From hackers to ransomware, governments byte back on cyberattacks

Vigilance in the cybersecurity world is only as strong as its weakest link, which is why the mere thought of anyone within any organization unwittingly clicking on an executable file in an email is enough to keep any low-key IT person awake at night.

The same trepidation holds true for those overseeing elections.

A person would have to have been buried underneath a mountain of discarded Commodore 64 computers for the past three years not to have known about Russia’s purported role in attempting to influence the 2016 election, which was outlined in Robert Mueller’s 448-page report to the U.S. Congress.

The coordinated meddling effort not only involved a sweeping disinformation campaign, but also drilled down with hacks into voter databases.

In Illinois, 76,000 registered voters’ information — addresses, partial Social Security numbers, dates of birth and driver’s license numbers — was compromised in a June 2016 data breach, according to a Chicago Times report.

Florida election computers were targeted through a Russian-engineered spearphishing scam, in which an email appeared to come from a regular vendor but contained a malicious Trojan. Hackers were able to gain access to at least one of that state’s county election systems, according to a New York Times report.

Russian intruders reportedly made similar attempts on voting systems in all 50 states in 2016, national security experts said.

“The desire to interfere with our elections appears to be fairly well-established by other countries,” said Colin Battersby, data privacy and security lawyer with the Bloomfield Hills-based firm McDonald Hopkins. Battersby specializes in counseling companies that have been victims of data breaches.

“How they’ve done that appears to be an open question to a certain extent … So when there is a technically driven way of collecting votes, there is a possibility of messing with that,” Battersby added. “We’re talking about some issues of significance here. We’re not just talking about personal data anymore; we’re talking about the proper functioning of the country.”

Michigan’s Secretary of State, who oversees elections, hasn’t sat on her mouse pad on cybersecurity.

Election Security Commission enlisted
Secretary of State Jocelyn Benson formed an 18-member Michigan Election Security Commission, which is co-chaired by University of Michigan Computer Science and Engineering professor J. Alex Halderman, who has testified before U.S. House and Senate committees about the need to guard the U.S. voting system against cyberattacks. Halderman is joined as a co-chair by David Becker, executive director of the nonprofit Center for Election Innovation & Research.

The advisory committee has met four times, holding two public hearings.

The panel will put together a set of recommendations — short- and long-term — by year’s end to erect an impenetrable firewall between those practicing the essential rite of democracy and keyboard connivers.

“We already know that foreign adversaries have already tried to disrupt our elections in the past, they’ve tried to hack into our voter registration databases,” said Jonathan Brater, then Secretary of State legal policy director and now the Michigan Elections Director.

“They’ve had some success in some states in getting into local and state networks, so the idea that there are very sophisticated and powerful actors that are trying to do that is obviously a concern.

“I think that we do have pretty good safeguards now. I think our system is very secure in Michigan overall, but we definitely need to stay vigilant and ahead of the curve, because we know they are still trying to disrupt our elections,” said Brater.

The newly established commission is looking at several issues, including cybersecurity, to ensure best practices when running an election.

Those range from risk-limiting audits, which verify more efficiently that votes are being counted correctly, to new technology for reporting unofficial results to county and state headquarters from precincts on election night. The latter would presumably decrease a source of misinformation and conspiracy theories.

“We’re looking at ways to make sure information is being shared accurately and without any potential for interception or interference,” Brater said. “Though (the election night results are) unofficial, the commission is looking at how improvement on that process can be made.”

University of Michigan Computer Science and Engineering professor J. Alex Halderman, left, Jonathan Brater, Secretary of State legal policy director and Jocelyn Benson, Michigan Secretary of State at the first Michigan Election Security Commission meeting in March.

Paper has its advantages
Votes are cast uniformly in the state, using paper ballots that are fed into and read by an optical-scan machine. The process has a built-in safeguard against hackers, said U-M’s Halderman during an August interview on C-Span.

“Paper might seem retrograde, but it is actually a pretty good defense against election hacking, because it is something that cannot possibly be changed in a cyberattack,” Halderman said in an interview with C-Span’s John McArdle. “So what Michigan still needs to do, as what many other states need to do, is make sure they are using that paper as a form of cyber defense.

“In order to do that, we have to check enough of the pieces of paper, the paper ballots, by having a person inspect them and make sure they agree with the computer systems that give us our election night totals.”

That is where risk-limiting audits come into play.

The post-election inspection process involves counting ballots in enough precincts to verify the result is correct within a certain margin of error.

If the outcome is decisive, say 20 points or more, auditors would need to count fewer ballots. A tight race where the margin is two points would require more paper ballots being tabulated, Brater said.

“Essentially, (a risk-limiting audit) allows you not to have to recount every single ballot, but sample enough of them to ensure that, if there was some kind of issue that suggests the machines were not counting the ballots properly, you would catch it by looking at the actual paper ballot,” Brater said. “Of course, you could scale up to a full paper recount if that was necessary.

“The hope is that we would only have to do that in very rare instances.”
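The link between margin and sample size that Brater describes can be worked through with a ballot-polling audit. The sketch below is an added example, not code from the article or from Michigan election officials; it uses BRAVO, a published ballot-polling method the article does not name, and assumes a two-candidate contest and constructed ballot piles.

```python
import math
import random

def expected_sample(winner_share, risk_limit):
    """Approximate number of ballots BRAVO inspects when the reported result is right."""
    if not 0.5 < winner_share < 1.0:
        raise ValueError("reported winner share must be between 0.5 and 1")
    loser_share = 1.0 - winner_share
    z_w = math.log(2 * winner_share)   # log evidence gained per winner ballot
    z_l = math.log(2 * loser_share)    # log evidence lost per loser ballot
    return math.ceil((math.log(1 / risk_limit) + z_w / 2)
                     / (winner_share * z_w + loser_share * z_l))

def make_pile(total, winner_votes):
    """Constructed paper trail: 'W' = ballot for reported winner, 'L' = for loser."""
    return ["W"] * winner_votes + ["L"] * (total - winner_votes)

def run_audit(ballots, reported_winner_share, risk_limit, max_draws, seed):
    """Hand-inspect randomly drawn ballots until the reported outcome is confirmed.

    Returns (confirmed, draws). confirmed=False means the sample never reached
    the evidence threshold, so the audit escalates to a full hand count.
    """
    rng = random.Random(seed)          # seeded so the example is repeatable
    evidence = 1.0                     # sequential likelihood ratio
    for draws in range(1, max_draws + 1):
        if rng.choice(ballots) == "W":
            evidence *= 2 * reported_winner_share
        else:
            evidence *= 2 * (1 - reported_winner_share)
        if evidence >= 1 / risk_limit:
            return True, draws
    return False, max_draws

if __name__ == "__main__":
    for share in (0.60, 0.51):         # 20-point margin vs. 2-point margin
        print(f"reported {share:.0%}: about {expected_sample(share, 0.05)} ballots")
    # Paper agrees with the machines: confirmed after a small sample.
    print(run_audit(make_pile(10000, 6000), 0.60, 0.05, 2000, seed=1))
    # Machines reported 60% but the paper shows 40%: never confirmed, escalate.
    print(run_audit(make_pile(10000, 4000), 0.60, 0.05, 1000, seed=1))
```
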

Ingham County Clerk Barb Byrum describes a very regimented process on election night and thereafter.

After the polls close, unofficial results are brought to the county. Byrum serves as clerk of the county board of canvassers, which is composed of two Democrats and two Republicans, who make sure the vote totals jibe with ballots cast before certifying an election. A spoiled ballot or someone simply walking off with one are often reasons for discrepancies.

Audits are routine, Byrum said.

“We have a very secure system, but there are certainly improvements that can always be made, and that is what the Election Security Commission is preparing,” said Byrum, who is on the 18-member panel.

Held at cursor-point
While clerks and others are left to reassure people about the electoral system, municipalities are faced with another computer-generated threat — ransomware attacks.

Several small communities in Texas were targets of a coordinated ransomware attack with demands totaling $2.5 million in August. The municipalities, whose computer files were locked, did not capitulate to the demands.

About half of the 22 communities affected didn’t fully get back online until September.

Those guerrilla assaults paled in comparison to the knockout punch delivered to Atlanta in March 2018, which paralyzed city utility, parking and court services and cost $17 million to deal with.

Another cyberattack in Baltimore took down computers for that city’s 10,000 employees in May, affecting residents’ ability to pay water bills and traffic tickets among other things, and was expected to run upwards of $18 million to repair.

In both cases, the perpetrators demanded ransoms, which the cities refused to pay.

New Bedford, Mass., found itself the victim of a similar scheme where the perpetrator demanded the equivalent of $5.3 million in Bitcoin after unleashing a virus that encrypted that city’s data files, according to reports. The city offered to pay $400,000 insurance, but the hacker declined. The city recovered its own data.

Money wasn’t the motivation behind the malware attack which shut down computers in the city of Allentown, Pa., in February 2018. The cyberattack cost $1.2 million to remediate.

Money not always the driver
“There is a lot of artificial intelligence out there that is being deployed on a massive scale,” said Jennifer Puplava, an attorney with Grand Rapids-based Mika Meyers, who specializes in intellectual property law and technology law. “Part of the challenge for anyone who has this information, whether it be a government agency or a private business, is that some of these hackers are not in it for the money, they are in it to create chaos.

“These hackers will lie in wait to hack into the system to observe what’s going on and then find a way to deploy a phishing attack or other mechanism to gain further access with the motivation being something other than money.”

Local governments, especially smaller ones, are becoming prime targets, because they are easier to exploit due to inconsistency in updating software and having weak or nonexistent IT departments, Puplava said.

As part of her practice, Puplava counsels public officials on being alert in the Wild West of the Internet. She gave a presentation, titled “Local Governments in the Digital Age” in October at Frederik Meijer Gardens in Grand Rapids Township, stressing the importance of taking precautions.

“It is a lot more difficult to play defense than to play offense,” the attorney said.

Governments should do a risk-assessment inventory, which should include identifying what sensitive information is stored, accessed, used, processed and shared, not to mention how it flows through the municipality’s IT system, Puplava said.

Another key is understanding what data is mission-critical and, when taken offline, could shut down operations.

Technical precautions are a necessity. Antivirus software, data backup, encryption and strong passwords all need to be part of a comprehensive strategy, Puplava said.

The human element
The human element cannot be overlooked in the equation, said Taylor Gast, an attorney with Foster Swift Collins & Smith, who is a member of the International Association of Privacy Professionals. Employee education is paramount to prevent cyberattacks.

Some programs are designed to target employees who are prone to click on email attachments, which can unleash a mountain of mayhem.

“A lot of the better programs tend to have a targeted phishing-fake email and track to see if anyone in the organization is clicking on them and provide targeted follow-up,” Gast said. “And they let people know, ‘Hey you shouldn’t have clicked on this and let’s talk about why you did and let’s talk about how we can prevent this in the future. Was that a link you should have clicked on? Was that an attachment you should have downloaded?’

“Some of them are fairly robust. Some of them may flag the person to let them know about the first time. Maybe the second time, you provide them training and the third time, you may provide something more punitive. Maybe have them attend a 45-minute training session or something.

“Despite all the training in the world, even though it’s all very helpful, everybody makes mistakes,” said Gast. “Unfortunately, a lot of these issues arise from simple human error and none of us are perfect. We all make mistakes. In light of that, we are hoping that organizations understand that they need a plan for when something goes wrong. They need an incident response plan. They need to make sure it’s tailored to their organization and it adequately describes how to act when these incidents arise and how to make the proper decision.”

Ingham County Clerk Byrum believes some cybercrime can be mitigated with simple computer cleanliness.

“I think we need to encourage all users, whether they are election officials or they simply do data input, we need to encourage all individuals involved in elections to practice good cybersecurity hygiene, not to click on links that they don’t know, be careful with passwords, don’t put them on a sticky note and put them on your desk,” she said. “I think a lot of people could probably use reminders.”