WaPo: The Cybersecurity 202: We surveyed 100 security experts. Almost all said state election systems were vulnerable.

WaPo: The Cybersecurity 202: We surveyed 100 security experts. Almost all said state election systems were vulnerable.

By Derek Hawkins

The midterm elections are less than six months away, but an overwhelming 95 percent of digital security experts surveyed by The Cybersecurity 202 say state election systems are not sufficiently protected against cyberthreats. 

We brought together a panel of more than 100 cybersecurity leaders from across government, the private sector, academia and the research community for a new feature called The Network — an ongoing, informal survey in which experts will weigh in on some of the most pressing issues of the field. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.) Our first survey revealed deep concerns that states aren’t prepared to defend themselves against the types of cyberattacks that disrupted the 2016 presidential election, when Russian hackers targeted election systems in 21 states.

“We are going to need more money and more guidance on how to effectively defend against the sophisticated adversaries we are facing to get our risk down to acceptable levels,” said one of the experts, Rep. Jim Langevin (D-R.I.), who co-chairs the Congressional Cybersecurity Caucus.

Congress in March approved $380 million for all 50 states and five territories to secure their election systems, but Langevin says he wants more. He introduced legislation with Rep. Mark Meadows (R-N.C.) that would provide election security funding to states if they adhere to new federal guidelines for identifying weaknesses in their systems and auditing election results. “I hope Congress continues to work to address this vital national security issue,” Langevin said.

Each state is responsible for running its own elections, and many state officials view attempts by the federal government to intervene with skepticism — if not outrightopposition. But some experts said the magnitude of the threats from state-sponsored adversaries is too great for states to deal with alone.

“Given the gravity of the nation-state threats we face, much more needs to be done at every level — including a strong declarative policy that this activity is unacceptable and will trigger a strong response,” said Chris Painter, who served as the State Department’s top cyber diplomat during the Obama and Trump administrations.

Dave Aitel, chief executive of Immunity Inc. and a former National Security Agency security scientist, went further: “Protecting systems from cyberthreats from nation-states can really only be done on a national level. It’s insane we have state-level control of these systems.”

Experts generally agreed that most states are more secure than they were in 2016. Officials have undertaken a variety of measures to improve security — including conducting vulnerability tests of computer networks and voting machines and hiring new IT staff.

But securing this kind of technology isn’t easy. “ ‘Election systems’ are massive, distributed IT systems with thousands of endpoints and back-end systems that hold and process large volumes of highly sensitive data,” said Jeff Greene, senior director of global government affairs and policy at Symantec. “Protecting such systems is no small feat, and election systems are no different. While [the Department of Homeland Security] and the state and local governments have in recent years dialed up their efforts, there are no easy fixes.”

Several experts said that state voter registration databases are particularly vulnerable — and make an appealing target for attackers who want to sow confusion and undermine confidence in the voting process.

“The voting machines themselves are only part of the story,” said Matt Blaze, a cryptographer and computer science professor at the University of Pennsylvania. “The ‘back end’ systems, used by states and counties for voter registration and counting ballots, are equally critical to election security, and these systems are often connected, directly or indirectly, to the Internet.”

There’s no evidence that Russian hackers actually changed any votes in 2016, but they did probe online voter rolls and even breached the statewide voter database in Illinois.“Few if any state and local IT departments are equipped to protect this infrastructure against the full force of a hostile intelligence service, and these systems are very attractive targets for disruption,” Blaze said.

“The level of expertise is quite uneven” across the states, added Daniel Weitzner, founding director of the MIT Internet Policy Research Initiative who was U.S. deputy chief technology officer for Internet policy during the Obama administration. “Of particular concern is the voter registration systems. Imagine how much fear, uncertainty and doubt [that] Russia or any other malicious actor could sow if they raise questions about the accuracy of the voting rolls. That’s every bit as bad as actually changing votes, and much easier to do.”

Jay Kaplan, co-founder of the cybersecurity firm Synack, notes a bright spot: The Election Assistance Commission has a national voting system certification program to independently verify that a voting system meets security requirements.

“However, testing for this certification is completely optional,” said Kaplan, who held previous roles in the Defense Department and at the National Security Agency. “States can set their own standards for voting systems…. As such, some states are significantly more buttoned up than others. The reality is states are understaffed, underfunded, and are too heavily reliant on election-system vendors securing their own systems.”

On top of that, millions of Americans will vote this year on old, hack-prone digital machines that produce no paper trail. Without a paper record, it’s nearly impossible to audit the final vote tally. Federal officials and expertsrecommend scrapping such machines in favor of paper ballots.

Too many states “have taken a less than strategic approach and once again waited too long to start addressing vulnerabilities within their processes and technology,” said Mark Weatherford, a former deputy undersecretary for cybersecurity at the Department of Homeland Security in the Obama administration and chief information security officer in both California and Colorado.

“Additionally, because of significant investments in electronic voting technology, it’s difficult for non-technologists to acknowledge economic sunk costs and re-prioritize current funding to address these … problems,” said Weatherford, a senior vice president and chief cybersecurity strategist at vArmour.

Nico Sell, co-founder of the software maker Wickr, put the problem into perspective: “We will teach the kids how to hack the election system this summer at r00tz at Def Con,” she said. (r00tz is an ethical hacking program for children between 8 and 16 years old held in Las Vegas alongside the Def Con security conference.)

Many experts are worried that states lack the resources to build their defenses in time for the midterms, even with more federal assistance. “What isn’t clear is where our defenses and resiliency have improved if at all,” said Jessy Irwin, head of security at Tendermint. “This is a difficult problem to solve, and it takes something we don’t have enough of to get 50 states and a few territories flying in formation: time.”

Less than five percent of experts who responded to the survey said they were confident that state election systems were well protected.

Cris Thomas, who goes by the name Space Rogue and works for IBM X-Force Red, said that while registration databases, websites and other systems may still be vulnerable, “the election systems themselves are sufficiently protected.”

And the patchwork nature of U.S. elections is actually a bonus when it comes to deterring would-be attackers, said one expert who spoke on the condition of anonymity.

“State balloting systems are diverse and decentralized. They’re administered by some 3,000 counties, making it difficult for malicious actors to uniformly attack voting infrastructure on a vast scale,” the expert said.

That expert was satisfied with the efforts by state and federal officials to secure the vote. “Public and private authorities are taking steps to defend against nation-state attacks. The recent omnibus spending bill provides monies to states for election security; threat data are being shared between states and federal agencies (albeit probably slowly and tentatively); and election officials are utilizing best practices, such as conducting post-election audits and not connecting voting machines to the Internet,” the expert said.

“But bolstering our cyberdefenses, however fundamental, will only take us so far,” the expert added. “The White House needs to authorize agencies to disrupt cyberattacks and information operations at their sources and up the ante for prospective attackers as part of America’s broader deterrence posture.”

As another expert who participated in the survey put it:“The high level of interest has led to more eyes on the process, which itself helps deter would-be hackers.”