HARTFORD, CT — Two days after President Donald Trump eliminated the position of cybersecurity coordinator on the National Security Council, Secretary of the State Denise Merrill convened the second meeting of the Elections Cybersecurity Task Force.
At the very beginning of the meeting, Merrill reminded the task force that the election system faces several threats, including natural ones, like the tornadoes that touched down in the state last week and caused more damage than some hurricanes in several towns. She said they have emergency protocols in place for what happens if a polling place loses power, but are still putting plans together for emergencies that might not be as easily detected.
“This will be the first statewide election following Russia’s attempt to interfere with our election infrastructure right here in Connecticut,” Merrill said.
She said there’s a belief out there that Connecticut’s online voter registration system was “hacked,” but the system was never impacted. Essentially the Russians knocked on the door, but were not able to get in and cause any damage or even change any information.
“Our cyber defenses held,” Merrill said.
She said Connecticut’s elections are very difficult to hack because they are decentralized, but what these attempts have done is “scare people” and make them think Connecticut’s elections are not secure.
“It is clear the real attack was on our faith in democracy,” she added.
Deputy Secretary of the State Scott Bates said Russian attempts at probing election systems are continuing into the 2018 election cycle, according to U.S. intelligence officials.
Merrill said they are taking nothing for granted and will make sure Connecticut’s elections are even more secure than they were in 2016.
“We are doing everything we can to strengthen cybersecurity,” Merrill added.
Sue Larsen, president of the Registrar of Voters Association of Connecticut and a member of the task force, said that they would like to get training on malicious emails and cybersecurity.
“We feel right now we’re not up to speed in what’s happening in the cybersecurity area,” Larsen said.
She also suggested the state spend some of the $5 million they’re getting from the federal government to upgrade some of the computer systems in towns.
She said several small towns are still using Windows XP—an operating system that was released for sale in 2001. She also suggested that the state send someone to the town for an audit of the election, instead of requiring the Registrar of Voters to drive the ballots to Hartford.
“We feel that’s a real security issue,” Larsen said.
Luther Weeks, executive director of the Connecticut Citizen Audit, reminded the task force that even though Connecticut’s voting system isn’t networked to the Internet, it can still be hacked.
Weeks pointed to the Stuxnet attack, a computer worm used in a successful nation-state attack of Iran’s nuclear program, which was based on an unconnected proprietary system.
“Even though our optical scanners are appropriately not attached to the Internet, they are still vulnerable,” Weeks said. “There’s no guarantee that a stand alone system can be protected.”
The memory cards that go into the tabulators or scan machines at the polling locations could be tampered with and reprogrammed. The University of Connecticut audits a sample of the cards before and after each election.
Alexander Schwarzmann, head of UConn’s Center for Voting Research, said they make sure “there is no funny business or extraneous data on the cards,” as part of their audit.
He said the audits of the cards, paper ballots, and recounts should “ increase the public’s confidence the elections are conducted properly.”
However, Weeks it would be easy for someone working in town hall in one of the bigger towns to get access to all of the cards in that town and reprogram them for a local referendum or election.
In the coming days Connecticut will receive little more than $5 million from the federal government and are in talks about how to strengthen voting security at the local level.
Mark Raymond, Connecticut’s chief information officer, said most of the attempts to gain access have come from phishing. He said making sure people know they’re reading email from a trusted person and not giving up any information is the first and best line of defense Connecticut has.
Earlier this month the state of Connecticut finalized its Cybersecurity Plan.
The plan recommends that every state employee receive education in cybersecurity awareness.