For many, the most intense race leading up to Election Day won’t be among politicians. It’ll be the mad, final scramble by county officials and tech companies tofrom hackers.
But with the slow pace of funding, unprepared campaigns and lack of cooperation among counties, many cybersecurity experts wonder if they’ll reach that finish line by the first Tuesday in November.
An election director in Illinois, for instance, still hasn’t received any federal funding for cybersecurity. A security expert who traveled across the country to train campaigns found shockingly inadequate protection.
Protecting the integrity of the US voting system has been a national priority since hacks by Russia in 2016 interfered with the election that year, yet the nation still isn’t ready. While tech companies like Facebook have worked to fight fake news, state election systems have seen little change over the last two years. That means the November elections are just as susceptible to cyberattacks as they were in 2016, opening the door to renewed interference in America’s democratic process.
The red flags have popped up in recent months. Alex Stamos, Facebook’s former security chief, said in August that it was too late to protect the 2018 US elections. He doubled down on it in September, saying that security for campaigns and elections hasn’t improved since 2016.
That year, Russian hackers wreaked havoc on the US presidential election by breaking into theand pushing a major propaganda effort by trolls on social media. They also stole data on thousands of voters in Illinois, and targeted other states as well.
Those hacks drove the point home to Capitol Hill: Something needed to be done about election security. Congress approved a $380 million spending bill that would provide state election officials with funding to improve cybersecurity. The Department of Homeland Security gave all 50 states some form of security assistance.
“These folks have been thinking about this for a long time, and they do a lot with not a lot of resources,” Jeanette Manfra, the DHS’ top cybersecurity official, said at the Defcon hacker conference in Las Vegas, commenting about federal aid for local election officials. “Now they’re on the front lines trying to deal with a lot of issues, and they can’t do it alone.”
But for many communities across the country, one of those issues is something that no amount of money can buy: time.
Show me the money
The $380 million election security grant would be great for people like Noah Praetz, the director of elections in Cook County, Illinois — if only he could actually get his hands on some of the funds awarded.
A $13 million grant was provided to Illinois’ state board of elections in May. But by September, no county official had received a penny, despite multiple pleas. That’s a striking concern considering that Illinois is the only state to publicly acknowledge that its voter records had been hacked in 2016.
“It does us no favors to be squirreling away money, especially when we know we could spend it to secure ourselves right now,” Praetz said. “It’s highly frustrating.”
The Cook County situation illustrates the broader dilemma of procedural or bureaucratic hurdles getting in the way of local election organizers receiving the necessary funds.
While Praetz would like to hire IT staff or buy new voting machines able to get security updates, the state legislature in Illinois required that the State Board of Elections create a Cyber Navigator program, which half of the funds would be used for.
The Cyber Navigator program hired nine security experts to consult with the 108 counties in Illinois on best security practices and to review their vulnerabilities. Any county that doesn’t participate in the program, according to the legislation, wouldn’t be able to receive any funds from the grant.
“We didn’t know that that strict language was going to be in the budget bill before it was too late for us to do anything about it,” said Matt Dietrich, an Illinois State Board of Elections spokesman.
By September, the board was still in the process of hiring all nine cyber navigators, with less than two months until Election Day. While only half of the federal grant was supposed to pay for the program, the election board is also holding onto the other half of the funds until the cyber navigators recommend what to spend it on.
Praetz said the program has done nothing to help election security so far. He noted that county officials don’t need the navigators to guide them, since most officials already know what security problems their own district needs to address. His county has already been doing that using taxpayer money, he added, boosting its recovery and detection capabilities.
Even with its late start, Dietrich is confident the program will be able to secure elections in Illinois. They’ll start with the smaller, rural counties and focus on the ones that need help the most, he said.
“It is a rush, and time is of the essence, but honestly, we didn’t even know how much we were getting until May,” Dietrich said. “Even then we were late in the cycle.”
It wasn’t until late September that Illinois’ board of elections announced it would release $2.9 million in grants directly to counties that participate in the cyber navigator program.
As of the start of October, Praetz said his county still hasn’t seen that money.
But he’s optimistic he could get that money in time — at least enough to pay for one of the items off his wish list by November.
Out of their depth
Maciej Ceglowski is heading from San Francisco to Alaska, where he’s scheduled to train campaign staffers on cybersecurity.
He founded Tech Solidarity, a political organization, after Election Day in 2016, concerned about the digital literacy and security of lawmakers. He’s briefed at least 15 campaigns on election security since last November, and from what he’s seen, not much has changed since 2016.
“The biggest shock is finding campaign managers who are still using Yahoo Mail,” Ceglowski said. The service had every single one of its accounts compromised from the largest hack in history. “If you’re going to point to any one email service that nobody within a mile of politics should use, it’s Yahoo, and yet they’re still using it.”
Oath, which owns Yahoo, said that election security is an industry-wide threat, and something that’s not just their problem.
“At Oath, we take these threats seriously and invest in an attacker-centric security operation across all of our products and platforms, with dedicated teams engaging in continuous threat monitoring, penetration testing and investigation,” a spokesman said in a statement.
Ceglowski found the problem was that while campaigns are much more aware of the problem now, the advice they’re getting isn’t exactly useful.
Staffers receive reading material, weekly webinars and discussions about security, but none he’s talked to have had an actual person come in to explain how to stay secure. The campaigns that he’s spoken with said they feel “out of their depth” with cybersecurity, and often have trouble following the advice after.
Ceglowski leaves his phone number with campaigns after he’s briefed them, and a few times he’s gotten calls when staffers made mistakes setting up their Gmail accounts.
“Campaigns are in this impossible position where they get a lot of technical materials and they’re being set up to fail,” he said. “You can’t just dump this very urgent problem in someone’s lap without giving them hands-on help or elementary training.”
Despite the bad state of security for campaigns, he’s optimistic these trainings will make a difference — even with the time crunch. He’s still contacting as many campaigns as he can find and offering the help for free.
“The window of opportunity is closing because we’re deep into election season, but I don’t think that means we sit back and say, ‘Oh well, we’ll wait until 2020.”http://www.techhnews.com/wp-content/uploads/2018/10/election-security-is-a-mess-and-the-cleanup-wont-arrive-by-the-midterms.com”
No quick fix
Two years can seem like a long time, but to overhaul deeply rooted security problems, it’s not enough, experts say.
Facebook’s issues could take three years to fix, and that’s by CEO and founder Mark Zuckerberg’s estimates. Equifax, which suffered a massive data breach last year, also gives itself that same estimate of three years to fix the company’s security issues.
It takes a long time to adjust security culture, even for companies where executives have complete control of what needs to change and how it needs to be done. It’s much more complicated when you think about how state elections are run and how the standards vary by each state.
Unlike data privacy and a bill like the European Union’s GDPR, there’s no all-encompassing standard for securing the election process. Operations are left up to state officials and among counties. The closest thing to a standard is the Voluntary Voting System Guidelines from the US Election Assistance Commission, which isn’t mandatory.
The task of improving security becomes even more difficult when there are 3,141 counties across the US that don’t all have to meet the same standards. Even if the set of changes started on Jan. 1, 2016, it would have taken until at least 2021 to fix, said Chris Wysopal, the chief technology officer at security research firm Veracode.
“These are major changes. This is something that should start now and it’s going to take five years, probably, to do,” Wysopal said. “At this moment, we can only really do response and detection. We’re not great at prevention.”
The changes he’s seen so far have been basic, simple security awareness training that every company needs to go through. Wysopal said it’s much more important to establish fundamental changes for election security.
That means asking questions like “are the voting machines that counties buy up to standard?” and scrutinizing software that campaigns use. You’ll have to be patient if you want to see real change.
“You can make it much harder for an attacker between now and November if you’re determined,” said Patrick Sullivan, the director of security at cybersecurity company Akamai. “But change on a fundamental level, that’s going to take years to shift architecture.”
Security: Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.
Blockchain Decoded: Techhnews looks at the tech powering bitcoin — and soon, too, a myriad services that will change your life.