Outside Firm Finds Elections 'Risk' In Vermont, But Condos Says State Is Prepared

Aug 13, 2018

A cybersecurity firm hired earlier this year to try to hack into Vermont’s elections system uncovered a potential vulnerability, according to records requested by VPR. But Secretary of State Jim Condos says his office has since mitigated the risk.

Attempts by Russian hackers in 2016 to gain unauthorized access to elections-management systems in 21 states have put elections security at the forefront for elections officials across the United States.

Vermont was not one of those states, but Condos says the threat persists as Vermont and other states head into the 2018 midterms.

“We already have word from the … intelligence community in D.C. telling us that the Russians attacked in 2016, and they are going to attack again in 2018,” Condos says.

Back in May, Condos’ office hired the company SHI International to kick the tires on Vermont’s system. The New Jersey-based firm ran what’s known as a “penetration test,” where they search for the same vulnerabilities that a malicious hacker might use to gain unauthorized access.

The company’s report gave generally high marks to the state’s elections IT infrastructure, calling it “considerably well established and mature in comparison” to other systems SHI has audited.

"Cybersecurity is essentially a race without a finish line, because the bad actors, the bad guys, if they couldn't get into our system yesterday, they'll evolve and try to get in in a different way today." — Secretary of State Jim Condos

The firm did, however, identify one potential vulnerability, related to something known as “multiple external authentication portals.”

“So in layman’s terms, I think what they’re referring to … are when you’ve got a system like, for instance, a statewide voter database, there are times when you have authorized users around the state that need to get into that database,” says David Becker, founder and executive director of the Center for Election Innovation and Research, in Washington, D.C.

The problem, according to SHI, is that those “authorized users” - a town clerk for example - only had to type in their username and password to gain access to the system.

That’s known as single-factor identification. And if Vermont wants to gird against unwanted intruders, then SHI said it should have multiple-factor authentication - like when your bank or credit card company sends you a code, via text or email, that you need to type in before you’re allowed to get into your account.

“It basically ensures that someone sitting in Moscow can’t access the system when only authorized users could,” Becker says.

Condos says his office was in the midst of instituting a two-factor authentication system before SHI conducted the penetration test. He says that system is now fully in place.

“We already knew we were going to fix that problem,” Condos says. “And it wasn’t a problem, it was just a potential area of concern.”

Montpelier City Clerk John Odum, an elections security expert himself, says the new security protocols are an important development.

“Two-factor authentication plugs a lot of holes,” Odum says. “I mean, I can’t think of a single step you could take that would be more effective.”

Odum, however, says there’s “no such thing as an invulnerable system.” Security, he says, is “a constantly moving target.”

Condos uses a different analogy.

“Cyber security is essentially a race without a finish line,” Condos says. “Because the bad actors, the bad guys, if they couldn’t get into our system yesterday, they’ll evolve and try to get in in a different way today. And if they can’t get in today, they’re going to try again tomorrow.”

Becker, who used to work in the elections division at the U.S. Department of Justice, says it’s unlikely that hackers, Russian or otherwise, would actually try to change the results of an election.

They’re more likely to mess with voter rolls, Becker says - to take people off them, for example, or alter their precincts.

“Their goal is to get us to lose confidence in our own system, and to undermine democracy not just in the United States but worldwide,” Becker says.

Condos says voter confidence in the system is critical. And he says Vermonters should have that confidence.

Condos says he can’t guarantee there won’t be an attack on Vermont’s system. What he is confident of, Condos says, is that security protocols will enable his office to detect intruders when they arrive, and prevent them from undermining the integrity of Vermont elections.

The Department of Homeland Security, for example, which designated elections infrastructure as a “critical asset” in 2017, monitors state elections systems for real-time breaches.

“They can get back to us within 15 minutes to let us know whether we’re under attack or not,” Condos says.

The federal government also conducts a weekly “hygiene scan,” according to Condos.

“Every week they do a ping off of our system to see if they can see any vulnerabilities that may have opened up,” Condos says.

Condos says his office also does a daily backup of the voter registration databases, so that if bad actors do manipulate the voter rolls, Condos’ office can default to previously saved version.

And Condos says the ultimate cybersecurity safeguard is, ironically, the use of paper ballots as a backup, even in Vermont towns and cities that have electronic voting machines.

“Paper ballots can be audited. They can be recounted,” Condos says.

Condos’ office has commissioned two independent penetration tests of Vermont’s elections infrastructure since 2016.

VPR requested copies of all reports related to those tests, but Condos’ office redacted almost all of the records.

In a response to VPR’s records request, Deputy Secretary of State Chris Winters said the redactions were made to “information about our system architecture, specific areas tested, test results, and vendor recommendations about hardening our defenses.”

“Making that information public would give bad actors a blueprint for how to potentially exploit our systems and would jeopardize the security of our systems and elections,” Winters wrote.

Winters cited an exemption in Vermont’s public records law that allows state officials to withhold from public release “passwords, access codes, user identifications, security procedures, and similar information the disclosure of which would threaten the safety of persons or the security of public property.”

Becker says in his view, “Secretary Condos has given you a completely legitimate reason” for withholding the redacted materials.

“He has to walk … a very fine line,” Becker says. “On one hand they want to transparently demonstrate to all Vermont citizens … that they are doing what they need to do to shore up their systems. But if they go into too much detail, they’ve provided a roadmap to those that would hack into their systems.”

Odum says if Condos’ office did have to make public reports related to the penetration test, “that would then become a disincentive to do these [penetration] tests at all, because you don’t want to create a blueprint for how to hack the secretary of state.”

“You want people to do penetration testing,” Odum says. “You want folks banging on the door from the outside in, because they’re going to see folks building the walls from the outside in just aren’t going to see.”