How Colorado voting became a cybersecurity leader long before Russians tried to hack it

Colorado offers extensive election official cybersecurity training, paper ballots, and a strong auditing system, giving it top marks in election security.

This article is part of TechRepublic's series on how states across the US are approaching the cybersecurity threat to the 2018 midterm elections.

Colorado was one of 21 states targeted by Russian operatives during the 2016 election. But unlike many others, the state has spent years implementing top-tier cybersecurity measures and audits to prevent hackers from entering its systems and interfering with the election process.

Colorado receives top marks in the three most important election security categories, according to a February report from the left-leaning Center for American Progress comparing the election security of all 50 states:

  1. Adhering to minimum cybersecurity standards for voter registration systems
  2. Carrying out elections with paper ballots
  3. Conducting robust post-election audits

"Long before the Russians were attempting to hack into voter registration databases, we in Colorado were already really concerned about things like phishing, intrusion attempts on the voter registration database, and so forth," said Colorado elections director Judd Choate.

In 2013, the state began requiring two-factor authentication to log in to the voter registration database: a login name and password, as well as a token that changes numbers every minute.

"Each one is different, and the idea is that it prevents people who shouldn't be in our system from getting into our system, and getting the credentials that are able to make changes to people's records," Choate said.

Since news of Russian election meddling in 2016 hit, Colorado has doubled down on its election security measures, Choate said. "We're really tightening up, and shoring up things like our firewalls and our network security," he added. "We have various ways in which we check and maintain the activity that happens in our voter registration database. We know every single change that's made, and we know by who. We keep track of all of the activity that happens in that database. If anything did end up to be wrong, we could track how that happened down to an IP address."

The election office is also using software to track social media activity around the election, which is a fairly new approach, Choate said. "If somebody is on social media saying that they have hacked into our system, we may know that that's not the case, but the people that are reading that on social media might not know," he added. "We get alerts about what people are saying on Twitter, Facebook and then also things like Instagram, so that we can have some idea about the conversation that's happening out there."

By doing this, the state isn't interested in suppressing First Amendment rights, of course, Choate said. But if inaccurate information is being spread, the election office wants to be able to combat it. For example, if someone tries to spread a lie that Election Day has been moved, the office wants to clarify the truth, he said.

In addition to following many election security best practices, Colorado requires all voting machines to be tested to the Election Assistance Commission Voluntary Voting System Guidelines prior to being purchased and used in the state, according to the Center for American Progress report. Nearly every county has updated voting machines.

"The fact that the state requires election officials to carry out pre-election logic and accuracy testing on all machines that will be used in an upcoming election is also commendable," said Danielle Root, voting rights manager at the Center for American Progress.

The Colorado Secretary of State Office also has the advantage of an IT department of 42 people, making it the largest department in the office, Choate said. "We're more of an IT shop that does business and elections than an elections and business shop that has an IT section," he added.

The IT department has doubled over the past decade, and is still growing even as others remain static. "Because of that, we do a lot of our own development and database management, and have a big security staff as well," Choate said.

War games

Colorado received about $6.3 million in grant money from Congress as part of a 2018 spending bill to address cybersecurity issues through the Help America Vote Act (HAVA), and matched it at 5% with another $300,000. Some of that funding went to a major tabletop exercise called "war games" in September, in which the state election office ran hypothetical worst-case scenario drills with 166 county election officials in preparation for potential cyberattacks or other interference attempts during the midterms.

For example, they tested what would happen if the voter registration database went down, in terms of how to issue a ballot and register people. They also walked through the response to a database hack that exposes the personally identifiable information (PII) of every resident in a county, as well as how to handle a situation in which the heater in a vote-counting room goes out, and the repair crew lacks security clearance.

"The most important thing that you as a state can effectuate beyond doing the technical is to make sure that the people who have some control over your voter registration database are properly trained," Choate said. "They understand the importance of the work that they do, and they can employ good strategies to make sure that their behavior doesn't lead to an intrusion of their database."

Election officials also undergo a certification program with a security course requirement. The course, a SANS training, is updated every six months to stay relevant, Choate said.

"Training election officials to be prepared for and able to recognize Election Day problems is of utmost importance under the current threat environment," Danielle Root said.

When it comes to specific threats, "we're always worried about phishing because that's kind of the easiest point of entry," Choate said. While two-factor authentication makes that more difficult, it's still on officials' radar. The office has weekly meetings about emerging potential threats and points of concern and areas to improve security, he added.

The gold standard in auditing

In 2017, Colorado became the first state to carry out mandatory risk-limiting post-election audits, which are widely considered the gold standard, according to the Center for American Progress.

Risk-limiting audits involve manually checking a sample of ballots, and providing statistical evidence that the election outcome is correct. They have a high probability of correcting a wrong outcome, according to the US Election Assistance Commission. A risk-limiting audit could lead to a full manual recount if there is not enough evidence to prove that the reported outcome is correct, the commission stated.
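The sample-then-escalate logic described above can be shown with BRAVO, a published ballot-polling risk-limiting audit method, applied to a two-candidate contest. This is an added example, not code from the article or from Colorado's election office; the article does not say which audit method Colorado uses, and the function names, seed and ballot counts are constructed.

```python
import math
import random

def bravo(sample, reported_winner_share, risk_limit=0.05):
    """Sequential ballot-polling test (BRAVO) for a two-candidate contest.

    sample: hand-read marks from paper ballots, in draw order:
            'W' = reported winner, 'L' = reported loser, anything else
            (undervote, overvote) carries no evidence and is skipped.
    Returns (decision, ballots_examined).
    """
    if not 0.5 < reported_winner_share < 1:
        raise ValueError("reported winner share must be in (0.5, 1)")
    if not 0 < risk_limit < 1:
        raise ValueError("risk limit must be in (0, 1)")
    # Likelihood ratio of "reported share is right" vs "contest is a tie",
    # kept in log form so long samples cannot overflow a float.
    step = {"W": math.log(reported_winner_share / 0.5),
            "L": math.log((1 - reported_winner_share) / 0.5)}
    threshold = math.log(1 / risk_limit)
    log_ratio, examined = 0.0, 0
    for mark in sample:
        examined += 1
        log_ratio += step.get(mark, 0.0)
        if log_ratio >= threshold:
            return "outcome confirmed", examined
    # Evidence never reached the threshold: the audit cannot stop early.
    return "escalate to full hand count", examined

def draw_with_replacement(ballots, draws, seed):
    """Pick ballots to pull. random.Random keeps the demo reproducible;
    a real audit needs a publicly verifiable seed and generator."""
    rng = random.Random(seed)
    return [ballots[rng.randrange(len(ballots))] for _ in range(draws)]

if __name__ == "__main__":
    # Constructed contest: 10,000 paper ballots, reported result 60% / 40%.
    ballots = ["W"] * 6000 + ["L"] * 4000
    sample = draw_with_replacement(ballots, 10000, seed=2018)
    print(bravo(sample, reported_winner_share=0.6))
    # A sample that looks like a tie never confirms a 60% reported share.
    print(bravo(["W", "L"] * 500, reported_winner_share=0.6))
```

The risk limit bounds the chance that the audit stops early when the reported outcome is wrong; a tied or contradictory sample keeps the ratio below the threshold and forces the full manual count.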

"Only a few states use the particularly good state-of-the-art audit methods called risk-limiting audits," said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology, who developed the auditing methodology in his post-doctoral research.

Risk-limiting audits are required in Colorado, Rhode Island, and Virginia, according to the National Conference of State Legislatures. Ohio and Washington provide counties with the option to do this audit. Beginning in 2020, California counties may conduct a risk-limiting audit instead of a traditional post-election audit.

These audits are key for identifying any problems or interference that may have occurred during voting.

"We focused up until 2016 almost exclusively on vote count changing attacks--things that attacked the actual voting system," Lorenzo Hall said. "But 2016 essentially taught us that there are so many other things that can either directly or indirectly affect the outcome of an election."
