Connecticut is ramping up its cybersecurity efforts ahead of the Nov. 6 election, though some observers wonder if the state’s efforts will be sufficient to circumvent the kind of chicanery that was at play during the presidential election in 2016.
“Connecticut is really in very good shape” when it comes to averting cyberattacks, declared Secretary of the State Denise Merrill, who in April led a first-of-its-kind meeting of state, local and federal officials in an effort to protect Connecticut’s 2018 elections from such activities.
Merrill said her assessment was partly due to Connecticut’s reliance on paper ballots, which means that its voting machines are not connected to the internet.
Nevertheless, she noted that Connecticut was one of 21 states targeted by Russian hacking during the 2016 election, according to the U.S. Department of Homeland Security. Of those, only the Illinois’ voter registration database was successfully hacked, but officials there have maintained that the breach did not affect its election results.
While the cyberattacks in ’16 were conducted at least in part as an attempt to influence who would be in charge of the country, Merrill said she didn’t think that attacks this year would be made to unfairly steer either Ned Lamont or Bob Stefanowski to the state’s governorship.
“It’s more of an effort to get citizens to mistrust our electoral system, by creating chaos on election day,” she said. “The biggest problem we face is a campaign of misinformation, which we saw (in 2016) — the fake websites and false information being sent out. You can have a situation where people are told the wrong place to vote,” which can have a dampening effect on voter participation, Merrill added.
Merrill’s office plans to provide cybersecurity training to all local election officials and hire IT professionals where necessary to aid in identifying vulnerabilities within each municipality’s voter registration lists. “Some of our towns are so small that they don’t have an IT staff,” she noted.
Connecticut is also in the midst of spending about $1 million for additional vote-tabulation machines to replace outdated ones. Those funds are part of the $5.1 million the state received from the federal government, after Congress approved $380 million in election technology funding across the country in March.
Not all of the $5.1 million will be spent by November, Merrill noted, although the state is required to have used it all by September 2023. Connecticut must match 5 percent of the federal money, or $256,027, within two years of receiving it; Merrill said that match has been approved, with some $90,000 spent for hardware maintenance of the state’s voting system. Another $99,000 will be used to upgrade cybersecurity for the state’s centralized voter registration system.
Merrill said her office will likely also increase its audits. Currently it randomly selects voting precincts to have primary results audited following elections; five percent of polling places that use optical scan machines are subject to the audit, as prescribed by Connecticut General Statutes 9-320f. Those counts are then matched against vote totals from optical scan machines.
She is also in regular touch with Homeland Security and the FBI to stay on top of best practices, she said.
The state has not been shy about touting its cybersecurity successes. Its latest win was just announced with the release of the Connecticut Critical Infrastructure 2018 Annual Report, a comprehensive review of the state’s electric, natural gas and large water companies’ efforts to detect and prevent cybersecurity threats.
“Connecticut’s utilities are spending more time, devoting more resources, educating their workforces and transforming their cultures more thoroughly to meet the increased level of threats,” the report said. However, it added, significant threats and challenges remain, including increased volume, sophistication and country of origin of attempted malicious probes.
Merrill said she agreed with that conclusion. “There’s no such thing as an utterly safe system,” she said.
And therein lies the problem, said Rich Tehrani, CEO of Norwalk cybersecurity firm Apex Technology Services.
“It’s an unfair arms race we’re in right now,” Tehrani said. “Hackers are getting more sophisticated all the time. Every website, every email account is under constant attack.”
While awareness about cyberattacks at businesses, especially smaller ones, is still not what it should be — even in the wake of the 2016 election and high-profile data
breaches at Equifax, Yahoo and the U.S. Securities & Exchange Commission — Tehrani said that the federal and state governments are getting better at it.
However, he added, “Government tends to have a bureaucratic culture, which takes it a lot longer to respond to technological threats that change by the day, if not the hour. They’re behemoths that move like molasses.”
While there is plenty of evidence of state-sponsored cyberattacks from the likes of Russia, China and North Korea, Tehrani said he doubted that they would take specific aim at altering Connecticut’s November election results. That doesn’t lessen the threat, though: “There are all sorts of different entities out there,” he said. “It could be a completely random ransomware attack sent out as a mass email blast, which can cause a lot of trouble by itself.”
Tehrani noted that a recent report posited that one in every 100 emails has a malicious intent, including delivering malware, conducting phishing, or engaging in other forms of fraud and/or blackmail.
Sajal Bhatia, an assistant professor of cybersecurity and director of the master’s cybersecurity program within Sacred Heart University’s School of Computer Science and Engineering in Fairfield said that, while all states are trying to protect against cyberattacks, “The current challenge is that there is no consistent federal law that supersedes the 21 state cyberlaws. In order to protect states and companies from cyberattacks, institutions must be consistent in how they practice cybersecurity defense measures.
“By having a consistent federal law, states can adopt that framework, which will in turn make states become stronger to fend off cyberattacks,” Bhatia continued. “Although nobody is immune to cyberattacks, individuals, companies, and states should be prepared, ready to respond, and maintain cyber-resilience to reduce their risk exposure.”
Tehrani agreed. Even though he applauded the state’s cybersecurity efforts, which include an official “Connecticut Cybersecurity Strategy” unveiled in July by Gov. Dannel Malloy, he emphasized that being prepared ahead of time is key.
“It’s difficult to determine the who, why and when in advance of an attack,” Tehani said. “You just have to assume that you’re always under attack — because you are.”