A week ago, the Senate Intelligence Committee released a report confirming the extensive effort on the part of Russian operatives to attack election systems across the country during the 2016 election. The bipartisan report found all 50 states were targeted. It describes “an unprecedented level of activity against state election infrastructure,” largely seeking to identify areas of vulnerability. The report bolsters calls for the federal government to provide states with additional resources to enhance security.
Unfortunately, Mitch McConnell, the Senate majority leader, has resisted efforts to make the funding available, though the House already has acted and federal money allocated two years ago has been spent. The report makes plain the need, noting that while some states have been highly focused on developing a strong culture of cybersecurity, others have made little progress.
New Jersey, for instance, does not generate an auditable paper trail at any of its counties, the state now with three pilot programs.
What about Ohio? The state is among those at the front. In June, Frank LaRose issued a directive to all county boards of elections, building on past steps by setting in motion several new requirements for upgrading security. The secretary of state stressed the value of redundancy, of layering numerous, complementary and reinforcing approaches.
That explains the secretary calling for the installation of Albert intrusion devices on the networks of all 88 boards. This equipment monitors electronic traffic flow and provides security alerts when the network is violated. The Security Information and Event Management Logging system (SIEM) brings a greater level of sophistication. It collects data from network devices, servers and other elements, trapping the information in a “black box,” allowing officials to see the activity of an intruder.
Both tools are provided by the secretary of state’s office through federal dollars. They are complemented by another layer of protection regarding email. Boards of elections already have taken steps to prevent phishing, attackers sending deceptive email to trick a user into allowing their entry. Now the secretary wants boards to use only a .us or .gov domain name — plus tap services that help to identify whether an email is legitimate, the security sequence similar to the additional layer required by banks.
The secretary also has required boards to request a set of services from the Department of Homeland Security, again, to achieve crucial redundancy. The services include assessing the level of vulnerability by trying to hack into a board network and conducting a “cyber threat hunt,” an in-depth review to see whether a network has been compromised. Add to the requirements more training and criminal background checks of employees and vendors or contractors.
Is all of this too much? A pilot program involving three counties, Hocking, Miami and Wood, has shown good results. The concern isn’t so much that hackers would alter vote totals, the voting apparatus offline, as it is messing with voter registration data. Recall the recent episodes in Baltimore and Atlanta, attackers essentially locking up city government data. Imagine such an event on the eve of a presidential election, the potential for disruption, not to mention a loss of public confidence in election systems, or the core of democratic governance.
That has been a leading message of Robert Mueller, the special counsel who investigated the Russian cyberattack. In his congressional testimony last week, he repeated his warning about Russia trying again in a “sweeping and systematic” way, something that “deserves the attention of every American,” as he has put it. Thus, it is good to see the secretary of state’s office at the lead in building a culture of security. Now the U.S. Senate needs to join the effort.