Weeks before the 2016 election, federal officials started making mysterious calls to the head of elections in Inyo County, California. They asked her to contact them if she noticed anything unusual. But they wouldn’t elaborate.
“I asked them: ‘How am I going to be able to protect against it if I don’t know what it is?'” said the official, Kammi Foote.
Now Foote communicates regularly with federal officials. They came to her small county of about 10,000 registered voters to analyze the security of her ballot system. She participates in state and federal information-sharing groups that didn’t exist two years ago and is getting a sensor that can help detect unwanted intrusions.
“I’m feeling optimistic,” Foote said about the Nov. 6 election. “I feel like the entire field of election administration has grown and matured in their ability to understand the cyber component and cyberthreats.”
Election officials and federal cybersecurity agents alike tout improved collaboration aimed at confronting and deterring election tampering. Granted, the only way to go was up: In 2016, amid Russian meddling, federal officials were accused first of being too tight-lipped on intelligence about possible hacking into state systems and later for trying to seize control from the states.
Officials from Homeland Security, the department tasked with helping states secure elections, say the midterms will be the most secure vote in the modern era. They said they haven’t yet seen the type of infiltrations that happened in 2016.
Still, cybersecurity experts aren’t so sure that improved security and local-federal cooperation will be enough, given the breadth of threats that electoral systems may face.
States run elections, a decentralized process that makes it harder for anyone to conduct a nationwide attack on the electoral system. The downside is there is no national playbook. The 10,000 or so election jurisdictions use a combination of paper ballots scanned into computers, entirely computerized ballots stored online and old-school paper ballots, marked and hand-counted by humans.
With the realization that Russian-backed agents were interfering with the 2016 vote, then-Homeland Security Secretary Jeh Johnson designated election systems as “critical infrastructure,” a change that allowed the federal government more leeway to help states. There is no evidence that votes were altered in 2016, but intelligence officials say all 50 states had some type of intrusion, though only a few were compromised, like in Illinois, where records on 90,000 voters had been downloaded.
Johnson’s decision irked some local officials concerned about the federal government meddling in their elections.
“We don’t like to be told what to do without any say,” said John Merrill, Alabama’s secretary of state.
Federal officials concede the beginning was rocky. “Communication was not a key element of the initial rollout,” said Christopher Krebs, Homeland Security’s cybersecurity chief. “When I look at where we are right now, the single most important factor that has been established with our state and local partners is trust.”
States are managing antiquated machinery, built by a few unregulated and secretive vendors. The outdated software is highly vulnerable to cyberattacks. Online voter registration databases are frequent targets.
Election systems are constantly under fire — efforts to steal sensitive data, disrupt services and undermine voter confidence.
“We experience thousands of attempts every day,” Vermont Secretary of State Jim Condos said. In one example, he said his state recently reported that it had blocked two intrusion attempts into its online voter registration database. The federal government, using data from the sensors, traced the attempts to addresses that originated in Russia.
State election officials aren’t cyber experts and government jobs don’t pay enough to attract high-level private-sector information technology workers.
To assist states, Homeland Security offered them vulnerability assessments and help responding to incidents — so far, 37 states have signed up. Secretary Kirstjen Nielsen has urged states to make their systems auditable. Her department has funded “Albert sensors,” systems that can detect attempts to hack into networks. So far, 31 states and 61 counties have installed sensors.
“They are valuable because they give visibility to us, to DHS about what’s going on,” said John Gilligan, executive chairman of the Center for Internet Security, a cybersecurity venture funded by government, academia and the private sector.
State officials say the sensors, while limited, work to paint a picture of what’s happening across the country.
“It doesn’t offer a specific defense,” said Noah Praetz, elections director for Cook County, Illinois. “But it does offer the potential for information.”
Cybersecurity experts warn, however, that the Albert sensors won’t detect all forms of intrusion.
“If something more sophisticated gets in … it’s going to be very, very difficult to detect them,” said Bob Stasio, a former National Security Agency supervisor.
The department this year created the Elections Infrastructure Information Sharing and Analysis Center to help state and local election jurisdictions share information on cyberthreats and security. The Center for Internet Security runs it, and more than 1,100 counties in all 50 states are signed up.
Foote, of Inyo County, said her partnerships with other states have increased her trust of federal officials. She reached out to colleagues in Colorado when she invited federal agents into her county.
“I was still nervous about it,” she said. “But when they got here, what really set my mind at ease was these were not partisan, ideologue people. These are the rank-and-file. They’re experts in cybersecurity.”
Federal officials are handing out security clearances to state and local officials so some can read in on classified briefings, but so far, fewer than 100 have been given. And local officials still know very little about what happened in 2016.
“I never received any information and still — to this day — I have no inside access to anything more than what’s reported in the media and the general public on what those threats are,” Foote said.