Kentucky, Indiana move to keep elections safe from cyber threats
“I worry just a bit, but I’m not really concerned,” Brasch said after voting at the Louisville-Jefferson County Election Center. “I would be real surprised if any foreign entity wants to hack on our local elections,” he added. “We’re just not germane in that sense. Presidential (elections) obviously would be more of a target.”
Across Kentucky and Indiana, this spring’s primaries are the first major elections since federal authorities disclosed Russian efforts to target voting systems in 21 states during the 2016 presidential campaign. And although there is no evidence that any votes were altered, the revelations have prompted officials in both states and across the U.S. to place a new emphasis on election security.
Kentucky has been working with a security consultant since last summer and recently announced a partnership with the U.S. Department of Homeland Security to train local election officials about online and other threats. Homeland Security representatives were in Indiana for last week’s primary elections.
In Louisville, next week’s primary elections will mark the debut of $3.2 million in new voting equipment, including touch-screen machines that will complement traditional paper ballots. Even with the changes, none of the equipment is connected to the internet or holds data susceptible to online attacks, said Nore Ghibaudy, spokesman for the Jefferson County Board of Elections.
“You cannot hack into a system that’s not hackable to the rest of the world,” he said. “That’s why in Jefferson County, I think your vote is definitely secure.”
All voting machines in Jefferson County produce paper records, including the new ExpressVote devices that allow voters to choose candidates on a screen. But other counties in Kentucky and Indiana still use paperless voting equipment, a practice that elections observers say could prevent accurate audits once voting has ended.
The left-leaning think tank Center for American Progress gave Kentucky a “D” grade, and Indiana an “F,” in a report published in February on election security in the U.S. It cited the lack of a paper trail from voting machines in both states as one reason for the low ratings.
The Republican-led U.S. Senate Intelligence Committee, which is investigating Russian meddling in the 2016 elections, has recommended that states replace old and vulnerable election equipment and ensure that new voting machines can create a paper trail.
The panel also has urged states to tap federal funds to boost cybersecurity by hiring additional computer experts or using contractors, and paying for election audits.
Congress set aside $380 million earlier this year in election security funds for states. While applauding the move, the Brennan Center for Justice at New York University’s School of Law noted that the money wouldn’t be enough to replace paperless voting machines in most states that now use them, including Kentucky and Indiana.
Alison Grimes, Kentucky’s Secretary of State and chair of the state Board of Elections, said she agrees with that analysis.
“We know the equipment that we are using throughout the nation – not just in Kentucky – is dated, some upwards of 15-plus years,” she said. “That takes money. Just like roads to build, it takes money to repair our election equipment.”
The elections board will now require that all new voting equipment bought in Kentucky create a hard copy of each ballot. While every county offers electronic voting machines for people with disabilities, a “handful of counties” rely exclusively on equipment that leaves no paper trail, Grimes said.
Among them is Fayette County, home to Lexington, Kentucky’s second-largest city. Fayette moved to its current system in the early 2000s because of concerns that people could tamper with paper ballots, said County Clerk Don Blevins Jr.
Blevins said he agrees with the push to have a paper backup for all new voting machines. But the state elections board’s mandate “puts us in an awkward position,” because replacing all of Fayette’s equipment would cost $4 million to $5 million, he said.
Local governments ultimately must pay for new voting machines. In Louisville’s case, for example, election officials used federal and city funds to cover the cost of the new equipment.
Individual counties must decide when to replace their equipment, but the state elections board only will certify machines that leave a paper trail. In the meantime, Grimes said state officials will decide how best to spend the federal funds to “protect the infrastructure of Kentucky now.”
Kentucky was not one of the 21 states identified as targets of Russian interference in the 2016 elections. Hackers did breach voter registration databases in Illinois but weren’t able to manipulate the 76,000 records that were accessed, the Associated Press reported.
Kentucky already is working with a consultant, CyberScout LLC of Scottsdale, Ariz., under a $150,000 annual contract with the elections board to identify voting and elections weaknesses. In a statement, Grimes’ office said the company’s assessment isn’t yet complete but declined to say if there’s been any discussion about extending the contract when it expires in June.
Like other states, Kentucky also has asked the Homeland Security Department to perform a risk assessment of the elections systems. That’s expected to be completed this month.
And in April, Grimes unveiled a partnership with federal authorities to train county clerks and local election officials about online and other threats to elections. The training includes emphasizing password protection and other basic security practices.
“The techniques that we have foreign adversaries using to meddle and disrupt and cause chaos – these aren’t new techniques,” Grimes said. “They just are being applied in a new scenario.”
In an ever-changing arena of cyberwarfare, there are plenty of possible risks. In the case of Kentucky and Indiana, the threats to election data are reduced because equipment isn’t connected to the internet, said Roman Yampolskiy, professor of computer engineering and computer science at the University of Louisville.
But Yampolskiy, who directs U of L’s cybersecurity lab, said hackers could find other ways to disrupt or control computers and other devices used by elections officials. Those could include harmful software placed on a machine when it’s manufactured, as well as “phishing” attacks that seek to get people to click on malicious links sent my email.
“All of us are subject to social engineering attacks,” Yampolskiy said. “If somebody wants to get access, they will design a good phishing attack where somebody will click something and give away safety.”
In Indiana, Secretary of State Connie Lawson spends “at least an hour a day on this topic and on many days much more,” she wrote in an essay for the Brookings Institution in February. She emphasized that, as in Kentucky, none of the state’s voting equipment is connected to the internet.
Lawson also said in the essay that Indiana has started training county and state workers to recognize phishing attempts.
There was no “unusual activity” detected during last week’s primaries, Valerie Warycha, Lawson’s chief of staff, said in an email.
In Floyd County, Ind., computer technicians have put a “tighter control” on the email system and beefed up advisories about email safety, said Christy Eurton, the county clerk.
Voters there use a touch screen to make their selections, which are then printed out onto a paper ballot that is scanned and tabulated. The system mirrors the new equipment being rolled out in Louisville.
And, like her counterparts across the Ohio River, she insists the voting process is protected from hackers.
“I can tell you until I’m blue in the face that our system is not connected to the internet. It’s not,” she said. “There’s not a keyboard, there’s not a laptop that goes with the voting systems.”
“In essence,” she said, “we still are a paper ballot system.”