Fearful they would be accused of attempting to sway the presidential election, Obama administration officials shut down plans to share a list of cybersecurity precautions with state election officials responsible for protecting voting machines and databases, the McClatchy News Service reports today.
The unsettling report describes how a team of volunteer cyber experts working for the federal Election Assistance Commission and the National Institute of Standards and Technology (NIST) put together a five-page list of security suggestions for the states only to have NIST officials pull the plug on their work in August, 2016.
The decision left state voting and voter registration systems wide open for what one computer security expert consulted by McClatchy termed the electronic equivalent of the Pearl Harbor attack that brought the U.S. into World War II.
In this case, of course, the attackers were computer hackers backed by the Russian government rather than Japanese sailors and pilots. U.S. intelligence agencies have concluded the cyberspies penetrated or attempted to breach election systems in at least 20 states. There is no evidence they were able to switch votes or alter vote counts, but experts warn that they gained insights into U.S. voting systems that will allow them to mount more devastating attacks in future elections.
Common Cause is among a variety of advocacy groups lobbying state officials across the country to step up their cybersecurity precautions, including shifting to voting systems that produce a paper record of every ballot cast. Only about one-fourth of the votes cast last year had paper backups, the McClatchy report notes; officials say paper records provide the most reliable way to verify machine tallies.
A year after the NIST decision to suppress them, the list of security guidelines still has not been shared with the states, McClatchy reported. And even if it was provided, many states probably would opt not to use it.
While presidents are elected in a nationwide vote, elections are run by states and localities using different voting hours and days, a wide range of voting equipment, and operating under wildly varying rules. Many, if not most state election officials are wary of federal intrusions into their domain and insist their voting systems are protected against cyberattacks because they’re not connected to the internet.
“We’re not really cyber at all, except for our voter registration databases, which have nothing to do with the actual tallying of votes,” Denise Merrill, Connecticut’s secretary of the state, testified last April. At the time, Merrill was president of the National Association of Secretaries of State, a group that includes most state election administrators.
Cyberexperts scoff at Merrill’s assessment. They agree that hackers have a variety of ways to penetrate voting systems – offline as well as on the internet.
McClatchy reported that “If a vote-counting system is on an internal network in which any component is hooked to the internet, it creates ‘an exploitable’ situation for hackers.” The suppressed guidelines urged states and counties to map their networks to be sure they are fully offline and to take other precautions to avoid infection.
“Beyond the voting machines themselves, other dangers lurk,” the McClatchy report added. James Scott, co-founder of the Institute for Critical Infrastructure Technology, told the news service that the secretaries of state were warned last year that hackers probably would try to infect vote-tallying equipment through the vendors that sell the machines to state election agencies.
“We told them and we told them,” he said. “We showed them two schematics of exactly where the attacks would come from” well before the election.
Scott said hackers could embed malware in a routine software upgrade before it was distributed to states and localities for installation in their machines. The bad code would then infect a central vote-tallying machine and instruct it to switch votes.
Office: Common Cause National
Issues: Voting and Elections