State Election Infrastructure Is Still Vulnerable, Report Finds

The 2020 presidential election is more than 14 months away, but some experts are warning that state governments face an uphill battle in defending election infrastructure from cyberattacks. 

According to a recent report, “Defending Elections: Federal Funding Needs for State Election Security,” many election security projects at the state level are either unfunded or underfunded. The report calls on the federal government to provide more funding for state-level election security measures ahead of next year’s election. 

“In administering our elections, states face security challenges of unprecedented magnitude,” the report concludes. “They are, in many cases, ill-equipped to defend themselves against the sophisticated, well-resourced intelligence agencies of foreign governments. States should not be expected to defend against such attacks alone. Our federal government should work to provide the states with the resources they need to harden their infrastructure against cybersecurity threats.”

The paper was authored by a bipartisan group of organizations including the Brennan Center for Justice, the Alliance for Securing Democracy, the R Street Institute and the University of Pittsburgh Institute for Cyber Law, Policy, and Security.

“State and local election officials need support from the federal government,” Liz Howard, a lawyer in the Brennan Center’s Democracy Program, former deputy commissioner for the Virginia Department of Elections and a co-author of the report, says in a Brennan Center blog post. “They are on the front lines, yet many, especially those in rural localities, simply lack the resources to implement additional election security projects to further strengthen our election infrastructure.”

MORE FROM STATETECH: Discover how vulnerability scans can help secure election systems. 

States Take Steps to Secure Election Infrastructure

The report explores election security in six key states — Alabama, Arizona, Illinois, Louisiana, Oklahoma and Pennsylvania — that it says “represent different regions of the country, varied population sizes, and the full range of election security needs.” It documents how the states have used the 2018 federal election security grants and their needs for additional election security funding. Here are some of the steps taken by the states the report studied: 

• Alabama is investing $3 million to “improve its voter registration database and its security features through upgrades, such as two-factor authentication, to ensure that voter data is secure and reliable.” Alabama also designated $2.3 million for various cybersecurity improvements and fixes.
• Arizona is working to replace its voter registration database with one with additional security; the state partnered with a private vendor to conduct an assessment of the “current IT infrastructure, focusing on critical election systems”; it is increasing information sharing and working directly with local election officials on cybersecurity projects.
• Illinois is setting up a cyber navigator program, with navigators responsible for geographic zones across the state who “will work with local election officials to train relevant personnel and to lead risk assessments and evaluations, among other things.” Essentially, these navigators will act like county CISOs and the evaluations “will help officials identify vulnerabilities and determine where additional resources may be needed to shore up cyber defenses.”
• Louisiana officials have allocated all of the state’s federal election security grant toward the purchase of new voting systems. However, the report says, “those funds are insufficient to cover the cost of replacing paperless machines statewide” and “federal grant funds may cover less than 10 percent of total costs associated with obtaining and deploying a new, paper-based voting machine fleet across the state.”
• Oklahoma election officials, working with state and federal partners, “have identified multiple discrete projects, such as the relocation of their servers to a secure server bunker, implementation of two-factor authentication for access to the state Virtual Private Network (VPN), and remote antivirus protection management.”
• Pennsylvania is using grant funding to replace paperless voting machines. However, “those funds (approximately $14 million with the state match added) are insufficient to cover the cost of replacing paperless machines statewide.”

At a bare minimum, the report concludes, states “should develop the ability to verify election results in the case of a breach.”

Outdated voting machines are just one attack vector for Russia and other malign foreign actors, the report notes. Also vulnerable are voter registration databases, electronic poll books, vote capture devices, vote tally systems and election night reporting systems.

“The states included in this study have begun the hard work of upgrading dated infrastructure, setting aside funds for postelection audits, and addressing cyber vulnerabilities,” the report notes. “But there is more they can do with additional resources.” 

Meanwhile, a small group of states has started testing a virtualized network-intrusion system, known as Albert sensors, that until recently had only been available in the form of a physical appliance.

“Five states and territories, led by Nebraska, have started using Albert sensors that run on a virtual server to detect attempted intrusions of their voter registration databases,” StateScoop reports. 

The software-based version of the Albert system came about as a result of the collaboration between the states, “Election Systems & Software, which produces the voter registration system used by Nebraska and the others, and CIS, which operates the Elections Infrastructure Information Sharing and Analysis Center, the federally funded entity through which state officials, local officials and the U.S. Department of Homeland security exchange alerts about election security,” StateScoop reports.