With the Illinois primary just hours away, state election officials are beefing up cyber defenses and scanning for possible intrusions into voting systems and voter registration rolls.
They have good reason to be on guard: Two years ago, Illinois was the lone state known to have its state election system breached in a hacking effort that ultimately targeted 21 states. Hackers believed to be connected to Russia penetrated the state’s voter rolls, viewing data on some 76,000 Illinois voters, although there is no indication any information was changed.
Since then, Illinois election officials have added firewalls, installed software designed to prevent intrusions and shifted staffing to focus on the threats. The state has been receiving regular cyber scans from the federal government to identify potential weak spots and has asked the U.S. Department of Homeland Security to conduct a comprehensive risk assessment. That assessment is scheduled but did not happen before Illinois’s second-in-the-nation primary.
“It’s not something where you ever feel completely safe,” said Matt Dietrich, spokesman for the Illinois State Board of Elections. “It’s something where you feel like you’re doing your best to protect against what could happen in a cyberattack.”
Federal intelligence agencies determined that the attempted hacking of state elections systems in 2016 primarily targeted voter registration systems, not actual voting machines or vote tallying.
Gaining access to electronic voter rolls can do as much damage, giving hackers the ability to change names, addresses or polling places. Confusion, long lines and delays in reporting election results would follow, all of which undermine confidence in elections.
Cybersecurity experts say it’s crucial for states to shore up vulnerabilities in those systems now, with this year’s midterm elections underway and the 2020 presidential election on the horizon.
J. Alex Halderman, director of the University of Michigan’s Center for Computer Security and Society, said many of the same weaknesses present in 2016 remain.
“I think it’s only a matter of time before we suffer a devastating attack on our election systems unless our federal and state governments act quickly,” he said.
The federal Help America Vote Act, passed two years after the messy presidential recount in Florida, requires states to have a centralized statewide voter registration list, but states vary in how they implement it.
Most collect voter data at the state level and then provide it to local election officials, according to the U.S. Election Assistance Commission. Illinois and five other states do the opposite, collecting voter registration data at the local level and sending it to the state elections office. A few others have a hybrid system.
The chief concern surrounding voter registration systems and the growing use of electronic poll books to check in voters at polling places is how they interact with other internet-connected systems.
Electronic poll books allow polling place workers to verify a person’s registration and related information electronically, rather than having to rely on large paper files.
A downside is that the e-poll books might use a network to connect to a voter registration system, providing a potential opening for hackers.
In other cases, the voter data is transferred from a computer and placed on a device not connected to the internet. That computer is the potential weak link. Security experts said it must be secured and not subject to tampering.
Experts with The Belfer Center for Science and International Affairs at the Harvard Kennedy School said network-connected election systems are vulnerable to attacks and urged officials to take several steps to shore up security, including making sure the underlying server is not connected to the internet and that all changes are logged. Experts say a key component is that election systems can recover quickly in the event of an attack or even an equipment failure, limiting public disruption.
Larry Norden, an expert in elections technology with The Brennan Center for Justice at the NYU School of Law, said the network connections make voter registration systems more vulnerable to hacking than voting machines, which are not directly connected to the internet.
In many states, the department of motor vehicles or some other state agency provides information to the voter registration system as a way to keep the records current. Some states allow voters to register and edit their information on a state website that is connected to the voter database.
All of those provide possible access points that can open the door to hackers.
“Just understanding where the risks are is critical,” Norden said.