Learning 2016's Lessons, Virginia Prepares Election Cyberdefenses

Enlarge this image toggle caption Pam Fessler/NPR Pam Fessler/NPR

This fall's statewide elections in Virginia and New Jersey are the first big test of security measures taken in response to last year's attempts by Russia to meddle with the nation's voting system.

Virginia was among 21 states whose systems were targeted by Russian hackers last year for possible cyberattacks. While officials say the hackers scanned the state's public website and online voter registration system for vulnerabilities and there's no sign they gained access, state authorities have been shoring up the security of their election systems.

One of the most drastic steps was a decision by the Virginia Board of Elections earlier this month to order 22 counties and towns to adopt all new paper-backed voting machines before November. The board decided that the paperless electronic equipment they had been using was vulnerable to attack and should be replaced.

"Got thrown a curve ball," says David Bjerke, director of election in Falls Church, a city in northern Virginia that was among those affected.

Within days, Falls Church ordered a new voting system that combines paper ballots with optical scan machines. The paper ballots are filled out by voters, scanned and then stored in a locked bin and can be counted later if the machine-scanned tally is questioned.

Bjerke says this should make voters more confident that the election is secure, although he admits in his small town — which has only 10,000 registered voters — most people believe the threat of a foreign nation hacking their system is pretty remote.

"Hey, we don't have to worry about it. It's not like they're going to target us," he says many voters think. But, he adds, "unfortunately, we've seen localities get targeted."

He notes a leaked National Security Agency report that Russian intelligence agencies sent malicious e-mails last year to more than 100 local election offices as part of a phishing attack. There's no evidence any of those offices were compromised.

Then this summer, hackers at a convention in Las Vegas easily broke into some of the paperless voting machines used in Virginia, which is one reason the state banned them so abruptly.

"In terms of cybersecurity, it's something we worry about here every day and every night," says Edgardo Cortes, Virginia's commissioner of elections.

Cortes says he isn't worried so much about hackers changing votes as he is about someone causing confusion at the polls by tampering with something like the voter registration lists.

To prepare for such possibilities, Cortes and others in his office met in Richmond two weeks ago with representatives of the state police, the state IT agency, county registrars, emergency managers and others to go over Election Day contingency plans that prioritize making sure voters can continue casting ballots no matter what. In the past, such pre-election meetings have focused on potential incidents like hurricanes and power failures, but this year there's a new sense of urgency.

"We over the past year and a half in elections have seen a big change in the need for security around elections and the threats that are out there against election systems," Cortes told the group, emphasizing the importance of sharing emergency contact information and knowing what everyone's role will be in the event of a disruption.

And that's always a possibility. There's no evidence any votes were affected, but Russian hackers last year were able to gain access to Illinois' statewide voter registration database, and the username and password of an election worker in Arizona.

This year, Virginia gave its local registrars special cybersecurity training, on things such as how to detect a phishing attack and protect passwords.

The state is also working more closely with federal authorities. Bob Kolasky, acting deputy undersecretary for the National Protection and Programs Directorate at the U.S. Department of Homeland Security (DHS), says his agency is now in weekly contact with election officials in Virginia and New Jersey.

"And as they ramp up toward the election, we're obviously looking to see if there's any signs of anything which would cause a need for increased attention," he says.

Kolasky says he hasn't seen any such signs yet, but promises that if there are, the agency will be more open to sharing data than it was last year. States complained they were denied important information about threats to their election systems, making it more difficult for them to ensure they were secure.

DHS is also in the process of getting security clearances for the top election official in each state so they'll have access to classified intelligence about cybersecurity threats.

Election security watchdogs say they're encouraged, especially by Virginia's decision to get rid of its paperless machines. Still, Susan Greenhalgh, of a group called Verified Voting, says using paper ballots is only the first step, and that they need to be counted to detect tampering.

"We need to use them to audit the election results. It's like we can have a seatbelt in our car but unless we actually strap in, that seat belt doesn't give us any safety," she says.

Virginia plans to start conducting such post-election audits, but not until after next year's election.

In the meantime, Falls Church officials have a more immediate concern — informing voters who are used to casting their ballots electronically that they'll now have to use paper and pen.