State election officials say that despite millions of cyber attempts to gain access to South Carolina’s voter registration system in the past year, no one has succeeded.
But two election watchdogs complain that problems have been discovered and they want to be shown evidence of their severity.
On just six sample dates alone, including last November’s Election Day, hackers tried 485,000 times to get to 7.2 million online voter registration records. That’s according to data gathered from vulnerability assessments done by the technology division of the S.C. Department of Administration for the state elections office. There were about 150,000 attempts just on Election Day, which media outlets reported in July.
The tens of millions of tries in South Carolina is a normal amount, Chris Whitmire, the State Election Commission spokesman, said Wednesday.
None of those attempts succeeded, according to Whitmire, who called the number of attempts, “Not concerning on its face.”
Further, there have been no known attempts to hack into records of actual votes cast or vote tallies, he said.
Votes and vote totals across South Carolina are not kept online, as are voter registration records, and are not accessible to anyone, even employees, through the internet, Whitmire said.
“No, no, no,” he said when asked if hackers had penetrated firewalls or other blocking mechanisms that protect voting records at the state agency or any of the 46 county elections offices.
“South Carolinians can be confident that checks and balances are in place,” Whitmire said. “(W)e continue taking all reasonable measures to secure the state’s election infrastructure in preparation for the 2018 general election and beyond.”
Electronic voting is backed up by a paper trail at every precinct and each of the county elections offices, Whitmire said. The state agency, however, routinely only gets only electronic reports.
Still, vulnerability tests by three organizations have turned up problems that need to be fixed.
Initial assessments by the S.C. National Guard’s Military Department Defense Cyber Operations and the U.S. Department of Homeland Security done in the wake of the Russian hacking of the presidential election found weaknesses in all county offices and at the state elections agency. The elections agency later hired the Charleston-based cybersecurity firm Soteria to plug the holes.
But a USC computer science professor and a Lowcountry elections watchdog want to see the full assessments for themselves.
“Every single county has at least a critical or high vulnerability,” said University of South Carolina computer science professor and elections analyst Duncan Buell. “They were not doing the no-brainer things for election security.”
The Homeland Security assessment found the same level of vulnerability in servers used by the state agency, he said.
Buell is not assured by the Election Commission’s assertions that hackers have failed to get into the Palmetto State’s voter registration or election tabulation systems.
His uncertainty is rooted in the fact that only about a third of the 4,600 pages of documents that he and a Charleston elections watchdog, Frank Heindel, requested have been released by the state commission, and those were heavily redacted, Buell said.
“All of that stuff is blacked out,” he said of details that would answer questions about whether any hacks were successful, or what, if any, information was sought.
The National Guard assessment that started nearly a year ago turned up information that every county is vulnerable when it transfers data, Buell said. That means counties were not using secure communications channels, not encrypting information or reusing flash drives.
“That’s the most damaging,” he said. “That’s the software that actually counts the votes at the end of the day.”
So far, here is what the National Guard cyber tests have disclosed, according to Buell:
▪ All counties were found to have “high vulnerability” in transferring election data. Because of the redacted material, it’s unclear if that includes personal information about voters.
▪ Four counties (Clarendon, Marion, Lee and Williamsburg) were rated as critically vulnerable for allowing too many people to have access to voting computers, Buell said. An additional 13 counties were rated as highly vulnerable.
▪ Twenty counties were found to be critical in failing to secure election software that is used by county election headquarters to count voting outcomes. Each of the remaining counties were found to have high vulnerability.
Buell and Heindel have been examining data obtained through the state’s open-records law that so far have cost Heindel nearly $3,000.
“They are deliberately dragging their feet,” Heindel said of the remaining South Carolina data he was provoked to request two days after former FBI director James Comey testified to Congress that many states were targets of Russian hacking. “So,” Heindel said, “I can tell that there is some juicy stuff in there.
“Why does a citizen have to spend all these dollars and wait months and months to see these security report cards?” he said. “We’re in cybersecurity war with the Russians, and citizens can’t see the security report cards.”
A year after a federally supervised cybersecurity team of volunteers crafted national guidelines in advance of the 2018 elections, 7,000 election jurisdictions nationwide don’t have access to the guidelines, the McClatchy newspaper chain’s Washington, D.C., bureau reported this week.
The guidelines have been derailed by unspoken power struggles between federal agencies and state and local election agencies, which have full constitutional authority over elections, according to the article published Tuesday.
Problems and fixes
S.C. National Guard analysts reviewed S.C. counties’ elections data that’s stored electronically. Here’s what they found in Richland and Lexington counties:
Four cases of “high vulnerabilities” were found in voting machines and election servers, the software that runs the system and prepares and processes election results.
No critical failings were found nor is there evidence that voters’ personal information has been compromised, said elections and voter registration director Rokey Suleman.
But county website security has been upgraded and steps have been taken to secure hardware used in election preparation and tabulation, he said.
The assessment resulted in tightened security on what elections director Dean Crepes called “minor things.”
He cited changing in-office passwords more often as well as for the first time having specific codes for USB (Universal Serial Bus) ports.
Coding of ballots and voting machine flash drives is ongoing but not complete, he said.