Cybersecurity experts say one of the most common and easiest measures to implement is https encryption. But while many people rely on these local county election websites as trusted sources of election and voting information — particularly in a pivotal election year — many of these information hubs lack proper security measures against cyberattacks, an analysis by The Beacon found:
- Of the Missouri election offices with websites, 34% are not https encrypted
- Of the Kansas election offices with websites, 34.6% are not https encrypted
Altogether, these counties serve thousands of voters with critical races at the congressional, state and local levels this year. The findings reveal the existence of vulnerabilities that could undermine operations come Election Day in a time of heightened concern over this election’s integrity, experts say.
“If those information channels are corrupted, that can go a long way towards undermining trust in the system, faith in the system,” said Max Hailperin, professor emeritus of mathematics, computer science and statistics at Gustavus Adolphus College, who volunteers with the Minnesota Secretary of State’s working group on election security.
The two basic steps to a secure website
For all the Kansas and Missouri counties and municipalities that have an existing website, The Beacon primarily checked if a website had http or https encryption, and whether the website URL ended in .gov versus other domains like .com or .net.
It’s easy for anyone to register a website with a URL that ends in .com, .net or .org on popular domain vendors like GoDaddy. But .gov is a top-level domain that shows a website belongs to an official government organization in the U.S. In other words, a .gov domain carries a higher level of legitimacy, which can help county websites establish trust with the public.
The Beacon found 105 operating county election websites in Kansas, and 116 in Missouri. Out of those, according to The Beacon’s analysis:
- 32 county websites in Missouri lack https encryption
- 36 county websites in Kansas lack https encryption
- Nine counties and one city in Missouri have a .gov URL
- Eight counties in Kansas have a .gov URL
- 22 counties in Missouri do not have any local election information website
- One county in Kansas does not have a local election information website
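The two checks described above (the URL scheme and the .gov ending), applied to a site listing, as an added example that is not The Beacon's own code. The county names and hostnames are constructed placeholders, and treating a listing with no scheme as plain http is an assumption.

```python
from urllib.parse import urlsplit

# Constructed sample listing; hostnames are placeholders, not real county sites.
SAMPLE_SITES = {
    "County A": "https://www.countya.gov/elections",
    "County B": "http://countyb-elections.com",
    "County C": "HTTPS://CountyC.org:443/clerk",
    "County D": "http://countyd.gov.example.net/vote",  # "gov" label, not the TLD
    "County E": "countye.gov",                           # scheme missing in listing
    "County F": None,                                    # no election website
}

def classify(url):
    """Return (has_https, is_gov) for one listed URL, or None if there is no site."""
    if not url:
        return None
    # Assumption: a listing without a scheme is counted as http, because the
    # listing itself does not promise an encrypted connection.
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)                     # lowercases the scheme
    host = (parts.hostname or "").rstrip(".")  # lowercased host, port removed
    has_https = parts.scheme == "https"
    # Compare the last DNS label only, so "countyd.gov.example.net" or
    # "countyx-gov.com" is not mistaken for a .gov domain.
    is_gov = host.split(".")[-1] == "gov"
    return has_https, is_gov

def summarize(sites):
    """Tally the listing; the percentage is taken over offices that have a website."""
    results = {name: classify(url) for name, url in sites.items()}
    with_site = {n: r for n, r in results.items() if r is not None}
    no_https = sorted(n for n, (https, _) in with_site.items() if not https)
    pct = round(100 * len(no_https) / len(with_site), 1) if with_site else 0.0
    return {
        "no_site": sorted(n for n, r in results.items() if r is None),
        "no_https": no_https,
        "gov": sorted(n for n, (_, gov) in with_site.items() if gov),
        "pct_no_https": pct,
    }

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SITES).items():
        print(f"{key}: {value}")
```

A listing-level check like this does not show whether the http address redirects to https or whether the certificate is valid; both need a live request to the site.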
Cybersecurity experts agree that https encryption is one of the simplest ways to offer protection. Https websites use a secure sockets layer to create an encrypted connection between a user and the site. Emma Briant, a professor at Bard College specializing in propaganda and political communication, said https encryption can protect sensitive information from being intercepted.
“In terms of security, it’s really serious to be making sure you’re using https,” she said. “When it comes to election security, it’s paramount that people can confidently access secure systems, reliable information and know their data is secure.”
The findings in Kansas and Missouri are not uncommon: A 2020 McAfee study of local election websites in 13 “tossup” states found that a majority of these sites lacked a .gov URL and https encryption. Steve Grobman, senior vice president and chief technology officer at McAfee, said having https encryption also enforces the integrity of websites.
“You want to make sure you’re going to your actual county’s website, that somebody hasn’t tricked you into going to a fake version of that site,” he said. “The second thing is because you’re possibly putting in sensitive information, you don’t want somebody to be eavesdropping on the network traffic and see what you put.”
Though a majority of county websites in Kansas and Missouri are https encrypted, many still do not have a .gov domain. Grobman said it’s important to have both. Government websites lacking a .gov domain are more susceptible to being spoofed, in which a fake website feigning legitimacy is created to intentionally mislead internet users.
“If you wanted to set up a fake site for county X, you could clone county X, but then change the voting dates, voting times, when early voting is happening, the procedure for requesting an absentee ballot,” he said.
‘You can cause an enormous amount of damage’
Some local election authorities have defended the lack of https encryption on their sites, arguing that only certified results are posted on the site or that their election counting machines are not connected to the internet. But cybersecurity experts like Grobman say election authorities still need that basic layer of protection.
One big example: Reports of Russian hacking during the 2016 election, in which hackers exploited vulnerabilities in the websites of state and local government bodies.
According to the report by special counsel Robert Mueller, Russian intelligence agents used an “SQL injection” to send malicious code to targeted state and local government websites to run commands and potentially infiltrate sensitive databases. The attack worked in Illinois — Russian agents hacked into the state board of elections website, allowing them access to a database containing voter registration information.
According to the Open Web Application Security Project, a nonprofit dedicated to improving software security, an SQL injection is the most common form of cyberattack against websites. Given this, cybersecurity experts are concerned that an SQL injection attack could cripple official election websites on Election Day again this year.
Weak cybersecurity measures could also make websites prone to disinformation campaigns, in which malicious actors wanting to trick voters with the wrong dates or protocols change that information by hacking the website.
“If you’re able to set up a collection site with inaccurate information that will make it more difficult to vote, and then can direct a certain segment of the population to that fake site, you can manipulate the vote through a disinformation campaign,” McAfee’s Grobman said.
Jake Braun, executive director of the Cyber Policy Initiative at the University of Chicago’s Harris School of Public Policy, said websites are inherently vulnerable. Things like https encryption, however, make those attacks harder to carry out.
“Between the websites and the databases, if you can hack either of those, and we know they can hack both, you can cause an enormous amount of damage,” he said.
Lines of defense
One major obstacle to implementing stronger cybersecurity measures on a statewide level is the decentralized nature of U.S. elections. While every voter in the country can cast their ballot for president, election laws and protocols are primarily left to the states. On the website level, this means a hodgepodge of local election sites that vary widely in cybersecurity measures, though some states have increased efforts to improve that.
In Kansas, under the Cybersecurity Act that passed in 2018, heads of executive agencies are required to notify the state chief information security officer of any breaches or unauthorized exposures of data within 48 hours. If the breach involves election data, officials are required to notify the secretary of state.
Though each county in Kansas is responsible for its own website, the secretary of state communicates with local election officials to provide election-related resources and support, including in cybersecurity, according to responses from the secretary of state’s office. Last year, the state hired an election security specialist and partnered with federal and state entities to provide security training to counties.
“We are always evaluating programs, partners, and technologies to ensure the election process is protected and stays up to date with emerging security threats,” said Katie Koupal, deputy assistant secretary of state in Kansas, in an email to The Beacon.
Maura Browning, director of public affairs and strategic communications for the Missouri secretary of state, said the office provided security assessments to local election authorities specific to elections infrastructure and created a guide on security best practices.
Officials say neither Kansas nor Missouri was targeted by Russian hacking during the 2016 presidential election.
From voting machines to electronic poll books to attacks on websites, cyber experts say it’s difficult to foolproof elections. The primary question is how prepared election authorities are to handle attacks or disruptions if and when they do happen. One answer, Braun said, lies in risk mitigation.
“They should have a crisis communications plan in place in case their website is hacked and they have to take it down,” he said. “So that they can communicate with the media, with key stakeholders and so on.”
Braun recommends that local election authorities implement the top five critical cybersecurity controls as recommended by the Center for Internet Security.
“Do the best that you can with the money you have, and then try and put as many kinds of redundancies in place as possible to kind of stop the bad guys,” Braun said.
After being notified by The Beacon of its findings, Susette Taylor, the county clerk in Atchison County, Missouri, said the county website has been changed to https encryption and that it was a simple fix to add another layer of security.
On the Kansas side, Montgomery County is currently in the process of redesigning its website to include https protection. Charlotte Schmidt, the county election officer, said information posted on the elections page of the current http site is not linked to any program. She said the county hopes to make the new website live Oct. 13.
Local officials interested in improving their cyber hygiene can look to organizations such as The Athenian Project for help. In 2017, internet infrastructure and security company Cloudflare launched The Athenian Project with the intent of offering tools and resources to local election authorities to protect their websites from a cyberattack.
Alissa Starzak, head of public policy at The Athenian Project, said more than 200 jurisdictions, from the state to the county level, participate in the project. Some of the services The Athenian Project offers include protection from distributed denial of service attacks and a web application firewall.
“We want to make sure that people have information about where they go vote, we want to make sure that they have the ability to register to vote, and you want to make sure that those aren’t things to go down because of a cyberattack or because of just failure overload,” Starzak said.
“It’s really important that those things stay up.”
Celisa Calacal is the assistant editor at The Beacon. Follow her on Twitter or email her at celisa@thebeacon.media.