Update, June 20:
It appears Wisconsin will become the 28th state to begin using electronic poll books. The Wisconsin Elections Commission on Tuesday voted to have its staff develop the necessary software and then offer it to municipalities. They could use it if they purchased the hardware needed – laptops and printers. Until now, the state has used paper poll books, which are printouts of all registered voters in the ward and their addresses. There are companies that sell the software, but Wisconsin is opting to create its own and save money in doing so.
Original story: June 12, 2017
WEC’s Reid Magney talks about safeguards to Wisconsin’s voting system. While there are reports that Russia attempted to disrupt last year’s U.S. presidential election, including by penetrating a Florida company that provides some communities with software for their electronic poll books, Wisconsin did not notice anything suspicious, according to Reid Magney, spokesman for the Wisconsin Elections Commission.
“Wisconsin does not have electronic poll books. All of our poll books are printed on paper. What happened in Florida is that the Russians somehow were able to steal identities or credentials for this voting company, and then (the hackers) sent emails to local elections officials in Florida and to some other states where the company does business – trying to get people to click on malicious links or open Word documents that contained malicious software,” Magney says.
Is Wisconsin moving toward electronic poll books, and if so, how do you (plan to secure them)?
“We are moving toward electronic poll books – the commission is meeting on June 20 and will get a presentation about electronic poll books. Do we want to build our own system, or do we want to essentially set standards and let vendors meet those standards and then sell their products to clerks in Wisconsin, the way we now do with voting equipment? But any system that gets approved will have to have very strong security,” Magney says.
What types of protections are in place in Wisconsin to guard against a (cyber) attack or to detect one, if it is taking place?
“We have 1,853 municipal clerks and 72 county clerks whom we partner with in running elections in Wisconsin. We have a statewide voter registration system, which keeps the names and addresses of all the people who are registered to vote and information about the election (such as) where the polling places are, who the poll workers are, who the candidates are, etc. We have a very sophisticated system set up and one that we just essentially rebuilt and re-launched last year. We have excellent security associated with that.
“Now the issue is, if someone were to trick somebody who has access to that system into giving up their credentials, it is possible someone could get access to that system. But again, if you are a clerk in a city, that clerk only has access to that city’s records, not the whole state’s,” Magney says.
Magney says Wisconsin has other safeguards in place to identify if a hacker had entered the system and was doing something malicious. While WEC leaders have not seen or heard evidence of anything like that happening, he says they are reminding clerks to be careful, in light of Russian attempts to attack voting systems.
“In Wisconsin, almost 90 percent of ballots are cast on paper, either optical scan paper ballots or hand-counted paper ballots. There are about 10 percent that are cast on touch-screen voting machines and even those have a paper trail to them. So these machines are not connected to the internet and the system is very decentralized. There is no one place that holds the programming to all the machines, so there is no one place where the system is vulnerable – it is all very distributed,” Magney says.
A 25-year-old federal contractor was charged Monday with leaking a top secret NSA report detailing how Russian military hackers targeted US voting systems just days before the election. The highly classified intelligence document, published Monday by The Intercept, describes how Russia managed to infiltrate America’s voting infrastructure using a spear-phishing email scheme that targeted local government officials and employees. It claims the calculated cyberattack may have even been more far-reaching and devious than previously thought.
The report is believed to be the most detailed US government account of Russia’s interference to date. It was allegedly provided to the Intercept by 25-year-old Reality Leigh Winner, of Augusta, who appeared in court Monday after being arrested at her home over the weekend. She was charged with removing and mailing classified materials to a news outlet, DOJ officials said.
“Releasing classified material without authorization threatens our nation’s security and undermines public faith in government,” Deputy Attorney General Rod J. Rosenstein explained in a statement. “People who are trusted with classified information and pledge to protect it must be held accountable when they violate that obligation.”
Winner, who works as a contractor at Pluribus International Corporation, allegedly leaked the report in early May. A federal official told NBC News that she had, in fact, given it to the Intercept. According to the document, it was the Russian military intelligence that conducted the cyber attacks last year. Specifically, operatives from the Russian General Staff Main Intelligence Directorate, or GRU, are said to have targeted employees at a US election software company last August and then again in October.
While the name of the company is unclear, the report refers to an undisclosed product made by VR Systems – an electronic voting services and equipment vendor in Florida that has contracts in eight states, including New York. The hackers were given a cyber espionage mandate specifically directed at U.S. and foreign elections, the report says. On August 24, 2016, the group sent the employees fake emails, which were disguised as messages from Google. At least one of the workers was believed to be compromised.
In late October, the group established an operational Gmail account and posed as an employee from VR Systems, using previously obtained documents to launch another spear-phishing attack targeting US local government organizations, the report says. According to the NSA, the hackers struck on either October 31 or November 1, sending spear-phishing emails to at least 122 different email addresses associated with named local government organizations.
They were also likely sent to officials involved in the management of voter registration systems, the report says. The emails were said to have contained weaponized Microsoft Word attachments, which were set up to appear as unharmful documentation for the VR Systems EViD voter database but were actually embedded with automated software commands that are secretly turned on as soon as the user opens the document.
The hack ultimately gave the Russians a back door and the ability to deliver any sort of malware or malicious software they wanted, the report says. In addition, the NSA document also describes two other incidents of Russian meddling prior to the election. In one, the hackers posed as a different voting company, referred to as US company 2, from which they sent phony test emails offering election-related products and services.
The other operation was said to be conducted by the same group of operatives, and involved sending emails to addresses at the American Samoa Election Office, in the attempt to uncover more existing accounts before striking again. It is ultimately unclear what came of the cyberattack, but the NSA report firmly states that the Russians had been intent on mimicking a legitimate absentee ballot-related service provider.
“It is unknown whether the aforementioned spear-phishing deployment successfully compromised the intended victims, and what potential data could have been accessed by the cyber actor,” the NSA states of the result of the hacking. While the government employees were only hit with simple login-stealing tactics, experts told the Intercept that such operations could prove even more dangerous than malware attacks in some instances.
VR Systems doesn’t sell voting machines, but holds contracts in New York, California, Florida, Illinois, Indiana, North Carolina, Virginia, and West Virginia – making it a prime target for those who want to disrupt the vote and cause chaos come election day.
“If someone has access to a state voter database, they can take malicious action by modifying or removing information,” Pamela Smith, president of election integrity watchdog Verified Voting, told the Intercept.
“This could affect whether someone has the ability to cast a regular ballot, or be required to cast a provisional ballot – which would mean it has to be checked for their eligibility before it is included in the vote,” she said. “And it may mean the voter has to jump through certain hoops such as proving their information to the election official before their eligibility is affirmed.”
At least one US intelligence official admitted to the Intercept that the Russian hackers described in the NSA report could have disrupted the voting process on November 8, by specifically targeting locations where VR Systems products were in use. They cited the simple possibility of compromising an election poll book system, which could cause widespread damage in certain places.
“You could even do that preferentially in areas for voters that are likely to vote for a certain candidate and thereby have a partisan effect,” explained Alex Halderman, director of the University of Michigan Center for Computer Security and Society.
In response to the report, VR Systems Chief Operating Officer Ben Martin told the Intercept: “Phishing and spear-phishing are not uncommon in our industry. We regularly participate in cyber alliances with state officials and members of the law enforcement community in an effort to address these types of threats. We have policies and procedures in effect to protect our customers and our company.”
Federal and state governments should emphasize planning for recovering after a cyberattack rather than focusing so much on preventing the attacks, the commander of the Washington National Guard’s cyber unit has told a Senate committee. Washington state is trying to integrate cybersecurity into its plans for responding to emergencies, Col. Gent Welsh told the Senate Energy and Natural Resources Committee on Tuesday.
“The (Washington) National Guard is working with Department of Homeland Security and Federal Emergency Management Agency on developing specifications for actual cyber response teams that can be deployed to help industry,” he said. His unit, the 194th Wing of the Air National Guard, is the guard’s first non-flying operational wing and has more than 1,000 citizen-airmen executing missions in the cyber domain, according to the guard’s official website. Many work in sectors of critical infrastructure, such as utilities, Welsh said.
The committee hearing was aimed at understanding whether energy delivery systems are secure against cyber threats.
“Federal efforts have principally emphasized efforts to prevent cyberattacks, rather than anticipate response considerations,” Welsh said. He said his unit is working with Washington state on how to respond to attacks. Key to that planning is realizing that while a cyber attack starts in the virtual world, it’s likely to have physical impacts on pipelines, electric grids or other critical infrastructure.
“When a pipeline blows up, people are going to be affected,” Michael K Hamilton, founder of Seattle-based Critical Informatics Inc. and a former policy adviser for Washington state, said in a telephone interview. The National Guard is also working closely with the private sector, Welsh said. Eighty-five percent of U.S. national critical infrastructure is privately owned. “The private sector will need help when something bad finally happens,” Welsh said.
The state also has established the Public Regional Information Security Event Management to share cyber security information among governments, hospitals, utility companies and other private sector players. Hamilton noted that the state also has lots of grassroots initiatives – lots of volunteering work of people and businesses in Washington state, that are putting out programs without state support. He said they address local issues such as 911 services.
During the Senate hearing, a number of energy industry representatives said that the Energy Department should make it easier for companies to get adequate security clearances so they can share information with each other and the government about cyber attacks.
Welsh echoed the position, saying there can be no partnership without access.
In an interview after the hearing, he noted that states need to nominate more energy sector officials to receive the federal clearances.