fix them. Currently, the navigators are in the process of following up on risk assessments with the local election authorities in partnership with the state’s Department of Innovation and Technology.
In addition, the state has a goal of having all voting authorities hooked up to the Illinois Century Network, a secure closed-circuit system to distribute digital voter registration information, as opposed to using the Internet. Currently 21 election authorities are hooked up to the network, with the rest scheduled to be on it before the March primary to keep the voter registration database information closed from hackers.
The state elections board also has a staff member attached to the Illinois State Police’s statewide terrorism and intelligence center to assist the cybernavigators in sharing information from the federal and state government with local election authorities on potential risks and how to combat them.
“The challenge now is following up on the risk assessment,” said Scholz, the state elections board chairman. “It’s a good program. We use training exercises that are state-of-the-art. The (county) clerks want our help.”
As was the case in the 2018 midterms, the board also expects to have the assistance of the Illinois National Guard for the 2020 balloting. Scholz, who’s familiar with the Guard from its help to Quincy when the Mississippi River floods, said it has 135 cybersecurity experts available.
Scholz said the Guard wasn’t needed last year but has the potential “within an hour to have boots on the ground in a county clerk’s office” if problems develop.
Chicago and Cook County have jointly hired a cyberprotection expert and have added layers of contingency planning, said Allen of the city’s election board.
“Everybody across the country does penetration testing and tests intrusion detection software that checks every computer in the network,” Allen said. “None of us are going to guarantee 100% we’ve built these fortresses that are impenetrable. But you try to build your defenses so you can detect any kind of issue and recover from it.”
Disinformation is also a concern
Even as state election officials across the nation are looking to Washington for more money, an issue so far stalled by partisan gridlock, they note that political concerns go beyond the voting machinery to include requests that they deal with election disinformation of the sort Russia employed in 2016.
“Several members of Congress have brought up things beyond our constitutional purview — the disinformation campaign,” Scholz said, noting that the agency’s job is to supervise the registration of voters and the administration of elections throughout the state.
While there would be First Amendment questions over how much a state agency could get involved in rhetoric involving candidates, Scholz said there are several areas where the board could act on disinformation involving the election process.
The board could, for example, take action if someone tried to suppress voter turnout by putting out false statements about polling places being closed or trying to confuse people about the date of the election.
Just days before the midterm last year, the state board issued a release urging voters not to be “fooled” by being offered the chance to vote online. Online voting does not exist anywhere in the United States.
“Voters should be aware that any app, website, social media account or text message purporting to offer online voting is fraudulent and should be reported immediately to the Illinois State Board of Elections. Those reports will be forwarded to law enforcement for investigation,” the release said.
Scholz said he’s confident the cyberdefenses will prove effective.
"We’re going to make every effort working with all of our partners to have a safe election in 2020,” Scholz said.
©2019 the Chicago Tribune. Distributed by Tribune Content Agency, LLC.