“No one wants to be the next John Podesta” — the chairman of Hillary Clinton’s 2016 campaign, whose personal emails ended up on Wikileaks after he fell for an email fraudulently claiming to be from Google — “but the biggest problem is you’ve taken 50 secretaries of state and 5,000 county officials, these sleepy government administrators, and put them on the front line of a war with a nation-state,” said John Dickson of the Denim Group, a cybersecurity consulting firm in San Antonio.
Dickson said that voting machines themselves, which tend to spend most of their lives in warehouses and are not networked, are easier to secure. But voter registration databases and websites that report election results are glaring targets.
Even if an election board has an accurate vote count stored offline, Dickson said that a successful denial-of-service attack can create a public perception that the results have been tampered with.
Instead of simply pursuing new hardware and other procurements, Dickson said election officials need to focus on training and education.
“What I recommend is some kind of two-factor authentication, at least at the state level, combined with social education to make [people] more aware about the phishing attacks that are always going to come in,” he said. “In some of the counties they do that, but think of the 254 counties in Texas.”
With respect to Texas, Dickson said some of the bigger counties — such as Bexar, where San Antonio is located — have the resources to upgrade authentication and educate staff, but many of Texas’ counties are rural and have small, part-time election officials.
“I think the question is how quickly they can move before November?” he said.