38
◼ SOLUTIONS Bloomberg Businessweek August 19, 2019legislatures historically have been stingy in funding efforts.
Florida’s Republican governor, Ron DeSantis, said in June
that he’d identified $5.1 million t o fortify cybersecurity. The
state spends more on citrus research and animal control,
according to its 2019 budget.
The state’s Republican senior U.S. senator, Marco
Rubio, says it makes sense that hackers would continue
to target his state. “If you wanted to conduct influence
operations in this country by undermining people’s confi-
dence in our election system, Florida would be on the top
of your list,” he says. “We’re a large state. We’re a diverse
state. We’re politically competitive.”
Russians infiltrated two unnamed Florida counties in
2016, but state officials had no idea the counties had been
breached until after the election, when they were informed
by federal agents, according to officials close to the inves-
tigation who asked not to be identified. Federal authori-
ties aren’t releasing the names of the counties to stave off
embarrassment and to encourage local governments to
be forthcoming if additional flaws are discovered.
In Illinois, election authorities are at odds with DHS
over how successful Russian hackers were in breach-
ing the state’s system. Illinois officials say Russian cyber-
sleuths gained access for almost three weeks, secretly
downloading and attempting to alter more than 200,000
registration records before they were caught. They bar-
raged the system with so many commands that the reg-
istration site stopped working, says Matt Emmons, who’s
overseeing the state’s election security effort. “The gen-
eral consensus is they wanted us to know what they had
done and where they had been.” DHS staff told the Senate
Intelligence Committee that the attackers could have
done far more damage and maybe did, according to the
panel’s report. The differing accounts suggest continuing
friction between states and the agency, potentially creat-
ing an intelligence gap as the 2020 election approaches.
Officials in Illinois are resorting to some old-school
techniques to bolster security at their strip mall head-
quarters. When European government officials visited in
July to determine how U.S. election systems differ from
theirs, the state required them to undergo background
checks. It was an acknowledgment that preparing for
another 2016-style attack isn’t enough. “We’re constantly
telling our clients that it’s no longer a matter of ‘if’ you’ll
be attacked, but rather a matter of ‘when,’ ” says Haiyan
Song, vice president and general manager of Splunk Inc.,
a San Francisco-based cybersecurity firm. “That cer-
tainly applies to governments in election security, as well.”
�Kartikay Mehrotra and Alyza Sebenius, with Jonathan
Levin and Daniel FlatleyTHE BOTTOM LINE Illinois is spending millions to safeguard its voting
systems for the 2020 presidential election, but it might not be enough as the
number of nations committing data breaches multiplies.elections,” says Governor J.B. Pritzker, a Democrat.
“We’re securing our elections with state resources, but
there is a federal need. This is a national crisis.”
State election authorities are more prepared than they
were four years ago, when they weren’t focused on the
threat of voting system hacks. But Illinois’s struggles illus-
trate how outmatched most states are and how money—
and the cyberskills of local authorities—will determine
whether election infrastructure from Illinois to Florida will
be secure in November 2020. While those two were the
only states named in special counsel Robert Mueller’s
report as targets of election meddling by Russian hack-
ers, the Senate Intelligence Committee in July concluded
there were “extensive” efforts to hack all 50 states.
In 2016, Russia’s cyberforces sent e-mail phishing mes-
sages and tested the vulnerabilities of voting systems.
Election-security experts fear that was merely prac-
tice for a much more aggressive effort, according to the
Senate panel’s report. The biggest concern is that foreign
actors could change enough votes to swing an election.
Experts say that’s almost impossible because machines
generally aren’t connected to the internet and votes are
counted and audited at thousands of individual polling
places. A more plausible concern: Hackers meddle with
data that poll workers depend on. If voters’ information
is altered or their names removed from registration lists,
the result could be anger and chaos that undermine the
election’s legitimacy.
Funding remains a key obstacle. In Illinois, officials have
said they need about $175 million to rebuild and defend
the election apparatus but have received slightly more
than 7% of that amount. Like Illinois, most states don’t
have enough money to pay for new security measures
that experts say are required to ward off increasingly
sophisticated attacks, according to state election officials
across the country, academics who study election secu-
rity, and executives at cybersecurity companies.
The scale of the country’s election infrastructure is
a big part of the problem. Elections are administered by
state and local officials, which means all 50 states must
wage their own battles with the U.S.’s geopolitical rivals.
Convincing smaller and rural counties with few resources
that they too could be targets remains a challenge, says
Matthew Masterson, senior adviser on election security at
the U.S. Department of Homeland Security. They often lack
even basic security measures, such as two-step verifica-
tion for accessing internal election databases. “They think,
‘Who would want to bother us?’ ” he says.
Since last year, Congress has distributed $380 mil-
lion to the states, which have used much of that money to
install a threat-monitoring system called Albert, a spinoff of
a federal surveillance program. But Senate Majority Leader
Mitch McConnell has blocked a Senate bill to distribute an
additional $600 million for state election security, and state