Bexar County’s election systems have never been hacked, and even in the event of a breach, there are checks and balances in place to make sure cybercriminals cannot change voting results, the County’s elections administrator said Thursday with less than three months until the November elections.
“I have 100 percent confidence in the integrity of our systems,” Bexar County Elections Administrator Jacquelyn Callanen said.
Callanen said the County’s protocols entail airtight security in the room where elections administration officials program and tabulate the votes. A limited number of staff members has access to that room, she said.
The voting booths are also offline and not connected to each other. Elections administration officials extract the results from each of the machines, Callanen said.
“We send that to the State should there be any discrepancies, should someone have changed the numbers,” she said. “It is highly unlikely they have the raw data.”
The vote is recorded and stored in three different places on the voting booth device. From there, the results are printed off and given to a staff member, who enters the data and sends it to the Texas Secretary of State’s office.
But the results the Secretary of State releases on election night are unofficial until canvassed – a process that involves certifying the results at the local level. For example, a county election would have to be approved by the Bexar County Commissioners Court. The official tallies are then sent to the State both electronically and by mail and formally certified when the governor accepts them, Callanen said.
Russian government hackers may have targeted 21 election-related online networks, such as websites, during the 2016 presidential election, according to written testimony from Samuel Liles, the former acting director of the U.S. Department of Homeland Security’s cyber division. According to the Associated Press, DHS notified Texas it had been targeted.
However, that does not mean the hackers entered the system, manipulated votes, or compromised data. Earlier this year, the Texas Secretary of State asserted “there is no evidence that any voting or voter registration systems in Texas were compromised before the 2016 Election or in any subsequent elections.” DHS in March confirmed no proof exists that Russian hackers changed votes.
Despite that, there is increasing alarm over the relative ease with which election-related systems can be infiltrated.
On Aug. 10, in a simulated election at the hacking convention DEFCON 26, an 11-year-old boy infiltrated a replica of Florida’s state election website within 10 minutes and changed the results. In all, 39 children age 6 to 17 tried to hack copies of the Secretary of State websites for six swing states at DEFCON’s Voting Village. Thirty-five of them were successful.
State and local electronic election systems are improving but are under increasing siege, a local voting systems security expert said Wednesday during a cybersecurity conference.
Vulnerabilities in the election process have put U.S. democracy at stake. But the hacks are less about Russian dictators favoring one American presidential candidate over another and more about sowing division among the American electorate and weakening the democratic process, said Jacob Stauffer, vice president of operations for local security firm Coherent Cyber.
“[Russia’s hacks were designed] to cause dissent among the whole process and cause an integrity issue, ultimately,” Stauffer said. “They want us to fight against each other, and you know what? They’re winning. Russians are very good at what they do, and they’re going to continue to be good at what they do.”
Stauffer and his company often earn contracts to test and “break” security in electronic voting systems. The former U.S. Department of Defense civil servant spent a decade evaluating voting systems in California.
He said Coherent Cyber has consulted with Bexar County on security enhancements and provided reports on voting system equipment it considered purchasing.
While the State prescribes voting systems standards, local jurisdictions are responsible for administering and executing them. For example, Texas has seven accredited systems that officials are permitted to use to administer elections.
Many officials purport to have “hack-proof” systems because their tabulation machines are not connected to the internet, but Stauffer said there are often blind spots that lead to potential doors hackers can enter.
Stauffer said his team once discovered Bexar County had a modem that connected to a public telephone line.
“If the environment is right, I could get into that system and laterally move where I need to go,” he said.
Some voting systems internally contain a cellular modem that can be activated with a small phone surveillance device known as a StringRay, which costs anywhere from $500 to $1,000. Stauffer said the devices, which mimic cellular towers, can intercept any information coming from the wireless telecommunications-connected voting machines – allowing hackers to monitor and possibly change votes.
But the news isn’t all bad, Stauffer said.
The federal government in March doled out $380 million in Help America Vote Act, or HAVA, grants to states to improve election security. The State of Texas received about $23 million of that allotment and will match 5 percent for a total award of $24.4 million.
Callanen said the State will use a “lion’s share” of the funds to harden its statewide voter registration database known as TEAM, or the Texas Elections Administration Management system.
“Then they’ll come back and say, ‘This is what’s left for the counties,’” she said. “When we got the first round of HAVA money, they allocated it based on the number of precincts each county had. I would think they could use that same [equation].”
States can use that funding to create a system for auditing vote tallies after elections, provide cybersecurity training for state and local election officials, establish best practices for cybersecurity around election systems, and upgrade election-related computer systems, according to the U.S. Election Assistance Commission.
But in a July 18 letter to the U.S. Election Assistance Commission, Texas Secretary of State Rolando Pablos wrote the $23 million disbursement is not nearly enough to replace voting systems statewide. According to the letter, the State used more than $150 million in HAVA funds from 2003 to 2012 to acquire new election equipment.
“Any significant effort to replace voting equipment throughout the entire state of Texas, or any other state of comparable size, would require a substantially larger federal commitment in order to make a meaningful impact on subsidizing the costs to the counties in their efforts to modernize their voting equipment,” Pablos wrote.
The Secretary of State’s office is set to release a line-item breakdown of its plan for using the 2018 HAVA money. The letter states generally that the funds will be used to accomplish the following goals: provide security services so that election officials in the state can address auditing and cybersecurity needs, enhance its TEAM database, and help counties negotiate with vendors on acquiring new voting equipment.
Federal, state, and local officials have recently worked on joint exercises to improve election system security. Federal commissions have developed guidelines for administering security around elections, and newer systems are beginning to encrypt votes, Stauffer said.
Stauffer said he hopes more scrutiny will be applied to common sources of vulnerabilities: Wi-Fi infrastructure at election sites and software such as TeamViewer, which allows for remote information technology administration.
Poor election systems cybersecurity poses a threat to democracy not just in the U.S. but around the world, he said.
“We have a tendency of getting very myopic in our viewpoint,” Stauffer said. “We see all the stuff coming from Fox News, CNN, MSNBC about voting systems being hacked and how Trump is now the president of the United States because of it.
“Okay, but what about the big picture? What is really happening in this case? Who are the threats that are actually making this happen? What are they are using to get into our networks?”