Defending the 'front line' against election fraud
Connecting state and local government leaders
Counties and local municipalities need help -- and funding -- to defend their election systems from security threats.
At the DefCon hacker conference in Las Vegas in July, hackers were able to successfully breach a wide range of election systems equipment. But Noah Praetz, director of elections in Cook County, Ill., told members of the federal Election Assistance Commission at an Aug. 16 public meeting that the real-world voting-security situation is not quite so dire.
At DefCon, "a lot of the equipment used was old, and the hackers' access [to internal workings of the machines] isn't a reality," Praetz said. Additionally, most of the jurisdictions in this country use paper ballots or have a paper trial, he said, whereas the DefCon hackers' "critiques of the machines were aimed at the machines that don't have either."
In order to limit threats, Praetz said all elections should have a paper trail, which nearly 80 percent of jurisdictions currently do.
Cook County has invested in "applied forensic" tools to make sure machines are counting ballots accurately, he said. His board of elections tested the 2016 voter data three times to ensure that nothing was hacked.
That sort of sustained attention will be needed going forward, he stressed. Since former Department of Homeland Security Secretary Jeh Johnson designated state elections assets as U.S. critical infrastructure in January, Praetz said he sees counties and cities as the front line for defending against election fraud.
"There is no substitute for on-the-ground expertise, but with this new threat space, we are going to need more assistance," he said.
Praetz and other election official also encouraged counties and cities to share information on voter fraud incidents. "The threats are fast and breaches are becoming more common," Praetz said. "The hope of staying ahead should come from sharing information."
Last month, for example, the EAC conducted a planning exercise in New York City that resulted in some surprising results that remain classified.
"I found the meeting very informative, enlightening and frightening," Commission Vice-Chairman Thomas Hicks said of the New York meeting. "I would encourage every state to hold a similar meeting with election officials, emergency management folks and IT officials."
In terms of next steps following the critical infrastructure designation, EAC Executive Director Brian Newby said DHS is focused on preparing for the 2018 elections.
"For us, show time is Jan. 1," he said, "and we need to have further discussions about the way cybersecurity threats will be communicated [versus the way that we did it before.]"
Part of the challenge of securing election systems is the limited money still available from the Help America Vote Act (HAVA) of 2002, which provided funds to states for equipment, guidance and policy development.
While nearly $3.5 billion was awarded to states and territories, there is just $4.3 million in allocated funds that states have yet to request, according to the EAC's 2016 grants expenditure report.
"The requirements of HAVA are not a one-time expense," EAC Director of Grants and Oversight Mark Abbott said. Elections officials must "replace the equipment that is aging out, and they are looking for new funds -- whether it is federal financing through HAVA or state financing."
The EAC commissioners also heard testimony on the 2016 Election Administration and Voting Survey released in June. The biannual EAVS report includes information about the election process, including data on registration, turnout, absentee voting and polling places.
The EAVS found that state motor vehicle facilities remain the most popular place individuals chose to register to vote at 32.7 percent, but online registration increased dramatically over the past four years, making up 17.4 percent of the total.
Editor's note: This article was changed Aug. 17 to correct Mark Abbott's title and the location of the New York planning exercise.
NEXT STORY: LA launches Cyber Lab to share threat data