Cybertraining Election Officials For This Year's Voting
If anyone knows how easily voting can be disrupted, it's a county election supervisor in the state of Florida. That's one reason several dozen of them gathered in Orlando recently to discuss ways to protect against the most recent threat — cyberattacks by Russia or others intent on disrupting U.S. elections.
Marion County elections supervisor Wesley Wilcox said he realizes the threat has evolved far beyond the butterfly ballots and hanging chads that upended the 2000 presidential race. And even beyond the lone hacker.
"It's no longer the teenager in his basement eating Cheetos that's trying to get into my system," said Wilcox. "There are now nation states that are, in a coordinated effort, trying to do something."
CIA Director Mike Pompeo is the latest intelligence official to warn the Russians will likely try to interfere in this year's elections, as they did in 2016. And Florida was among at least 21 states that intelligence agencies say had their election systems probed by Russian hackers during the last election cycle.
There's no evidence that any votes were affected, but everyone at the Orlando meeting was well aware that they're now on the front lines of a serious international conflict.
"The reality is all of us are going to be impacted at some point in time by a cyber incident. All of us," Matt Masterson, chairman of the U.S. Election Assistance Commission, told the group. His agency is working with states and localities to beef up election security.
Masterson displayed a news article about hackers targeting nuclear facilities to drive home the significance of the threat.
"I share this because you're now in good company," he said. "As part of the nation's critical infrastructure, you're now in a group with nuclear facilities."
The Department of Homeland Security last year designated elections as part of the nation's critical infrastructure.
Since 2000, most jurisdictions have replaced their old equipment with more computerized systems, including electronic voting machines, vote tabulators and on-line registration systems. Ryan Macias of the Election Assistance Commission said new technology carries new risks and vulnerabilties.
"We have denial of service, which is a disruption attack, your website going down," he said, noting that if that happens on Election Day, it can shake voter confidence, even if no actual votes have been changed.
He said it's also important to make sure that vendors and contractors are using secure systems. And to screen temporary election workers who might have access to sensitive information and passwords.
Ransomware is another problem. "What happens if somebody takes your data, takes your election night reporting data, and holds it ransom on election night?" Macias asked. "What are you going to do? How are you going to recover from that? What are you backup processes?"
The election supervisors and some of their IT staffers broke into small groups to work out their responses to several hypothetical attacks. They had to figure out whom to call first, how to contain the damage and whom to tell about the incident. Should law enforcement be informed?
"Alright, so it appears one of our employees has been successfully phished," Will Boyett, of the Alachua County elections office, said in presenting one of the scenarios.
Phishing attacks are something most of the people in the room are very familiar with. According to a leaked intelligence report, Russian hackers, posing as a Florida vendor, tried to get local election office workers to open e-mail attachments containing malicious software. So far, there's no evidence anyone did.
It was clear that many of those gathering in Orlando already have protections in place and are well aware of the risks. But some county election offices are extremely small, with no IT staff of their own. Dana Southerland runs elections in Taylor County, which has only 13,000 voters. She said she picked up some useful tips, such as changing passwords and being careful about opening e-mails.
"Making sure that it's not a phishing e-mail or something like that. I had no idea what that was until we started having some of these workshops," she said.
Southerland — who is also President of the Florida State Association of Supervisors of Elections and helped organize the session — said perhaps the most important message is that no one is immune from attack, and they have to be prepared.
Copyright 2020 NPR. To see more, visit https://www.npr.org.