A Blog by Jonathan Low


Sep 22, 2018

The Cyberthreats That Most Worry Election Officials

The states in green provide no paper backup to electronic voting - and some of them, including Texas and Pennsylvania, are among the biggest in the US. JL

Alexa Corse reports in the Wall Street Journal:

Hackers could tamper with voter records and sow confusion about who’s allowed to vote. Paperless voting machines could fail—and there aren’t always paper backups that provide a record of votes. Malicious social-media accounts could spread false voting information online, such as fake instructions on how to vote. The biggest concern isn’t that a foreign adversary like Russia would alter ballots. They’re worried about elections losing legitimacy. “We will never have another uncontested presidential election. The seed of doubt has been sown.”
As Election Day gets closer, one issue looms large for voters and election officials alike: cybersecurity.
Hoping to quell fears about foreign hackers and repel potential threats, many states and counties are beefing up their plans to deal with cyberattacks. They’re shoring up systems to protect their voter databases and hiring security experts to assess the strength of their defenses. They’re coordinating with social-media organizations to stamp out deliberately fraudulent messages that could mislead voters about how to cast a ballot. And they’re banding together to share information and simulating how to respond to potential emergencies.
One simulation-based exercise, held by the Department of Homeland Security in mid-August, gathered officials from 44 states, the District of Columbia and multiple federal agencies, the DHS says.
“There absolutely is more emphasis on contingency planning” since 2016, says J. Alex Halderman, a professor of computer science at the University of Michigan.
State election officials say voters should feel assured that voting systems are secure. And U.S. intelligence officials emphasize that there is no evidence that hackers changed any votes in 2016. But some officials say their biggest concern isn’t that a foreign adversary like Russia would alter ballots. They’re worried about elections losing legitimacy.
“I do worry that we will never have another uncontested presidential election,” says Connecticut Secretary of State Denise Merrill, a Democrat. “The seed of doubt has been sown.”
Shane Schoeller, the county clerk in Greene County, Mo., says he feels as though there is little room for error or setbacks.
“You’re either renewing that confidence or you’re taking that confidence away as that election is conducted,” says Mr. Schoeller, a former Republican speaker pro tem of the Missouri House of Representatives.
Here are some of the cyber concerns that election officials are wrestling with.
1. Hackers could try to tamper with voter records and potentially sow confusion about who’s allowed to vote.
Many states require that voters register in advance and provide information such as name, home address and party affiliation. Those details are stored in voter-registration databases.
The databases generally aren’t connected to the machines used to tabulate votes. But some experts worry about whether hackers might try to break into the databases and alter the data, making it seem as though some people aren’t allowed to vote—potentially leading to big confusion at polling places.
In a bipartisan report issued earlier this year, the Senate Intelligence Committee concluded that Russian-affiliated hackers accessed voter-registration data in a handful of states during the 2016 election cycle. There is no evidence any such data was altered, the report said.
A spokeswoman for the committee declined to comment on its continuing investigation. Moscow has denied hacking and using fraudulent social-media accounts to undermine the 2016 and 2018 elections.
For the midterms, Matthew Masterson, a senior cybersecurity adviser at the Department of Homeland Security, says he’s helping state and local officials secure voter data. That includes official databases, as well as copies of the data, which may be put on tabletlike devices called e-poll books, sometimes used by poll workers to check in voters.
In addition, many states are moving to bolster the security of their voter-registration systems. For example, Vermont and Minnesota have added two-factor authentication, which uses a second passcode to enhance security, say officials from both states.
Meanwhile, states have a low-tech alternative available if poll workers can’t verify someone’s eligibility: The voter fills out a provisional ballot that includes some personal information, and officials figure out the voter’s eligibility later, often after Election Day.
Still, some observers worry that there may be a problem with provisional ballots that hackers could try to exploit. Those ballots may take a while to fill out, which could lead to longer lines at polling places, says Joseph Lorenzo Hall, chief technologist at the nonprofit Center for Democracy and Technology. Some voters may not be able to wait, or may not be willing to provide personal details on the form, Mr. Hall says.
“Say it’s a hotly contested midterm election” in a small congressional district, says Mr. Hall. If bad actors were to improperly modify the records for, hypothetically, 10% of a bloc of voters, he says, those people might not complete a provisional ballot and leave without voting—which, he worries, theoretically might swing the race to a certain candidate.
2. Paperless voting machines could fail—and there aren’t always paper backups that could provide a paper record of votes cast if technological issues arose.
Paperless machines—which at least one county in each of 13 states will use for most voters this year, according to the Verified Voting Foundation—were once considered state of the art. But now security experts are recommending paper ballots or machines with paper backups to counteract any potential bad actors who might try to tamper with the machines’ software.
“You have to have a way of checking that the software has not been hacked and that there’s no errors,” says Marian Schneider, president of Verified Voting, a Philadelphia-based nonprofit that has long advocated for a “paper trail” of votes.
The Senate Intelligence Committee’s bipartisan report endorsed that idea. Many voting machines “do not have a paper record of votes as a backup counting system that can be reliably audited, should there be allegations of machine manipulation,” the report said.
In March, Congress allocated $380 million for states to upgrade their election systems. And some states are already moving away from paperless machines. Even before that federal funding was available, Virginia fully retired its paperless, touch-screen electronic voting machines ahead of its November 2017 election. Other states, such as Pennsylvania and Louisiana, have begun the replacement process.
Some state election officials emphasize that electronic voting machines generally aren’t connected to the internet and thus are less susceptible to remote hacking. Officials also say it’s common to conduct various tests before and after elections on many types of voting machines, along with restricting physical access to the machines and installing protective seals on them.
Still, at the DEF CON computer-security conference in Las Vegas this summer, hackers penetrated some voting machines and other election equipment as part of a demonstration. Some makers of voting machines responded, saying it was unrealistic that malicious actors would have so much access during an election.
State election officials from several states that use paperless voting machines say they are taking postelection security measures.
For instance, Louisiana Secretary of State Kyle Ardoin says officials confirm that the number of people who checked in on Election Day matches the number of votes cast, among other measures. A spokesman for Mr. Ardoin adds that there have been very few discrepancies, and that in those cases, officials didn’t find any evidence of deliberate tampering.
3. Malicious social-media accounts could spread false voting information online, such as fake instructions on how to vote.
Election officials want to use social media to educate voters—and want the bad guys to stay off it. U.S. intelligence officials, for instance, charge that Russia has used fraudulent social-media accounts to spread divisive political messages during the 2016 and 2018 election cycles.
So, several state election officials say they are beefing up their crisis-communications capabilities. For instance, some officials say that, unlike in 2016, they now have contacts at Facebook and Twitter they can call to report posts containing deliberate disinformation about how to vote.
Spokesmen for Facebook and Twitter say they will work to remove any reported posts that violate their rules, such as deliberately spreading disinformation about how to cast a ballot.
In 2016, for example, some Twitter accounts spread messages encouraging Democrats to vote by text, which isn’t allowed in any state. Those messages included photoshopped images that looked similar to genuine material from Hillary Clinton’s campaign.
The company worked to remove those tweets after news reports identified them. It later said those posts didn’t have “obvious Russian origin.”
A Twitter spokesman says the company also regularly advises election officials—as well as candidates, among others—about best practices, such as using strong passwords.

