Amid concerns over election hacking and other voting interference, Utah's polling systems have been put to the test by the Department of Homeland Security just ahead of the June 26 primary.
The Homeland Security Department, which is responsible for domestic cybersecurity and protecting other critical infrastructure, carried out so-called “penetration tests” to check for weak spots in Utah's voting systems. The federal department has offered the risk assessments to any state ahead of primaries and midterm elections. So far, 17 states have taken them up on the offer.
“DHS has tools to scan all the systems, for a non-technical term, to rattle the windows and check all the locks on the doors and to see if we have vulnerabilities anywhere," said Justin Lee, director of Utah’s state elections.
A main focus of Homeland Security’s work will be examining the security around Utah’s voter registration database, which holds the information of approximately 1.5 million registered voters. Unlike individual voting machines, the database is online and accessible to all 29 county elections clerks, whose own IT policies can vary.
“Across the board, I think counties are understanding this is part of our job now. We have to think about security,” Lee said. “We can’t just run things the way we always have.”
A department spokesman declined to comment on individual state tests. Lee said the federal team has likely concluded Utah’s assessment, and will share results with the state soon.
Last year, federal officials informed 21 states of attempts by Russia to target their voting system during the 2016 presidential election. Utah was not on that list, but neighboring Arizona and Colorado were.
The number of states breached is likely much higher, said Jake Braun, director of the cyber policy initiative at the University of Chicago and former White House Liaison to the Department of Homeland Security during the Obama administration.
The department was able to flag the hacking through a cybersecurity hub called the Multi-State Information Sharing and Analysis Center. Utah is a member of the group and has intrusion detection sensors on the state government’s network to scan for threats.
As not every state has these sensors yet, Braun said, homeland security officials aren’t capable of knowing the scope of Russia’s interference. He said it’s “illogical” that more states aren’t taking the department up on their offer to do check-ups ahead of midterms.
“Normally you’d have to pay a consulting firm a ton of money to do this," Braun said. "And these guys are some of the best hackers in the U.S. government, and the fact that they’ll come out and bang away on your system for free and give you a report on what to fix is a great service."
At a Senate hearing in February with top Department of Homeland Security officials, California’s Democratic Sen. Kamala Harris questioned whether the department was moving fast enough to assist states before their primaries.
"The delay is that the risk and vulnerability assessment capability is also servicing critical infrastructure sectors,” Christopher Krebs, an undersecretary at the department, testified. “So what we’ve done is put at the top of the pile the state and local election officials right now."
Utah will get $4 million in federal grant money this year to beef up its security. The funding is part of $380 million Congress set aside to help states protect their voting systems.
Justin Lee, Utah’s elections chief, expects the money to come through sometime in July. Officials will use the grant to upgrade the state’s voter registration database and update some of its older voting machines.
With Utah’s high-profile U.S. Senate race this year involving Mitt Romney, who as a presidential candidate in 2012 called Russia a top geopolitical foe, state officials are not taking anything for granted, Lee said.
"We’re never going to get complacent. We’re never going to say ‘There’s no way anyone can hack us,’" he said.
Braun said if states were forward thinking, they would also consider outsourcing their database altogether to a more secure platform.
“They should put their voter registration database in the cloud and let Amazon or Microsoft or Google secure it," he said. "Because they will do a million times better job than the state ever will.”
Even with the best information technology practices, states can’t spend the type of money on security that these companies do, Braun said.
In the meantime, states should at the very least be practicing what Braun called basic "cyber hygiene,” such as using paper ballots and running risk-limiting audits. That’s where clerks hand count a small but statistically significant number of ballots to make sure the machines weren’t hacked.
Putting better security in place may not be enough to block the Russians, Braun said, but can stop a lot of other hackers who might be looking for a way in through the back door.