Despite Election Security Concerns, 'Vulnerabilities Abound'

Hacking is not the only problem. Misinformation campaigns and the refusal of politicians to admit defeat all serve to undermine voter confidence. Now, states also need to anticipate new threats.

by Alan Greenblatt, Governing / November 15, 2019

Ten days after he lost his re-election bid, Kentucky GOP Gov. Matt Bevin conceded the election.

Bevin admitted defeat on Thursday following a recanvass of the vote, which he had requested and didn’t change the outcome. Beginning Nov. 5 — the night of the election — Bevin had complained that his narrow loss to Democrat Andy Beshear was due to irregularities.

Bevin’s unsubstantiated complaints showed that there is more than one way to undermine confidence in elections. Although election officials worry about hacking into voting machines and registration rolls, they also worry that claims about potential problems make it harder for the public to accept the outcome of elections — especially if their preferred candidate has lost.

“If I wanted to undermine the democratic system, all I really need to do is create doubt in the mind of whatever team loses,” said Michael Miller, a political scientist at Barnard College. “It’s very concerning that we’ve begun to focus on which team do [hackers] hurt, Republican or Democrat. It could be your team today, but it could be the other team tomorrow.”

Miller said election vulnerabilities keep him up at night. A report from the U.S. Senate Intelligence Committee this summer found that Russian actors had likely attacked all 50 states, scanning voter information, if not changing any registration data.

Last year, Congress devoted $380 million for grants to states to bolster election security. Secretaries of state and outside groups are now pressing Congress to send more as part of a stopgap spending bill. The House has approved $600 million in additional spending, while a Senate committee approved $250 million in July. 

“There needs to be a lot more federal money, because I don’t think the states on their own will come up with it,” said Marc Lawrence-Apfelbaum, senior adviser on foreign interference and online threats at the Campaign Legal Center.

Disputes between different levels of government — federal, state and county — about who should pay for election upgrades are nothing new. But they’ve taken on new urgency ahead of the 2020 election, when additional foreign interference is almost assured.

States have taken numerous steps to harden their election defenses. For instance, the number of states relying on paperless voting machines is expected to drop to eight for next year’s elections, down from 14 in 2016.

Every state is participating in safety exercises through the Elections Infrastructure Information Sharing and Analysis Center. Among other things, they’re undergoing “white hat hacking tests,” in which their systems are tested against potential intrusion.

States are sharing more resources with counties. Ohio recently issued a directive calling on counties to switch their URLs to dot-gov addresses. “It seems small, but it’s really important in an environment of disinformation, where you have that trusted source that’s a dot-gov account,” said Matt Masterson, a senior cybersecurity adviser with the federal Department of Homeland Security.

States are also training local officials not to fall for phishing scams that could let in online intruders. “We have found one of the most effective ways of getting people to click is a Chick-fil-A gift card,” said Tennessee Secretary of State Tre Hargett.

Misinformation and Distrust

Along with warning about hacks, election officials are also concerned about misinformation campaigns, through social media or other means. On election night in Kentucky, thousands of social media accounts spread misinformation, much of it generated by bots. One widely shared tweet claimed to have destroyed ballots cast for Bevin. “Just shredded a box of Republican mail in ballot,” it read. “Bye bye Bevin.”

The governor himself sought to cast doubts on the veracity of the election. At a news conference the day after the election, he claimed thousands of absentee ballots had been illegally counted, while other voters had been turned away from polling places. He offered no proof. With Bevin’s blessing, a newly formed group called Citizens for Election Integrity held a news conference Wednesday at the state capitol. They offered scant examples of fraud, all of which were quickly debunked.

The recanvass, in which county election officials rechecked their math and vote totals, ended up with not a single vote being changed. Bevin lost by 5,189 votes, or less than 0.5 percent of the total. "I'm not going to contest these numbers that have come in," he said Thursday.

Still, his initial unwillingness to accept the results heightened concerns that politicians who lose close races may routinely to cry foul, leading their supporters to question the outcomes.

For similar reasons, election officials tend to avoid fretting too openly or too often about security. They don’t want to raise alarms too loudly and have voters think that results can’t be trusted. “It’s legitimate for election officials to downplay the concerns publicly while being obsessed with them privately, which I think is what’s actually going on,” said Miller, the Barnard professor.

“I have no doubt that for the vast majority of election officials, if not all, security is their prime concern,” Miller continued. “They also recognize that if they’re out there saying there are big security concerns every day, it really does lead to problems about people accepting the legitimacy of democratic outcomes.” 

Vigilance at the County Level

According to the Senate Intelligence Committee report, Russian hackers were able to exploit the seams between federal and state authorities. State officials were largely not prepared in 2016 to deal with threats from international sources.

Now, states need to anticipate new threats. Masterson, the federal cybersecurity expert, points to an incident in 2017, when hackers defaced a North Carolina state elections board website with the message “I Love Islamic state.”

“Imagine the impact on voter confidence of simply defacing a website,” Masterson said. “There’s no impact on voting integrity, but the impact on voter confidence is very real.”

It’s long been considered a strength that the U.S. election system is so diffuse, with responsibility spread among thousands of counties. But the problems with such a system may be starting to outweigh the strengths, said New Mexico state Sen. Daniel Ivey-Soto.

Under the federal Help America Vote Act of 2002, states are required to maintain a single database of voters. But even though a secretary of state might sponsor the software, the hardware on which data is actually entered likely belongs to county clerks. “Because they don’t own it, they don’t control the atmosphere where it’s utilized,” Ivey-Soto said. “Security is whatever that local government has on their county IT network. The vulnerabilities just abound in that process.”

The smaller the jurisdiction, the more vulnerable it may be, Masterson suggested. “Frankly, the softer the target, the more likely the attack for ransomware, to make a quick buck,” he said.

In most counties, elections represent the biggest IT asset. That doesn’t guarantee security, by any means. While 28 percent of IT spending in the private sector is devoted to cybersecurity, in government the average is only 3 percent, according to Jeff Ford, chief technical officer for the Indiana Legislative Services Agency.

“We’ve got one county that will tell you their IT staff is also the janitor at the courthouse,” said Hargett, Tennessee’s secretary of state. “There’s a lot of need out there.”

Staffing and Purchasing Problems

Hargett noted that for all the worries about remote hacking, physical security remains important. “You’d be amazed how many times you have to say, ‘Do not put passwords on a Post-it note,'” he said.

Elections are inherently a tricky business. Aging machines are hauled out of storage for use a couple of times a year, or every other year. “Show me another place where you have your best workers come in for a couple of days every two years,” Hargett said. 

While elections are held only occasionally, the threats keep changing. Hargett said his department as a whole has to ward off 3,000 cyberattacks a day. Attacks are constant and increasingly sophisticated. 

States should consider amending their approach to the election equipment marketplace, Lawrence-Apfelbaum suggested. Vendors aren’t able to sell new machines very often. (Some voting equipment still in use is old enough to qualify for a driver’s license.) And — in contrast to the near-constant updates on cellphones and software — voting machines are seldom updated. Any updates take a long time to get certified, which costs vendors time and money. 

Then there’s the problem of companies potentially going under. Ivey-Soto pointed out that three companies dominate the voting machine market, each with its own proprietary systems. “What if a company goes kaput?” he asked. “Why is this so proprietary? There should be a requirement of open source.” 

Los Angeles County has its own open-source system in place and certified for next year’s elections. The design effort took nearly 10 years and cost $300 million. Not many jurisdictions can afford to take such a route on their own.

Platforms & Programs