Election security: Lessons from 2016

Featured eBooks
Changes in State and Local Government Workforces
NASCIO Special Report 2024
A New Era of Social Media Regulation
Insights & Reports
Unlocking digital potential: Strategies for modernizing government services
Presented By Adobe
Download Now
Unlocking public sector potential
Presented By NTT DATA
Download Now
By Derek B. Johnson
 

Connecting state and local government leaders

By Derek B. Johnson

|

Regardless of what did or did not happen in 2016, experts are almost unanimous in their assessment that voting machines are riddled with cybersecurity vulnerabilities.

Were voting machines hacked in 2016?

The most accurate way answer is that we don’t know. The intelligence community’s assessment after the 2016 election did not find any evidence that actual vote tabulations were changed, but the relative lack of attention paid to the issue -- combined with the widespread use of paperless voting machines and uneven post-election auditing -- mean that a successful breach might not have been detected. Department of Homeland Security officials have said they do not believe hackers ever gained the ability to access or change vote totals.

Intelligence agencies and Special Counsel Robert Mueller’s investigation into Russian interference have uncovered evidence that dozens of state election systems, including voter registration databases, were scanned by Russian hackers looking for vulnerabilities, but scanning is not hacking. Cybersecurity experts liken it to reconnaissance, the digital equivalent of casing a home before a robbery. At least one state, Illinois, did suffer a breach of its voter registration system.

MORE INFO

The disinformation game.

Wyden wants better cyber protections for lawmakers, staff.

3 ways DHS is helping states with election security.

DHS says teamwork is improving election security.

Trump order imposes consequences on election meddlers.

As foreign meddling mounts, DHS projects confidence in election system resilience.

FCW's Election Security FAQ

This article is drawn from a larger look at election-security concerns. Read more.

Regardless of what did or did not happen in 2016, experts are almost unanimous in their assessment that voting machines are riddled with cybersecurity vulnerabilities. Many of those vulnerabilities require physical access to the machines, while others can be exploited remotely or through the compromise of the corresponding software that is used to program and update ballot information. A group of security researchers at DefCon, one of the largest annual gatherings of hackers in the world, released a report examining 30 different voting machines. All were compromised in relatively short order by volunteers with a fraction of the resources that nation states can bring to bear.

“The number and severity of vulnerabilities discovered on voting equipment still used throughout the United States today was staggering,” the report stated.

Despite the wide range of security vulnerabilities facing voting equipment, there are a few major factors that may deter foreign nations from going this route. First, the federated nature of U.S. elections means that each county and jurisdiction do things differently, from the type of voting machines they use to chain-of-custody protocols to the cyber precautions taken.

The distributed and decentralized nature of elections “is both good and bad for cybersecurity,” according to a security playbook developed for state and local election officials by the Harvard Belfer Center. While decentralization makes it difficult “for a single cyber operation to compromise multiple jurisdictions,” the report states, “disparities in cybersecurity resources and experience across jurisdictions creates vulnerabilities.”

Additionally, the sheer number of eyes watching for signs of vote hacking in this election, combined with increased resources to detect malicious activity, may make targeting election infrastructure an exceptionally risky endeavor for nation states.

Officials also believe that political campaigns -- often hastily put together on shoestring budgets -- represent the soft underbelly of election cybersecurity. Such operations rarely have sophisticated IT security protocols or dedicated cybersecurity staffers, particularly at the early stages of campaign season. While private-sector and nonprofit groups are trying to change that by offering free IT security services to political campaigns, a number of candidates and sitting members of Congress have reported attempts by hackers -- some successful -- to penetrate their communications this cycle.

Even campaigns with the best resources can be caught flatfooted by the evolving tactics of hackers targeting their staff and associates.

“We brought on a security guy because we knew the Chinese had hacked other campaigns, but we thought it was an espionage threat, not an information operation, not a doxing threat,” said Robby Mook, who ran Hillary Clinton’s presidential campaign in 2016. “That’s why…I just worry that some of these managers are going into the 2020 campaign building out for the 2016 campaign and not thinking holistically about all those threats.”

Federal responses

DHS has been the most active federal agency on election security issues since election systems were designated as critical infrastructure in 2016. The department’s cyber wing, the National Protection and Programs Directorate, has spent the past two years building up information sharing and threat detection capabilities around election systems that largely didn’t exist in the lead-up to the 2016 elections when intelligence agencies were just starting to gain awareness of the threat.

“Unfortunately in 2016, we had to build relationships when we were in a bit of a hurricane,” Bob Kolasky, a DHS official who now runs the newly created National Risk Management Center, said earlier this year. “[Since 2016], DHS has been deliberate to put resources and information -- building partnerships, building processes to share information and building making tools available to support state and local election officials.”

More data and better communication with states, localities and election system vendors represent the heart of where DHS has invested its time over the past two years. The agency has conducted vulnerability scans and assessments for state governments, substantially beefed up its deployment of sensor tools designed to pick up suspicious cyber scanning or intrusion attempts of state election systems, and a new election-related Information Sharing and Analysis Center established in February now has more than 1,000 members sharing information back and forth.

In all, DHS says it now has working relationships with all 50 states and more than 1,000 localities to strengthen election cyber defenses ahead of Nov. 6. It has set up other forms of communication, such as virtual chat rooms, to broaden its real-time communications with county level officials leading up to and past election night.

DHS, the Department of Justice and the Federal Bureau of Investigation have all stood up new task forces focused on combatting foreign influence campaigns, with the FBI taking the operational lead.

The Election Assistance Commission, meanwhile, is developing new voting system standards that include improved technical guidance around cybersecurity, but those standards must be voluntarily adopted by states and voting machine manufacturers, and they aren’t expected to impact state purchasing decisions until 2020 or 2022.

The military, more specifically U.S. Cyber Command, recently received a broader mandate to protect election infrastructure as part of the Trump administration’s new cyber strategy.

Finally, the White House, which has been criticized at times for not doing enough to secure the election system from foreign interference, issued an executive order that gives intelligence agencies 45 days after an election to report whether there is evidence that a foreign government conducted a campaign to interfere in U.S. elections. After such a finding, a range of economic, diplomatic and travel sanctions can be imposed.

Officials have also said that in select circumstances, they retain the option of alerting the public about an ongoing campaign before election day, as DHS Secretary Jeh Johnson did in October 2016 with regards to Russia. However, the difficulties around attribution as well as a concerted desire to make states the public face of most election security mean that federal agencies will often be funneling the necessary intelligence or technical advice to relevant state or local officials and letting them take the lead as the trusted authority for election related communications.

NEXT STORY: Phishing protection boosts mobile security

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.