National News

No State Gets an A in Election Security, but West Virginia Is on the Hunt

Posted May 8, 2018 7:34 p.m. EDT
Updated May 8, 2018 7:38 p.m. EDT

CHARLESTON, W.Va. — The next election in the Mountain State was still weeks away. But 5,000 miles from West Virginia’s capital city, in a suburb northwest of Moscow, someone was already scouting for ways to get into the state’s election computer network this spring.

That someone’s IP address, a designation as a “malicious host,” even a tiny Russian flag — it was all there on a computer display in an office just across the Kanawha River from the state’s gold-domed capitol. And he had company.

“See, right here, a Canadian IP address is trying to go into online voter registration,” said the West Virginia Air National Guard sergeant who was tracking the would-be intruders, pointing at the screen. “Here’s someone from Great Britain trying to do the same. China is trying to get into the home page — trying to, but they’re getting blocked.”

As West Virginians cast ballots Tuesday in a primary election, no one was certain if states have done enough to protect against a repeat of 2016, when Russian hackers attacked election systems in 21 states and even penetrated one voter-registration database.

But the odds that West Virginia would be able to fend off any attackers, or detect and correct any damage, are far better now than they were two years ago. West Virginia is neither wealthy nor particularly tech-savvy, but since 2016 it has embraced election cybersecurity with an enthusiasm that many other states have yet to muster.

“We had a lot of county clerks saying, ‘Why are you talking so much about cybersecurity? The Russians aren’t going to attack us,'” the state’s chief election official, Secretary of State Mac Warner, said in an interview. But in an era when election irregularities can be instantly publicized and spread online, he said, any state that does not protect its election systems is inviting an attack.

While meddling by hostile nations is of greatest concern, hundreds and even thousands of other outsiders probe West Virginia’s election computer security almost daily, as they do in other states. It’s usually difficult to tell whether a specific probe comes from a government, a live hacker intent on doing harm, or a computer program that is automatically checking for vulnerabilities.

Warner’s point was driven home only last month when the elections website in Knox County, Tennessee, was immobilized by a so-called distributed denial-of-service attack as the polls closed for a primary election. The attack, which was came from computers both inside and outside the country, slowed the reporting of election returns but did not destroy any data.

Warner, a Republican in his first term as secretary of state, says he has taken the security threat to heart. Last year he sought and received an FBI briefing on the origin and nature of the Russian cyberattacks, and he took a seat on a council of state, local and federal officials that coordinates election-security policies with the Department of Homeland Security.

He has since obtained a security clearance that gives him limited access to intelligence on election-related threats. And he has placed the National Guard sergeant, who has a top-secret clearance, in West Virginia’s Intelligence Fusion Center, a nexus of state and federal law-enforcement and intelligence officials who handle threats ranging from floods to cyberattacks.

Nationwide, experts say, election security still can be a hit-or-miss affair. According to the Brennan Center for Justice at the New York University School of Law, 13 states employ at least some voting machines that leave no paper record of ballots cast, making it impossible to detect fraud. Five of them use paperless machines exclusively. Georgia and Pennsylvania are particularly notorious for relying on voting devices that run ancient, unsecure versions of Windows software and create no paper trail that can be audited.

When the liberal-leaning Center for American Progress graded the states and the District of Columbia in February on seven key aspects of election security, no state earned higher than a B. Five — Arkansas, Florida, Indiana, Kansas and Tennessee — earned Fs.

But that is rapidly changing. “While we’re certainly not all the way there, both awareness and activity in the security field is considerable” among state election officials, said Doug Chapin, the director of the Program for Excellence in Election Administration at the University of Minnesota Humphrey School of Public Affairs. “Maybe we haven’t closed all the holes. But we’re in the process of closing the bigger ones.” States are making progress in replacing outdated paperless voting machines with new, more secure ones that leave a paper trail: Louisiana and Delaware, two of the five states, have sought bids for replacements, and Pennsylvania, the state with the largest number of paperless devices, told its 67 counties last month to order new machines to take their place by the end of 2019.

Efforts to replace all voting machines in another paperless state, Georgia, died when the legislature adjourned in March. Bipartisan federal legislation that would enable states to receive federal grants to improve election cybersecurity is stalled in the Senate, apparently by Republican opposition; a similar Republican-sponsored bill in the House also appears dead in the water.

Many election-security experts say the biggest threat is the one that Russian hackers seemed to focus on in 2016: disrupting an election by scrambling the databases of registered voters that precinct workers rely on to check voters’ eligibility on Election Day. Here, too, states are battening down their computer networks. Some states have installed Department of Homeland Security-approved monitors on state or local computer systems to spot malware and attacks from rogue IP addresses; 33 states undergo weekly “cyberhygiene” reviews conducted remotely by the agency.

Perhaps the biggest unplugged hole, according to Chapin, is the lack of security precautions in smaller jurisdictions — small cities and rural counties where managing elections is a part-time job, often farmed out to local representatives of national makers of election computer systems.

“The old line about a chain only being as strong as its weakest link is true,” Capin said. “One person who gives up access to a server can create tremendous problems for everybody.”

West Virginia’s cyberdefenses began with a built-in advantage: State law requires that hand-countable paper ballots be used in every election. Even if voting machines were altered to try to sway election results, the ballots guarantee that the true outcome of a race could still be determined.

The state also demands other safeguards. Voting machines are tested before and after elections to ensure that a set of mock votes are reported identically; testers also reset the machines’ internal clocks to Election Day to spot any malware programmed to alter results on that one day and then self-destruct.

The other tempting target for hackers, the statewide voter registration database, also is tightly guarded. In 2016, Russian hackers broke into one such database, in Illinois, by exploiting a flaw in a web page that allowed citizens to register or change registrations online. In West Virginia and many other states, the database is “air-gapped” — cut off from public access. Online registrations are hosted on a separate computer, and new data is hand-carried to the main database on a thumb drive. The database does have a vulnerability: Some 300 workers in the state’s 55 county clerk’s offices regularly log in to it to update local registrants’ information. Passwords pilfered from those offices could provide a hostile power with an avenue to change or destroy voters’ information. But there, too, security has been tightened. The county clerks regularly meet by phone for briefings on cybersecurity issues like password management.

Last year Warner participated in cyberwar games — a simulated attack on an American election by a hostile power — staged by the Defending Digital Democracy project at the Harvard University Belfer Center for Science and International Affairs. Warner was so impressed, he said, that he asked the head of West Virginia’s county clerks’ association to attend a reprise of the exercise.

The war games, he said, taught him that even the most secure election system will be attacked and perhaps even cracked — and that “speed of recovery” is the key to keeping voters’ confidence in the results high.

“It gave me a comfort level as a new secretary of state that, yes, we’re going to be attacked, and when it happens, don’t freak,” he said. “You have to have your detection capabilities up to know when it happens. And when it does, close it down.”