Just days before a pivotal midterm congressional election, dozens of jurisdictions around the country go to polls without a paper backup for electronic voting systems. The shortfall comes despite nearly two years of warnings from cybersecurity experts that in the absence of a paper backup system, voters’ intentions cannot be verified in case of a cyberattack that alters election databases.
Fourteen states will conduct the midterm elections where voters will register their choices in an electronic form but will not leave behind any paper trail that could be used to audit and verify the outcome.
Delaware, Georgia, Louisiana, New Jersey and South Carolina have no paper backup systems anywhere in the state. Nine other states have several jurisdictions without a physical alternative to electronic records — Arkansas, Florida, Indiana, Kansas, Kentucky, Mississippi, Pennsylvania, Tennessee and Texas.
Experts have urged states to have backup systems after officials from U.S. intelligence agencies and the Department of Homeland Security said that Russian entities scanned election systems in at least 21 states before the 2016 election in an attempt to breach. Seven states had their computer systems breached to various degrees, officials have said. Illinois has said its voter registration system was breached. But officials have said no votes were altered.
Election Security Expert: ‘It’s Really Only a Matter of Time’
“It’s fair to say that 2016 changed the threat environment we face, pitting state and local election officials against nation-state actors who scan for vulnerabilities and were successful in accessing one state’s voter rolls,” U.S. Election Assistance Commission Chairman Thomas Hicks said at an Oct. 3 event on election security. “These same actors made additional attempts to infiltrate states’ elections systems ahead of the 2018 midterms, and by all accounts, they will be back for 2020.”
Technology companies and U.S. law enforcement agencies have described various attempts by Russian entities to interfere in the midterms, but not all of them are related to the security of election machinery operated by states. Many of the attempts by adversaries are aimed at influencing American voters or targeting individual political campaigns through fake social media campaigns.
In August, Microsoft said it had seized six internet domains belonging to Russian hackers and linked to the country’s military intelligence agency. The domains mimicked Republican-leaning think tanks and were being used to send phishing emails to lawmakers’ offices.
Two months earlier, the company disclosed it had found and disabled three spear-phishing campaigns mounted by the Russian military intelligence agency that targeted three 2018 candidates. Microsoft didn’t name the candidates, but Rolling Stone magazine reported that Hans Kierstad, a Democrat, who participated in California’s open primary to challenge Republican Rep. Dana Rohrabacher and lost, was targeted by Russian entities. Rohrabacher has expressed strong pro-Russia views and the FBI is said to have warned him that Moscow saw him as an intelligence source.
In another case, the website of Knox County, Tennessee, crashed on primary day in May, after being targeted by a denial of service attack — an attempt to overload the website with multiple requests until it crashes. An investigation found that the attack was staged by computers located around the world, including in the United Kingdom, Ukraine, China, Russia and Canada, according to Knox News, a local newspaper. No country or entity was identified as being behind the attack and no votes were altered, the newspaper reported.
The Justice Department on Oct. 19 said it was charging Elena Khusyaynova, a 44-year-old Russian woman, with conspiracy to defraud the United States.
The woman from St. Petersburg, Russia, had served as the chief accountant of “Project Lakhta,” a foreign influence operation funded by Russian oligarch Yevgeniy Viktorovich Prigozhin and two companies he controls, Concord Management and Consulting LLC and Concord Catering, the Justice Department said. Prigozhin is a close confidant of Russian President Vladimir Putin.
The woman had participated in an effort to conduct “information warfare against the United States,” the Justice Department said. “This effort was not only designed to spread distrust toward candidates for U.S. political office and the U.S. political system in general, but also to defraud the United States by impeding the lawful functions of government agencies in administering relevant federal requirements.”
In response to the Russian efforts, the U.S. Cyber Command, overseen by the Pentagon, has begun targeting individual Russian operatives and warning them that their activities aimed at disrupting American elections are being monitored, The New York Times reported Oct. 23.
Separately, the Department of Homeland Security is monitoring signs of malicious activity on election-related computers in 42 states, Undersecretary Christopher Krebs told reporters Oct. 23. The department also is bracing for a sudden attack on election systems in the days before or on Nov. 6, Krebs said.
“We are continually thinking about what could happen between now and Nov. 6, for the last-minute sort of attacks or capabilities the adversary can deploy,” Krebs said. “We are getting really aggressive through red-teaming concept and threat modeling” to figure out ways in which election systems and related computer networks could come under attack, he said. The red team refers to a concept used by the U.S. military in which officials assume an adversarial role to test defenses.
While Congress in March approved a $380 million federal grant to states to boost the security of their election systems, state officials say it was long overdue and was money left over from a 2002 law and not new money in light of the vulnerabilities identified in state election systems during the 2016 election.
Lawmakers proposed dozens of bills since January 2017 to address election security but failed to pass any legislation that would require states and local jurisdictions to have paper ballots as backup to digital voting systems.
One bill that had the bipartisan backing of Sens. James Lankford, an Oklahoma Republican, and Amy Klobuchar, a Minnesota Democrat, and was about to be taken up by the Senate Rules and Administration Committee in August was put on the back burner after Alabama GOP Sen. Richard C. Shelby and the White House raised objections. They said the bill threatened to insert the federal government into the election process, which is a responsibility the Constitution gives to the states.
But states that have beefed up their election systems with the help of the federal grants say they have created backups, trained their staff in best cybersecurity practices and plan to audit the results.
“Some of the measures that we have taken to improve election security for November include expanding our post-election audit process, and training for our local election officials,” Meagan Wolfe, the Wisconsin Elections Commission administrator, said at the Oct. 3 event. “So in Wisconsin, we require audits of randomly selected voting equipment of every general election since 2006. For the 2018 primary, we piloted an additional program that was aimed at verifying ballot totals.”
In the state of Washington, election officials have upgraded security systems on existing election computers that were first installed in the early 2000s, said Kim Wyman, the secretary of state and its top election official.
The beefed up systems will be used in the 2018 midterms, Wyman said at the October event. The state will unveil new computer systems in 2019 that will be used in the 2020 presidential and congressional races, she said.
Michigan has spent about $40 million to improve security on its election systems, Joe Rozell, commissioner of Oakland County, the state’s second-most-populous county, said. Oakland County is home to Pontiac and other Detroit suburbs.
The state is “doing this comprehensive election security training, as well as post-election audits,” Rozell said. The state has conducted post-election audits in the past and plans to continue those while trying a new, more rigorous form of auditing election results, he said.
“We’ve begun that process, as well as a complete overhaul of our state’s voter registration system,” Rozell said. The old voter roll system dated from the mid-1990s, and has now been completely upgraded, he said.
Correction, Oct. 31, 2018, 1 p.m. | An earlier version of this story misquoted Meagan Wolfe of the Wisconsin Elections Commission.
Watch: New Trump Ad Declares The Future ‘Isn’t Guaranteed’