OLYMPIA – Exercises that simulate a hacking attempt. Assistance from the U.S. Department of Homeland Security, with higher-level security clearances for top state officials. A Washington National Guard contingent ramping up to go on alert.
In years past, you might have mistaken these preparations as defense against a foreign invasion.
But in Washington, in 2018, this is what officials are doing to safeguard the state’s elections systems.
Roughly a year after Russia’s interference in the 2016 presidential elections, federal officials announced that Russian hackers had targeted the election systems of at least 21 states, including Washington.
In Washington’s case, hackers scanned voter-registration systems looking for weak spots. No breach was made.
But now Washington officials face a landscape of threats as they prepare for the Aug. 7 primary and Nov. 6 general election – and what will likely be a divisive 2020 presidential election.
The efforts come as states across the nation work to shore up their voter-registration rolls, vote-tabulation systems and election procedures.
Washington is widely considered to have one of the more secure elections systems, in part because its mail-in balloting means the state has a paper record for almost every vote cast. Those ballots can always be recounted, if any question emerges.
Still, national experts agree Washington has some spots that could be compromised by hackers, such as votes returned by email from members in the military, and a voter-registration system run by the state Department of Licensing that recently ran into trouble.
The Washington Secretary of State’s office, which oversees elections, has ramped up its efforts to deal with interference by foreign nations and criminal hackers.
Secretary of State Kim Wyman has teamed up with the U.S. Department of Homeland Security (DHS) and is pushing for more resources for her office and the counties, which administer elections, to beef up their information-technology capabilities and training.
Federal and state officials say hackers aren’t targeting Washington at this moment, but that could change as this year’s elections approach, as well as the next presidential election.
The threat isn’t just about keeping elections secure, Wyman said. It’s also about keeping voters’ faith in their democracy.
“The frightening thing for me is that there are those that are trying to undermine democracy at its foundation,” said Wyman. “That if they can cast doubt on the outcome of an election, people start to lose confidence in our election system.”
Wyman’s office is expected to soon sign an agreement to allow Washington Air National Guard cybersecurity experts to help with anti-hacking efforts. The arrangement, the first of its kind in Washington, is expected to be finalized this month.
Col. Gent Welsh, commander of the Washington Air National Guard’s 194th Wing, says his people will bring in an added layer of expertise to look at the system before November’s general election.
The units involved come from what Welsh described as “probably nation-leading cyber squadrons” that have worked with the U.S. Department of Defense.
The group will consist of about a dozen people, including guard members who in their day jobs work at Microsoft, Amazon or security companies, he said.
“If you’ve got a military-grade adversary,” said Welsh, “it makes sense to bring in military-grade assets.”
Viruses, email votes
In 2016, the Russian hackers who targeted the 21 states did indeed breach at least one election system, in Illinois.
News reports have suggested a half-dozen additional states – though not Washington – may also have had their systems compromised.
Washington has one big security advantage: Unlike many other states, it never adopted voting systems that depend wholly or predominantly on computer software.
The state’s paper mail-in ballots serve as a concrete record for officials to go back and recount.
“In terms of cybersecurity threats, it seems that vote-by-mail states are a lower risk,” said Marian Schneider, president of nonprofit Verified Voting Foundation, which advocates for accurate and secure elections.
That doesn’t mean Washington is immune to hacking from foreign governments or criminal interests.
Elections-security experts point to potential weak spots, such as ballots that can be returned via email.
Any voter in Washington can download and return a ballot by email, according to Wyman. But in those instances, nonmilitary voters are supposed to send in a paper ballot as a backup.
That might happen, for example, if a voter forgets about the election and can’t get their paper ballot in on time, said Wyman. The voter would download and email an electronic ballot from the county elections office or the Secretary of State’s website, and then later send in the paper ballot.
But members of the military can return a ballot only by email – which can be considered the official record. Emailed ballots can be manipulated by hackers, or used to insert a virus aimed at the state’s elections systems once it is opened, said Susannah Goodman, director of voting integrity for the nonprofit advocacy group Common Cause.
Goodman called those email votes “the lowest-hanging fruit” for potential hackers to target, and said some states limit their use to only members of the military serving in hostile zones.
Wyman said her office is considering ways to limit email-only ballots, perhaps to military members serving overseas.
“We’re basically soliciting, ‘Please send us an email with an attachment that we could open,’?” said Wyman. “And I just think that has some risk to it that probably isn’t worth it anymore.”
Another potential weak spot arose earlier this year.
In February, state officials announced a software problem in the Washington Department of Licensing motor-voter system that caused thousands of people to be left off the voter rolls.
The glitch largely involved people who changed names on their driver’s licenses and received a new driver’s license number. Thousands of registrations weren’t transmitted to the Secretary of State’s voter rolls.
That problem wasn’t the result of hacking, but it showed how issues with electronic databases can mess up the elections system.
Wyman’s office is now doing daily audits of motor-voter data, as well as more extensive audits before elections, to make sure the voter rolls are accurate, said Lori Augino, director of elections for the Secretary of State’s office.
Other challenges remain.
While Washington has postelection audits to make sure votes are tabulated correctly, Goodman said they need to be stronger and currently “would not likely detect serious tampering.”
State lawmakers this spring approved a bill, HB 2406, that includes efforts to begin strengthening such audits.
Russia not only threat
Last month, about 250 state and county election officials met in Spokane for their annual conference. Augino, federal officials and others helped conduct exercises there designed to simulate hacking attempts.
In one scenario, an elections supervisor picked up in a parking lot a thumb drive labeled election-night results – but the drive contained a virus to attack the elections system.
It gave county officials a chance to ponder how a problem like that might be detected and minimized, Augino said.
The Secretary of State’s office has secured about $8 million in federal grants to safeguard elections and replace old elections infrastructure.
Among other things, that money will go toward staff training and equipment to strengthen cybersecurity monitoring and firewalls for both Wyman’s office and county elections offices, she said.
Some of the money also will expand the Secretary of State’s IT team, which currently has two people, Wyman said. That will allow the team to help elections officials in Washington’s smaller counties.
Even before the 2016 ballots were cast, the Secretary of State’s Office began working with DHS and FBI to detect and repel hacking attempts.
Wyman’s office began sharing information with the two agencies about possible threats, including the IP addresses, or identifying information, of computers engaged in suspicious activity.
DHS continues to send weekly notices about threats to states, said Matt Masterson, an elections adviser for the agency. In Washington, DHS also does regular scans of election websites to detect possible weak spots that hackers could exploit, Masterson said.
Meanwhile, Augino is one of about 15 state officials serving on a national coordinating group between state and federal officials. She and Wyman have both received higher security clearances so federal officials can share cybersecurity information.
While officials might be thinking of Russian interference, that nation isn’t the only possible perpetrator, said Edgardo Cortis, election security adviser for the Brennan Center for Justice in New York.
“It may be Russia today, but we don’t really know what could be coming down the pike,” said Cortis. “China’s a very sophisticated actor, maybe North Korea.”
“But you also have criminal actors out there too,” he added.
Meanwhile, Wyman’s office plans to roll out a new statewide voting-software system next spring, with hopefully enough time to work out the bugs during the 2019 primary and general elections.
“And then that way we can get two elections under our belt before we go into the presidentials,” she said.
Subscribe to the Morning Review newsletter
Get the day’s top headlines delivered to your inbox every morning by subscribing to our newsletter.