Editorial: Ill-Prepared States Invite Election Hacking

Saturday, May 12, 2018

Vermont and New Hampshire are each due to get about $3 million from the $380 million Congress appropriated in March to enhance election security. While not a huge amount, the money is welcome as all 50 states prepare for mid-term elections that will almost certainly be targeted by malicious hackers intent on creating chaos and undermining Americans’ faith in elections.

Russian efforts to breach the voting systems of about 20 states during the 2016 election cycle have been documented by the Department of Homeland Security and the Senate Intelligence Committee, despite President Trump’s efforts to cast doubt on whether Russian meddling took place. No evidence has been produced suggesting that the hackers succeeded in altering vote tallies or tampering with voter registration information, but there’s every reason to fear that the Russians are of the “if-at-first-you-don’t-succeed, try,-try-again” school. In fact, the Russians’ efforts in 2016 appeared to many experts to be a trial run for a much more extensive effort in the future.

And they may not be alone. Homeland Security Secretary Kirstjen Nielsen felt obliged to warn a group of 80 foreign diplomats, including the Russian ambassador, in a closed-door meeting in March not to meddle in upcoming elections or they would face retaliation. Homeland Security is now conducting risk assessments for 17 states that have requested them, a process that needs to be accelerated and coupled with increased information-sharing with election officials across the country. A number of other states, fearful of federal intervention in a function that has historically been controlled by local and state governments, have turned to the private and nonprofit sectors for security expertise.

Last week The New York Times reported on the extensive efforts West Virginia has made to secure its election infrastructure. Mac Warner, the state’s chief election official, told the Times that some county clerks wondered why so much emphasis was being placed on cybersecurity when “the Russians aren’t going to attack us.” His answer? In the digital age, any state that does not secure its election systems is inviting an attack.

In testimony prepared for a Senate Intelligence Committee hearing this spring, Vermont Secretary of State Jim Condos outlined the measures Vermont has taken to boost the security of its election systems, including physical and cybersecurity risk assessments and adoption in 2015 of a new election management platform that includes built-in security measures. He said that Vermont follows a number of acknowledged “best practices,” including use of paper ballots; daily backup of the voter registration database; daily monitoring of traffic to the election website; blacklisting of known or suspected problem IP addresses; and penetration testing. With the new money, Condos said later, “We will look at how we can ramp up even more security. We’ll look at maybe beefing up our firewalls.”

New Hampshire Secretary of State Bill Gardner was considerably less forthcoming when the Concord Monitor inquired about his plans for using the Granite State’s share of the cybersecurity funds. He argues that the state’s antiquated election technology is precisely what keeps its paper-based system secure.

Gardner’s office also declined to provide information about its security measures to the Center for American Progress, a left-leaning think tank that compiled a detailed state-by-state election security report card that it released in February. Both New Hampshire and Vermont received a “C” (no state got above a “B”). The report card noted that while Vermont does indeed adhere to a number of “best practices,” it needs to strengthen its post-election audit verification procedures, a fault it also found with New Hampshire. Condos told WCAX that he disagreed with some of the report card’s conclusions and had confidence in the state’s system. But he noted that there’s no room for complacency, as digital defenses must be constantly upgraded. “The bad actors have one way of doing it yesterday, a new way to do it today and a new way to attack tomorrow,” he said.

It’s anybody’s guess whether Gardner is taking cybersecurity seriously enough or whether he is still preoccupied with the chimera of “voter fraud.” He claimed that his decision to join President Trump’s spurious and now-deceased election integrity commission was motivated by a desire to restore people’s faith in democratic elections. If so, he ought to take the occasion now to publicly explain what steps he is taking to counter an actual, known and widely acknowledged threat to election security.