County boards of elections in Ohio are bringing in experts to size up whether their computer systems are vulnerable to hackers.
In the wake of 2016 campaign email hacking by Russia, the U.S. Department of Homeland Security This year, the Ohio Secretary of State Jon Husted .
Now boards have until Oct. 15 to submit security audits to the state. The directive from Husted鈥檚 office requires boards to try to fix major problems by Election Day in November.
鈥淐ertainly the goal is to have any threats assessed and remedied prior to November鈥檚 election, which is a very, very aggressive timeline,鈥 Aaron Ockerman, the director of the Ohio Association of Election Officials, said. 鈥淏ut that being said, I think it demonstrates the importance of the topic.鈥
Last year, the secretary of state鈥檚 office said in Ohio鈥檚 election system in 2016. The state said the attempt lasted less than a second, the hackers did not break inside and the system is secure.
Local governments have suffered cyberattacks in recent years. In 2013, hackers compromised personal information . Last year, .
This year, the state is making $4.9 million available for counties to hire 鈥減athfinders鈥濃擨T firms or experts at local community colleges鈥攖o conduct the assessments.
The money is coming out of a $12 million federal award . In all, the federal government approved $380 million for states this year, the latest disbursement under the Help America Vote Act of 2002.
The state wants boards to follow published by the nonprofit Center for Internet Security. The book, which lists dozens of ways counties can protect against hacking, serves as the road map for pathfinders鈥 audits.
Candice Hoke, a co-director for the Center for Cybersecurity & Privacy Protection at Cleveland-Marshall College of Law, said Ohio and the federal government are taking some positive steps.
But she said she has concerns about counties鈥 resources and know-how.
鈥淭he biggest concern that I have is the lack of security knowledge within the boards of elections for making good judgments about how to use those moneys, including which kinds of firms to hire,鈥 Hoke said.
As for the security assessments, Hoke said they should have happened sooner.
鈥淩ight now, yes, we are in catch-up mode,鈥 Hoke said. 鈥淥ctober is way too late. We鈥檙e already in the midst of receiving voted absentee ballots by mid-October. So it鈥檚 way too late.鈥
Portage County as Role Model for Best Practices
Portage County offers one example of how local election officials are trying to guard against hacking and other online disruptions. The county contributed best practices to CIS鈥檚 cybersecurity guidebook.
At the board鈥檚 office recently, director Faith Lyon opened a door into the room where a computer will tabulate November鈥檚 results. That PC, Lyon said, is not connected to the web.
鈥淣o internet. No connectivity whatsoever,鈥 she said. 鈥淭hese are actually single-source. They鈥檙e not even connected into our county system within our office.鈥
The election board鈥檚 computer server is separate from the rest of Portage County鈥檚 government systems, Lyon said. Staff don鈥檛 have internet access at their desks, a decision Lyon said was made years ago.
鈥淲e literally have two computers in our office that have internet connectivity,鈥 she said.
On election night, staff use those computers to send vote totals to the secretary of state鈥檚 office and to upload them to the board鈥檚 website.
To get the data from the tabulation computer onto the ones with internet, the board uses thumb drives鈥攍ots of them.
鈥淥ne direction, one use each thumb drive,鈥 Lyon said. 鈥淪o on an election night, we can easily go through 20, 30 thumb drives, and they are never used again. They are literally disposed of after our disposal period.鈥
By using the drives only once, the board tries to reduce the risk that malware could hop from the internet back onto the vote tabulation computer.
Involvement With Homeland Security
Security assessments aren鈥檛 the only way Ohio is preparing.
Boards have been role-playing worst-case scenarios funded by the federal government.
A number of election officials met for exercises in July in Independence, Lyon said. She said officials practiced how they would respond to a compromised registered voter database, contaminated USB drives, the spread of phony election information and other problems.
The state has also directed boards to join the , an initiative supported by the Department of Homeland Security. EI-ISAC sends email newsletters to boards with resources and alerts about potential threats.
DHS has offered Ohio鈥檚 largest counties which detect potential intrusions into computer systems. Spokesmen for the boards of elections in Franklin and Cuyahoga counties confirmed the boards are using the sensors.
鈥淲hat you鈥檙e trying to do is build something that鈥檚 called defense in depth,鈥 Matt Masterson, a senior advisor at DHS, said. 鈥淵ou build layers of security such that you make it difficult for a malicious actor to get full access to any given system.鈥
Masterson, who used to work in Husted鈥檚 office, said boards should also watch out for human error鈥攕uch as staff falling for phishing attacks by clicking malicious links in emails.
鈥淥ne of the things we offer state and county officials is a multi-week phishing campaign assessment where we will send progressively more sophisticated phishing emails to the participants and then share back click rates,鈥 Masterson said.
Masterson, Hoke and other experts say boards should focus on becoming resilient, such as by backing up data. That way, if anyone does try to disrupt the election, the system can bounce back.
Copyright 2021 90.3 WCPN ideastream. To see more, visit . 9(MDA5NTM4MTIyMDE0MTg3NDc2MTVlZjdmNQ001))
