Stories

Elections officials flub some basic security tasks

illustration of an election sign in the shape of a lock
Illustration: Sarah Grillo/Axios

State elections officials struggle with some of the basics of office cybersecurity, according to a new report from cybersecurity auditor NormShield.

Why it matters: With the 2020 elections looming, there is a massive push to button down election cybersecurity.

Details: NormShield audited how state election authorities in all 50 states, D.C. and the territories handled common security tasks not related to the specialized equipment used in elections. NormShield only evaluates what it can see externally, without breaching a system.

  • NormShield uses letter grades to denote how skilled a hacker would have to be to exploit red flags they found. "A C grade means an average hacker could take advantage," said Bob Maley, chief security officer at NormShield and a former chief information security officer for the state of Pennsylvania. "You'd want to see A or B grades for elections boards."
  • In a July scan, by the NormShield metrics, an average hacker would be able to breach 27 state's systems. States had particular trouble with keeping patches up to date — nearly averaging the lowest possible grade in tests — and in preventing stolen credentials from showing up on the dark web, although states by and large performed well in other areas of testing.
  • NormShield informed states of what they found, giving them a chance to mitigate vulnerabilities, and performed a new scan in August. In the follow-up scan, states preformed dramatically better, though 13 states would still be vulnerable to an average hacker.

The reason the patch management grades suffered: Election boards' web servers use older operating systems and programs that are at or near their end of life.

  • A hacked website may not sound as critical as a hacked voting machine, but it could create confusion about voting locations, times and procedures.
  • In July, 4 states used Windows Server 2003, which Microsoft ceased releasing security patches for in 2015; 4 states used a version of the Apache web server that hasn't been patched since 2017; and 9 states used unsupported versions of the NGNIX web server.

Leaked credentials can be a problem, Maley said, even if they don't provide access to official accounts. Election officials shouldn't be using their official email addresses to sign up for personal online accounts.

  • "I actually saw leaked credentials from one state's CISO," said Maley.