While candidates were stumping the campaign trail this summer, Nebraska’s election officials, system vendors and partners in the federal government were silently reinforcing the state’s election security.
The behind-the-scenes work has created an election system that should inspire confidence among voters going to the polls on Tuesday and beyond, according to state election officials and cyber security experts involved.
Although Nebraska wasn’t targeted in the lead up to the 2016 presidential election, digital fingerprints tracing back to Russian hackers were found probing for vulnerabilities on systems maintained by Election Systems & Software, which manages Nebraska’s Statewide Voter Registration System from its headquarters in Omaha.
The unsuccessful attempt “galvanized us into upping our game,” said Chris Wlaschin, the company’s vice president of systems security, whose resume includes experience at several federal agencies, including the Defense Intelligence Agency and Department of Defense.
Nebraska and ES&S have joined the Election Infrastructure Information Sharing & Analysis Center, a consortium of states, election vendors and agencies like the Department of Homeland Security and the Center for Internet Security to provide real-time reporting on cyber threats and attacks made against so-called critical infrastructure programs.
“Those partnerships were not in place prior to 2016, but now they are, and we are benefiting from them,” Wlaschin said.
It also led ES&S to become the first private entity to install an “Albert” sensor, which tracks traffic coming into and out of Nebraska’s voter database around-the-clock from a Center for Internet Security operations facility in Albany, New York.
Before 2016, only 14 states were using Albert monitors to safeguard their election systems. Heading into the 2018 midterm elections, 36 states are now using the Albert system to scan for the digital signatures of bad actors, according to the Elections Assistance Commission.
The Albert system isn’t a “silver bullet,” Wlaschin said. It can’t prevent cyber attacks from occurring, but if it picks up on usual activity within the system, the Center for Internet Security will immediately notify both ES&S and the Nebraska Secretary of State’s Office.
“It will detect and report on any attempt to hack into the voter registration environment, report any malicious activity, and give us a chance to protect our data and close any vulnerability before something bad can happen,” Wlaschin said.
Since going online, there have been no reports of suspicious activity regarding the Statewide Voter Registration System, he added.
As an added security measure, Nebraska also implemented a two-factor authentication process this summer for any state or county election official with access to the Statewide Voter Registration System, according to Deputy Secretary of State Wayne Bena.
The system, paid for by $807,000 in federal funds, requires users to enter their username and password and then input a randomly generated token assigned to them. Without the unique token, the username and password won’t work.
“This is something Secretary (John) Gale has wanted to do for quite some time, but we didn’t have the resources to do until now,” Bena said, referring to a $3.5 million appropriation of funds the state received as part of the Help America Vote Act passed by Congress earlier this year.
The Secretary of State’s Office has also used its share of the $380 million in federal funds to purchase new Americans with Disabilities Act-compliant equipment for certain county election offices, while it is planning to use the remainder of its money over the next five years.
Wlaschin said ES&S, the largest manufacturer of voting machines in the U.S., has also worked to ensure the security of its software and hardware meets federal standards.
That’s a rigorous process, according to Brian Hancock, the testing and certification director at the Election Assistance Commission, which has reviewed elections systems manufactured by ES&S and other companies since 2006.
New products are taken apart and examined by technicians, engineers and cyber security experts at labs in Huntsville, Alabama, and Denver to determine if they meet 1,400 separate requirements in a standards document maintained by the EAC, Hancock said.
System modifications or updates to products must also be certified before they can be pushed out to users, Hancock said. Those testing campaigns are quicker, but still rigorous, focusing on how the update affects functionality as well as how well it integrates into the existing system.
Hancock said the EAC has certified 16 different ES&S products used across the country, adding today’s election systems “are light-years ahead of where they were” when the agency first began its certification process more than a decade ago.
“These systems, across the board, have improved significantly,” Hancock said. “That isn’t to say there aren’t still problems, they are machines and there is a lot of room for improvement in all areas.”
Wlaschin said ES&S’ focus on election cyber security “is better than it’s ever been” in the wake of 2016, and in standing beside the Nebraska Secretary of State’s Office, the company is dedicated to ensuring Nebraskans’ votes are safe and counted.
Bena said the new partnerships will only continue to grow after the 2018 election cycle: “This doesn’t end on Election Day.”
“We’re going to continue to enhance the ways we keep these elections secure,” Bena said.
For Hancock, who oversees the federal government’s efforts to ensure voting equipment and software is functional and secure, the expanded efforts and partnerships have only engendered more confidence in the voting process.
“I’m a voter, too, so it makes me feel better,” he said.