X

Election security is a mess, and the cleanup won't arrive by the midterms

Many experts believe a proper fix for election security won't come until at least 2021.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
7 min read
Joe Raedle / Getty Images

For many, the most intense race leading up to Election Day won't be among politicians. It'll be the mad, final scramble by county officials and tech companies to make sure your votes are safe from hackers.

But with the slow pace of funding, unprepared campaigns and lack of cooperation among counties, many cybersecurity experts wonder if they'll reach that finish line by the first Tuesday in November.

An election director in Illinois, for instance, still hasn't received any federal funding for cybersecurity. A security expert who traveled across the country to train campaigns found shockingly inadequate protection.  

County election support specialists check voting machines for accuracy at the Miami-Dade Election Department headquarters on August 8 in Doral, Florida.

County election support specialists check voting machines for accuracy at the Miami-Dade Election Department headquarters on Aug. 8 in Doral, Florida.

Joe Raedle / Getty Images

Protecting the integrity of the US voting system has been a national priority since hacks by Russia in 2016 interfered with the election that year, yet the nation still isn't ready. While tech companies like Facebook have worked to fight fake news, state election systems have seen little change over the last two years. That means the November elections are just as susceptible to cyberattacks as they were in 2016, opening the door to renewed interference in America's democratic process.

The red flags have popped up in recent months. Alex Stamos, Facebook's former security chief, said in August that it was too late to protect the 2018 US elections. He doubled down on it in September, saying that security for campaigns and elections hasn't improved since 2016.

That year, Russian hackers wreaked havoc on the US presidential election by breaking into the campaign of Democratic candidate Hillary Clinton and pushing a major propaganda effort by trolls on social media. They also stole data on thousands of voters in Illinois, and targeted other states as well.  

Watch this: Adam Schiff is worried there's a lot more election interference coming

Those hacks drove the point home to Capitol Hill: Something needed to be done about election security. Congress approved a $380 million spending bill that would provide state election officials with funding to improve cybersecurity. The Department of Homeland Security gave all 50 states some form of security assistance.

"These folks have been thinking about this for a long time, and they do a lot with not a lot of resources," Jeanette Manfra, the DHS' top cybersecurity official, said at the Defcon hacker conference in Las Vegas, commenting about federal aid for local election officials. "Now they're on the front lines trying to deal with a lot of issues, and they can't do it alone."

But for many communities across the country, one of those issues is something that no amount of money can buy: time.

Outline of the state of Illinois on a computer screen showing cybersecurity threats.

Illinois is one of the few states that publicly acknowledged its voter database was hacked. Election officials have been clamoring for more funding to improve cybersecurity.

Matt Anderson / Getty Images

Show me the money

The $380 million election security grant would be great for people like Noah Praetz, the director of elections in Cook County, Illinois -- if only he could actually get his hands on some of the funds awarded.

A $13 million grant was provided to Illinois' state board of elections in May. But by September, no county official had received a penny, despite multiple pleas. That's a striking concern considering that Illinois is the only state to publicly acknowledge that its voter records had been hacked in 2016.

"It does us no favors to be squirreling away money, especially when we know we could spend it to secure ourselves right now," Praetz said. "It's highly frustrating."

Watch this: Hackers take on new voting machines at Defcon

The Cook County situation illustrates the broader dilemma of procedural or bureaucratic hurdles getting in the way of local election organizers receiving the necessary funds.

While Praetz would like to hire IT staff or buy new voting machines able to get security updates, the state legislature in Illinois required that the State Board of Elections create a Cyber Navigator program, which half of the funds would be used for.

The Cyber Navigator program hired nine security experts to consult with the 108 counties in Illinois on best security practices and to review their vulnerabilities. Any county that doesn't participate in the program, according to the legislation, wouldn't be able to receive any funds from the grant.

"We didn't know that that strict language was going to be in the budget bill before it was too late for us to do anything about it," said Matt Dietrich, an Illinois State Board of Elections spokesman.

By September, the board was still in the process of hiring all nine cyber navigators, with less than two months until Election Day. While only half of the federal grant was supposed to pay for the program, the election board is also holding onto the other half of the funds until the cyber navigators recommend what to spend it on.  

Praetz said the program has done nothing to help election security so far. He noted that his county didn't need the navigators to guide them as much as others, since most officials already know what security problems their own district needs to address. His county has already been doing that using taxpayer money, he added, boosting its recovery and detection capabilities.

Even with its late start, Dietrich is confident the program will be able to secure elections in Illinois. They'll start with the smaller, rural counties and focus on the ones that need help the most, he said.

"It is a rush, and time is of the essence, but honestly, we didn't even know how much we were getting until May," Dietrich said. "Even then we were late in the cycle."

It wasn't until late September that Illinois' board of elections announced it would release $2.9 million in grants directly to counties that participate in the cyber navigator program.

As of the start of October, Praetz said his county still hasn't seen that money.

But he's optimistic he could get that money in time -- at least enough to pay for one of the items off his wish list by November.

The DNC's digital war room in 2016.

The DNC's digital war room in 2016. Two years later, many campaigns for the midterm election still aren't prepared for cybersecurity threats.

Marguerite Reardon/CNET

Out of their depth

Maciej Ceglowski is heading from San Francisco to Alaska, where he's scheduled to train campaign staffers on cybersecurity.

He founded Tech Solidarity, a political organization, after Election Day in 2016, concerned about the digital literacy and security of lawmakers. He's briefed at least 15 campaigns on election security since last November, and from what he's seen, not much has changed since 2016.

"The biggest shock is finding campaign managers who are still using Yahoo Mail," Ceglowski said. The service had every single one of its accounts compromised in the largest hack in history. "If you're going to point to any one email service that nobody within a mile of politics should use, it's Yahoo, and yet they're still using it."

Oath, which owns Yahoo, said state-sponsored hackers target all industries, not just Yahoo, as hackers have targeted Gmail and Facebook in the past as well. 

"At Oath, we take these threats seriously and invest in an attacker-centric security operation across all of our products and platforms, with dedicated teams engaging in continuous threat monitoring, penetration testing and investigation," a spokesman said in a statement.

Ceglowski said that while campaigns are much more aware of the problem now, the advice they're getting isn't exactly useful.

Staffers receive reading material, weekly webinars and discussions about security, but none he's talked to have had an actual person come in to explain how to stay secure. The campaigns he's spoken with said they feel "out of their depth" with cybersecurity, and they often have trouble following the advice they do receive.

Ceglowski leaves his phone number with campaigns after he's briefed them, and a few times he's gotten calls when staffers made mistakes setting up their Gmail accounts.

"Campaigns are in this impossible position where they get a lot of technical materials and they're being set up to fail," he said. "You can't just dump this very urgent problem in someone's lap without giving them hands-on help or elementary training."

Despite the bad state of security for campaigns, he's optimistic the training will make a difference -- even with the time crunch. He's still contacting as many campaigns as he can find and offering the help for free.

"The window of opportunity is closing because we're deep into election season, but I don't think that means we sit back and say, 'Oh well, we'll wait until 2020.'"  

No quick fix

Two years can seem like a long time, but to overhaul deeply rooted security problems, it's not enough, experts say.  

Facebook's issues, including harassment and election interference, could take three years to fix, and that's by CEO Mark Zuckerberg's own estimates. Equifax, which suffered a massive data breach last year, also gives itself that same estimate of three years to fix its security issues.

It takes a long time to adjust security culture, even for companies where executives have complete control of what needs to change and how it needs to be done. It's much more complicated when you think about how state elections are run and how the standards vary state by state, and even county by county. There are 3,141 counties across the US.

Unlike with the European Union's GDPR, a law addressing data privacy, there's no all-encompassing standard for securing the election process. Operations are left up to state and county officials. The closest thing to a standard are the Voluntary Voting System Guidelines from the US Election Assistance Commission, and as the name indicates, they aren't mandatory.

Even if efforts to improve election security had started on Jan. 1, 2016, it would take until at least 2021 to fix things, said Chris Wysopal, the chief technology officer at security research firm Veracode.

"These are major changes. This is something that should start now and it's going to take five years, probably, to do," Wysopal said. "At this moment, we can only really do response and detection. We're not great at prevention."

The changes he's seen so far have been basic, simple security awareness training that every company needs to go through. Wysopal said it's much more important to establish fundamental changes for election security.

That means asking questions like "Are the voting machines that counties buy up to standard?" and scrutinizing software that campaigns use. You'll have to be patient if you want to see real change.  

"You can make it much harder for an attacker between now and November if you're determined," said Patrick Sullivan, the director of security at internet computing company Akamai. "But change on a fundamental level, that's going to take years to shift architecture."

Election security: Everything you need to know about election security in the 2018 US midterm elections.

Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.