After 2016 hacks, Ariz. vote system is upgraded
Federal intelligence officials sounded an alarm Thursday that the Russian government’s attempts to disrupt U.S. midterm elections through cyberwarfare remain “pervasive” and ongoing.
Arizona’s voter-registration system was targeted in at least two 2016 hacking attempts connected to Russia. So, what has the state done to protect the state’s elections system since then?
Secretary of State Michele Reagan, Arizona’s chief elections officer, said the state is “light-years” ahead of where it was two years ago, in terms of protecting voter information.
The state has developed stronger password safeguards to protect voter records, and it is developing a new statewide registration database.
Reagan said Thursday’s warning from the Trump administration’s intelligence team is also a step in the right direction because it signals federal agencies — which she has complained gave states conflicting threat warnings — are on the same page.
“It shouldn’t be a big shock to anyone that bad actors are still trying to get into the system,” Reagan said. “I can’t believe that it took everyone that long to acknowledge it.
“What do they say? ‘Recognizing is the first step.’ ”
Reagan said she and other secretaries of state from around the country received a similar briefing from Kirstjen Nielsen, secretary of homeland security, at a conference in Philadelphia last month.
On Thursday, Nielsen and other intelligence officials spoke at a White House press briefing and warned that Russia, and perhaps other foreign actors, are looking to undermine American democratic values.
“We acknowledge the threat, it is real, it is continuing, and we’re doing everything we can to have a legitimate election,” National Intelligence Director Dan Coats said.
Reagan said while hacking attempts targeting Arizona’s statewide voter database in 2016 were unsuccessful, her office has beefed up security to safeguard the information of more than 3.6 million voters.
“We got lucky,” Reagan said during an interview with The Arizona Republic in late March. “We had a real wake-up call with that.”
Among the improvements, Reagan’s office spent $10,000 to create a “multifactor” login system that requires county elections officials, who input voter data, to use both a password and a key-fob device to gain access.
She said her office now assigns some passwords to employees in county elections departments to ensure they meet minimum security standards.
“Some of our counties had ridiculous passwords like ‘password 1,’ ” Reagan said. “And I’m not kidding.”
She said other changes were made to limit what text can be entered into the database to numbers and letters, blocking the use of symbols that can be used to inject malicious code.
Reagan said those efforts will help secure the state’s outdated system until it can switch to a new registration database before the 2020 election.
Arizona plans to spend about $2.9 million, including some federal Help America Vote Act funds, on the new database. A technology consulting firm, Sutherland Global, is developing it.
Reagan said the move is long overdue, given that its database was built 20 years ago.
“It’s certainly not state-of-the-art,” she said in March. “Ours is pretty old and pretty unstable. (The database) is kind of holding together right now on a wing and a prayer.”
Reagan said the new system will be “built with cybersecurity in mind.”
State government keeps all kinds of sensitive information, from Social Security numbers to driver’s-license information, medical records and tax records.
Outside forces attempt to attack Arizona government websites every day. Those attempts are tracked by the Department of Administration, which oversees the state’s computer systems but not voting systems or voter-registration information.
For example, a November 2016 threat report, obtained from the department last year by The Arizona Republic under the state’s public-records law, showed that alerts from malicious activity spiked four days before the Nov. 8 election and in the two days following.
It is unclear what to make of the spikes. Similar trends occurred the following month.
State records do not explain the spikes, and state officials will not talk in detail about attempted intrusions, citing security reasons.
“These types of attacks are not necessarily correlated to any particular event,” Mike Lettman, the state chief information security officer, said Thursday.
There has been a flurry of conflicting reports, from Reagan and federal officials, about alleged Russian hacking attempts involving Arizona’s voter-registration database.
But reports of at least two distinct attempts have been acknowledged.
In September 2017, Reagan’s office said the Department of Homeland Security notified Reagan that Arizona’s voter-registration system was targeted by Russians during 2016. The DHS said it was one of 21 states where Russians attempted to hack elections systems.
Her office has since said Russian hackers targeted a local government system, which The Republic confirmed was the Phoenix library, not the statewide voter-registration database, in that instance.
The DHS, however, has stood by its statement that Arizona was one of the states where networks “were the target of Russian government cyber actors seeking vulnerabilities and access to U.S. election infrastructure.”
In a separate instance, state officials said the FBI notified them in summer 2016 that a hacker had obtained a Gila County election official’s username and password and tried to log in to the voter-registration database.
State officials said the login information was obtained after a county employee opened an email attachment infected with malicious software.
Matt Roberts, a spokesman for Reagan’s office, said the database’s security system prevented the hacker from logging in. State officials took the voter-registration system offline for about 10 days due to that incident.
“We don’t think they knew what they had, because all they tried to do was sell (the login and password) on the ‘dark web,’ ” Reagan said Thursday of the hackers in that incident.
Roberts said the hacker used a server in Russia, but the FBI couldn’t confirm whether the hacker was tied to the Russian government or simply a cybercriminal.
In hindsight, Reagan said, the Gila County incident made her view the cybersecurity of voter information more seriously, adding, “That’s when I decided to become very proactive on this issue.”
However, she said she wants voters to remember that hackers have targeted registration information, not vote tabulations or election results.
“We have to continually remind people that this is not their vote being hacked,” Reagan said. “That just is not possible when their vote isn’t online.”
On Capitol Hill, it seems Democrats have taken a more alarmist view of election security than Republicans.
Last month, Democrats in the House Administration Committee released a report identifying what they view as the 18 states most vulnerable to election breaches. Arizona was among that group.
In particular, the report faulted Arizona on two fronts. “Arizona’s post-election audit law counts a fixed number of ballots instead of looking to audit a statistically significant number of ballots, thereby making it ineffective at confirming an election result,” the report said.
Also, electronic poll books in Arizona don’t undergo pre-election tests. Officials who use the electronic devices aren’t required to have paper voter registration lists at polling places.
The report said Arizona has requested $7.5 million in election assistance funds, though it wasn’t clear how the state plans to use all of the money. Reagan’s office said part of that money is being used for the new statewide voter-registration database.
Earlier this week, Senate Republicans blocked a Democratic amendment to provide $250 million to beef up election security this year.
The money would have been doled out in grants through the Federal Election Assistance Commission and helped, among other things, replace outdated voting equipment and increase cybersecurity efforts.
The amendment failed Wednesday on a 50-47 vote, well short of the 60 it needed to pass. Only one Republican, Sen. Bob Corker of Tennessee, voted for the grant.