County boards of elections in Ohio are bringing in experts to size up whether their computer systems are vulnerable to hackers.
In the wake of 2016 campaign email hacking by Russia, the U.S. Department of Homeland Security declared election IT to be “critical infrastructure.” This year, the Ohio Secretary of State Jon Husted directed counties to improve cybersecurity.
Now boards have until Oct. 15 to submit security audits to the state. The directive from Husted’s office requires boards to try to fix major problems by Election Day in November.
“Certainly the goal is to have any threats assessed and remedied prior to November’s election, which is a very, very aggressive timeline,” Aaron Ockerman, the director of the Ohio Association of Election Officials, said. “But that being said, I think it demonstrates the importance of the topic.”
Last year, the secretary of state’s office said DHS told them that Russia-linked hackers tried to find weaknesses in Ohio’s election system in 2016. The state said the attempt lasted less than a second, the hackers did not break inside and the system is secure.
This year, the state is making $4.9 million available for counties to hire “pathfinders”—IT firms or experts at local community colleges—to conduct the assessments.
The money is coming out of a $12 million federal award Ohio received to prepare for future elections. In all, the federal government approved $380 million for states this year, the latest disbursement under the Help America Vote Act of 2002.
The state wants boards to follow a cybersecurity guidebook published by the nonprofit Center for Internet Security. The book, which lists dozens of ways counties can protect against hacking, serves as the road map for pathfinders’ audits.
Candice Hoke, a co-director for the Center for Cybersecurity & Privacy Protection at Cleveland-Marshall College of Law, said Ohio and the federal government are taking some positive steps.
But she said she has concerns about counties’ resources and know-how.
“The biggest concern that I have is the lack of security knowledge within the boards of elections for making good judgments about how to use those moneys, including which kinds of firms to hire,” Hoke said.
As for the security assessments, Hoke said they should have happened sooner.
“Right now, yes, we are in catch-up mode,” Hoke said. “October is way too late. We’re already in the midst of receiving voted absentee ballots by mid-October. So it’s way too late.”
Portage County as Role Model for Best Practices
Portage County offers one example of how local election officials are trying to guard against hacking and other online disruptions. The county contributed best practices to CIS’s cybersecurity guidebook.
At the board’s office recently, director Faith Lyon opened a door into the room where a computer will tabulate November’s results. That PC, Lyon said, is not connected to the web.
“No internet. No connectivity whatsoever,” she said. “These are actually single-source. They’re not even connected into our county system within our office.”
The election board’s computer server is separate from the rest of Portage County’s government systems, Lyon said. Staff don’t have internet access at their desks, a decision Lyon said was made years ago.
“We literally have two computers in our office that have internet connectivity,” she said.
On election night, staff use those computers to send vote totals to the secretary of state’s office and to upload them to the board’s website.
To get the data from the tabulation computer onto the ones with internet, the board uses thumb drives—lots of them.
“One direction, one use each thumb drive,” Lyon said. “So on an election night, we can easily go through 20, 30 thumb drives, and they are never used again. They are literally disposed of after our disposal period.”
By using the drives only once, the board tries to reduce the risk that malware could hop from the internet back onto the vote tabulation computer.
Involvement With Homeland Security
Security assessments aren’t the only way Ohio is preparing.
Boards have been role-playing worst-case scenarios in tabletop exercises funded by the federal government.
A number of election officials met for exercises in July in Independence, Lyon said. She said officials practiced how they would respond to a compromised registered voter database, contaminated USB drives, the spread of phony election information and other problems.
The state has also directed boards to join the Election Infrastructure Information Sharing and Analysis Center, or EI-ISAC, an initiative supported by the Department of Homeland Security. EI-ISAC sends email newsletters to boards with resources and alerts about potential threats.
DHS has offered Ohio’s largest counties free “Albert sensors,” which detect potential intrusions into computer systems. Spokesmen for the boards of elections in Franklin and Cuyahoga counties confirmed the boards are using the sensors.
“What you’re trying to do is build something that’s called defense in depth,” Matt Masterson, a senior advisor at DHS, said. “You build layers of security such that you make it difficult for a malicious actor to get full access to any given system.”
Masterson, who used to work in Husted’s office, said boards should also watch out for human error—such as staff falling for phishing attacks by clicking malicious links in emails.
“One of the things we offer state and county officials is a multi-week phishing campaign assessment where we will send progressively more sophisticated phishing emails to the participants and then share back click rates,” Masterson said.
Masterson, Hoke and other experts say boards should focus on becoming resilient, such as by backing up data. That way, if anyone does try to disrupt the election, the system can bounce back.