State election officials, worried about the integrity of their voting systems, are pressing to make them more secure ahead of next year’s midterm elections. Reacting in large part to Russian efforts to hack the presidential election last year, a growing number of states are upgrading electoral databases and voting machines, and even adding cybersecurity experts to their election teams. The efforts — from both Democrats and Republicans — amount to the largest overhaul of the nation’s voting infrastructure since the contested presidential election in 2000 spelled an end to punch-card ballots and voting machines with mechanical levers. One aim is to prepare for the 2018 and 2020 elections by upgrading and securing electoral databases and voting machines that were cutting-edge before Facebook and Twitter even existed. Another is to spot and defuse attempts to depress turnout and sway election results by targeting voters with false news reports and social media posts.
… Foreign governments that regularly crack the computers of military contractors and federal agencies will not be daunted by the cyberdefenses of voter databases and electronic pollbooks. A determined adversary could compromise voting equipment at many points along the supply chain, from the factory assembler to the election software programmer to the technician who makes a repair or installs a software upgrade. And in an industry dominated by a handful of companies, malicious tinkering could have a broad impact.
“In computer security, you’re talking much more about the capabilities of local jurisdictions,” said Joseph Lorenzo Hall, the chief technology officer at the Center for Democracy and Technology in Washington. “And they vary dramatically, from L.A., which has a small army of folks, to many jurisdictions that don’t even have a full-time person for their election work. To the extent they have an ability to defend against these attacks, it’s quite limited.”
Mr. Hall said election officials need to be even more vigilant, and impose a “zero-trust networking” policy on their agencies. “Don’t assume that because something is locked in a case that it’s safe,” he said. “Assume they’re already in your system, and set up things that will catch them — honey pots, fake data stores. If anyone hits them, then you know someone’s poking around.”