Are Mass. elections safe from hackers? It depends on whom you ask
Last month’s warnings from the Department of Homeland Security that Russia could attempt to influence the fall elections have prompted reviews of voting systems across the country, including in Massachusetts.
But in the midst of a contentious primary for the post that oversees elections, the state of voting security in Massachusetts depends on whom you ask.
Secretary of State William Galvin, who has overseen elections in the state for the past 24 years, said Wednesday that Massachusetts has not seen the type of election fraud or cyber hacking that has occured in other states.
“We have a secure system. The proof of that is we have not been hacked. That’s the proof,” Galvin said in an interview Wednesday.
The vote of confidence came after Galvin’s challenger in the Sept. 4 Democratic primary, Boston City Councilor Josh Zakim, called a press conference to raise concerns that Massachusetts has not taken heed of the national intelligence warnings, putting the state at risk of election meddling, such as cyberattacks on the state’s voter rolls.
“We need a secretary of state who is proactive on this, who is going to say the status quo is not OK, because it’s not,” Zakim told reporters.
“There have already been attempted hacks in other states that have been widely reported from intelligence agencies, from national security agencies . . . and Massachusetts needs to be ready for 2018, and 2020.”
If elected, Zakim would create a “best-in-class” Cybersecurity Operations Center within the office’s elections division, he said, which would include at least seven full-time staff members who would monitor data such as voter rolls.
He estimated a budget of $600,000 to $700,000 and said he would lobby the Legislature for support.
Galvin responded that his information technology department already monitors voter rolls and elections, and that no more staff are needed. “What are they going to do, look at the clock?” he asked.
Election security and voter access have emerged as campaign themes in contests for secretary of state, as federal officials in recent weeks have sounded alarms that outside entities, such as Russia, could attempt to influence the elections. The secretary of state’s office runs elections across the state, among other duties such as overseeing the public records laws and monitoring securities.
Federal investigators found after the 2016 election that hackers had targeted voter data in 21 states. Massachusetts was not one of them, and there was no evidence any vote was affected anywhere.
In May, a Globe review found that states in New England had taken steps to enhance security, including by hiring cybersecurity consultants.
On Wednesday, Galvin said the state’s hesitance to employ unchecked technologies in voting booths has helped to protect Massachusetts from cyberattacks. Voting devices such as touch screens, for instance, have proven to be more vulnerable to attacks.
The state relies on a paper ballot system, one that’s not logged on to any Internet network. Voting machines are tested for accuracy before elections, he said.
Galvin said the state’s voter rolls are also kept in a closed system. Municipalities have access to them, but they are kept by the state, and cities and towns can access only their own local information.
Galvin said that the security of voter rolls is monitored by security analysts.
Galvin said more work could be done to test and safeguard the system, but said random audits are performed before and after elections and argued that the system’s design protects it from online attacks.
“We’re on a very closed system with very restricted access,” he said, calling any criticism of it “buzz words and rhetoric.”
“We’ve tried to make our system less fragile, and I think we’ve succeeded,” he said. “Our success in not having been hacked is the evidence that we’ve done that.”
Marie Ryan, town clerk in Great Barrington and president of the Massachusetts Town Clerks’ Association, said Massachusetts municipal clerks have not expressed concern about the state system, because it is not connected to any other network.
“We never really have been worried about that kind of security,” Ryan said. “Our system, our voter registration, it’s a closed system.”
She added that “nothing gets put on the Internet.”
But Zakim, calling the integrity of elections “a cornerstone of our democracy,” said the state needs to do more. He pointed to Colorado and Rhode Island, which have implemented “risk limiting audits” that require random analysis of ballots after any election, which could indicate whether further examination is needed.
He also said the state needs more backup systems for voter registration rolls, and that those rolls should have round-the-clock monitoring.
“You cannot continue the ‘put your head in the sand’ approach to election security in Massachusetts and say just because of paper ballots, we’re safe,” he said.
“We have other vulnerabilities, and we need to be addressing those.”
Asked if he had confidence in the integrity of the upcoming primary election, Zakim said, “I think we need to do better.”