How States and Counties Improved Cybersecurity for the 2018 Elections
After the 2016 general election, states, counties and cities became increasingly concerned about the cybersecurity of election systems. A subsequent FBI investigation revealed Russia plotted to hack U.S. voting systems, scanning and attempting to disrupt operations, according to Politico.
While officials assure Americans such hacking could not change vote tallies, cyberattacks have at least exposed voter information or knocked systems offline. During a primary in Knoxville, Tenn., in May, administrators watched as a cyberattack knocked out a website for election results.
“Technicians recognized the attack: a distributed denial of service, or DDOS, in which a server is overwhelmed by a crushing wave of requests, slowing it to a halt,” Vox reports.
“One county technician, dumbfounded by the whoosh of code rocketing across the screen, somberly took out his phone and began to film it. The assault was being launched from 65 countries, a legion of zombie computers pressed into service by the attack’s architects. Finally, the barrage intensified so much that after 15 minutes, the server succumbed and crashed,” the report adds.
States didn’t hesitate.
“Eight states have passed cyber-related bills in 2018 to protect voting systems, according to data from the National Conference of State Legislatures. Cyber initiatives are also the number one way states are prioritizing $380 million in leftover federal funding appropriated in March to improve election security, with 41 states planning to spend over a third of their grants on cyber efforts, according to a report by the U.S. Election Assistance Commission,” Bloomberg Law reports.
MORE FROM STATETECH: Find out how network segmentation can protect voting infrastructure!
Some States Deploy Specific Cybersecurity Measures
Illinois, for example, received about $13 million in federal grant funding to protect its voter systems.
“The Illinois National Guard is bringing in hundreds of cybersecurity experts to help ensure the integrity of the midterm elections and prevent the compromise of election results. In addition to partnering with outside agencies, Illinois election officials said they have installed greater firewall protections for voter records and election results. Clerks and election judges have also received ‘detailed cyber training,’” Security Today reports.
A feature in StateTech magazine details how three states, including Illinois, Colorado and Utah, bolstered cybersecurity defenses for voting systems.
“States have increased their investments in cybersecurity measures for their election IT systems, including purchases of multifactor authentication, perimeter sensors, email filtering and monitoring, threat scanning, information sharing systems and more,” StateTech reports.
In Colorado, the state required counties to have endpoint protection software including advanced malware prevention software for any machine that accesses the voter database. Colorado provided Sophos software to its counties at no charge.
And “in Utah, where state IT resources are scanned between 200 million and 300 million times daily, various election offices have also doubled down on technology. Election offices have the benefit of Palo Alto Networks intrusion detection and firewalls as well as Cisco firewalls,” in addition to Splunk for checking logs.
MORE FROM STATETECH: Discover why your state should use the NIST Cybersecurity Framework!
How States Should Look at Security in Midterm Elections and Beyond
While some measures take effect in time for midterms, many states have long-term plans that involve incremental increases in cybersecurity over time. States receive assistance in this long-term planning through the extended availability of U.S. Election Assistance Commission grants, which do not expire for several years.
For instance, “Pennsylvania, which uses a mix of voting machine styles, including paperless touchscreens, plans to use 100 percent of its $13.5 million award on new equipment, though a statewide replacement of every machine in time for the 2020 election is expected to cost $125 million,” StateScoop reports.
What more might states and counties do to increase cybersecurity? Some experts called for stronger measures, including multifactor authentication in voting.
“A simple security measure of two-factor authentication used to protect emails, bank accounts and social media pages could help safeguard county computers from potential hacker stealing login information,” KSTP 5 in Minnesota reports.
An initial assessment of how well states and counties have done so far will surely be made after election day on Nov. 6.
This article is part of StateTech's CITizen blog series. Please join the discussion on Twitter by using the #StateLocalIT hashtag.