PROVIDENCE — A computer security expert is proposing a solution that would let the state Board of Elections bolster its cybersecurity on Election Day without having to rip out modems that make the state’s election system vulnerable to cyberattacks.
On Aug. 2, the Board of Elections asked Tony Adams, an information security professional who lives in Providence, to write a memo suggesting ways to reduce the risk of hacking on election night, when modems are used to quickly report unofficial results.
In an Aug. 14 memo, Adams suggests having the modems report unofficial results to computers that are separate from the state’s core election computer system, which configures ballots and tabulates official results. That way, if hackers did penetrate the system on election night, they couldn’t change the official results or hold the whole system hostage with ransomware, for example, he said.
“This idea is so elegant you have to ask: Why didn’t I think of that?” Board of Elections Vice Chairman Stephen P. Erickson said this week. “Because you don’t have to spend a lot of money, it’s relatively simple to implement, and it will substantially increase the level of security — and the perceived security, which is important.”
With another presidential election coming up next year, attention is focusing on the need to defend elections against attacks such as the Russian campaign to disrupt the 2016 vote. In July, the US Senate Intelligence Committee issued a report on Russian meddling, saying states should “remove (or render inert) any wireless networking capability” — such as modems.
On Aug. 8, a Vice article reported that despite assurances from US election officials and voting machine vendors, “a group of election security experts had found what they believe to be nearly three dozen backend election systems in 10 states connected to the internet” — including Rhode Island’s system.
“Although only one system was found online in Rhode Island, this one was particularly problematic,” the article said. “Rhode Island, unlike other states, conducts its elections from a centralized office at the state Board of Elections, instead of farming out election administration to each county or jurisdiction. The election reporting system the researchers found online, therefore, was the reporting system for the entire state.”
Erickson said the Board of Elections was looking into this issue before the Vice article because the modems now installed in state voting machines will be obsolete by January 2020: The modems use 3G technology, and the wireless network will only support 4G devices next year.
“So this is the decision point,” he said. “If we are going to have electronic transmission of any kind, we have to upgrade the modems.”
One option is to get rid of modems and to have elections officials deliver unofficial results to the Board of Elections on thumb drives, Erickson said. But that would mean a delay in reporting unofficial results to the press and the public on election night, he said.
Another option is to upgrade to the 4G modems while adopting Adams’s proposal to have the modems communicate with computers separated from the core election system, Erickson said. He called that idea “intriguing” and “workable,” saying the board will revisit the issue at its Sept. 3 meeting.
In his memo, Adams said the state’s election reporting server and its firewall are “publicly exposed and its exposure presents a potential vulnerability.”
Adams noted the Board of Elections has said the server is only exposed to the internet during testing and for 30 seconds when unofficial results are transmitted on election night. But he said the exposure is longer than 30 seconds and “even these periods of exposure represent a measurable risk.”
Adams recommended the board separate the system used to report unofficial elections results from the core elections management system — placing them behind different firewalls.
“The cost to implement and maintain this alternate solution could be minimal and the complexity manageable,” he wrote. “It would allow the function of transmitting unofficial results to continue without additional security risks if implemented properly.”
Adams told the Globe his proposal would not eliminate the risk of tampering entirely, but it would further reduce the risk in a system that already has several important security features.
“We do use paper ballots and we do use post-election risk-limiting audits that provide the means to increase confidence that there has been no manipulation of the votes,” he said. “A well-resourced adversary like the Chinese or the Russians will find a way to satisfy a strategic objective, but anything we can do to make it harder for them, the better.”
Adams also called for the Board of Elections to create a team of cybersecurity and elections experts to review the risks of conducting elections using Internet-connected systems.
“Public trust in our democratic processes is built and strengthened by transparent and honest governance in our elections systems, both locally and nationally,” he wrote.
John M. Marion, executive director of Common Cause Rhode Island, said the group wrote to the Board of Elections back in May 2018, asking it to remove the modems or take other steps to reduce the risk they pose.
“It’s better late than never that they are addressing this issue,” he said Thursday.
Marion said Adams identified the risks that exist in the state’s election management and reporting systems. “This memo suggests a concrete step that could be taken to prevent that by separating those two systems,” he said. “This would go a long way to alleviate our concerns.”
Adams joined the Common Cause Rhode Island board in October 2018, but he has been talking to the Board of Elections about cybersecurity matters on his own since 2016.
On Thursday, Secretary of State Nellie M. Gorbea said she is “encouraged that Tony Adams has offered his valuable input and hopes that his voice will be one of many in this conversation going forward. Rhode Island’s collaborative approach has helped us establish a reputation as a national leader in elections security.”