More than One-Third of Counties that are Overseeing Elections in some of the most Contested Congressional Races this November run Email Systems that could make it easy for Hackers to Log-In and Steal potentially Sensitive Information.

A ProPublica Survey found that Official Email Accounts used by 11 County Election Offices, which are in charge of Tallying Votes in 12 Key U.S. House of Representatives Races from California to Ohio, could be Breached with only a Username and Password, potentially allowing Hackers to collect Confidential Communications or Impersonate Election Administrators. Cybersecurity Experts recommend having a Second means of Verifying a User’s Identity, such as typing in an additional Code from a Smartphone or Card, to thwart Intruders who have gained someone’s Log-In Credentials through Trickery or Theft. This system, known as Two-Factor Verification, is available on many Commercial Email Services.

“Humans are horrific at creating passwords, which is why ‘password’ is the most commonly used password,” said Joseph Lorenzo Hall, the Chief Technologist at the Center for Democracy and Technology in Washington, D.C., who has pushed for Security Fixes in the Voting Process. This means increasingly we need something other than Passwords to Secure Access to our Accounts, especially Email, which tends to undergird all our other Accounts.

The Email Vulnerabilities emerged in ProPublica’s Survey in 27 Counties encompassing all or part of roughly 40 Congressional Districts that the Cook Political Report has said are Toss-Ups. These Contests could determine if Democrats take Control the U.S. House of Representatives, where the Party needs to pick up about 24 Seats to Flip the current Republican Majority. Of the 12 Districts in Counties with less Protected Email Systems, Republicans are seeking Re-Election in 10. The other Two are Open Seats where Incumbents are stepping down.

Funded by Local Taxes, Counties are generally run by Elected Commissioners and often have Centralized IT Staff Overseeing Email Services for many Departments. As a result, Elections Officials have to Compete for IT Resources and Attention.

Most of the Counties interviewed said they had bulletproofed their Computer Systems and Voting Equipment. Joel Miller, an Election Official in Linn County, Iowa, said the County has recently put in place Two-Factor Authentication Requirements for its Email Systems. “We all need minimum standards for network security,” he said. “We weren’t up to date until recently.”

The Counties with vulnerable Email Systems ranged in population from Orange County, California, with 3.1 Million People to Olmsted County, Minnesota, with 155,000. Orange County Elections Director Neal Kelley said he’d prefer to have Two-Factor Authentication. It hasn’t been Implemented yet, but is “on the short horizon,” he said. There are two toss-up House Races in Orange County.

Noah Praetz, the Director of Elections for Cook County, Illinois, except the City of Chicago, said his Office “lacks a little bit of control” when it comes to changing IT Systems because the County-Run Network serves more than 24,000 Employees. He said the County Government doesn’t require Two-Factor Authentication for Employees to Log into Emails.

One County reported Two Problems. Fayette County, Kentucky, which includes Lexington, told ProPublica its Electronic Voting Machines don’t produce a separate Paper Trail for Voters to Verify their Choices, do a Recount, or Audit the Election. Nor does it use Two-Factor Authentication on its Email system. Fayette, one of the State’s Largest Counties, is home to a chunk of Kentucky’s 6th Congressional District, where a once-safe Republican incumbent is facing an unexpectedly Competitive Challenger.

Don Blevins, the Fayette Elections Chief, told ProPublica his County is not at Risk for an Email Hack that would affect Voting or Registration. “I don’t question that two-factor authentication is better,” he said, but added, “Since we don’t use email to conduct voting, nor voter registration, then the level of security is moot.”

Besides Orange, Olmsted, Cook, and Fayette, the Counties without Two-Factor Authentication were: Arapaho County, Colorado; Linn County, Hennepin County, and Dakota County, Minnesota; Hamilton County, Ohio; Harris County, Texas: and King County, Washington.

Some Counties have Secured their Emails but had other Shortcomings. Shawnee County, Kansas, said it doesn’t yet have Countermeasures to stop Hackers from bringing down its Website by Overloading it with Malicious Traffic. If such a Denial-of-Service Attack takes the Site Offline, Election Commissioner Andrew Howell said, Officials would instead Publish Election Results on Social Media.

Five of the 27 Counties surveyed did not respond to multiple Emails or Phone Calls from ProPublica: Polk County, Iowa; St. Louis County, Minnesota; Ocean County and Essex County, New Jersey; and Oneida County, New York.

U.S. Law Enforcement Officials and Cybersecurity Experts have been working with States in the Months Leading up to the November Midterms to improve Election Security. States are using some of the $380 Million in newly earmarked Federal Funds to Test for Vulnerabilities and Recruit and Train IT Staff, according to Congressional Testimony from the National Association of Secretaries of State.

Fixing Technical Problems isn’t cheap, and County Governments have had to make hard choices when Prioritizing Spending. Tammy Patrick, a former Election Administrator in Arizona and now a Senior Adviser at the Nonprofit Democracy Fund, said Counties may consider it more urgent to Replace Outdated Voting Machines than to fix Email Systems.

Even Short-Lived IT Security Problems may have a Corrosive Effect on Public Trust in the Accuracy of Ballot Results. The last thing you want to do on Election Day is face Problems you could have easily Dealt with before then. Officials will Dismissively say, ‘It hasn’t happened to us.’ But with that Attitude, you’re Building a Castle on Sand.










NYC Wins When Everyone Can Vote! Michael H. Drucker