The overlooked weak link in election security

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Jack Gillum
 

Connecting state and local government leaders

By Jack Gillum

|

More than one-third of counties overseeing toss-up congressional elections have email systems that could be vulnerable to hacking, a ProPublica survey finds.

More than one-third of counties that are overseeing elections in some of the most contested congressional races this November run email systems that could make it easy for hackers to log in and steal potentially sensitive information.

A ProPublica survey found that official email accounts used by 11 county election offices, which are in charge of tallying votes in 12 key U.S. House of Representatives races from California to Ohio, could be breached with only a user name and password — potentially allowing hackers to vacuum up confidential communications or impersonate election administrators. Cybersecurity experts recommend having a second means of verifying a user’s identity, such as typing in an additional code from a smartphone or card, to thwart intruders who have gained someone’s login credentials through trickery or theft. This system, known as two-factor verification, is available on many commercial email services.

“Humans are horrific at creating passwords, which is why ‘password’ is the most commonly used password,” said Joseph Lorenzo Hall, the chief technologist at the Center for Democracy and Technology in Washington, D.C., who has pushed for security fixes in the voting process. This means increasingly we need something other than passwords to secure access to our accounts, especially email, which tends to undergird all our other accounts.”

The email vulnerabilities emerged in ProPublica’s survey of election security in 27 counties encompassing all or part of roughly 40 congressional districts that the Cook Political Report has said are toss-ups. These contests could determine if Democrats take control the U.S. House of Representatives, where the party needs to pick up about two dozen seats to flip the current Republican majority. Of the 12 districts in counties with less protected email systems, Republicans are seeking re-election in 10. The other two are open seats where incumbents are stepping down.

Much attention has focused on the potential to hack voting machines. In the “Voting Village” at the Def Con security conference this summer in Las Vegas, hackers sought to compromise a handful of machines. But lax protections for internet-connected systems like email servers may pose just as serious a threat.

The lack of two-factor verification may have helped Russian hackers ultimately gain access to the Democratic National Committee’s network in April 2016, according to a federal indictment. Prosecutors say a Democratic campaign employee unwittingly put her password into a spearphishing email – a targeted message meant to dupe users into sharing their login information. Russian hackers also tricked John Podesta, Hillary Clinton’s campaign chairman, into handing over his password, enabling an embarrassing leak of his emails weeks before the election.

Even a program created by the Kansas secretary of state’s office to prevent voter fraud was vulnerable to snooping, ProPublica reported last year. The program, Crosscheck, sought to identify voters casting ballots in more than one state by comparing the rolls across states. But its files were hosted on an insecure server, and program officials regularly shared user names and passwords—many of them overly simplistic—for the site by email as late as 2017. Crosscheck paused operations in 2018 because of concerns about security and accuracy, and it is unclear when it will begin matching rolls again. The Kansas Secretary of State’s office did not return a request for comment.

A different kind of cyber-attack in 2016 manipulated the software code behind Illinois’ voter-registration system to expose the personal details of thousands of people. Matt Dietrich, a spokesman for the state board of elections, said the flaws that allowed the penetration have been fixed. Special counsel Robert Mueller charged 12 Russians this past July in connection with an unspecified breach that Illinois officials said was very likely the attack on the voter registration database.

“This wasn’t about to steal votes, but to create havoc,” Dietrich said. “If you can steal a voter database, and then go in and mess up the poll books that election judges rely on to check off voters, that’s going to be the story: That the United States can’t run a competent election.”

Using a checklist developed by Harvard’s Belfer Center for Science and International Affairs, ProPublica asked county election officials about their email systems, as well as about cybersecurity protections for voting machines and computers that check in voters at polling sites. Voter registration is generally handled at the state level, while counties administer elections and are responsible for protecting voting machines and verifying end-of-night vote tallies that determine winners.

Funded by local taxes, counties are generally run by elected commissioners and often have centralized IT staff overseeing email services for departments ranging from the medical examiner to public works. As a result, elections officials have to compete for IT resources and attention.

Most of the counties interviewed said they had bulletproofed their computer systems and voting equipment. Joel Miller, an election official in Linn County, Iowa, said the county has recently put in place two-factor authentication requirements for its email systems. “We all need minimum standards for network security,” he said. “We weren’t up to date until recently.”

The counties with vulnerable email systems ranged in population from Orange County, California, with 3.1 million people to Olmsted County, Minnesota, with 155,000. Orange County elections director Neal Kelley said he’d prefer to have two-factor authentication. It hasn’t been implemented yet, but is “on the short horizon,” he said. There are two toss-up House races in Orange County.

Noah Praetz, the director of elections for Cook County, Illinois, except the city of Chicago, said his office “lacks a little bit of control” when it comes to changing IT systems because the county-run network serves more than 24,000 employees. He said the county government doesn’t require two-factor authentication for employees to log into emails.

One county reported two problems. Fayette County, Kentucky, which includes Lexington, told ProPublica its electronic voting machines don’t produce a separate paper trail for voters to verify their choices. Nor does it use two-factor authentication on its email system. Fayette, one of the state’s largest counties, is home to a chunk of Kentucky’s 6th congressional district, where a once-safe Republican incumbent is facing an unexpectedly competitive challenger.

Don Blevins, the Fayette elections chief, told ProPublica his county is not at risk for an email hack that would affect voting or registration. “I don’t question that two-factor authentication is better,” he said, but added, “Since we don’t use email to conduct voting, nor voter registration, then the level of security is moot.”

Besides Orange, Olmsted, Cook, and Fayette, the counties without two-factor authentication were: Arapaho County, Colorado; Linn County, Hennepin County, and Dakota County, Minnesota; Hamilton County, Ohio; King County, Washington; and Harris County, Texas.

Some counties have secured their emails but had other shortcomings. Shawnee County, Kansas, said it doesn’t yet have countermeasures to stop hackers from bringing down its website by overloading it with malicious traffic. If such a denial-of-service attack takes the site offline, election commissioner Andrew Howell said, officials would instead publish election results on social media.

Five of the 27 counties surveyed did not respond to multiple emails or phone calls from ProPublica: Polk County, Iowa; St. Louis County, Minnesota; Ocean County and Essex County, New Jersey; and Oneida County, New York.

U.S. law enforcement officials and cybersecurity experts have been working with states in the months leading up to the November midterms to improve election security. States are using some of the $380 million in newly earmarked federal funds to test for vulnerabilities and recruit and train IT staff, according to congressional testimony from the National Association of Secretaries of State.

Fixing technical problems isn’t cheap, and county governments have had to make hard choices when prioritizing spending. Tammy Patrick, a former election administrator in Arizona and now a senior adviser at the nonprofit Democracy Fund, said counties may consider it more urgent to replace outdated voting machines than to fix email systems.

That said, even short-lived IT security problems may have a corrosive effect on public trust in the accuracy of ballot results. “The last thing you want to do on Election Day is face problems you could have easily dealt with before then,” Hall, the technologist, said. “Officials will dismissively say, ‘It hasn’t happened to us.’ But with that attitude, you’re building a castle on sand.”

Ally Levine, Lilia Chang and Blake Paterson contributed to this report.

NEXT STORY: Balancing security with accessibility: Properly managing information and high-value assets

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.