[A]mid recent reports about vulnerabilities to U.S. election systems, Vermont Secretary of State Jim Condos says local voters won’t see many changes at their polling places in 2018. But that doesn’t mean his office isn’t paying close attention to cybersecurity.
“We are constantly looking at it,” Condos said. “We monitor our systems on a daily basis.”
Condos said his office solicited a third-party risk assessment of its physical and electronic data systems in 2015. Although he wouldn’t share specifics of the audit — calling that a security risk — he said the process led his office to build new firewalls around several of its web apps and institute regular penetration tests. Those are simulated hacks aimed at revealing vulnerabilities in its IT systems.
“Anybody who tells you they’ve done everything they need to do today — I don’t want to say they’re lying to you, but tomorrow’s a different day,” Condos said. “The bad actors are constantly evolving.”
A New York Times report published Saturday detailed how a number of states are shoring up their voting systems after foreign hacking attempts in 2016. Several state governments plan to update problematic voting machines, move voter information to more secure databases, or implement more advanced post-election auditing systems.
Condos said Vermont’s election systems are already “way ahead of the curve.” Polling places use paper ballots, which minimize vulnerability to electronic hacking and provide physical evidence for recounts.
The state also conducts audits within 30 days after each election: Votes are recounted in six towns to reveal any discrepancies between the paper ballots and Election Day tallies.
In the 2016 election, about 80 percent of the state’s ballots were scanned, with the remainder tallied by hand, according to Condos. Vermont polling places in 2016 counted scanned ballots using AccuVote OS (optical scanner) machines manufactured by Premier/Diebold, according to Verified Voting.
“For someone to hack into these systems, they’re going to have to do a whole lot of work for very little benefit,” Condos said. Before Election Day, a hacker would have to “break into every town clerk’s office, break into their vault where they keep the memory chips, then reconfigure the chips, put it all back together, and get out before anyone knows it.”
Town clerks are required to document the “chain of custody” for memory chips each time they’re removed from vote-counting machines for any reason, Condos said. Each chip is also tested within 10 days before each election and again the morning of Election Day, before the first ballot is scanned.
Voting machines that connect to the internet via either a wired or wireless connection are particularly vulnerable to hacking, according to the DEFCON report. Condos said none of Vermont’s vote-counting machines are networked.
One factor leading to new attention on local voting systems is the Department of Homeland Security’s designation of election systems as critical infrastructure early this year. As a result, DHS, along with the Election Assistance Commission, is forming an intergovernmental council that will assist state election officers with risk mitigation.
Condos said an initial step will be for him and his counterparts to receive federal security clearances so DHS can share more timely and specific information about threats to election systems.
For example, Condos pointed to the three-month lag between initial testimony that 21 states were targeted by Russian hackers during the 2016 election and the eventual release, in September, of details about those attempts.
Because those threats related to a specific voting software system, Condos said, “we were 99.9 percent sure” that Vermont was not among the 21 states targeted. But state officials could not take action until the September disclosure.
As part of the new collaboration, Homeland Security will offer electronic monitoring and penetration testing to states’ systems. Condos said the department already completes regular “cyber hygiene” scans in Vermont, which have not raised any alarms so far.
Gov. Phil Scott announced the creation of a state cybersecurity task force last week, citing “over 3.3 million potentially malicious cyberattacks against our information resources” since January.