Are the state’s elections secure?
Policy changes help, but vulnerabilities remain
Some aspects of how to secure Arizona’s elections from hackers and fraudsters may seem obvious.
Change the passwords on equipment every once and a while, for a start. Oh, and make it complicated, with some numbers and uppercase letters tossed in.
Of course, there is a lot more to fending off cyber attacks.
The Arizona Secretary of State’s Office is writing a new manual for county election officials and its first draft includes additional provisions on security. While experts praise some of those measures as big steps to prevent tampering, they are raising concerns about potential vulnerabilities with other measures.
County officials who administer elections can adopt tighter security standards than those set by the state, but the new election procedures manual will set out the minimum requirements that local officials must follow.
It revises policies last updated in 2014.
Concerns arise about USB sticks, passwords
Among the provisions that raised concerns is a suggestion that a USB stick used to transfer files from one device to another can be re-used if it is cleaned and reformatted.
Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, advised against ever re-using a USB device for such purposes.
Reformatting will not ensure the device is free from malware, he said.
“They’re supposed to be brand new, out of the box every time,” said Marian K. Schneider, president of the national advocacy group Verified Voting. “I don’t know that scanning them with antivirus software is going to be enough.”
Another issue: The proposed manual says that the rosters of registered voters and printers for ballots-on-demand should, “to the extent practicable,” transmit and receive data using security measures such as encryption.
“They’re supposed to be brand new, out of the box every time. I don’t know that scanning them with antivirus software is going to be enough.” Marian K. Schneider
President, Verified Voting
Hall argued for scrapping the caveat about using those standards “to the extent practicable.”
There is no excuse not to use encryption, he said.
The recommended policy for passwords on voting system software is outdated, too, Hall said.
The proposed manual requires passwords contain a mix of characters, such as letters and punctuation marks. Passwords also would have to be changed on a regular basis.
But new standards issued by the National Institute of Standards and Technology say passwords should not have to include a mix of characters. And passwords should not have to be changed arbitrarily, according to the institute’s new standards.
Instead, Hall said to use password managers that can create passwords unknown even to the person using it.
What security experts liked in the manual
But some provisions won praise. The draft, for example, says workers must not connect electronic voting systems to the internet, any wireless communications device or any external network.
That rules out even connecting to a network with a firewall, which has created problems in other parts of the country, Hall said.
In updating the manual, the Secretary of State’s Office scrapped some security provisions because counties no longer use all the same equipment as in 2014.
Electronic security will be a particularly big concern heading into the 2020 election, however.
In August 2016, the FBI notified Arizona of a hacking attempt on the state voter-registration database after a Gila County employee opened an infected email attachment.
The Secretary of State’s Office said in 2017 that the Russian government attempted to hack into the system ahead of voting the last presidential election but did not breach it. Election officials in several states maintain they also were targeted.
The Secretary of State’s Office will submit a final draft of the proposed manual to the Attorney General’s Office for approval before Oct. 1.