Minnesota works to secure elections after 2016 Russian attempted hack

Election judges Mary Maynard and Mary Wickersham cast test ballots on voting devices, fed them into vote-counting machines and verified the results last week during St. Louis Park's pre-election accuracy testing.

"Citizenship at the ground level," Maynard called the routine and required public ritual.

The St. Louis Park test run was also a volley on the front lines of the battle to increase the odds that the Nov. 6 election is tamper-proof. Two years ago, on Aug. 19, 2016, Russian entities scanned but were unable to break into Minnesota's election system. Attempted hacks were detected in 21 states.

Since then, the federal government has taken a more prominent role in securing elections, Secretary of State Steve Simon has been given "secret" clearance so he can receive intelligence briefings about potential threats, and local officials and voters are more attuned to the risks.

After Russia's 2016 meddling, "people figured out that this is real, it requires constant attention and this is a race without a finish line," Simon said. "You have to stay one step ahead of the bad guys."

There have been obstacles to reaching that goal. Minnesota is the only state that hasn't gotten its share of $380 million in election security grants that Congress approved in March.

The state planned to use part of its $6.6 million grant to rewrite computer code for the statewide voter registration system, which was developed in 2003 and 2004. But authorization to do so was in a spending bill that Gov. Mark Dayton vetoed in May, a casualty of a broader dispute between the DFL governor and Republican legislative leaders.

Another setback: The Secure Elections Act, sponsored by U.S. Sen. Amy Klobuchar, D-Minn., stalled in the Senate this year. It would have ensured that the U.S. Department of Homeland Security quickly share information about cybersecurity threats with local officials and provide money to states to enact cybersecurity measures and upgrade voting machines.

Klobuchar also sponsored a pending bill that would require election service providers to disclose foreign ownership.

The threat remains high. "We certainly see active targeting" of information technology systems "that support election infrastructure," said Matt Masterson, a senior cybersecurity adviser at the Department of Homeland Security.

NBC News reported Oct. 15 that three different methods were used in August in an failed effort to hack Vermont's voter registration database.

On Oct. 19, federal prosecutors charged a Russian woman with involvement in efforts to create political divisions in the 2016 and 2018 elections. She is the 27th Russian to face criminal charges stemming from election interference.

More safeguards are needed, said Camille Fischer, a fellow at the nonprofit Electronic Frontier Foundation, which defends civil liberties in the digital world. Too many states use outdated voting machines, perform inadequate postelection audits and lack the cybersecurity expertise to ensure safe elections, she said.

"It's quite sad how little has happened" since 2016, she said.

Jeremy Epstein, a voting system security researcher who has advised the Virginia General Assembly, the District of Columbia City Council and others on the issue, agreed. "We've gone from maybe an F to maybe a C minus," he said.

Minnesota had a head start on the bad guys: Unlike Delaware, Georgia, Louisiana, New Jersey and South Carolina, it uses paper ballots that create a tangible record of all votes. It also backs up electronic voter rosters on paper.

Election equipment vendors are certified by the state, which requires local postelection audits of random precincts. The state then does postelection accuracy reviews in 32 precincts — four in each of the state's eight congressional districts. If results are transmitted by modem on Election Day, they are encrypted and a paper summary of all votes must also be submitted. Ballots and other documents must be securely stored for 22 months after elections, then destroyed.

Although it's "impossible to create a system that's 100 percent impenetrable … we're doing what we need to do to address the threat," said Ginny Gelms, who manages Hennepin County elections. The county is now using multi-factor authentication to boost election system security.

On Jan. 6, 2017, election systems were designated critical infrastructure, making safety concerns a priority for the Homeland Security Department. That opened the door to intelligence briefings for Simon — which Masterson said are offered weekly in the 45 days before the election — and new technical testing.

Homeland Security conducted remote cyber hygiene scans this year to identify possible problems in Minnesota and other states, Masterson said, then several Homeland Security technicians visited the state for risk and vulnerability assessments. The goal, Simon said, was to "probe and pry and prod" the system to identify potential problems.

"We got a very good report card but not a perfect one," he said. "They came up with a to-do list" that is confidential but one the state has fully implemented, he said. As a result, Simon has "a very high degree of confidence" that Minnesota can successfully "detect and repel" any future intrusions.

That doesn't eliminate the need for improvements before the 2020 presidential election.

Simon hopes the Legislature will give him approval to spend that $6.6 million in federal grant funds early in 2019. He would like to spend part of it to hire a "cybernavigator" who could advise counties, cities and townships on ways to tighten security. That's how Illinois is using part of its grant.

The secretary of state's other priorities include upgrading antivirus software and buying more licenses to scan all of its public-facing websites for vulnerabilities.

Max Hailperin, a computer scientist and Gustavus Adolphus College professor emeritus, is a member of a working group that includes legislators and is working with Simon to identify spending priorities. He hopes the state will upgrade its systems to do "anomaly detection at the level of seemingly authorized changes" to the voter database.

Gelms wishes more money were available to train election officials and workers. Chelsea Helmer, Duluth's city clerk, would like to see the Minnesota Legislature approve "ongoing, dedicated funding for election equipment and support for local entities."

Simon, choosing his words carefully because of his access to intelligence information, said that there have so far been "no documented instances of an intrusion for me to report."

He added, however, that he's been advised "to expect more of this from more sources."

That troubles Mark Halvorson, a founder of Citizens for Election Integrity Minnesota, a nonpartisan and nonprofit group. He has confidence in the state's voting infrastructure, he said, but he worries "that we will lose our focus and sense of urgency and … move into a level of complacency."

Epstein's biggest concern is the use of social media to manipulate public opinion, he said. "One person's lies are another person's truth."

Masterson said he frets about ensuring that state and local officials receive the information and support they need and about retaining "the confidence of the American public."

Hailperin worries that doubts about the validity of elections will create confusion and erode trust. If the public feels that their votes are meaningless, he warned, "that would be the end of democracy."