Election Security in 2020 Comes Down to Money, and States Aren't Ready

The front line to protect the integrity of the U.S. presidential election is in an Illinois strip mall, next to a Chuck E. Cheese’s

(Bloomberg Businessweek) -- The front line to protect the integrity of the U.S. presidential election is in a Springfield strip mall, next to a Chuck E. Cheese’s restaurant. There, inside the Illinois Board of Elections headquarters, a couple dozen bureaucrats, programmers, and security experts are furiously working to prevent a replay of 2016, when Russian hackers breached the state’s voter registration rolls.

For 2020, Illinois is deploying new U.S. government software to detect malicious intrusions and dispatching technology experts to help local election officials. Even the National Guard, which started its own cyber unit several years ago, is on speed dial for election night if technicians need to be rushed to a faraway county.

Still, Illinois officials are nervous. The cash-strapped state remains far short of the resources needed to combat an increasing number of nations committing geopolitical breaches. “We’re in an unusual time, and yes, there is concern about whether we have enough to go into 2020 totally prepared for what the Chinese, Russians, or North Koreans or any enemy of the United States may do to influence our elections,” says Governor J.B. Pritzker, a Democrat. “We’re securing our elections with state resources, but there is a federal need. This is a national crisis.”

State election authorities are more prepared than they were four years ago, when they weren’t focused on the threat of voting system hacks. But Illinois’s struggles illustrate how outmatched most states are and how money—and the cyberskills of local authorities—will determine whether election infrastructure from Illinois to Florida will be secure in November 2020. While those two were the only states named in special counsel Robert Mueller’s report as targets of election meddling by Russian hackers, the Senate Intelligence Committee in July concluded there were “extensive” efforts to hack all 50 states.

In 2016, Russia’s cyberforces sent e-mail phishing messages and tested the vulnerabilities of voting systems. Election-security experts fear that was merely practice for a much more aggressive effort, according to the Senate panel’s report. The biggest concern is that foreign actors could change enough votes to swing an election. Experts say that’s almost impossible because machines generally aren’t connected to the internet and votes are counted and audited at thousands of individual polling places. A more plausible concern: Hackers meddle with data that poll workers depend on. If voters’ information is altered or their names removed from registration lists, the result could be anger and chaos that undermine the election’s legitimacy.

Funding remains a key obstacle. In Illinois, officials have said they need about $175 million to rebuild and defend the election apparatus but have received slightly more than 7% of that amount. Like Illinois, most states don’t have enough money to pay for new security measures that experts say are required to ward off increasingly sophisticated attacks, according to state election officials across the country, academics who study election security, and executives at cybersecurity companies.

The scale of the country’s election infrastructure is a big part of the problem. Elections are administered by state and local officials, which means all 50 states must wage their own battles with the U.S.’s geopolitical rivals. Convincing smaller and rural counties with few resources that they too could be targets remains a challenge, says Matthew Masterson, senior adviser on election security at the U.S. Department of Homeland Security. They often lack even basic security measures, such as two-step verification for accessing internal election databases. “They think, ‘Who would want to bother us?’ ” he says.

Since last year, Congress has distributed $380 million to the states, which have used much of that money to install a threat-monitoring system called Albert, a spinoff of a federal surveillance program. But Senate Majority Leader Mitch McConnell has blocked a Senate bill to distribute an additional $600 million for state election security, and state legislatures historically have been stingy in funding efforts. Florida’s Republican governor, Ron DeSantis, said in June that he’d identified $5.1 million to fortify cybersecurity. The state spends more on citrus research and animal control, according to its 2019 budget.

The state’s Republican senior U.S. senator, Marco Rubio, says it makes sense that hackers would continue to target his state. “If you wanted to conduct influence operations in this country by undermining people’s confidence in our election system, Florida would be on the top of your list,” he says. “We’re a large state. We’re a diverse state. We’re politically competitive.”

Russians infiltrated two unnamed Florida counties in 2016, but state officials had no idea the counties had been breached until after the election, when they were informed by federal agents, according to officials close to the investigation who asked not to be identified. Federal authorities aren’t releasing the names of the counties to stave off embarrassment and to encourage local governments to be forthcoming if additional flaws are discovered.

In Illinois, election authorities are at odds with DHS over how successful Russian hackers were in breaching the state’s system. Illinois officials say Russian cybersleuths gained access for almost three weeks, secretly downloading and attempting to alter more than 200,000 registration records before they were caught. They barraged the system with so many commands that the registration site stopped working, says Matt Emmons, who’s overseeing the state’s election security effort. “The general consensus is they wanted us to know what they had done and where they had been.” DHS staff told the Senate Intelligence Committee that the attackers could have done far more damage and maybe did, according to the panel’s report. The differing accounts suggest continuing friction between states and the agency, potentially creating an intelligence gap as the 2020 election approaches.

Officials in Illinois are resorting to some old-school techniques to bolster security at their strip mall headquarters. When European government officials visited in July to determine how U.S. election systems differ from theirs, the state required them to undergo background checks. It was an acknowledgment that preparing for another 2016-style attack isn’t enough. “We’re constantly telling our clients that it’s no longer a matter of ‘if’ you’ll be attacked, but rather a matter of ‘when,’ ” says Haiyan Song, vice president and general manager of Splunk Inc., a San Francisco-based cybersecurity firm. “That certainly applies to governments in election security, as well.” —With Jonathan Levin and Daniel Flatley

To contact the editor responsible for this story: Dimitra Kessenides at dkessenides1@bloomberg.net

©2019 Bloomberg L.P.