NOWCAST WDSU News at 10pm
Watch on Demand
Advertisement

EXCLUSIVE: Pandemic stalling election security fixes

Analysis finds local election websites still not using basic security measures
Mark Albert
EXCLUSIVE: Pandemic stalling election security fixes

Analysis finds local election websites still not using basic security measures

lets talk about election security less than four months until election day, leaders across the country told us they're racing to recruit more poll workers, get more money for covered related changes and brace for a huge surge in absentee ballots. And in some cases, we found the pandemic is stalling efforts to improve election security. Kobe has put us behind. We were making progress, but then of first the pandemic him well, I want to do on that. In February, on the day of the first in the nation Iowa caucuses, the national investigative unit revealed most local election Web pages across the country lack to basic security measures strongly recommended by the federal government. In cyber experts, encryption and a dunk of domain sounds like a big problem. It is a big problem. Steve Groman is the chief technology officer at McAfee Security, a worldwide cyber firm that checked more than 2000 local election websites. At our request, he told us the lack of those two security tools made sites easy to spoof. As he showed us back then it would be very difficult to determine which one is really wow, and as he showed us now by plastering misinformation like a cove. It poll tax on this really looking election website he created to illustrate the threat. And if you want to vote absentee, it's gonna cost you $19. Of course, all of this information is fake, but it might give them the wrong information or even just not voted all Steve. If it's so easy to spoonful website, why in the world are these counties not fixing them? I think they don't understand how critical it is in old McAfee's new analysis for us of those websites from earlier this year show just tiny single digit progress overall. So we asked the women and men in charge. Why they may not be the most important things gets improper to assume that the underlying networks that are need to be secure are not. Jay Ashcroft is secretary of state in Missouri, where 84% of the state's county election pages are now encrypted up dramatically from 34% in January. Not much progress, though, for dot Gov. Ohio made the most dramatic progress this year. Of all the states in our investigation, Frank Larose is the secretary of state and says he does not doubt the threat. One of the most damaging things that our foreign adversaries conduce do is diminish voter confidence by hacking a elections website. But some states are far behind. Mississippi is one of the worst states for having encryption and dot gov on local election websites, McAfee found even slipping from progress it had made earlier this year. I'm wondering why I'm or Mississippi County election websites are not using them. Yeah, that's a great question, and you don't have the authority to force them to do that. California also went backward, with four counties dumping the federally validated Dunk of domain, to use commercially available dot org's or dot com. Al Expedia is the secretary of state there. Why air your county is not MAWR aggressively embracing these basic election security measures? Matter of reinforces, voter education is paramount. Some leaders accurately point out no one is actually voting on these local election websites. But voters do rely on the information there to be truthful information that could be manipulated without proper security. In Georgia, which saw disastrously long lines in some places for its primary, the secretary of state promised us he'll seek a deadline for better security on county election websites need to get from them a date on when they plan on having that implemented. It sounds like you're gonna hold them accountable. Well, it's very important that we also healthy, county commissioners understand. In addition to election security, nearly all the leaders we spoke with told us they worry about whole workers deserting at the last minute because of health worries of postal delays because of a surge in absentee ballots, and of an impatient public increasingly anxious if election results aren't known for days, including the winner of the marquee presidential race in Washington, I'm chief national investigative correspondent Mark Outward.
Advertisement
EXCLUSIVE: Pandemic stalling election security fixes

Analysis finds local election websites still not using basic security measures
Mark Albert
The novel coronavirus pandemic is stalling some efforts to improve election security across the country, delaying efforts to install basic security measures on hundreds of local election websites, interviews with top leaders and an exclusive analysis by the National Investigative Unit has found.Election security is a topic on the agenda for the annual summer conference of the National Association of Secretaries of State which convenes virtually later this week, the last scheduled NASS conference for all of the nation’s top election officials before the general election. To assess the resiliency of county election websites in states nationwide, the Hearst Television National Investigative Unit asked McAfee Security to once again analyze more than 2,000 web pages where voters may turn to for information about voting, registration, election administration, precincts, poll hours and other suffrage details.While no American uses those local election websites to cast a ballot, citizens do rely on the information to be accurate so they can exercise their right to vote. A lack of simple security tools, cyber experts and government agencies say, could leave those webpages vulnerable to manipulation, possibly disenfranchising voters who are misled. The new McAfee analysis found little progress overall in securing those websites with encryption – identified by the letters ‘https’ in the URL – and with a federally-validated domain, like .gov, since the worldwide cyber firm’s initial analysis for the NIU conducted in January. ‘They don’t understand’Steve Grobman is McAfee’s chief technology officer and led the election website analysis. To demonstrate for this report how a lack of those two web security tools makes sites easy to spoof, Grobman created a real-looking election website – walled off in a "sandbox" so actual voters would not stumble upon it – modeled on a website used by a county in Georgia. He then plastered election misinformation on the simulated site, including a $19 COVID poll tax, to illustrate the threat. “All this information is fake, but it might give them the wrong information,” Grobman warned, which may cause voters to “just not vote at all.”When asked why, in light of the vulnerability and potential repercussions, more counties across the U.S. weren’t fixing them by installing encryption and migrating to the .gov domain, Grobman answered simply, “I think they don't understand how critical it is."Pandemic ‘put us behind’Indeed, some of the 15 election officials interviewed on-camera for this story conceded the pandemic had delayed efforts to strengthen election security on those websites, although many state-level leaders revealed they don’t have the authority to unilaterally mandate it. Iowa Secretary of State Paul Pate, who serves as the outgoing president of NASS, acknowledged, “COVID has put us behind." New Mexico Secretary of State Maggie Toulouse Oliver said, “we were making progress … but then the pandemic hit.” Michael Adams, secretary of state in Kentucky, said bluntly, "We got a lot of work to do."Some secretaries implied other issues, such as COVID-19-related disruption, may be a higher priority right now. Securing county election websites, “may not be the most important things,” Nebraska Secretary of State Bob Evnen said.Missouri’s chief election official, Secretary of State Jay Ashcroft, emphasized more robust security mechanisms are in place elsewhere, for example on state-run election infrastructure, like registration databases. "It's improper to assume that the underlying networks that need to be secure are not secure,” Ashcroft said in the interview.Dramatic progressLocal election websites in his state did make dramatic progress since the first McAfee analysis in January when only 34.2% of pages had encryption; now, 84.2% do, the cyber company found. Much less improvement was made in use of the .gov domain, however, rising from 6.1% of county election websites to 14%.The state with the biggest gains was Ohio, with 100% of county election pages now using ‘https’ to secure its sites, up from 61.4% in January, and the only state with all of its counties currently doing so. Pages on .gov rose more sharply, up from just 17% six months ago to 87.5% now.Frank LaRose is the secretary of state in Ohio and spearheaded the improvements because, he explained, the threat is real. "One of the most damaging things that our foreign adversaries can do is, is diminish voter confidence by hacking an elections website,” LaRose said in an interview.Some states far behindBut some states are far behind.Mississippi is one of the worst states for having encryption and .gov on local election websites, McAfee found. As of July 1, only 17.1% of its counties used encryption for their local election pages and only six percent were on a .gov domain."We don't have the authority to force" counties to increase security, explained Secretary of State Michael Watson. He called it "a great question," why more counties have not prioritized those changes.California did make a little progress on adding encryption, rising to 74.1% of local election websites, up from 65.5% in January. But it made no progress in overall use for .gov, still at 13.8%, or 8 of its 58 counties, the data show. Alex Padilla, California’s secretary of state, blamed it on “a matter of resources.” He said while he can’t force counties to change, he intends to stress “voter education is paramount.”Georgia to seek new deadline In Georgia, which saw disastrously long lines in some places for its June primary, the secretary of state promised in an interview that he'll seek a deadline from each individual county for better security on their election websites."We need to get from them a date on when they plan on having it implemented,” Secretary Brad Raffensperger vowed. “It's very important that we also help the county commissioners understand … how important elections are.” In addition to election security, nearly all of the leaders said in interviews they worry about poll workers deserting at the last minute because of COVID-19 health worries, of postal delays due to a pandemic-fueled crush of absentee ballots, and of an impatient public, increasingly anxious if election results aren't known for days – including for the winner of the marquee presidential race.Mark Albert is the chief national investigative correspondent for the Hearst Television National Investigative Unit, based in Washington D.C. April Chunko and Tim Tunison contributed to this report. Know of election security problems or voter suppression? Have a confidential tip? Send information and documents to the National Investigative Unit at investigate@hearst.com.
WASHINGTON —

The novel coronavirus pandemic is stalling some efforts to improve election security across the country, delaying efforts to install basic security measures on hundreds of local election websites, interviews with top leaders and an exclusive analysis by the National Investigative Unit has found.

Election security is a topic on the agenda for the annual summer conference of the National Association of Secretaries of State which convenes virtually later this week, the last scheduled NASS conference for all of the nation’s top election officials before the general election.

Advertisement

To assess the resiliency of county election websites in states nationwide, the Hearst Television National Investigative Unit asked McAfee Security to once again analyze more than 2,000 web pages where voters may turn to for information about voting, registration, election administration, precincts, poll hours and other suffrage details.

While no American uses those local election websites to cast a ballot, citizens do rely on the information to be accurate so they can exercise their right to vote. A lack of simple security tools, cyber experts and government agencies say, could leave those webpages vulnerable to manipulation, possibly disenfranchising voters who are misled.

The new McAfee analysis found little progress overall in securing those websites with encryption – identified by the letters ‘https’ in the URL – and with a federally-validated domain, like .gov, since the worldwide cyber firm’s initial analysis for the NIU conducted in January.

‘They don’t understand’

Steve Grobman is McAfee’s chief technology officer and led the election website analysis.

To demonstrate for this report how a lack of those two web security tools makes sites easy to spoof, Grobman created a real-looking election website – walled off in a "sandbox" so actual voters would not stumble upon it – modeled on a website used by a county in Georgia. He then plastered election misinformation on the simulated site, including a $19 COVID poll tax, to illustrate the threat.

WDSU-TV
McAfee Security Chief Technology Officer Steve Grobman interviewed by Chief National Investigative Correspondent Mark Albert; Hearst Television

“All this information is fake, but it might give them the wrong information,” Grobman warned, which may cause voters to “just not vote at all.”

When asked why, in light of the vulnerability and potential repercussions, more counties across the U.S. weren’t fixing them by installing encryption and migrating to the .gov domain, Grobman answered simply, “I think they don't understand how critical it is."

Pandemic ‘put us behind’

Indeed, some of the 15 election officials interviewed on-camera for this story conceded the pandemic had delayed efforts to strengthen election security on those websites, although many state-level leaders revealed they don’t have the authority to unilaterally mandate it.

WDSU-TV
Fifteen state election officials are interviewed by Chief National Investigative Correspondent Mark Albert on July 7, 2020; Hearst Television

Iowa Secretary of State Paul Pate, who serves as the outgoing president of NASS, acknowledged, “COVID has put us behind." New Mexico Secretary of State Maggie Toulouse Oliver said, “we were making progress … but then the pandemic hit.” Michael Adams, secretary of state in Kentucky, said bluntly, "We got a lot of work to do."

Some secretaries implied other issues, such as COVID-19-related disruption, may be a higher priority right now. Securing county election websites, “may not be the most important things,” Nebraska Secretary of State Bob Evnen said.

Missouri’s chief election official, Secretary of State Jay Ashcroft, emphasized more robust security mechanisms are in place elsewhere, for example on state-run election infrastructure, like registration databases. "It's improper to assume that the underlying networks that need to be secure are not secure,” Ashcroft said in the interview.

Dramatic progress

Local election websites in his state did make dramatic progress since the first McAfee analysis in January when only 34.2% of pages had encryption; now, 84.2% do, the cyber company found. Much less improvement was made in use of the .gov domain, however, rising from 6.1% of county election websites to 14%.

The state with the biggest gains was Ohio, with 100% of county election pages now using ‘https’ to secure its sites, up from 61.4% in January, and the only state with all of its counties currently doing so. Pages on .gov rose more sharply, up from just 17% six months ago to 87.5% now.

Frank LaRose is the secretary of state in Ohio and spearheaded the improvements because, he explained, the threat is real.
"One of the most damaging things that our foreign adversaries can do is, is diminish voter confidence by hacking an elections website,” LaRose said in an interview.

Some states far behind

But some states are far behind.

Mississippi is one of the worst states for having encryption and .gov on local election websites, McAfee found. As of July 1, only 17.1% of its counties used encryption for their local election pages and only six percent were on a .gov domain.

"We don't have the authority to force" counties to increase security, explained Secretary of State Michael Watson. He called it "a great question," why more counties have not prioritized those changes.

California did make a little progress on adding encryption, rising to 74.1% of local election websites, up from 65.5% in January. But it made no progress in overall use for .gov, still at 13.8%, or 8 of its 58 counties, the data show.

Alex Padilla, California’s secretary of state, blamed it on “a matter of resources.” He said while he can’t force counties to change, he intends to stress “voter education is paramount.”

Georgia to seek new deadline

In Georgia, which saw disastrously long lines in some places for its June primary, the secretary of state promised in an interview that he'll seek a deadline from each individual county for better security on their election websites.

"We need to get from them a date on when they plan on having it implemented,” Secretary Brad Raffensperger vowed. “It's very important that we also help the county commissioners understand … how important elections are.”

In addition to election security, nearly all of the leaders said in interviews they worry about poll workers deserting at the last minute because of COVID-19 health worries, of postal delays due to a pandemic-fueled crush of absentee ballots, and of an impatient public, increasingly anxious if election results aren't known for days – including for the winner of the marquee presidential race.

Mark Albert is the chief national investigative correspondent for the Hearst Television National Investigative Unit, based in Washington D.C. April Chunko and Tim Tunison contributed to this report.

Know of election security problems or voter suppression? Have a confidential tip? Send information and documents to the National Investigative Unit at investigate@hearst.com.

Top Picks

Rare find: Father-son lobstermen pull calico lobster from Maine waters
What is the 'American Community Survey' and is it legit?
Clint Eastwood's former California home on sale for $21 million
Meet the Navy veteran skydiving for his 91st birthday