2020 Election Security: Few Ohio Counties Have Adopted Mandatory Alarm to Detect Hacks

In June, Ohio Secretary of State Frank LaRose issued a security directive to county boards instructing them to install the alarms, conduct assessments and training on physical threats and cybersecurity and change email systems, among other measures.

The Repository

By Rick Rouan

CANTON, Ohio -- The vast majority of Ohio's county boards of elections haven't installed the digital burglar alarm that Secretary of State Frank LaRose says helped his office detect a hacking attempt of his office's website on Election Day this year.

With less than two months to go before the deadline LaRose imposed for installation of the so-called Albert systems, just 13 out of Ohio's 88 county boards of elections have operational alarms. The remaining 75 have until Jan. 31 to install them.

The most important consequence is not being prepared," LaRose said earlier this month after the start of a daylong security conference for county elections officials in Columbus. "This is too important to take lightly."

Franklin County has had an Albert sensor in place since May 2018, with other network sensors in place at the Franklin County data center before that.

But even with the threat of digital attacks, LaRose said Ohio's election procedures are secure. None of the equipment used to cast or tally ballots is connected to the internet. Doing so would violate Ohio law.

In June, LaRose issued a security directive to county boards instructing them to install the alarms, conduct assessments and training on physical threats and cybersecurity and change email systems, among other measures.

So far, 52 counties have completed half of the security directive's instructions, and all of them have requested security support from the U.S. Department of Homeland Security.

Sean Durkin, director of information technology for Stark County, said his department is in the process of installing the Albert systems that detect online intrusions. And it is on track to finish by the January deadline set by the Secretary of State.

Durkin declined to provide specifics, citing security.

I'm not comfortable stating where we are exactly with that," Durkin said. "But we are moving along just fine with all the changes they've asked us to implement. We look to be fully compliant by the they said (the Secretary of State's directive) had to be fulfilled by."

Stark County Auditor Alan Harold, who oversees Durkin's department, said it's not clear yet what the costs to the county will be. Under the agreement, the county is responsible for the costs of maintaining the hardware and software provided by Center for Internet Security.

Durkin said in compliance with the Secretary of State's directive, his department performed security assessments of the Board of Elections' computers between April and August and the county's email system is in compliance with the Secretary of State's standards.

LaRose said he is optimistic about the prospects of the boards meeting the Jan. 31 deadline now that they are past the November election. That drew nervous laughter from the assembled elections officials.

The Election Day 2019 hacking attempt came from the Russian company OKPay Investment but was traced to Panama, according to the secretary of state's office.

LaRose has called the attack on his office's website "unsophisticated," but he said it was different from the typical "carpet bomb" hacks that search for security holes. Instead, it specifically targeted the voter registration form on his website and the voter lookup tool that is used frequently on Election Day to find polling places and determine what is on the ballot.

The goal of such attacks is to undermine the credibility of elections in the minds of voters and make the average voter wonder if it's worth it to go to the polls, he said.

We know that the threat is very real," LaRose said. "We know that the threat comes from a variety of sources, that these sources include state actors, that these sources include people with motivations such as financial reward or notoriety or fame."

The state hopes to combat some of what LaRose called "dedicated and well-resourced opponents" with the launch of a "cyber reserve" under the Ohio National Guard. That was created with the passage of an elections-security bill earlier this year.

The cyber reserve will operate similarly to the military reservists in the National Guard, with regular training and mobilization initiated by Gov. Mike DeWine. The state is recruiting cyber professionals across the state to be part of the first cyber reserve teams, which should be up and running by the end of January, said Maj. Gen. John Harris, adjutant general of the Ohio National Guard.

The goal of the reservists will be to "mitigate consequences" of a cyberattack and to return systems that have been attacked to working order, Harris said. They will be available for hacks of any government entity, not just elections boards.

In a room full of elections officials in jackets, ties and dresses, Harris said he made the conscious decision to don military fatigues, as he always does when discussing cybersecurity, to make a point about the digital war that is being waged.

Policy around the digital fight is lagging, he said. He compared the current way government addresses cybersecurity to a military group under attack that just keeps building thicker walls rather than mounting an offensive.

We don't think about the digital battlefield and the importance of the digital battlefield. We are engaged today in a pretty significant digital fight," Harris said. "It is truly a persistent fight and one we're engaged in every single day."

(c)2019 The Repository, Canton, Ohio

Visit The Repository, Canton, Ohio at www.cantonrep.com

Distributed by Tribune Content Agency, LLC.

McClatchy-Tribune News Service

Recommended for you

Copyright © 2020 Gov1. All rights reserved.