We broke the news in May that the U.S. ranks fifth in the world in terms of election cybersecurity behind Sweden, Northern Ireland, Germany and Italy. Realistically, the only other major power on the list is Germany so the fact that the U.S. election system is behind three other countries who face minimal relative threats should be a great concern to lawmakers and citizens alike.
The worst past of the report is the two major parties in the United States don’t even patch their systems effectively – both score under 80, while the Green Party scored 100.
Granted – it is a smaller party with less to secure but still.
A new report from the Brennan Center for Justice gives us even more details on the current state of voting cybersecurity. Joseph Marks points out in the Washington Post that Congress has allocated $380 million to states to shore up weaknesses but it is turning out too be far too little.
The report focuses on a few states.
Alabama spent and allocated $6,468,413 on voter registration database and computer upgrades as well as postelection audits and addressing identified cyber vulnerabilities.
It does not have enough to secure its outdated legacy voting equipment such as the AutoMARK voting system used in 66 counties. These machines lack basic cybersecurity essentials such as hardware access deterrents for ports. There is also no budget for cyber training to election security tools according to the local election official, Bullock County Court of Probate Judge James Tatum. He said, “While Huntsville and Birmingham can afford these [replacement] costs, when you’re talking about rural counties, we simply can’t afford these costs no matter how much they would improve our election security. For example, we would be responsible for paying for training. Of course, we have to compensate our poll workers for their time when they come to training. We can’t afford it. Rural counties are all in need of some additional resources.”
Arizona is spending and allocating $7,836,859 for voter registration and database replacement, security assessments, information sharing via communications channels and cybersecurity subgrants to local election officials.
Money is lacking to train local election officials who do not have their own IT staffs. In addition, there is a need to replace outdated voting machines which could run on Windows XP and 2000.
Illinois is in a similar situation. Matt Dietrich of the State Board of Elections explained that Illinois needs significant additional funding to undertake a statewide replacement of its aging voting systems. He estimated the likely cost to be $175 million. “Many of our local jurisdictions used the [original] HAVA grants to modernize their outdated voting systems. But those systems are now 15 years old and in need of replacement.”
Louisiana faces a multimillion dollar gap to replace its voting machines as well as addressing identified cyber vulnerabilities. Oklahoma and Pennsylvania are also in a similar situation.
The threats are quite real.
Recently, WV Secretary of State Mac Warner held a discussion about cybersecurity at the West Virginia Secretary of State Regional Office in Clarksburg – not long after Harrison County’s courthouse computer systems were reported to have been hit with ransomware.
According to Secretary Warner, this type of cyber-attack shows hackers are becoming more interested in state and local government voting systems, making it more important than ever to keep our systems secure.
Secretary Warner would also like people to know that election systems and voter registration databases in West Virginia were not impacted by what happened at the Harrison County courthouse.
Jason Christ writing at StateTech advises states can use outsourced assistance from MSPs and MSSPs. “The MSS approach enables agencies to strengthen their cyber posture while maximizing security spend and augmenting in-house security staff when budgets are tight and the ability to find and hire talent is difficult. Because MSS is service-based, it shifts spending from capital to operational expenditures, providing a consistent cost structure to help agencies manage cyber budgets more effectively.” He said.
The senate has shown concern about the issue and a bill pending would deliver state and local governments new and needed resources for cybersecurity, state chief information officers say.
It is extremely easy for a motivated group of hackers to target state and local officials by going through the various websites of the cities and counties looking for election officials. They can then research the people they find and devise social-engineering attacks to acquire their login credentials. From there, they can gain network access and determine the type of voting machine. Such a hacker would have at these voting machines in their possession and understand how they work. They would then be able to take over the machine and do whatever they like with vote totals.
This is likely already happening.
The challenge is, many states still haven’t implemented cybersecurity training which could have slowed the progress of such attacks. Even if a windfall of money is spread throughout the country, the damage could already be done if hackers already have access to voting machines.
This of course assumes they are or have been connected to a network with Internet access.
It seems from this report that many election officials haven’t taken this concern into account and that should worry us all.
In doing our part, we have put together two critical documents which can help your city or state become cybersecure: Cybersecurity Essentials and a Guide to Securing the 2020 Election. If you would like an analysis of your voting infrastructure, IT systems and network as well as a guide to securing it, please contact Apex Technology Services ASAP.