Despite the federal government’s rush to provide funds to states to beef up their elections security in time for midterms, one think tank says it may not be enough to stave off cyber attacks or meddlers.
The Center for Strategic and International Studies (CSIS) issued a report this week slapping swing states with an “F” grade for their elections cybersecurity just days before the midterms. The average grade for all states is an unimpressive “C-,” according to the CSIS report. And 80 percent of CSIS’ experts consider Russia a “number one cyber threat” to U.S. election security this year.
Part of the problem is 99 percent of votes cast in the United States are counted by computers, and only 27 states require a voter-verified paper audit trail (VVPAT). Almost half the country risks the integrity of the 2018 midterms by relying on computers to cast and count votes, and numerous reports have found that those computers are very easy to hack.
Forty states have invested a total of $75 million federal and state funds in their election systems. According to the report, “this includes 26 states that have conducted security assessments and implemented cybersecurity upgrades, 20 states that have invested in enhanced cybersecurity training for election officials, 15 states that have upgraded or replaced voting equipment, and nine states that are expanding post-election audits.”
Furthermore, “41 states and 68 counties have also installed DHS’s Albert intrusion detection sensors to protect their election systems, and in August, DHS held a three-day tabletop exercise with 44 states to practice coordinated responses to a range of simulated cyber attacks on election day. Meanwhile, the FBI has established programs to provide cybersecurity training and support to campaigns and election officials.”
CSIS calls this a step in the right direction, but claims it is still inadequate. States’ efforts are being concentrated on improving security in time for the 2020 presidential election, which means midterms security is falling by the wayside. While $800 has been allocated to the states for 2020 election security, they only received $75 million for the midterms.
Media coverage regarding the state of elections security for the 2018 midterms has been extremely negative: most headlines focus on everything states and local jurisdictions haven’t done, and how too little federal funds were allocated for elections security this year. And according to CSIS, the problem isn’t just a lack of resources, it’s also a lack of expertise.
Stuart Madnick, a professor of information technology and engineering systems at MIT’s Sloan School of Management, told InsideSources that especially on the municipality level, information technology (IT) staffs are severely unprepared for most cyber threats.
“At the state level, cybersecurity is moderate and varies state to state,” he said. “When you get down to the municipality level, you’ve got many where nobody really has experience and the IT department is two to three people, spread doing 20 different things. The smaller ones have nowhere near the resources needed.”
Underfunded, understaffed municipalities become huge liabilities during elections simply because they don’t have the expertise or the resources to handle a cyberattack.
Furthermore, he said, it’s sometimes almost impossible to tell whether you’re being attacked or whether your system is simply malfunctioning. Many cyberattacks are so sophisticated that municipalities with little expertise may have no idea they were attacked.
“It’s called security by obscurity,” Madnick said. “If the good guys can’t find the flaws, the bad guys must not be able to. Almost any system if someone is sufficiently motivated, can be broken into.”
Because they’re underfunded, don’t have enough people or the right people, state and local officials often want to turn a blind eye to possible problems with their systems.
For example, Madnick said, “India was going to put massive electronic voting machines throughout the country a couple years ago, and a U.S. researcher showed how easy it was to hack into, and so they put him in jail, because the machines are supposed to be restrictive, and officials don’t want to know because they’ve invested tens of thousands of dollars in this. He was eventually let out.”
If the U.S. doesn’t fundamentally restructure how it puts on elections, the security problem will only worsen.
“If the state takes a more direct role in the election process, that would tend to make it a bit more professional,” Madnick said. “It would probably cut out some of the low hanging fruit. The idea of municipal governments being manipulated is not new.”