Listen to the article (AI powered narration)

Published on September 22, 2020

After it became apparent that the General Staff of the Russian Army (GRU) targeted over 21 states’ voter registration databases, U.S. authorities snapped into action. No votes were altered during the 2016 presidential election; however, experts believe that Russian operatives didn’t want to alter votes, per se. Their main goal was to sow public distrust of the American election system.

U.S. Election Security Czar Shelby Pierson, who incidentally was the National Intelligence Manager for Russia back in 2016, claims that the 2018 midterms were a success. However, the 2016 Russian cyberattacks were likely a dress rehearsal for 2020. According to Pierson, the government is ready for the forthcoming attacks; the Office of the Director of National Intelligence (ODNI) has the economic resources it needs, and there aren’t any roadblocks to future funding.

Although Congressional dollars are available to states through the 2002 Help America Vote Act (HAVA), there may not be enough to go around. In their recent report, America’s Voting Machines at Risk, Lawrence Norden and Christopher Famighetti contend that it will cost upwards of $1 billion to replace antiquated voting machines. Moreover, much of these costs will fall upon the shoulders of states and counties. While examining recent safeguards for the upcoming U.S. elections, two case studies may prove to be illuminating.

Case Study: Illinois

The Land of Lincoln got hit particularly hard by the GRU in 2016, as Russian operatives targeted state databases, local databases, and individuals within the State Board of Elections (SBOEs). A SQL injection was inserted into a section of the Illinois registration site where voters listed their driver license numbers. Before officials spotted the malicious code in their database, the hackers were able to extract information of roughly 76,000 of Illinois’ eight million active registered voters. This event led to the arrest of a dozen GRU members.

In the aftermath of the July 2016 attack, Illinois used $7m out of their $13.9m HAVA funding to create the Illinois Cyber Navigator Program. Although far from a panacea, this program provides all 108 counties in Illinois with grants, cybersecurity training, advice for machinery upgrades, and periodic risk assessments. There is also a partnership with the National Guard, whereby the National Guard’s cybersecurity experts are on call during election days. Thankfully, Illinois election clerks did not need to invoke such assistance in the 2018 midterms.

Case Study: Florida

Seeing as Florida is a critical swing state, it is no wonder the state was targeted during the lead up to the 2016 election. According to the Special Counsel’s report, GRU operatives successfully targeted VR Systems, a Tallahassee-based elections technology software vendor; ultimately, they used an effective spear phishing campaign to access email accounts for 120 Florida officials.

Using $19.2m worth of HAVA funds, Florida election officials hardened their network, made changes to their post-election audits, and have subsequently mandated the use of complex passwords and multi-factor authentication. Florida’s election security again made it into the news cycle in 2018 after it was reported that an 11-year old boy at DEFCON hacked into a replica of the Florida election site in under ten minutes. That said, it is quite probable that the replica site was not as robust as the actual Florida site.

Preventative measures across the nation

1. Communication across regions
Although it may seem counterintuitive, the fact that the U.S. is made up of so many disparate cyber networks works in the nation’s favor. Speaking on the CBSNews podcast “Intelligence Matters,” Pierson explains this phenomenon.

Pierson says, “I think you’ve heard people say that because we have 9,000 jurisdictions and this patchwork of different vectors and capabilities across the states […] that might actually be a blessing in disguise because it makes those vectors very diverse and very difficult [to penetrate].” In short, having different systems at the local, state, and federal levels actually bolsters the United States’ election security; however, it’s imperative that these different jurisdictions communicate with one another.

After two Florida counties’ elections were breached in 2016, the FBI failed to brief state election officials for over two years. Admitting that was a mistake, the Feds now make it part of their official policy to immediately inform top state and local election officials in the event of a breach. The government’s new policy of communication across various regions will serve as a bulwark against cyberattacks in 2020.

2. Risk-assessment audits
By hiring independent third parties to conduct thorough risk assessment audits of election infrastructure, the U.S. can prevent successful attacks. Sometimes, technology software vendors resist giving auditors access to their systems because they worry about intellectual property being stolen. As scholars from Stanford’s Cyber Policy Center explain in their June 2019 Securing American Elections white paper, “Vendors who provide the hardware and software for elections, generally resist third-party inspection of source code on the grounds that allowing outsiders such access compromises their intellectual property. ” However, there is a simple solution for this issue: during independent code inspections, vendors should merely ensure that the third-party auditors sign non-disclosure agreements.

3. An increase in paper ballot initiatives
According to the National Conference of State Legislatures, more states are using paper ballots and other ways to keep track of paper trails. Fourteen states require paper ballots and voting tabulation via optical scans. The District of Columbia and 17 other states mandate that there be a verifiable paper trail for all voting machines. Although not all of the states have gone this route, it is surely a step in the right direction. In regard to the aforementioned case studies, Florida requires paper ballots, and Illinois requires all of their voting machines to have permanent paper records.

Conclusion

In addition to risk assessment audits, communication across jurisdictions, and an increase in paper ballot initiatives, there are other steps vendors and election administrators can take to bolster election security. Addressing vendor-level attacks, vendors should be sure to meet the EAC’s Voluntary Voting Systems Guidelines (VVSG). Additionally, election software vendors should conduct bug bounty programs, allowing white hat hackers to identify vulnerabilities. Also, from a public policy standpoint, it’s important that the government continues to qualify election security as “critical infrastructure.” Lastly, it’s worth considering whether it makes sense to extend the voting period in America, as this would give election officials more time to fix any issues that may arise.

John Donegan

John Donegan

Enterprise Analyst, ManageEngine

John is an Enterprise Analyst at ManageEngine. He covers infosec, cybersecurity, and public policy, addressing technology-related issues and their impact on business. Over the past fifteen years, John has worked at tech start-ups, as well as B2B and B2C enterprises. He has presented his research at five international conferences, and he has publications from Indiana University Press, Intellect Books, and dozens of other outlets. John holds a B.A. from New York University, an M.B.A. from Pepperdine University, an M.A. from the University of Texas at Austin, and an M.A. from Boston University.

 Learn more about John Donegan
x