Amid the blue and red banners dotting social media, mailers, billboards, flyers and just about everything else, Election Day is finally here. After all the guesswork and polls, Americans don’t know which way the political winds are going to blow or whether security measures taken by many states are going to hold…or whether some sort of nightmare will unfold.
Are Russians creeping around social media trying to influence voters? Is a wily and well-placed political operative using privileged access to tinker with a voter registration database? Or is a hacker exploiting a vulnerability in a voting machine or data storage system to manipulate voting data? Or did some harried developer simply leave a database exposed to the public?
“The 2018 midterms are the most secure elections we’ve ever held, thanks to the efforts of election officials around the country,” said David Becker, executive director and founder of the Center for Election Innovation & Research. “While there’s no finish line in election security, states are partnering with the federal government on cybersecurity like never before. There is zero evidence to suggest votes were changed in 2016, and voters should feel confident their votes today will be accurately counted.”
Becker’s words echo those of Department of Homeland Security (DHS) Secretary Kirstjen Nielsen who called the midterms “the most secure election” the country has ever had last week at a Council on Foreign Relations meeting on election security.
That doesn’t mean everything is running smoothly or that Election Day will wrap up without a hitch, devoid of cybersecurity issues. After all, the U.S. election “system” is actually a set of state and local systems, diverse and dispersed. While this means there is no single vulnerability that hackers can exploit to bring the whole she-bang down, it also means states are without a national standard or requirements to serve as guidelines for officials, who mostly don’t have deep cybersecurity knowledge or training.
Just days before an already contentious governor’s race in Georgia drew to a close, the Republican candidate, Georgia Secretary of State Brian Kemp, accused the Democratic Party of Georgia of “a failed attempt to hack the state’s voter registration system.”
Kemp’s office said it would comment on the probe. “I can confirm that the Democratic Party of Georgia is under investigation for possible cyber crimes," Kemp’s press secretary, Candice Broce, said in a release. "We can also confirm that no personal data was breached and our system remains secure."
The allegations, which were made without evidence, were immediately denounced by Democrats and called into question by security pros who pointed to numerous previous vulnerabilities in the state’s election system that some contend the Kemp’s office ignored.
Democratic Party of Georgia Executive Director Rebecca DeHart, in a statement, called Kemp’s allegations “a political stunt” that underscores why he shouldn’t be overseeing the election.
“Does the Georgia Secretary of State have the forensics capability and expertise necessary to investigate their own potential breach?” former Facebook CPO/CISO Alex Stamos tweeted.
And on the eve of the midterms, Facebook, which has been actively shutting down inauthentic accounts, said in an alert the FBI had discovered online activity that may be linked to foreign actors.
“Our very early-stage investigation has so far identified around 30 Facebook accounts and 85 Instagram accounts that may be engaged in coordinated inauthentic behavior,” Nathaniel Gleicher, Facebook’s head of cybersecurity policy, wrote. “We immediately blocked these accounts and are now investigating them in more detail.”
Gleicher said while the company usually waits until it’s deeper into an investigation to make a public announcement, the close proximity to the midterm elections prompted Facebook to detail the facts and actions taken thus far. The company will provide updates, it said, as to whether these accounts are affiliate with the Russia-based Internet Research Agency (IRA), recently indicted by Special Counsel Robert Mueller or other foreign players.
States throughout the day have reported issues, including malfunctioning and crashing voting machines and broken scanners in New York City that shut down voting machines.
“Today’s incidents with malfunctioning voting machines was inevitable -after all we have a seriously flawed system. Whether we’re worried about foreign interference or hacking a state election website by an 11 year old, the fact is election security is vulnerable,” said Mike O’Malley, vice president of strategy at Radware. “Unfortunately, today’s election outcomes may end up being impacted by a failing voting infrastructure. It is unreasonable to expect local municipalities to be self-sufficient in protecting themselves against sophisticated nation state cyberattacks, as we have seen in Knox County, Tenn.”
O’Malley said that “antiquated software, programming issues, and interference questions are all part and parcel to having an outdated voting system based on a patchwork of thousands of county election networks” and combined with a “consistent history of voter rolls being hacked, county clerk offices being penetrated, all make today completely unsurprising.”
After Russia meddled in the 2016 presidential election and a long litany of incursions, influence campaigns and vulnerabilities unfolded, most states, even those like Georgia where the election official in charge had declared the voting systems safe, stepped up, using federal funding to bolster security. The government doled out $380 million in Help American Vote Act (HAVA) funds to states to use as they see fit.
Spending spree
Louisiana, one of five states with paperless voting machines, will use the nearly $5.9 million it received to replace its 10,000 or so direct-recording electronic machines (DREs). Interim Secretary of State R. Kyle Ardoin had estimated the state needs $60 million to replace all of the machines. The winning bid by Dominion Voting Systems put a $95 million price tag on the project with machines costing $68 million and maintenance (which would have come from the Secretary of State’s budget) making up the remaining $27 million. But the bidding process was mired in controversy and politics – with Dominion’s challenger, Election Systems and Software, formally claiming it was rigged.
The company held the contract from August to early October when Gov. John Bel Edwards yanked it. "I hereby determine that it is in the best interest of the state to rescind the award made to Dominion Voting Systems," Louisiana's Chief Procurement Officer Paula Tregre said in a statement at the time, going on to tell the AP that "without these certification standards, no adequate evaluation of the proposed voting systems could be made."
In Florida, whose election system was thrust into the national spotlight for the “hanging chad” incident during the controversial 2000 presidential election, counties use voting machines that don’t provide paper records. It also doesn’t require robust post-election audits, according to a report from the Center on American Progress, which also took issue with the state allowing voters overseas to return their ballots electronically by fax. The more than $14.5 million approved funding is unlikely to fix all of the state’s election security woes but various counties have put their money to use bolstering firewalls, purchasing hardware and software to bolster security and adopting multifactor authentication, among other measures.
Arizona Secretary of State Michele Reagan commissioned a top to bottom study of the state’s election security posture the results of which were released in October. The 15-page report, compiled by Gartner, came up with a series of recommendations, including leveraging modern identity and access management technologies to control access to election systems based on user identity and strengthening processes, documentation and standards to facilitate comprehensive management, maintenance and use of current-state technology, that will bolster election security.
While the spending spree has started, most states reserved the bulk of their dollars to bolster security in the next two years leading up to the 2020 presidential election.
Both state and federal officials will be vigilant as the midterms pass. On election night Nielsen and her DHS crew will operate a “virtual war room,” bringing together members of the intelligence community, political parties and others “so as things evolve…we can respond.” And that means passing information along to states and counties as necessarily regardless of security clearance. “Many folks have clearance and those that don’t, we’ve made it clear, we will share,” she said. “I won’t let clearances stand in the way.”
Facebook, too, has created its own war room, including “two dozen experts from across the company – including from our threat intelligence, data science, software engineering, research, community operations and legal teams,” Samidh Chakrabarti, director of product management, civic engagement, at the social media company, said in a blog post. “Our goal: to get the right subject-matter experts from across the company in one place so they can address potential problems identified by our technology in real time and respond quickly.”
Chakrabarti explained that when “everyone is in the same place, the teams can make decisions more quickly, reacting immediately to any threats identified by our systems, which can reduce the spread of potentially harmful content.” The war room’s “dashboards offer real-time monitoring on key elections issues, such as efforts to prevent people from voting, increases in spam, potential foreign interference, or reports of content that violates our policies,” Chakrabarti said.
National Guard cybersecurity units in three U.S. states – Wisconsin, Washington and Illinois – have been summoned up to provide support for the midterms in case of a cybersecurity event.
“Wisconsin voters should feel confident that the Wisconsin National Guard’s team is ready if needed to provide assistance on Election Day,” Maj. Gen. Donald Dunbar, adjutant general of Wisconsin, said in a release. “The governor’s executive order simply allows us to deploy those resources quickly.”
It is unclear how many other states, if any, are using the Guard to potentially fend off cybersecurity incidents, but some security pros say it’s a good idea that should be widely adopted.
“The activation of these National Guard cybersecurity units begs the question, if we have such defenses available and they are effective, why don't we deploy them more widely?” asked Paul Bischoff, privacy advocate at Comparitech.com. “Other states should be doing the same, particularly swing states. It seems more appropriate to do so now more than ever, and perhaps it should be a routine protocol for general elections from now on, barring any violations of privacy, the voting process, or free speech.”
Spotting problems
Eagle-eyed election officials and security pros will be looking for a bevy of warning signs indicating something’s amiss or that bad actors have asserted themselves, including:
Nation-state influence campaigns.“The other threat that is much more difficult to combat and more pernicious is the influence of foreign government,” Nielsen said, explaining that while the U.S. has “seen continued attempts to scan [systems], like a burglar walking around your house and checking the windows” as well as some attempts at intrusion, there is no evidence a foreign power has been successful. “As of today, there’s no activity we’ve attributed to a foreign power.”
She distinguished between the efforts of China, which she said is “playing a long game,” in a prolonged attempt to change attitudes and influence policy, and Russia, which is “much more brazen and noisy, trying to disrupt the here and now.”
Voter database hacks. Kurtis Minder, CEO at GroupSense, which has been monitoring elections since before 2016, pointed out thatlast week New York State's 2018 voter database was stolen and leaked online. “Although the information in the database alone is not dangerous, if combined with information acquired elsewhere, it could allow for voter suppression or identity theft,” said Minder. “What this reveals more than anything is the flagging state of electionsecurity efforts.”
SC Media will be adding to this story as Election Night unfolds.