Weeks before the 2016 election, a suspicious set of digital fingerprints was discovered probing a network maintained by Election Systems & Software, the largest manufacturer of voting machines in the United States.
Nebraska was passed over by Russian hackers in their attempts to meddle in the U.S. presidential election, the Department of Homeland Security confirmed in September, but Omaha-based ES&S was not.
By early October 2016, the third-party election systems vendor operating voting systems in 18 states had received a request from the Omaha office of the FBI to review network logs for any suspicious IP addresses attempting to gain access to its system.
“We worked with the FBI to review logs and found no unauthorized entities were able to get through our firewalls,” said Kathy Rogers, senior vice president of government affairs for ES&S. “There was no impact on our network.”
Homeland Security later concluded that a small percentage of the IP addresses identified as originating from Russian state actors were scanning the ES&S’ systems, but there was no evidence of a compromise.
Nor was there any impact on the vote-tabulation systems, which operate independently of the election management systems and are not connected to the internet, Rogers said. Homeland Security said no votes were altered in the 2016 elections.
The incident has renewed focus on election security in Nebraska and elsewhere, however, as the U.S. intelligence community has warned further attempts to sow chaos may be made in future elections.
As other states came under attack in the summer of 2016, Secretary of State John Gale and other state election officers took part in a conference call in which Homeland Security told them to be on the lookout for a cyberattack and offered states help shoring up their election systems.
Gale said he initially shared the skepticism of other secretaries questioning the federal government's offer to get involved in the elections, which under the U.S. Constitution are run by the states.
"We've always had this decentralized system and a sense among the 50 secretaries of states that decentralization is one of the greatest securities in national elections," Gale said.
But he was also among the earliest to accept help from Homeland Security. Amid a slumping state economy, Gov. Pete Ricketts had asked state agencies to exercise fiscal restraint, leaving a request for $160,000 in new election security hardware unfunded by the Legislature.
“In terms of funding security measures, we certainly did not have funding in our budget to go out and hire a third-party cybersecurity expert to come in and provide us with some level of enhanced security,” Gale said.
Homeland Security agreed to conduct a risk assessment of Nebraska's election systems, but warned the review might not occur until after the general election that year. So Gale turned to Nebraska’s Office of the Chief Information Officer following the August conference call.
That office conducted a medley of internal and external scans to measure the state's election security, Gale said. Internally, the agency scoured email accounts, digital files maintained by the Secretary of State's office as well as shared files between the state and county election officials.
As part of their contracts with the state, ES&S and the other third-party vendors — Nebraska Interactive, which manages many of the state's websites, including the secretary of state's; and BPro Inc., which compiles unofficial vote counts live on election night — also agreed to a scan by the CIO's office.
Nebraska will replicate its 2016 approach in the 2018 midterms, Gale said — with some extra help.
Gale said as part of the ongoing risk assessment, two state officials have been designated to receive immediate notification should Homeland Security detect a cyberattack. The Secretary of State's office declined to identify which officials have been designated to receive the notifications, but did say one has received final security clearance, while the second is awaiting final approval.
A Homeland Security representative has also been assigned to the state and is responsible for coordinating security efforts between the federal government, the Nebraska CIO's office and private vendors, Gale said.
Slow to mobilize its promise to offer risk assessments in the 2016 election cycle, Homeland Security has completed nine ahead of the 2018 election cycle, Nebraska included. A total of 17 states have requested the agency's help, according to the Associated Press.
Matt Hale, an assistant professor of cybersecurity at the University of Nebraska at Omaha, said the state's efforts to coordinate tests between multiple agencies and vendors "should engender a measure of confidence" among Nebraskans.
"It's really important to have a proper risk assessment, knowing what kinds of threats you're facing and knowing whether or not the tests you're conducting are covering those types of threats," he said.
The experiences of 21 states and companies like ES&S targeted by Russian state actors in 2016 should inform some of those security tests moving forward, the former researcher at the Air Force Office of Scientific Research added, at least in part.
In addition to the internal and external scanning, Nebraska and the vendors it uses should have a more complete understanding of how systems are used and by whom and from where. Deviations from normal patterns of behavior, or breaks in routine, would signal something out of place, Hale said.
But Hale also warned of the "zero day" vulnerabilities, the weaknesses not yet discovered.
"You don't know what you don't know," he said.
Further security measures
State officials and election vendors said Nebraskans can be assured their voter registration will be kept secure and their votes accurately counted.
Because Nebraska's elections are conducted on a county-by-county basis using paper ballots, the decentralization and paper trail add two more layers of security, Gale said.
The M100 ballot counters built to federal voting system standards by ES&S and used in most counties in Nebraska are not connected to the internet and are not capable of being tampered with remotely.
"Because voting systems are designated as part of our nation's critical infrastructure, we also partner with the Department of Homeland Security to further security measures and to ensure the latest methods are in place for continuing to provide auditable elections for Nebraskans," Rogers explained.
On election night, as results are updated on a state website designed and operated by BPro, the counties maintain the ballots for 22 months to certify the elections.
BPro's site reports an unofficial total down to the precinct level on election night, according to George Munro, the South Dakota company's government outreach director. The information is securely transmitted to the site by county election officials based on the vote tally.
"Once they update it, those officials can check to see if the system has processed it correctly," Munro said. "There are a number of measures built in to make sure a human is still approving it before it goes live."
Gale said ultimately, Nebraska might escape the attention of Russia and other state actors because of the state's political identity: solidly red.
"We're not a swing state," he said. "We do have a congressional district that is a swing district, so one never knows if that is going to become a target, but by and large, we're a pretty predictable state and we're kind of small.
"We think we're protected by that."
This story was updated May 15, 2018 to correct how long counties must maintain ballots following an election. Counties hold onto ballots for 22 months, not 22 days.