Election officials at the state and local levels are unhappily coming to terms with the idea that more funding probably isn’t coming for securing electoral systems from hacks this fall. But with help from the Department of Homeland Security, their confidence appears to be growing about how well they will perform on Election Day.
Those officials are the front-line soldiers in the battle to combat Russian and any other cyber interference aimed at the midterm elections.
In turn, they are becoming cybersecurity managers, according to Noah Praetz, director of elections in Cook County, Ill. He warned that $380 million in recent federal assistance to the 50 states “is not nearly enough to do a technology refresh” to update all of the antiquated elections systems across the country, but it has helped put state cyber experts “on the street” in five counties across Illinois.
“It’s kind of like Andy in Mayberry being sent to deal with a foreign invasion,” he joked.
DHS official Jeanette Manfra, speaking at a recent cyber conference, said the department is collaborating with states to shield voter registration from manipulation, ensuring the machines that tally votes are secure, and helping ensure that “unofficial tallies” released before the final election results aren’t altered to sow confusion and discord.
The department is sharing information and sending officials and technical experts into the field to help, she said.
“I yearn for the days when we just worried about the electric grid going down,” she quipped.
Other state and local officials say they too are already mobilizing and innovating.
Amber McReynolds, director of elections in Denver, Colo., said her jurisdiction has already shifted to paper ballots at the demand of voters, and that amid resource constraints, voting officials have partnered with Denver’s technology office to find cybersecurity improvements.
Neal Kelley, chief of elections and registrar of voters in Orange County, Calif., said training has increased but that phishing — in which employees are fooled into clicking on email links containing malware — remains a major challenge. Overall, he cited paper ballots and third-party auditing as the two most important steps election officials can take.
So how are the states and locals doing?
A father-and-son team that voluntarily took on a massive election cybersecurity research project and presented findings at the August DEF CON cyber conference in Las Vegas found improvements in the security of both campaign and state-government election sites, along with a need for more work to be done quickly and at scale.
Kevin and Joshua Franklin obtained lists of thousands of congressional candidates and all state election websites, and ran them through their “ElectionBuster” tool. They followed up with a “responsible disclosure” policy of informing the affected parties of results.
Joshua Franklin has worked as an IT professional on elections security for the state of Georgia, the U.S. Election Assistance Commission and the National Institute of Standards and Technology. His father Kevin is a 30-year IT veteran who has worked for Lockheed Martin, NASA and now for a financial institution.
“If there is data to be breached” in the political process, Joshua said, “it has happened.” The team expressed surprise at how much personal information is collected and sold as part of the political process.
Their analysis found that about 68 percent of House campaigns’ websites received an “A” or a “B” for cybersecurity, while 80 percent of Senate candidates’ sites received an “A” and 12 percent earned “B’s.”
“Most campaign [operations] are very small with little or no IT expertise,” Kevin Franklin said.
The team gave about 70 percent of state voter registration sites an “A” or “A+”, and nearly 22 percent a “B.”
“The situation is improving but there are still common-sense things to do,” Joshua Franklin said. States and localities also need more resources, he said.
Senate efforts to advance election security legislation hit a roadblock in August amid concerns among states and localities about federal mandates, lack of money, and apparent disdain from the White House.
It seems unlikely that a significant election-security bill will emerge from the Senate anytime soon, and the House GOP leadership has steered clear of the issue so far. It’s also unclear how Congress could provide more funding to states that could be used meaningfully at this stage, two months before Election Day.
