Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

01:55 PM
Steve Zurier
Steve Zurier
Connect Directly

8 Steps Toward Safer Elections

Here's some advice from leading authorities on how state and local governments can adapt to an environment where election systems will inevitably be hacked.
10 of 10

Letter from Noah Praetz to fellow Illinois election administrators. Reprinted with permission. Image by Minerva Studio, via Shutterstock.:

April 16, 2018

Fellow Illinois Election Administrators,

Lost in the talk of election hacking, and the state and federal responses, has been the fact that local election officials actually run elections - from beginning to end. And because we run them we are the ones who are tasked with securing the digital systems we rely upon, from websites to vote counting computers. The vulnerabilities to these digital systems are real. And so is the slippery threat from our adversaries. The bad guys just did major damage with a cyberattack against the City of Atlanta. Ask Uber or Equifax, HBO or Sony how difficult digital defense can be.

I am the co-chair of the council US Homeland Security setup in the wake of the interference last year. I sit alongside the president of the National Association of State Election Directors (NASED), the President of the National Association of Secretaries of State (NASS), the Chair of the Election Assistance Commission (EAC), and the head of the National Infrastructure Program Protection Directorate (NPPD). Sitting with those four, I represent the nine locals on the Council and you, the local election officials of Illinois and America. In that job I have advocated long and hard on our behalf; primarily to ensure attention and support gets all the way to the local level.

I have also attended a number of briefings. Make no mistake, we are the troops on the front lines. We have been warned to brace ourselves against expected cyberattacks. I imagine the thought of defending against a nation-state may be difficult - even overwhelming. It has been both for me. Even in an office of our size, Cook County, we decided to hire an Elections Infrastructure Security Officer to make sure we get this right. I know how incredibly tight your budgets are and the huge list of responsibilities you each carry, as executives, experts and line workers. Your capacity and responsibilities amaze me.

There are a number of relatively easy things you can do now to help increase your defenses, and also answer the question which will inevitably come your way:
"What have you done since 2016 to increase your security?"

Please start by doing/considering these five things....

1.) Sign-up for free threat information sharing services:

    A.) The Election Information Sharing & Analysis Center (EI-ISAC). This first of its kind partnership is designed to provide election officials with near real time information sharing and threat analysis with regard to election systems. https://learn.cisecurity.org/ei-isac-registration
    B.) The Illinois Statewide Terrorism Intelligence Center (STIC) - [contact information redacted]
    C.) The Multi-State Information Sharing & Analysis Center (MS-ISAC) (transitioning to Elections-ISAC) https://learn.cisecurity.org/ms-isac-registration

2.) Print, read and understand election security best practice documents

    A.) Center for Internet Security Elections Security Handbook - https://www.cisecurity.org/elections-resources/
    B.) Belfer Center at Harvard University - Defending Digital Democracy Program - Security Playbooks - https://www.belfercenter.org/publication/state-and-local-election-cybersecurity-playbook
    C.) Cook County White Paper on Election Security - "2020 Vision: Election Security in the Age of Committed Foreign Threats" - https://www.cookcountyclerk.com/sites/default/files/pdfs/Election%20Security%20White%20Paper_Praetz_12062017.pdf

3.) Use free technical resources

    A.) US Homeland Security Election Services - https://www.eac.gov/assets/1/6/DHS_Cybersecurity_Services_Catalog_for_Election_Infrastructure.pdf
      <1.) Cyber Hygiene - Free and Fast
      2.) Phishing Campaign - Free and Fast
    B.) Election Assistance Commission Resources - https://www.eac.gov/election-officials/election-security-preparedness/
    C.) Cloudflare - Free Election Website Protections - https://www.cloudflare.com/athenian-project/
    D.) Google - Free Election Website Protections - https://protectyourelection.withgoogle.com/intl/en/

4.) Get cyber security training for you and your staff

    A.) In development from the state and federal resources

5.) Advocate for direct assistance in navigating this cyber minefield

Good luck. We have just over six months until the midterms.



Noah Praetz
Director of Elections
Office of Cook County Clerk, David Orr
69 West Washington Street, Suite 500
Chicago, IL 60602
312.520.2833 mobile
312.603.9786 fax
web: www.cookcountyclerk.com

10 of 10
Comment  | 
Print  | 
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
8/14/2018 | 6:58:04 AM
Threat Intelligence
This article hits on a number of important points.  Part of this is basic cyber hygiene practices and it's not clear to me why the election networks themselves should be connected to the public Internet.  Threat intelligence and information sharing are very important.  We are seeing TI and info sharing become more important in guidelines like NIST Cyber Security Framework.  As the article points out a lack of skilled security staff is a challenge.  There is a newer technology called a Threat Intelligence Gateway (TIG) that gives you access to significant amounts of threat intelligence, enables you to integrate ISAC and other TI sources, and allows you to make use of TI to protect your network.  The cool thing about the TIG is that it enables organizations to access and act with enterprise grade TI without needing an army of security analysts.
User Rank: Strategist
8/2/2018 | 12:00:30 PM
Illinois and election integrity are mutually exclusive terms
"What I've been telling everyone as I speak to groups is that we have to run a successful election that people can trust even if we are hacked," says Noah Praetz, director of elections in the Cook County Clerk's Office in Illinois

When 130% more people vote in Cook county than are actually alive one could be preplexed with priorities.
  • Secure voter registration and validate the roles
  • Secure integrity with auditable chain of custody
  • Secure and isolate voting machines from tampering, verifiably.
  • TRAIN the poll personnel on best practices and validate their skills! 
  • Bring in accounting oversight at every step.

These are a few of my favorite things.
User Rank: Apprentice
8/2/2018 | 9:48:47 AM
Re: Untrusted Processing Systems, Self-Certification of Citizenship for Registration & Self-Audits by Secretaries of State Provide Untrustworthy Election Results!
tks for share
User Rank: Moderator
7/30/2018 | 3:32:06 PM
Re: Untrusted Processing Systems, Self-Certification of Citizenship for Registration & Self-Audits by Secretaries of State Provide Untrustworthy Election Results!
Thanks very much Robert for your long comments. I don't have the answer but my expansive hope was that this story would generate some good discussion and sharing of ideas. I just think given the current state of politics in Washington a solution won't come from Washington. Average citizens, state and local governments and security people who know how to solve at least the technical issues need to be more vocal. 
User Rank: Apprentice
7/27/2018 | 7:10:47 PM
Untrusted Processing Systems, Self-Certification of Citizenship for Registration & Self-Audits by Secretaries of State Provide Untrustworthy Election Results!
Outstanding article! Unfortunately, it is just the latest in hundreds of valid articles about U.S. failures to provide trustworthy elections.  Just do web searches on "election fraud" and "elections integrity" to see some of them. 

This is a much more complex issue than the typical "voter fraud" component focused on just the voter registration elements.  Even if a 100% accurate voter registration system was implemented where only valid U.S. Citizens could register, that element would miss the most urgent need for end-to-end audit trails, chain-of-custody records and appropriate background checks on those allowed access to voting machines and within the ballot processing system.

In Nevada, our citizens task force composed of professionals has worked for almost a decade trying to stimulate interest in "Trustworthy Elections" by all levels of government and by both political parties. Check out my profile for my past expertise.

We have demonstrated that "Untrusted Processing Systems, Self-Certification of Citizenship for Registration & Self-Audits by Secretaries of State Provide Untrustworthy Election Results!"

But, so far, we have been unable to get leading government officials to make any significant improvements.  And, detected government failures and suspected fraud is never prosecuted by District Attorneys because they are prohibited from investigating the evidence.

Conduct a web search on "NevadansCAN elections integrity some voting machines allow remote access" to find some of our exhaustive research, documentation and Nevada court hearing records up through the Nevada  Supreme Court on this vital issue. 

We have tried often to amend Nevada statutes to require independent audits of the systems components before, during and after elections (proposed to be done by accredited members of the Association of Certified Fraud Examiners), but leaders of both political parties at all levels have refused to cooperate.  Imaginie if our society refused to have such certified fraud examiner reviews of banking records and government secrets! How could we trust the financial institutions?

Find some of our legislative video testimony by searching on YouTube with the words "elections integrity robert frank"

We have twice contested elections in state courts the results of the Nevada Elections System by following statutes and appealed one particularly improper ruling at the district level to the Nevada Supreme Court and been summarily dismissed. 

The President's and Vice President's federal commission on elections integrity was sabotaged and had to be terminated because of opposition by both parties.  The Federal Elections Commission and Elections Assistance Commission refuse to ensure that at least the federal elections are conducted on trustworthy systems and are independently audited by unconflicted fraud examiners. 

Does anyone have a viable way to "fix" this problem of untrustworthy election systems?  We have exhausted our list of possible ideas for action.  

Robert Frank, Chair, NevadansCAN.com, Las Vegas, Nevada
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/17/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-19
An issue was discovered in Tiny Tiny RSS (aka tt-rss) before 2020-09-16. The cached_url feature mishandles JavaScript inside an SVG document.
PUBLISHED: 2020-09-19
** DISPUTED ** Typesetter CMS 5.x through 5.1 allows admins to upload and execute arbitrary PHP code via a .php file inside a ZIP archive. NOTE: the vendor disputes the significance of this report because &quot;admins are considered trustworthy&quot;; however, the behavior &quot;contradicts our secu...
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with unit().
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with pair().
PUBLISHED: 2020-09-19
An issue was discovered in the sized-chunks crate through 0.6.2 for Rust. In the Chunk implementation, the array size is not checked when constructed with From&lt;InlineArray&lt;A, T&gt;&gt;.