Public, election offices may be kept in the dark on hacks

If the FBI discovers that foreign hackers have infiltrated the networks of your county election office, you may not find out about it until after voting is over. And your governor and other state officials may be kept in the dark, too. There’s no federal law compelling state and local governments to share information when an electoral system is hacked. And a federal policy keeps details secret by shielding the identity of all cyber victims regardless of whether election systems are involved. Election officials are in a difficult spot: If someone else’s voting system is targeted, they want to know exactly what happened so they can protect their own system. Yet when their own systems are targeted, they may be cautious about disclosing details. They must balance the need for openness with worries over undermining any criminal investigation. And they want to avoid chaos or confusion, the kind of disruption that hackers want.

The secrecy surrounding foreign hacks is not a hypothetical issue. The public still doesn’t know which Florida counties were breached by Russian agents in the 2016 election. Rick Scott, Florida’s governor in 2016 and now a U.S. senator, was not told at the time and didn’t learn most of the details until this year. And the threat to electoral systems is real. Federal officials believe Russian agents in 2016 searched for vulnerabilities within election systems in all 50 states. And the nation’s intelligence chiefs warn that Russia and other nations remain interested in interfering in U.S. elections. Meanwhile, experts worry the White House hasn’t highlighted the threat as President Donald Trump argues it’s OK for foreign countries to provide damaging information on his political rivals, a matter now the subject of an impeachment inquiry led by House Democrats. In general, it’s up to electoral agencies to disclose when they’ve been hacked. 
That, plus the federal policy protecting the identity of cyber victims, could mean that state election officials might not be told immediately if one of their local election offices experiences a breach. In addition, the whole situation could be considered classified as part of a federal investigation. At least two states — Colorado and Iowa — have implemented policies to compel local officials to notify the state about suspected breaches involving election systems. “Every American in this nation deserves to have a democracy they can believe in, and when there is not good communication on cyber incidents … it does create a lack of confidence in the system,” said Colorado Secretary of State Jena Griswold. “Luckily we have been able to work around the void of federal policy that has been leaving our nation in a precarious spot.” But Department of Homeland Security officials say privacy is needed to ensure that officials come forward and share valuable threat information, such as suspect IP addresses. Some election officials could be hesitant about public disclosures, concerned their agencies would be portrayed in a negative light. They could opt to handle any breach alone. That could create dangerous delays in sharing information, said Jeanette Manfra, assistant director for cybersecurity at Homeland Security’s new cyber agency. Homeland Security acts as the middleman between the intelligence community and the states. In general, communication and coordination on election security have improved in the last two years. “We’ve worked over the years to be able to declassify even more and to do it faster,” Manfra said. “It’s still not a perfect process.” Due to the criminal nature of cyber breaches, law enforcement officials may seek to withhold releasing certain information long after the incident. 
When Florida’s current governor, Ron DeSantis, was briefed this year on the 2016 cyber breaches, he said he signed an agreement preventing him from identifying the affected counties. The secrecy surrounding Florida helped spur bipartisan legislation that would compel reporting among federal, state and local officials and to voters potentially affected by a breach. Rep. Stephanie Murphy, a Florida Democrat, co-sponsor of the bill, said she believes voters are the victims, not the election office, and that not disclosing information about election-related breaches could undermine public confidence. In June, a majority of Americans expressed at least some concern that voting systems are vulnerable to hackers, according to a poll from The Associated Press-NORC Center for Public Affairs Research. “It’s hard for me to assess if what people are doing in response is sufficient when I don’t know the full scope of the problem,” Murphy said. “And I think that’s the same issue with voters: How can they feel comfortable or confident that this next election will be free and fair?” Yet election officials want to ensure they have a good understanding of what happened before going public so they don’t contribute to the confusion that the hackers may be trying to achieve. Cyber intrusions are inherently complicated, taking time to understand and contain. There is also a concern of inadvertently releasing information that could invite further compromises or undermine an investigation. “It is important to be as transparent as possible, but as with any crime, the full details of an investigation are not discussed,” said Paul Pate, Iowa’s Republican secretary of state. “It’s a balancing act that needs to be measured on a case-by-case basis.” In 2017, California election officials quickly disclosed the state had been notified by federal officials that its election systems were among those scanned by Russians the year before. 
Five days later, they had to correct the announcement after discovering the scans involved a non-election system. Secretary of State Alex Padilla, a Democrat, said it was an important lesson in making sure all the facts were there, especially considering the public is not familiar with cybersecurity terminology. In the summer of 2016, hackers accessed Illinois’ voter registration database, and officials moved fast to shut down the system and isolate the threat. State officials knew the move wouldn’t go unnoticed and felt it was important to notify the public. It became clear only later that Russian agents were involved, and the breach was part of an

US election integrity depends on security-challenged firms

It was the kind of security lapse that gives election officials nightmares. In 2017, a private contractor left data on Chicago’s 1.8 million registered voters — including addresses, birth dates and partial Social Security numbers — publicly exposed for months on an Amazon cloud server. Later, at a tense hearing, Chicago’s Board of Elections dressed down the top three executives of Election Systems & Software, the nation’s dominant supplier of election equipment and services. The three shifted uneasily on folding chairs as board members grilled them about what went wrong. ES&S CEO Tom Burt apologized and repeatedly stressed that there was no evidence hackers downloaded the data. The Chicago lapse provided a rare moment of public accountability for the closely held businesses that have come to serve as front-line guardians of U.S. election security. A trio of companies — ES&S of Omaha, Nebraska; Dominion Voting Systems of Denver and Hart InterCivic of Austin, Texas — sell and service more than 90 percent of the machinery on which votes are cast and results tabulated. Experts say they have long skimped on security in favor of convenience, making it more difficult to detect intrusions such as occurred in Russia’s 2016 election meddling. The businesses also face no significant federal oversight and operate under a shroud of financial and operational secrecy despite their pivotal role underpinning American democracy. In much of the nation, especially where tech expertise and budgets are thin, the companies effectively run elections either directly or through subcontractors. “They cobble things together as well as they can,” University of Connecticut election-technology expert Alexander Schwartzman said of the industry leaders. Building truly secure systems would likely make them unprofitable, he said. The costs of inadequate security can be high. 
Left unmentioned at the Chicago hearing: The exposed data cache included roughly a dozen encrypted passwords for ES&S employee accounts. In a worst-case scenario, a sophisticated attacker could have used them to infiltrate company systems, said Chris Vickery of the security firm UpGuard, which discovered the data lapse. “This is the type of stuff that leads to a complete compromise,” he said. ES&S said the passwords were only used to access the company’s Amazon cloud account and that “there was no unauthorized access to any data or systems at any time.” All three of the top vendors declined to discuss their finances and insist that security concerns are overblown. ES&S, for instance, said in an email that “any assertions about resistance to input on security are simply untrue” and argued that for decades the company has “been successful in protecting the voting process.”

STONEWALLING ON SECURITY

Many voting systems in use today across the more than 10,000 U.S. election jurisdictions are prone to security problems. Academic computer scientists began hacking them with ease more than a decade ago, and not much has changed. Hackers could theoretically wreak havoc at multiple stages of the election process. They could alter or erase lists of registered voters to sow confusion, secretly introduce software to flip votes, scramble tabulation systems or knock results-reporting sites offline. There’s no evidence any of this has happened, at least not yet. The vendors say there’s no indication hackers have penetrated any of their systems. But authorities acknowledge that some election mischief or malware booby traps may have gone unnoticed. On July 13, U.S. special counsel Robert Mueller indicted 12 Russian military intelligence operatives for, among other things, infiltrating state and local election systems. Senior U.S. 
intelligence officials say the Kremlin is well-positioned to rattle confidence in the integrity of elections during this year’s midterms, should it choose to. Election vendors have long resisted open-ended vulnerability testing by independent, ethical hackers — a process that aims to identify weaknesses an adversary could exploit. Such testing is now standard for the Pentagon and major banks. While the top vendors claim to have stepped up their cybersecurity game, experts are skeptical. “The industry continues to stonewall the problem,” said Bruce McConnell, a Department of Homeland Security cybersecurity czar during the Obama administration. Election-vendor executives routinely issue assurances, he said, but don’t encourage outsiders to inspect their code or offer “bug bounties” to researchers to seek out flaws in their software. Sen. Ron Wyden, an Oregon Democrat, has long criticized what he calls the industry’s “severe underinvestment in cybersecurity.” At a July hearing, he accused the companies of “ducking, bobbing and weaving” on a series of basic security questions he’d asked them. ES&S told The Associated Press that it allows independent, open-ended testing of its corporate systems as well as its products. But the company would not name the testers and declined to provide documentation of the testing or its results. Dominion’s vice president of government affairs, Kay Stimson, said her company has also had independent third parties probe its systems but would not name them or share details. Hart InterCivic, the No. 3 vendor, said it has done the same using the Canadian cybersecurity firm Bulletproof, but would not discuss the results. ES&S hired its first chief information security officer in April. None of the big three vendors would say how many cybersecurity experts they employ. 
Stimson said that “employee confidentiality and security protections outweigh any potential disclosure.”

SLOPPY SOFTWARE AND VULNERABILITY

Experts say they might take the industry’s security assurances more seriously if not for the abundant evidence of sloppy software development, a major source of vulnerabilities. During this year’s primary elections, ES&S technology stumbled on several fronts. In Los Angeles County, more than 118,000 names were left off printed voter rolls. A subsequent outside audit blamed sloppy system integration by an ES&S subsidiary during a database merge. No such audit was done in Kansas’ most populous county after a different sort of error in newly installed ES&S systems delayed the vote count by 13 hours as data uploading from thumb drives crawled. University of Iowa computer scientist Douglas Jones said both incidents reveal mediocre programming and insufficient pre-election testing. And voting equipment vendors have never seemed security conscious “in any

Poll finds partisan divide in concerns for election security

With the midterm elections less than a month away, a strong majority of Americans are concerned the nation’s voting systems might be vulnerable to hackers, according to a poll released Wednesday. That is roughly unchanged from concerns about election security held by Americans just before the 2016 presidential election, but with a twist. Two years ago, it was Republicans who were more concerned about the integrity of the election. This year, it’s Democrats. The survey from The University of Chicago Harris School of Public Policy and The Associated Press-NORC Center for Public Affairs Research found that Democrats have grown increasingly concerned about election security while Republicans have grown more confident. By 58 percent to 39 percent, Democrats are more likely than Republicans to say they are very concerned about hackers affecting U.S. election systems. That represents a flip from the results of a similar survey taken in 2016. The same partisan divide exists in the confidence Americans hold in the accuracy of vote tallies for the upcoming midterm elections. Republicans are more confident, a reversal from 2016. Nearly 8 in 10 Americans are at least somewhat concerned about potential hacking, with 45 percent saying they are extremely or very concerned. Just 22 percent have little or no confidence that votes will be counted accurately. Those results are similar to a poll conducted in September 2016. “People are right to be concerned,” said Lawrence Norden, a voting system expert with The Brennan Center for Justice at New York University School of Law. 
“The critical thing I hope people understand is that there are lots of things that can be done to deal with cyberattacks on our election infrastructure, and there has been a lot done since 2016.” Federal, state and local election officials have scrambled over the past two years to shore up cybersecurity defenses of election systems, improve communications about potential cyber threats and reassure the public that all steps are being taken to protect the vote. Congress has funneled $380 million to states to help cover the costs of adding cybersecurity personnel, conduct training and upgrade equipment. Much of that is in response to the 2016 presidential election. U.S. intelligence officials say Russian operatives launched a multipronged effort to interfere with the 2016 election, including a sophisticated social media campaign, the hacking of Democratic National Committee emails and the electronic scanning of state election networks. Illinois’ voter registration system was breached, but authorities say no information was altered or deleted. This year, the nation’s intelligence agencies warned that Russia and others remain interested in interfering in U.S. elections, but have emphasized that they have detected no targeting of election systems on the level seen ahead of the 2016 vote. Nearly 80 percent of Americans say they are at least somewhat concerned about the hacking of voter registration systems, voting equipment and final election results, with at least 4 in 10 saying they are extremely or very concerned about each. Among the biggest concerns of cybersecurity experts is the use, in some states, of touchscreen voting machines that do not produce a paper record. Other such machines do allow voters to verify their selections and create a paper trail for a reliable audit of election results. A U.S. 
Senate report earlier this year urged states to replace their paperless machines, which were used by roughly one of every five voting jurisdictions nationwide in the 2016 election. Five states — Delaware, Georgia, Louisiana, New Jersey, and South Carolina — are expected to rely on electronic machines without paper receipts during the upcoming midterm elections. At least eight others will use those machines in some counties. The poll found just 21 percent of Americans saying they are extremely or very confident in paperless machines and another 45 percent saying they are somewhat confident. By comparison, 88 percent expressed at least some level of confidence in electronic voting machines that provide a paper receipt and 84 percent for paper ballots scanned into a machine. The $380 million sent to states from the federal government was not enough to cover the costs of replacing all such machines. Jennifer Blomqvist, a 47-year-old administrative assistant from Decatur, Georgia, said she is concerned voting systems remain vulnerable to hackers and would support a system in Georgia that produced a paper record. “As long as they are electronic, anybody and everybody can go in and hack,” Blomqvist said, adding she still hopes all votes will be counted accurately. “I want to trust the system, for as old as it is.” The survey also found limited support for online voting (28 percent in favor) and for the exclusive use of mail-in ballots (19 percent in favor). Younger voters, those age 18 to 29, are more supportive of online voting than older adults. Even so, less than half of young adults favored online voting. Three states — Colorado, Oregon and Washington — conduct all elections with mail-in ballots, but there is not widespread support for it. Just 19 percent of adults favor such a system, with 58 percent opposed.

___

The UChicago Harris/AP-NORC poll of 1,059 adults was conducted Sept. 13-16 using a sample drawn from NORC’s probability-based AmeriSpeak panel, which is designed to be representative of the U.S. population. The margin of sampling error for all respondents is plus or minus 4.3 percentage points.

Republished with permission from the Associated Press.