Illustration: Sarah Grillo/Axios

State elections officials struggle with some of the basics of office cybersecurity, according to a new report from cybersecurity auditor NormShield.

Why it matters: With the 2020 elections looming, there is a massive push to button down election cybersecurity.

Details: NormShield audited how state election authorities in all 50 states, D.C. and the territories handled common security tasks not related to the specialized equipment used in elections. NormShield only evaluates what it can see externally, without breaching a system.

  • NormShield uses letter grades to denote how skilled a hacker would have to be to exploit the red flags it found. "A C grade means an average hacker could take advantage," said Bob Maley, chief security officer at NormShield and a former chief information security officer for the state of Pennsylvania. "You'd want to see A or B grades for elections boards."
  • In a July scan, by the NormShield metrics, an average hacker would be able to breach 27 states' systems. States had particular trouble with keeping patches up to date — nearly averaging the lowest possible grade in tests — and in preventing stolen credentials from showing up on the dark web, although states by and large performed well in other areas of testing.
  • NormShield informed states of what it found, giving them a chance to mitigate vulnerabilities, and performed a new scan in August. In the follow-up scan, states performed dramatically better, though 13 states would still be vulnerable to an average hacker.

The reason the patch management grades suffered: Election boards' web servers use older operating systems and programs that are at or near their end of life.

  • A hacked website may not sound as critical as a hacked voting machine, but it could create confusion about voting locations, times and procedures.
  • In July, 4 states used Windows Server 2003, which Microsoft ceased releasing security patches for in 2015; 4 states used a version of the Apache web server that hasn't been patched since 2017; and 9 states used unsupported versions of the NGINX web server.

Leaked credentials can be a problem, Maley said, even if they don't provide access to official accounts. Election officials shouldn't be using their official email addresses to sign up for personal online accounts.

  • "I actually saw leaked credentials from one state's CISO," said Maley.
