This is part two of TechRepublic's series on how states across the US are approaching the cybersecurity threat to the 2018 midterm elections. Look for case studies from other states in the coming weeks. You can read part one, on West Virginia's mobile absentee ballot voting system, here.
Cybersecurity audits and election system updates are underway across Ohio, after the swing state was one of 21 states whose voter registration databases were targeted by Russian hackers in 2016.
In June, the state submitted a plan for the $12.1 million in funds it has received from Congress as part of a 2018 spending bill to address cybersecurity issues through the Help America Vote Act (HAVA). The state will provide an additional $609,301 by March 2020.
The plan included funding for statewide voter registration system database improvements, such as the introduction of multi-factor authentication and enhanced encryption, table-top exercises and training for election officials, and post-election audit requirements.
SEE: Security awareness and training policy (Tech Pro Research)
It also set aside $4.9 million for "Pathfinders," cybersecurity professionals often from state community colleges who act as consultants for county election boards to help them meet federal cybersecurity standards. The Pathfinders are conducting election security assessments in all 88 counties across the state, developing plans for mitigating any vulnerabilities found, and sometimes completing the tasks necessary to fix any issues, according to the Secretary of State's office.
"We continue to invest in technologies that both improve election security and the voting experience," Ohio Secretary of State Jon Husted said in a press release. "This is not a one-time event, it is a continuous process to assess and address potential threats and risks we face. We want voters to be reassured that Ohio is taking the necessary steps to keep our elections secure."
The Department of Innovation and Technology in Illinois is undertaking a similar venture with their HAVA funding, hiring nine technicians as "cyber navigators" to conduct risk assessments and trainings with local election officials.
These are all signs that, compared to 2016, "federal officials and the public are much more aware of existing vulnerabilities in election infrastructure," said Danielle Root, voting rights manager at the left-leaning Center for American Progress. "We found out within the last couple of years just how much interference was happening, both in terms of disinformation and the probing of registration systems."
There is no evidence that vote totals were changed in the 2016 election, Root said. But understanding the extent of the attempted attacks can help states plan for the future.
"Election officials are better prepared for these elections," Root said. "One area we have seen states step up in is doing a better job of training election officials to identify threats, and how to respond to them, at the state and local level."
SEE: Intrusion detection policy (Tech Pro Research)
The work of a Pathfinder
Paul Weingartner, the program chair of computer network engineering tech and cybersecurity at Cincinnati State Technical and Community College, didn't know much about election systems when he was hired as a Pathfinder. But he did know how to perform cybersecurity assessments, which in this case included both cyber and physical security elements, examining PCs, network printers, poll books, access points, and the tamper-evident seals on voting machines.
As a Pathfinder, Weingartner said he spends about 20 to 40 hours working at each site. This involves a physical walk through, an audit, and an explanation of results and remediation opportunities.
"Not all Board of Election offices are lucky enough to have IT resources, especially in the smaller counties," Weingartner said. "For a number of them, they're not entirely sure how they would go about [an audit], and even the terminology is new to them about these things."
No major red flags have appeared in the cases Weingartner has worked, he said. More common issues included insecure wireless printers, he added.
However, there are still concerns of DDoS attacks on local Board of Election websites, which post election results, he said. The Pathfinders are examining how secure those websites are in terms of how information about voter registration practices and polling places are uploaded and secured.
The Department of Homeland Security has also funded the implementation of a monitoring solution called Albert for several of Ohio's larger jurisdictions. These monitors track suspicious internet traffic entering elections IT environments, and report it to a federal agency for analysis.
With cybersecurity audits and remediations coming to a close, Weingartner said he expects things to run smoothly on election day.
"If you had unfettered access to the machine, like anything else, you could do bad things," Weingartner said. "But these machines are kept in locked areas where typically the protocol is for a Democrat and Republic to each have a key, and it's a dual-lock system." All entrances to the room are logged, and there are alarms and cameras in place, he added. "It would be significantly difficult to access the machines to do something," Weingartner said.
SEE: Incident response policy (Tech Pro Research)
Ohio's election practices are stronger than many other states, according to a February report from the Center for American Progress comparing the election security of all 50 states.
Unlike West Virginia, which is currently testing a blockchain-based app voting system for some absentee ballots, Ohio prohibits voters stationed or living overseas from returning ballots electronically. Instead, all voted ballots must be returned by mail or delivered in person, the Center for American Progress report noted.
The state also requires all voting machines to be certified by the US Election Assistance Commission, and uses paper ballots, which are less likely to be tampered with, the report found.
However, Ohio has an interesting post-election audit law, the report found. While audits are required for every presidential primary election and federal general election, jurisdictions are given the option of conducting either a flat-percentage audit, or a risk-limiting audit, which would be based on a statistically significant number to ensure that election outcomes are correct, Root said. "The flat percentage audit isn't great, but we've been told that most jurisdictions do end up carrying out the risk-limiting auditing requirement, which is fantastic," she added.
In June, the Secretary of State earmarked $2.1 million to offset costs for local and state election officials conducting post-election audits through 2020.
"You need the ability to go back and audit the election and make sure everything is done properly," said Juan Gilbert, chair of the department of computer and information science and engineering at the University of Florida, Gainesville, and co-author of the Securing the Vote report from the National Academies of Sciences, Engineering, and Medicine. "We recommend that even if you do have paper ballots and you send them into a machine that tallies, you should still do an audit, and don't just trust that the machine gave you the correct answer."
Another area of improvement is Ohio's ballot accounting and reconciliation requirements, the Center for American Progress report found. Counties are currently not required by law to compare and reconcile precinct totals of countywide results. This is important to do because with any electronic counting method, there is always the possibility of a machine malfunction, Root said.
"There needs to be a sort of hand-to-eye comparison between what the county results are spitting out and what the precincts have sent in for their results," Root said. "One or two votes will be harder to tell. But if you can look at those precinct numbers and see 'Wow, looks like there should be an additional 100,000 votes, what happened?', that can make a real difference in election outcomes."
One non-cybersecurity elections issue in Ohio and likely elsewhere in the US is that the population of election officials is aging, and fewer young people are volunteering to participate, Weingartner said.
"They're desperate for volunteers to help participate in this," he added. "I think that would also provide people a learning opportunity."
- West Virginia moves forward with first mobile voting app, despite fears from security experts (TechRepublic)
- Defending against cyberwar: How the cybersecurity elite are working to prevent a digital apocalypse (free PDF) (TechRepublic)
- Did Russia's election hacking break international law? Even the experts aren't sure (ZDNet)
- Cheat sheet: How to become a cybersecurity pro (TechRepublic)
- Election security is a mess, and the cleanup won't arrive by the midterms (CNET)
- What to expect from cyber-attacks during an election year (TechRepublic)
- Campaign 2018: Election Hacking
- These are the hackers targeting the midterm election
- U.S. infrastructure vulnerable to cyberattacks designed to suppress voter turnout
- Why voting machines in the U.S. are easy targets for hackers
- Top state election officials meet amid security concerns
- Intel chief Dan Coats says of cyberattacks, "We are at a critical point"
- Russians relied on bitcoin to finance election hacking, prosecutors say
Alison DeNisco Rayome has nothing to disclose. She does not hold investments in the technology companies she covers.
Alison DeNisco Rayome is a Staff Writer for TechRepublic. She covers CXO, cybersecurity, and the convergence of tech and the workplace.