FCW's 2018 Election Security FAQ
Are the midterm elections at risk of being hacked? Has security improved since 2016? And what, exactly, have DHS and the states been doing? Separate the signal from the noise with this one-stop overview of election-security concerns.
Are the midterm elections at risk of being hacked? Has security improved since 2016? And what, exactly, have DHS and the states been doing? Separate the signal from the noise with this one-stop overview of election-security concerns.
What does the threat look like?
What has Congress done since 2016?
How did states use that money? Is it enough?
Were voting machines hacked in 2016?
Which states are most vulnerable?
What steps has the federal government taken since 2016?
Why are states reluctant to accept the federal government’s help?
Are states facing increased cyber attacks on election infrastructure?
What does the threat look like?
The Department of Homeland Security has broken down the myriad threats facing U.S. elections into three broad categories:
- the hacking of election infrastructure (voting machines, voter registration systems, election management systems, electronic pollbooks);
- strategic hacking and leaking efforts targeting political campaign teams; and
- large-scale disinformation and misinformation campaigns aimed at influencing voter behavior before they head to the polls.
What has Congress done since 2016?
Not a lot. Congress repurposed $380 million of leftover funding from the 2002 Help America Vote Act into grant funding for states to improve election security. States collectively invested an additional $19 million in matching funds for the same purpose.
States could use the grants to replace old voting machines, upgrade election-related computer systems to address vulnerabilities identified by DHS, implement post-election audits, provide cybersecurity trainings for state and local election officials and other activities that are specifically tailored to addressing cybersecurity needs.
Legislators also drafted a number of bills to address security holes identified during the 2016 election, such as the Secure Elections Act and the PAVE Act, which would implement a series of standardized requirements for voting machines, such as paper backups for electronic voting machines and corresponding risk-limiting audits. Another bill, the Honest Ads Act, would provide more visibility and transparency for the kind of social media ad buys that were allegedly leveraged by Russia to target specific voters and spread disinformation in 2016.
None of those bills have passed either chamber of Congress. The bipartisan Secure Elections Act came the closest, but support from Senate Republicans faltered after states and the White House lobbied for changes, arguing that provisions mandating specific audits and voting equipment represented “federal overreach.”
Read more FCW coverage on this issue:
- More Senate Dems back alternative to Secure Elections Act
- Secure Elections Act sponsors eye lame duck session
- Election security bill stalled in the Senate
- Senators duel over audit requirements in election security bill
How did states use that money? Is it enough?
According to the Election Assistance Commission, 41 states used 36.3 percent of those funds to directly improve election cybersecurity. An additional 27.8 percent of the funding went to purchase new voting equipment while another 13.7 percent went to upgrade voter registration systems. Only 5.6 percent of the funds were used to implement post-election audits. However, it’s important to understand that these upgrades and expenditures are expected to take place over the course of the next 2-3 years; relatively little of the work is being completed before the midterm elections.
It’s also important to understand that this $400 million is just a drop in the bucket compared to what states and election security experts say is needed to fix the problem, estimated to be somewhere around $1.5 billion. Additionally, the amount of funding dispersed each state received was based on the size of its voting age population, not according to greatest need or most vulnerable infrastructure.
According to an analysis by the nonprofits Brennan Center for Justice and Verified Voting, five of the 13 states that rely in whole or in part on paperless electronic voting machines – the kind most vulnerable to being hacked – received less than a quarter of the funding that would be needed to fully replace them. More than half of the 46 states that responded to a Government Accountability Office survey released in April said they don’t offer any funding or grant money to local jurisdictions to buy new voting machines.
“Speaking on behalf of myself and my state, yes, I do strongly believe that ongoing funding is necessary and that there's a consistent source of funding," New Mexico Secretary of State Toulouse Oliver told Congress in July. "Election security is not a one-time issue."
In preliminary budget documents, Congress made another $380 million available for 2019, but those funds were zeroed out by the Republican majority, which argued that states still hadn’t finished spending the initial tranche of money.
Read more FCW coverage of this issue:
- Congress poised to put up $380 million for election security
- Most jurisdictions satisfied with voting machines, GAO finds
- House zeroes out $380 million in voting security funding for FY19
- Officials push for more election security dollars
Were voting machines hacked in 2016?
The most accurate way answer is that we don’t know. The intelligence community’s assessment after the 2016 election did not find any evidence that actual vote tabulations were changed, but the relative lack of attention paid to the issue -- combined with the widespread use of paperless voting machines and uneven post-election auditing -- mean that a successful breach might not have been detected. DHS officials have said they do not believe hackers ever gained the ability to access or change vote totals.
Intelligence agencies and Special Counsel Robert Mueller’s investigation into Russian interference have uncovered evidence that dozens of state election systems, including voter registration databases, were scanned by Russian hackers looking for vulnerabilities, but scanning is not hacking. Cybersecurity experts liken it to reconnaissance, the digital equivalent of casing a home before a robbery. At least one state, Illinois, did suffer a breach of its voter registration system.
Regardless of what did or did not happen in 2016, experts are almost unanimous in their assessment that voting machines are riddled with cybersecurity vulnerabilities. Many of those vulnerabilities require physical access to the machines, while others can be exploited remotely or through the compromise of the corresponding software that is used to program and update ballot information. A group of security researchers at DefCon, one of the largest annual gatherings of hackers in the world, released a report examining 30 different voting machines. All were compromised in relatively short order by volunteers with a fraction of the resources that nation states can bring to bear.
“The number and severity of vulnerabilities discovered on voting equipment still used throughout the United States today was staggering,” the report stated.
So foreign nations will definitely go that route in 2018, right?
Not necessarily. Despite the wide range of security vulnerabilities facing voting equipment, there are a few major factors that may deter them from going this route. First, the federated nature of U.S. elections means that each county and jurisdiction do things differently, from the type of voting machines they use to chain of custody protocols to the cyber precautions taken.
The distributed and decentralized nature of elections “is both good and bad for cybersecurity,” according to a security playbook developed for state and local election officials by the Harvard Belfer Center. While decentralization makes it difficult “for a single cyber operation to compromise multiple jurisdictions,” the report states, “disparities in cybersecurity resources and experience across jurisdictions creates vulnerabilities.”
Additionally, the sheer number of eyes watching for signs of vote hacking in this election, combined with increased resources to detect malicious activity, may make targeting election infrastructure an exceptionally risky endeavor for nation states.
Then what are the concerns this cycle?
While much of the focus in election security has focused on the IT infrastructure used to run elections, federal officials are at least as worried about the impact of coordinated online influence campaigns. Such efforts are generally cheaper, provide nation states with plausible deniability and can be effective at amplifying existing political tensions in ways that can boost or suppress voter turnout for targeted groups.
Officials also believe that political campaigns – often hastily put together on shoestring budgets – represent the soft underbelly of election cybersecurity. Such operations rarely have sophisticated IT security protocols or dedicated cybersecurity staffers, particularly at the early stages of campaign season. While private-sector and nonprofit groups are trying to change that by offering free IT security services to political campaigns, a number of candidates and sitting members of Congress have reported attempts by hackers -- some successful -- to penetrate their communications this cycle.
Even campaigns with the best resources can be caught flatfooted by the evolving tactics of hackers targeting their staff and associates.
“We brought on a security guy because we knew the Chinese had hacked other campaigns, but we thought it was an espionage threat, not an information operation, not a doxing threat,” said Robby Mook, who ran Hillary Clinton’s presidential campaign in 2016. “That’s why…I just worry that some of these managers are going into the 2020 campaign building out for the 2016 campaign and not thinking holistically about all those threats.”
Read more FCW coverage on this topic:
Which states are most vulnerable?
While cybersecurity researchers have been able to find exploitable vulnerabilities in nearly every type of voting machine, they are particularly worried about states that rely on paperless Direct Recording Electronic machines. These machines are not only highly hackable, but their lack of paper trail – even as a backup – means it will be nearly impossible to conduct an effective post-election audit capable of discovering if voting tabulations have been changed, since a hacker who compromised the machine or machines would also have the ability to alter the electronic image that auditors use to compare vote totals.
New Jersey, Louisiana, Pennsylvania, Indiana, George, South Carolina, Mississippi, Kansas, Texas, Tennessee, Kentucky, Delaware and Arkansas all rely in whole or in part on such machines.
Christopher Krebs, undersecretary of the National Protection and Programs Directorate, said DHS has factored the “unique risk profile” that DRE machines pose, but the level of support they provide is largely dependent on what those states are requesting from the federal government.
“It’s always going to depend on what they need from us,” said Krebs. “But sitting back, we are also aware that there are some states that may, because of the risk profile, require a different level of support, so we factor those things in.”
Read more FCW coverage on this topic:
- DHS, states drill on election security
- States aren’t shifting voting tech, despite ballot security concerns
- Senate Intel offers election security guidelines
What steps has the federal government taken since 2016?
The Department of Homeland Security has been the most active federal agency on election security issues since election systems were designated as critical infrastructure in 2016. The department’s cyber wing, the National Protection and Program’s Directorate, has spent the past two years building up information sharing and threat detection capabilities around election systems that largely didn’t exist in the lead-up to the 2016 elections when intelligence agencies were just starting to gain awareness of the threat.
“Unfortunately in 2016, we had to build relationships when we were in a bit of a hurricane,” Bob Kolasky, a DHS official who now runs the newly created National Risk Management Center, said earlier this year. “[Since 2016], DHS has been deliberate to put resources and information – building partnerships, building processes to share information and building making tools available to support state and local election officials.”
More data and better communication with states, localities and election system vendors represent the heart of where DHS has invested its time over the past two years. The agency has conducted vulnerability scans and assessments for state governments, substantially beefed up its deployment of sensor tools designed to pick up suspicious cyber scanning or intrusion attempts of state election systems and a new election related Information Sharing and Analysis Center established in February now has more than 1,000 members sharing information back and forth.
In all, DHS says it now has working relationships with all 50 states and more than 1,000 localities to strengthen election cyber defenses ahead of Nov. 6. It has set up other forms of communication, such as virtual chat rooms, to broaden its real-time communications with county level officials leading up to and past election night.
DHS, the Department of Justice and the Federal Bureau of Investigation have all stood up new task forces focused on combatting foreign influence campaigns, with the FBI taking the operational lead.
The Election Assistance Commission, meanwhile, is developing new voting system standards that include improved technical guidance around cybersecurity, but those standards must be voluntarily adopted by states and voting machine manufacturers, and aren’t expected to impact state purchasing decisions until 2020 or 2022.
The military, more specifically U.S. Cyber Command, recently received a broader mandate to protect election infrastructure as part of the Trump administration’s new cyber strategy.
Finally, the White House, which has been criticized at times for not doing enough to secure the election system from foreign interference, issued an executive order that gives intelligence agencies 45 days after an election to report whether there is evidence that a foreign government conducted a campaign to interfere in U.S. elections. After such a finding, a range of economic, diplomatic and travel sanctions can be imposed.
Officials have also said that in select circumstances, they retain the option of alerting the public about an ongoing campaign before election day, as DHS Secretary Jeh Johnson did in October 2016 with regards to Russia. However, the difficulties around attribution as well as a concerted desire to make states the public face of most election security mean that federal agencies will often be funneling the necessary intelligence or technical advice to relevant state or local officials and letting them take the lead as the trusted authority for election related communications.
Read more FCW coverage on this issue:
- 3 ways DHS is helping states with election security
- DHS says teamwork is improving election security
- Trump order imposes consequences on election meddlers
- As foreign meddling mounts, DHS projects confidence in election system resilience
Why are states reluctant to accept the federal government’s help?
Each state has its own approach to working with the federal government, and many of them have embraced the partnership model. However, the federal government’s designation of election systems as critical infrastructure and the increased chatter about the inability of states to meet cybersecurity threats from nation states have left some worried.
Many state election officials believe they do a thankless job running an incomprehensibly complex elections process with multiple mandates and little in the way of consistent funding from either states or the federal government. Some also believe that despite the unprecedented threat they faced, most states performed admirably in 2016.
“All the discussion in the media [after 2016] had to do with the one state that was breached,” said Vermont Secretary of State Jim Condos, who serves as president of the National Association of Secretaries of State. “There were 20 states that were not breached. There were 20 states that defended well. They did their job and that is a story that’s been missing in some of this discussion.”
DHS, meanwhile, has responded to those concerns by making a conscious effort to make states the public face of election security efforts, with communications about the latest threats, election-related misinformation and other areas being routed through Secretaries of State offices.
Why doesn’t the federal government just step in and take over to protect our elections? Isn’t this a matter of national security?
The federal government has zero experience administering elections, whereas states and localities have been doing it for hundreds of years. While many policymakers have advocated for Congress to make better use of its constitutional authority to “make or alter” election-related regulations, very few are calling for a federal takeover or believe it would improve election administration.
Members of Congress in both parties – even those steeped in the specifics of the threat facing elections – have expressed a deep reluctance to pass any legislation that would upend the preeminent role that states and localities play in administering elections.
Read more FCW coverage on this topic:
- Senate Intel chair doesn’t plan legislative push on election cyber
- Senator presses White House to improve election cyber protections
Are states facing increased cyber attacks on election infrastructure?
NBC News reported that an internal intelligence assessment found “a growing volume of cyber activity targeting election infrastructure in 2018” and that intensifying attacks from unknown parties were detected as recently as October.
Krebs, the undersecretary for NPPD, has since pushed back on that claim, attributing the higher levels activity to better reporting and information sharing between states, not a substantive increase in hacking attempts. Krebs and other U.S. officials have consistently said that intelligence and technical sources show the level of activity targeting election infrastructure is well below what was seen in 2016, but that a ramp up is “one click away” and election officials should prepare accordingly.
Recently, President Donald Trump and members of his administration have said China is attempting to interfere in the upcoming mid-term elections. Is that true?
It depends on how one defines “election interference.” Intelligence agencies and DHS continue to say that they have no evidence indicating China is actively targeting election infrastructure the way the Russians are thought to have done in 2016. Those officials have said that China, like other countries, conducts influence campaigns and those campaigns could theoretically influence voter behavior, but they are often described more as attempts to influence American public opinion in ways favorable to Chinese policies, through advertisements and media buys, not online disinformation campaigns targeting specific election outcomes.
FireEye, a well-respected cybersecurity threat intelligence firm with a long history of attributing cyber attacks back to nation states, said in October that it has yet to see examples of online activity linked to Chinese hackers that attempts to manipulate specific issues or shape electoral outcomes. Other cybersecurity firms such as Crowdstrike and Symantec have reinforced that view.