fb-pixel

Election officials prepare for cyberattacks

Kirstjen Nielsen, US secretary of Homeland Security, and Jeh Johnson, who held the post during the Obama administration, addressed a recent Senate Intelligence Committee hearing regarding election security; the day before, senators released recommendations that included pressing states to buy voting machines that produce paper ballots, a recommendation seconded at Tuesday’s Harvard Kennedy School forum.
Kirstjen Nielsen, US secretary of Homeland Security, and Jeh Johnson, who held the post during the Obama administration, addressed a recent Senate Intelligence Committee hearing regarding election security; the day before, senators released recommendations that included pressing states to buy voting machines that produce paper ballots, a recommendation seconded at Tuesday’s Harvard Kennedy School forum.Erin Schaff/New York Times/File 2018

CAMBRIDGE — The headlines kept getting worse: “Feds Tell 21 States They Were Targeted During Election Day;” “Governor’s E-mail Hacked;” a former election official claiming on Twitter that the state was “Totally Unprepared to Guarantee Legitimate Elections.”

The headlines, displayed on a screen in a hotel conference room, were part of a role-playing exercise designed to put local, county, and state election officials through a nightmare scenario: What if their election was subjected to cyberattacks like the ones Russia perpetrated during the last presidential election. How would they respond?

Election officials from 38 states and territories were assigned to play various roles in the drama: a judge, an NAACP leader, an ACLU lawyer, a political operative, an IT specialist.

Advertisement



The military-style table-top exercise, as it was called, was sponsored by cybersecurity experts at Harvard’s Kennedy School of Government, who have launched a project called Defending Digital Democracy to prepare election officials for possible interference by Russian, North Korean, Iranian, or American hackers in the midterm elections this fall.

The officials, many of whom acknowledged they are overwhelmed and have no background in computer security, received a mix of practical tips and encouragement.

“The main point is that hackers are not magicians,” Michael Sulmeyer, director of the cybersecurity project at the Kennedy School’s Belfer Center, told the group. “You are not up against Houdini. Most of the time, the bad guy is taking advantages of weaknesses that are known. . . . The issue is fixing them. This is doable. This is possible.”

Bruce Schneier, a computer security expert, said the most secure election systems use optical scanners to read ovals filled out on paper ballots. That way, the paper ballots can be counted by hand if the computerized systems are hacked, he said.

Massachusetts uses paper ballots for its elections, with a mix of optical scan, digital scan, and hand-counting in some small towns.

Advertisement



“The more we can rely on paper, the better we will be,” Schneier said. “To the extent you have that, you are resilient against whatever hacks happen to the machine.”

Heather Adkins, director of information security and privacy at Google, told the officials they could protect their computers from hackers by disabling Bluetooth, turning off Wi-Fi, keeping the machines in a locked room, putting epoxy in the USB port, and narrowing the list of staffers who have administrative access to the systems.

“Maybe it should be 10 or 5,” she said. “Maybe two people should need the password.”

Eric Rosenbach, codirector of the Belfer Center, traced the roots of Tuesday’s training session to the spring of 2016, when he was chief of staff at the Pentagon, and intelligence suggested Russia was interfering in the presidential election that put Donald Trump in office.

“It’s something that really shook me up,” Rosenbach told the group, gathered at the Charles Hotel in Harvard Square. “I was just left with the feeling that I didn’t do enough, that we as an administration didn’t do enough, and that we’re still very vulnerable.”

In addition to working with tech executives, the project has named as “senior fellows” Robby Mook, Hillary Clinton’s campaign manager in 2016, and Matt Rhoades, Mitt Romney’s campaign manager in 2012.

Both former campaign chiefs said election meddling should not be a partisan issue.

“At the end of day, we all agree only American voters should be able to decide the outcome of American elections,” said Rhoades, who noted that the Romney campaign was targeted by Chinese hackers in 2012.

Advertisement



The centerpiece of the training session was the table-top exercise, a war-game-style simulation that gave election officials from various states and counties a few short hours to prepare for “the worst election day that you can possibly imagine.”

Caitlin Conley, an Army officer attending the Kennedy School, said the goal was to make officials “think fast and feel stressed to prepare them for a real-world cybersecurity attack.”

“We’re going to push you,” she told the group. “You are going to fail, at some point, no matter what you do. That’s good. You fail here, so you don’t fail in the real world.”

Michelle Tassinari, the director of elections and legal counsel for Massachusetts Secretary of State William F. Galvin, was assigned to play the chairwoman of the fictional Freedom Party, a role that allowed her to try to exploit the cyberattack for partisan gain.

“Yes!” she said when she landed the role. “I’m going to stir the pot.”

Reporters were allowed to cover only the beginning of the exercise so officials could feel free to vent their frustrations as the simulation grew increasingly stressful.

“We’re not experts in cybersecurity, and an exercise like this can be frustrating,” said Christine Walker, the clerk in Jackson County, Ore.

“But, at the same time, it’s purposeful. It’s meant for us to think outside the box, and to challenge ourselves to think, quite frankly, that there’s not a lot of nice people out there and, for whatever reason, they will try to infiltrate our systems.”

Advertisement




Michael Levenson can be reached at mlevenson@globe.com. Follow him on Twitter @mlevenson.