Despite Russia’s attempt to hack the 2016 U.S. election and the voter registration systems of 21 states, an NBC News investigation reveals that election officials in the most heavily populated counties of three crucial swing states still haven’t received formal training on how to detect and fight attacks. Election officials in three of Pennsylvania’s four biggest counties — Philadelphia, Allegheny and Bucks, which together account for nearly a third of the state’s voters — told NBC News they never received cybersecurity training, which experts say is crucial for officials to identify risks. NBC reached out to election officials in every county in Arizona, Pennsylvania and Michigan and got responses from 60 percent of the counties. Officials from all 15 Arizona counties responded, but only five said their officials had received cybersecurity training. In Pennsylvania, where 42 of 67 counties responded, eight counties said their workers had training. In Michigan, 40 of the state’s 83 counties responded, and only 12 indicated receiving formal training.
… “Phishing attacks are a form of social engineering,” said University of Michigan election security expert J. Alex Halderman. “The one very important thing is to train people about what they are, how to recognize them, and how not to fall for them.”
Halderman, who called phishing attacks “the new normal,” described one that extracts credentials or computer access to allow an attacker to “in the door” of a state’s voter registration database.
“Having access to the voter file means you’re already in the building in a certain sense. You’ve gotten through the outermost security perimeter,” Halderman said. “The question is whether the doors inside are all appropriately locked as well.”