Election systems security under increasing scrutiny

Between outdated technology, Russian hacking threats, tight budgets, the president’s promises to investigate voter fraud and incomplete information about federal assistance for securing voting systems, local elections officials have their hands full.

In Bexar County, Texas, which is saddled with the oldest elections technology in the state, officials scour eBay for Zip disks, the storage media the county’s system uses to help merge results.

"I'd be dead in the water without our technical support people looking online to buy the pieces and parts to keep us going," Jacque Callanen, the county’s elections administrator told the Associated Press.

Similarly outdated systems are common across the country, but municipalities probably will not be able to foot the bill for new systems without help from their state legislatures, which are also strapped for cash.

Nor is the federal government likely to offer monetary help. The last time it funded electoral infrastructure upgrades was after the 2000 election when Florida’s “hanging chad” issue  caused problems with the presidential recount. The $4 billion that was allocated to states under the 2002 Help America Vote Act is largely gone, AP reported.

Without money to replace aging, obsolete systems, elections officials must do the best they can to secure their existing systems, many of which are intense scrutiny because of investigations surrounding Russian interference in U.S. elections.

At a panel at the recent RSA Conference on  “Electoral Dysfunction,” talk swirled more specifically around the issue of the hacking of the Democratic National Committee and the potential interference of other countries in the recent U.S. presidential election last fall.

Bruce McConnell, global vice president at the EastWest Institute and a former deputy under-secretary for cybersecurity at the Department of Homeland Security, said that the DHS “under-valued voting… and did not pay enough attention to the cyber risk.” In his current role, McConnell is working with governments in other countries, including Russia, to come to agreements on rules for cyberspace.

Pamela Smith, president of Verified Voting, a non-partisan non-profit group that follows elections issues, pointed to the disparate, disjointed and often outdated nature of voting technology throughout the country. Cases in point: Some voting jurisdictions are using Windows XP systems that are more than a dozen years old; only half of states use actual ballots to double-check votes; and one-quarter of jurisdictions do not have “verifiable” results, she said, adding: “After 2016, we know breaches here are not theoretical anymore.”

For many voting jurisdictions, however, there is a lack of resources to support greater information security support. “There’s often no IT person or expertise to run the systems they have… and they’re using unencrypted email for returning ballots,” Smith said. “We want to reduce the use of practices that cannot be secured… There are resources and opportunities, but they are not mandated. We cannot say we have secure elections.”

McConnell agreed. “There are no security standards at this point, and it is possible that there is a need for regulation," he said. "My view is that we need to get there sooner rather than later.”

While it has become challenging to secure voting systems in “far-flung jurisdictions with small teams and few resources… it’s also harder to hack an infrastructure that is widespread and disconnected,” said Mark Weatherford, senior vice president and chief cybersecurity strategist for vArmour, and (like McConnell) a former deputy undersecretary for cybersecurity at DHS.  

The next step for hackers, he said, may well be to attack central systems that contain voter records.

DHS has offered to help elections officials shore up their systems after former DHS Secretary Jeh Johnson called for the designation of election systems as critical infrastructure. That designation granted state election assets -- including voter registration databases, voting machines, polling places, centralized vote tabulation locations and storage facilities -- the same DHS protections as are provided to energy utilities, the transportation sector and the other critical infrastructure sectors.

Under the designation, Johnson said, state governments can ask DHS for help to secure their election infrastructure and will receive prioritized assistance requests, added protections and access to information on vulnerabilities.

On March 7, Sen. Claire McCaskill (D-Mo.) sent a list of questions to DHS Secretary John Kelly asking for clarification on those services, according to FCW, a sister site to GCN.

Specifically, McCaskill wanted to know:

• How many state and local governments have asked for DHS assistance.
• If states and localities will have to pay for the services provided by DHS.
• What specific tools DHS can provide states and localities.
• Whether DHS will require additional resources to fulfill its duties under the designation.
• If states are legally liable if they choose not to implement recommendations made by DHS.

Additionally, she asked why the designation extends to both physical and electronic infrastructure if DHS is only offering cyber-related protection and if the designation will continue under the Trump administration.

Although some states have taken DHS up on its offer to provide cybersecurity scans of some of their systems, others oppose federal assistance with what they consider solely a local responsibility.

That opposition ratcheted up in January when Georgia Secretary of State Brian Kemp asked for an investigation into what he called "doorknob rattling," or unauthorized scans and unsuccessful attempts to penetrate his state’s firewall by DHS in the run up to the election last fall. In February, Indiana and Idaho also reported similar scan attempts on their facilities in the same period, according to an article in FCW.

Karen Epper Hoffman contributed to this article.