Arizona’s election security for 2020: What experts say

Some aspects of how to secure Arizona's elections from hackers and fraudsters may seem obvious.

Change the passwords on equipment every once in a while, for a start. Oh, and make it complicated, with some numbers and uppercase letters tossed in.

Of course, there is a lot more to fending off cyber attacks.

The Arizona Secretary of State's Office is writing a new manual for county election officials and its first draft includes additional provisions on security. While experts praise some of those measures as big steps to prevent tampering, they are raising concerns about potential vulnerabilities with other measures.

County officials who administer elections can adopt tighter security standards than those set by the state, but the new election procedures manual will set out the minimum requirements that local officials must follow.

It revises policies last updated in 2014.

Concerns about USB sticks and passwords

Among the provisions that raised concerns is a suggestion that a USB stick used to transfer files from one device to another can be re-used if it is cleaned and reformatted.

Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, advised against ever re-using a USB device for such purposes.

Reformatting will not ensure the device is free from malware, he said.

"They're supposed to brand new, out of the box every time," said Marian K. Schneider, president of the national advocacy group Verified Voting. "I don't know that scanning them with antivirus software is going to be enough."

Another issue: The proposed manual says that the rosters of registered voters and printers for ballots-on-demand should, "to the extent practicable," transmit and receive data using security measures such as encryption.

Hall argued for scrapping the caveat about using those standards "to the extent practicable." There is no excuse not to use encryption, he said.

The recommended policy for passwords on voting system software is outdated, too, Hall said.

The proposed manual requires passwords contain a mix of characters, such as letters and punctuation marks. Passwords also would have to be changed on a regular basis.

But new standards issued by the National Institute of Standards and Technology say passwords should not have to include a mix of characters. And passwords should not have to be changed arbitrarily, according to the institute's new standards.

Instead, Hall said to use password managers that can create passwords unknown even to the person using it.

What security experts liked in the manual

But some provisions won praise.

The draft, for example, says workers must not connect electronic voting systems to the internet, any wireless communications device or any external network.

That rules out even connecting to a network with a firewall, which has created problems in other parts of the country, Hall said.

In updating the manual, the Secretary of State's Office scrapped some security provisions because counties no longer use all the same equipment as in 2014.

Sophia Solis, a spokeswoman for the office, said officials added other provisions to address concerns about connecting voting systems to the internet and using mobile storage devices like USB sticks.

Schneider, whose group promotes election security and particularly the use of paper ballots, commended the state for turning best practices into policy.

Still, she said local election administrators will need a lot of resources and money to secure election systems.

And Hall said he was surprised the state is not proposing more detailed standards for election security.

In all, the section on security measures for electronic voting systems totals about four pages out of more than 250.

Concerns about 2020 election hacking

Electronic security will be a particularly big concern heading into the 2020 election, however.

In August 2016, the FBI notified Arizona of a hacking attempt on the state voter-registration database after a Gila County employee opened an infected email attachment.

The Secretary of State's Office said in 2017 that the Russian government attempted to hack into the system ahead of voting the last presidential election but did not breach it. Election officials in several states maintain they also were targeted.

The Secretary of State's Office will submit a final draft of the proposed manual to the Attorney General's Office for approval before Oct. 1.

Andrew Oxford can be reached at andrew.oxford@arizonarepublic.com or on Twitter at @andrewboxford.

Comments are closed.