First of all, if you haven’t already voted, please vote!
Time did a nice piece on election security (see link at the end). In a somewhat self-serving statement, Homeland Security Secretary Kirstjen Nielsen said that she FELT confident that this year’s election would be the most secure election we have ever had. Ignoring for a moment that the paper ballots that we used for the first 150 plus years of our country are probably way more secure than what we are doing now and while I appreciate her feelings, they really don’t give me a lot of confidence.
That being said, we probably have improved the security of the election process since the last presidential election. If she had said that we have the most secure election we have ever had since 2016, I would probably agree with her, but that would not offer a good sound bite.
Secretary Nielsen said that no matter that the U.S. Intelligence community and law enforcement officials sounded the alarm last month about ONGOING efforts by Russia, China and Iran to influence our elections, that is different. Her view of election security is limited to hacking of voting machines, not changing the outcome of the election.
While my rant above is possibly a bit harsh, it does point out something that is important.
We need to be concerned about changing the outcome of the election, whether that is by hacking voting machines, spreading disinformation or voting early, voting often, as it was said about Chicago under Mayor Daley. What matters is that this is our election and not Russia’s. Or China’s.
It is good that we haven’t seen any sustained effort by foreign powers to hack voting machines. That, to me, is the absolute hardest way to change the election. Maybe hacking the central tabulating system at the County or State level might make sense, but hacking individual machines – that is a lot of work.
Time says that 44 states and the District of Columbia did participate in a three day exercise this past summer to put election systems to the test. Part of the exercise was to test the Fed’s ability to share hacking data with local election officials. All that seems like a good thing.
Since the Feds, under President Obama, declared election systems critical infrastructure, over the objections of many local officials (fearing that the feds were saying that they were not doing a good job), the Feds created an Information Sharing and Analysis Center or ISAC for Election Infrastructure as a formal way to share information all around. Another good idea.
1,300 of the 8,880 local election jurisdictions are participating in this system. Why the rest are not is scary. Maybe these should publish their membership list so the voters can vote on that!
The Feds have developed a threat detection system that they use called Einstein. All Federal Internet connections use it and while it is not perfect, it is way better than was was being done before. Einstein has a cousin called Albert (cute huh?) that the Feds have given (or sold, it is not clear) to 43 states to help them detect threats. These two are similar in function but completely different implementations. Still both achieve the same goals – look at Internet traffic and try to ferret out the bad guys. See this article in Fedscoop for info on Albert.
The Feds also offered to conduct a penetration test of election infrastructure for the states. Only 21 states asked for help. While some states do their own pen tests, if you can get another one for free, exactly why wouldn’t you accept? Unless you were worried.
DHS is also doing remote weekly scanning for 36 state and 94 local governments and providing them with vulnerability reports.
The fact that everyone has not asked for help is just an indication that, for politicians, ego often wins.
Oregon solved the problem (as does Colorado). Oregon uses paper ballots. Hack that from Russia! Of course there are counting machines, but hopefully they are not on the Internet.
I do believe, in spite of the above, that we have IMPROVED the security of election systems somewhat since 2016, but there is a long way still to go. The ExpressPoll-5000 voting machine still uses a root password of “password” and a master administrator password of “pasta” . That’s got to be pretty secure, no?
And of course, we really have not done much about the disinformation campaigns, which are way easier than hacking a voting machine and, apparently, pretty effective.
The Cybersecurity 202 newsletter talks about disinformation campaigns like Twitter “news” that says that Immigration officials will be at polling stations to check citizenship status which might deter legal immigrants that don’t want to be hassled or hacks to local election or news sites. We have also seen disinformation email campaigns telling people to go to the wrong place to vote. DHS says check your information source, but sometimes that is easier said than done.
What do you think?
Information for this post came from Time.