Advertisement

EXCLUSIVE: Pandemic stalling election security fixes

The coronavirus is stalling some efforts to improve election security across the country and delaying efforts to install basic security measures on hundreds of local election websites, an exclusive analysis by the National Investigative Unit has found.

Advertisement

The novel coronavirus pandemic is stalling some efforts to improve election security across the country, delaying efforts to install basic security measures on hundreds of local election websites, interviews with top leaders and an exclusive analysis by the National Investigative Unit has found.

Election security is a topic on the agenda for the annual summer conference of the National Association of Secretaries of State which convenes virtually later this week, the last scheduled NASS conference for all of the nation’s top election officials before the general election.

To assess the resiliency of county election websites in states nationwide, the Hearst Television National Investigative Unit asked McAfee Security to once again analyze more than 2,000 web pages where voters may turn to for information about voting, registration, election administration, precincts, poll hours and other suffrage details.

While no American uses those local election websites to cast a ballot, citizens do rely on the information to be accurate so they can exercise their right to vote. A lack of simple security tools, cyber experts and government agencies say, could leave those webpages vulnerable to manipulation, possibly disenfranchising voters who are misled.

The new McAfee analysis found little progress overall in securing those websites with encryption – identified by the letters ‘https’ in the URL – and with a federally-validated domain, like .gov, since the worldwide cyber firm’s initial analysis for the NIU conducted in January.

‘They don’t understand’

Steve Grobman is McAfee’s chief technology officer and led the election website analysis.

To demonstrate for this report how a lack of those two web security tools makes sites easy to spoof, Grobman created a real-looking election website – walled off in a "sandbox" so actual voters would not stumble upon it – modeled on a website used by a county in Georgia. He then plastered election misinformation on the simulated site, including a $19 COVID poll tax, to illustrate the threat.

Stitch
McAfee Security Chief Technology Officer Steve Grobman interviewed by Chief National Investigative Correspondent Mark Albert; Hearst Television

“All this information is fake, but it might give them the wrong information,” Grobman warned, which may cause voters to “just not vote at all.”

When asked why, in light of the vulnerability and potential repercussions, more counties across the U.S. weren’t fixing them by installing encryption and migrating to the .gov domain, Grobman answered simply, “I think they don't understand how critical it is."

Pandemic ‘put us behind’

Indeed, some of the 15 election officials interviewed on-camera for this story conceded the pandemic had delayed efforts to strengthen election security on those websites, although many state-level leaders revealed they don’t have the authority to unilaterally mandate it.

Stitch
Fifteen state election officials are interviewed by Chief National Investigative Correspondent Mark Albert on July 7, 2020; Hearst Television

Iowa Secretary of State Paul Pate, who serves as the outgoing president of NASS, acknowledged, “COVID has put us behind." New Mexico Secretary of State Maggie Toulouse Oliver said, “we were making progress … but then the pandemic hit.” Michael Adams, secretary of state in Kentucky, said bluntly, "We got a lot of work to do."

Some secretaries implied other issues, such as COVID-19-related disruption, may be a higher priority right now. Securing county election websites, “may not be the most important things,” Nebraska Secretary of State Bob Evnen said.

Missouri’s chief election official, Secretary of State Jay Ashcroft, emphasized more robust security mechanisms are in place elsewhere, for example on state-run election infrastructure, like registration databases. "It's improper to assume that the underlying networks that need to be secure are not secure,” Ashcroft said in the interview.

Dramatic progress

Local election websites in his state did make dramatic progress since the first McAfee analysis in January when only 34.2% of pages had encryption; now, 84.2% do, the cyber company found. Much less improvement was made in use of the .gov domain, however, rising from 6.1% of county election websites to 14%.

The state with the biggest gains was Ohio, with 100% of county election pages now using ‘https’ to secure its sites, up from 61.4% in January, and the only state with all of its counties currently doing so. Pages on .gov rose more sharply, up from just 17% six months ago to 87.5% now.

Frank LaRose is the secretary of state in Ohio and spearheaded the improvements because, he explained, the threat is real.
"One of the most damaging things that our foreign adversaries can do is, is diminish voter confidence by hacking an elections website,” LaRose said in an interview.

Some states far behind

But some states are far behind.

Mississippi is one of the worst states for having encryption and .gov on local election websites, McAfee found. As of July 1, only 17.1% of its counties used encryption for their local election pages and only six percent were on a .gov domain.

"We don't have the authority to force" counties to increase security, explained Secretary of State Michael Watson. He called it "a great question," why more counties have not prioritized those changes.

California did make a little progress on adding encryption, rising to 74.1% of local election websites, up from 65.5% in January. But it made no progress in overall use for .gov, still at 13.8%, or 8 of its 58 counties, the data show.

Alex Padilla, California’s secretary of state, blamed it on “a matter of resources.” He said while he can’t force counties to change, he intends to stress “voter education is paramount.”

Georgia to seek new deadline

In Georgia, which saw disastrously long lines in some places for its June primary, the secretary of state promised in an interview that he'll seek a deadline from each individual county for better security on their election websites.

"We need to get from them a date on when they plan on having it implemented,” Secretary Brad Raffensperger vowed. “It's very important that we also help the county commissioners understand … how important elections are.”

In addition to election security, nearly all of the leaders said in interviews they worry about poll workers deserting at the last minute because of COVID-19 health worries, of postal delays due to a pandemic-fueled crush of absentee ballots, and of an impatient public, increasingly anxious if election results aren't known for days – including for the winner of the marquee presidential race.

Mark Albert is the chief national investigative correspondent for the Hearst Television National Investigative Unit, based in Washington D.C. April Chunko and Tim Tunison contributed to this report.

Know of election security problems or voter suppression? Have a confidential tip? Send information and documents to the National Investigative Unit at investigate@hearst.com.