WaPo’s Cybersecurity Preview of June 5 Primary
[Image via padailypost]
It’s primary Election Day in several states today – and the Washington Post’s Cybersecurity 202 blog has a state-by-state pre-election look by Derek Hawkins at cybersecurity issues in those states. Take a look (NOTE: all emphasis is in the original):
Tomorrow is a big test for election security coast to coast, as eight states including California hold primaries in one of the most consequential voting days since the presidential election.
It’s the largest block of states to do so before the November midterms, and election officials hope they have the right safeguards in place to stave off the kinds of cyberattacks that occurred in 2016. That year, Russian hackers targeted election systems in 21 states.
“We’ve done everything that we could think of doing — not to just assess what happened in 2016 but to fortify our defenses,” California Secretary of State Alex Padilla told me.
“Cybersecurity concerns are equally top-of-mind in the primary as they are in November,” he said. “We’re not considered a swing state, but we’re still California and from a security standpoint a high-value target, so we’re taking it very seriously, to protect our election process and the integrity of elections.”
Yet the states holding primaries on Tuesday run the gamut when it comes to election security. California and New Mexico, for instance, are widely considered ahead of the curve, having already adopted the paper ballot systems with easily verifiable results and post-election auditing recommended by experts. Several states have hired and trained new staff, upgraded computer networks or brought in technical experts to test their systems for weaknesses. But other states are further behind. Voters in New Jersey and Mississippi, for example, will be casting ballots Tuesday on aging electronic machines that experts widely agree should be scrapped because they’re hackable and their results can’t be audited.
Officials say they’ll be watching closely for any indications of interference, such as voters showing up to the polls to find their registrations were altered or outages on websites that post election night results.
“My staff and all 33 New Mexico county clerks have worked hard to ensure that proper security protocols are in place so that Election Day goes smoothly,” New Mexico Secretary of State Maggie Toulouse Oliver told me in an email. “I’ll keep the lines of communication open with our county clerks, relevant federal agencies and other state election officials so there is a coordinated and effective response to any attempts to interfere in New Mexico’s elections.”
And there’s reason to be optimistic: Election officials who have worked on shoestring budgets for years are receiving local, state and federal money — including a $380 [million] infusion from Congress — for cybersecurity improvements. And officials at all levels of government are partnering with private-sector researchers to share expertise and information about cyberthreats in ways they never have.
That’s all good news going into Tuesday, said David Becker, director of the Center for Election Innovation and Research, a nonprofit working to improve election administration. “It’s a test of all the work that has been done to date,” he said, “and fortunately that work is significant.”
Here’s a rundown on what each state holding elections Tuesday is doing well — and how they might improve:
CALIFORNIA
What it’s doing well: California is one of several states that are emerging as models for election security nationwide. It uses paper ballots and machines that produce paper trails that can be audited — exactly what election security experts recommend. It’s also moving toward a vote-by-mail system, with millions of Californians mailing in ballots ahead of Election Day. Becker, of the Center for Election Innovation and Research, says this offers an important “early warning system” for voting irregularities: “Because so many voters vote by mail, if there were problems, we would likely see that and detect it well before Election Day,” he said. Additionally, the state’s online voter registration database is one of the newest in the country, so it doesn’t require the potentially costly security updates that others do.
What it could do better: A survey of election security in all 50 states released this year by the Center for American Progress recommended that the state expand its post-election auditing to include provisional ballots. It also recommended ending its practice of allowing electronic absentee voting from overseas, which experts warn poses privacy and security risks.
NEW JERSEY
What it’s doing well: New Jersey officials say they’ve taken extra precautions to secure their voting machines, which are entirely electronic, including outfitting them with tamper-evident seals and requiring criminal and security background checks for anyone who works on them. They’ve also held security training sessions for election workers, installed anti-virus software on election management computers and brought in Department of Homeland Security officials to conduct vulnerability tests. Additionally, the state has a government office devoted to sharing threat information with local governments and the private sector.
What it could do better: New Jersey is one of five states that votes solely on direct recording electronic voting machines, or DREs, which produce no paper trail and are vulnerable to hacking. This is a top concern for election security experts because the machines offer no way to verify the vote count beyond what the machines tally. A recent analysis by the Brennan Center, a nonpartisan think tank, found that it would cost more than $40 million to replace the machines. A full replacement could be years away.
ALABAMA
What it’s doing well: Alabama is in some ways ahead of the curve. The election between Democrat Doug Jones and Republican Roy Moore to fill Attorney General Jeff Sessions’s Senate seat drew international attention — and close intervention from the federal government. Christopher Krebs, DHS’s top cybersecurity official, visited the state to assist in election security ahead of the vote last November. Beyond that, Alabamians vote almost entirely on paper ballots, which experts widely agree are the safest voting method.
What it could do better: Alabama doesn’t require post-election audits to verify voting results. Alabama was also among the states whose systems were targeted in 2016, but as of early May it was one of just two that hadn’t requested a security review by DHS.
IOWA
What it’s doing well: In Iowa, people vote almost entirely on paper ballots. After the state had its election systems targeted in 2016, Iowa Secretary of State Paul Pate last month convened an election cybersecurity working group made up of officials from the Department of Homeland Security, U.S. Elections Assistance Commission, Iowa National Guard, county officials and IT professionals, among others. The group will advise Pate’s office on how to protect election systems. The state is also one of a handful of states that received a security checkup from DHS.
What it could do better: Iowa requires post-election audits, but not the kind favored by most experts. The state could improve, experts say, by using “risk-limiting audits,” in which a sample of ballots are counted by hand and compared to machine tallies. Experts widely agree that only these such audits are comprehensive enough to detect a cyberattack.
NEW MEXICO
What it’s doing well: New Mexico earns high marks among election experts because it uses paper ballots and because it’s one of just three states that use risk-limiting audits. The state has welcomed assistance from the federal government’s cybersecurity pros. And although it wasn’t among the states targeted in 2016, it has received a security check from DHS.
What it could do better: The Center for American Progress gave New Mexico an overall positive review, but said it should consider requiring backup paper voter registration lists at polling places and prohibit electronic absentee voting.
MISSISSIPPI
What it’s doing well: Secretary of State Delbert Hosemann recently noted that his office uses two-factor authentication, encryption and firewalls to protect the state’s election management computer system, all of which experts say is important. The state had also hired third-party companies to try to penetrate the state’s voter registration system, but none had succeeded, he told the Jackson Free Press last month.
What it could do better: Mississippi votes almost entirely on DREs that can’t be audited. Experts say those need to be replaced, and Hosemann has indicated that the state will use some of its $4.5 million in federal election assistance funding to do that. But the Brennan Center notes that it will cost at least $9.2 million to replace every machine statewide. It’s not clear when a full replacement could come.
MONTANA
What it’s doing well: Montana votes on paper ballots. And like California and other Western states, many Montanans vote by mail.
What it could do better: Montana requires some post-election auditing, but only in counties that use ballot tabulators, not statewide. The Center for American Progress said in its report that such audits aren’t a satisfactory way to verify the results and recommenders switching to risk-limiting audits.
SOUTH DAKOTA
What it’s doing well: South Dakota is another paper ballot state. Votes are delivered by mail or in person and counted and logged on machines that aren’t connected to the Internet. Along with New Mexico, it’s also one of 17 states that bar electronic absentee voting.
What it could do better: South Dakota doesn’t require any post-election audits, which experts say are essential to ensure voter confidence, especially in the wake of 2016.
Pre-election rundowns like this aren’t unusual – but usually they cover things like voter ID, registration deadlines, early voting and vote-by-mail. Don’t be surprised if this kind of piece becomes familiar if not de rigeur going forward. Good luck to everyone participating in today’s primaries on both sides of the table … stay tuned!