Officials: Cyber defenses needed for elections
Hackers previously attempted to breach Wisconsin’s systems
MADISON - Russian hacking attempts grabbed headlines this week, but they weren’t the Wisconsin elections agency’s first cyber attack with an international flavor.
For a day in August 2011, an older version of the state’s elections website and several other state sites were knocked out of commission by a cyber vandal. The elections site had its homepage plastered with the phrase “hacked by sovalye“— a phrase that appeared to refer to the Turkish word for “knight.”
Since then, the state government as a whole has gotten more serious about protecting itself from internet attacks — efforts that may have paid off last year amid Russian attempts to influence, or undermine confidence in, the November elections.
“Hacking was not taken as seriously as it is now,” retired state elections head Kevin Kennedy said of the shifting in thinking over the past decade. “There’s been a real focus on security protections.”
But despite the progress, election officials and outside experts say more could be done to ensure the state voter database and local voting machines are protected.
In a reminder of the stakes, the federal Department of Homeland Security told Wisconsin officials last week that this state was one of 21 around the nation targeted by “Russian government cyber actors.”
DHS officials initially said the hackers tried to attack WisVote, the state’s voter registration system. Unlike voting machines in this state, WisVote can be accessed through the internet.
State officials questioned Tuesday whether the technical information shared by federal officials really showed an attempt to hack WisVote at all.
Homeland Security officials initially appeared to agree, adding on Tuesday that the state’s labor department had been the actual target. But they later clarified that they still believe the Russians had the eventual goal of reaching the state’s election system.
Hackers were looking for “vulnerabilities in networks that may be connected to (elections) systems or have similar characteristics in order to gain information about how to later penetrate their target,” Homeland Security spokesman Scott McConnell said Thursday.
Any hack attempt stymied
So far, however, officials see no evidence hackers were successful here.
For instance, there’s been no indication here that large numbers of voters were taken off of registration rolls as happened in North Carolina — a problem that quickly generated complaints there.
“Oh, my God, we would have heard about it,” said Dane County Clerk Scott McDonell, a Democrat.
There’s been scrutiny of the November election outcome in Wisconsin, where President Donald Trump narrowly beat Hillary Clinton and became the first GOP presidential candidate to win the state since 1984.
After the election, Green Party presidential candidate Jill Stein paid $1.8 million to force a recount of the nearly 3 million ballots cast in the presidential election. At least 58% of those ballots were recounted by hand — the remainder by machine — with no hacking found and a change in the final outcome that amounted to just 0.06% of the votes cast.
In Wisconsin, local clerks are prohibited by the state Elections Commission from connecting their voting machines — or the computers used to program those machines — to the internet to help ensure they aren’t hacked.
Local clerks like McDonell also test voting machines privately and in a public event before election day and the state does limited spot checks of local machines after the voting. All machines used in the recent recount also went through a second public test.
Paper trail
In addition, Kennedy said, voting machines in Wisconsin come with either a paper ballot or paper receipt that can be used in recounts to ensure that the machine accurately recorded the votes electronically.
“It’s not credible. It’s not what’s happening,” McDonell said of concerns that voting machines in Wisconsin could have been hacked. “The threat from Russia is real, but they’re always going to go after the easy thing.”
In Wisconsin, the easiest elections target appears to be the statewide voter registration database, WisVote, which is connected to the internet and used by thousands of local elections officials as well as the general public.
To harden that system against attacks, state elections officials this week discussed encrypting WisVote and supplementing the current password requirement for logging in with a second code that would be sent as an email or text message.
David Cagigal, the state’s chief information officer, told the state Elections Commission that attempts to hack Wisconsin systems had been thwarted but that he believed part of Russia’s goal was to create suspicion about the nation’s voting infrastructure.
“I believe they achieved the suspicion,” he said.
Eric Nelson, an IT consultant in Wisconsin, also pointed out that the state has checked for contacts from suspicious internet addresses flagged by the federal government. But there are likely more devices and addresses used by the hackers that federal officials either didn’t identify or didn’t share, said Nelson, who independently identified the attempted Russian hacking of two government websites his firm runs for Bayfield County and the City of Ashland.
Next steps
Experts say more could be done to guard against these attacks, both in Wisconsin and nationally.
Kennedy, the former Wisconsin election official, said he saw voting machine vendors as the biggest vulnerability for the state’s system, noting that some local clerks still rely on private companies with security measures in place that are less clear than those required of clerks.
These vendors help prepare ballot updates that are physically loaded onto machines and provide at least a potential point of entry for malicious code.
“That’s where we really need to focus,” Kennedy said.
University of Michigan computer scientist J. Alex Halderman wrote in a November 2016 column that he and his students have reprogrammed voting machines in a lab to spit out false electoral results.
“Many states continue to use machines that are known to be insecure — sometimes with software that is a decade or more out of date — because they simply don’t have the money to replace those machines,” wrote Halderman, who served as an expert witness for the Stein campaign in Wisconsin.
James Norton, a former U.S. Homeland Security official in then President George W. Bush’s administration, said states and the federal government need to respond to these latest threats with the kind of comprehensive effort seen in the 2002 Help American Vote Act, a response to the problems in the 2000 presidential election.
Governors around the country need to push for action from Congress, which has done little on its own to address the issue, said Norton, who is now a cyber security consultant and lecturer at Johns Hopkins University.
“The trouble with cyber security is there really isn’t anyone in charge,” he said.