Millions spent to safeguard Ohio elections: What’s really going on

State’s top official: Foreign rivals have ‘tried to tamper with our own perception of elections.’

Officials say Ohio’s elections are safe despite worries fueled by 2016 foreign meddling, thousands of uncounted Miami County ballots in 2018 and this month’s collapse of a Democratic Party vote-counting app at the Iowa caucuses.

Ballot-casting and counting infrastructure — fresh off an exhaustive update of security software, hardware and office procedures to fend off cyber attacks — is sound and secure, say state and local elections officials.

“Your vote is safe, and it will be counted as it has always been counted, if it’s countable,” said Jan Kelly, director of the Montgomery County Board of Elections.

But as millions of dollars are spent to guard against malicious computer attacks, it’s harder to thwart bad actors resorting to disinformation campaigns to diminish people’s confidence in the vote, said Ohio Secretary of State Frank LaRose, a Republican.

“What our foreign adversaries have tried to do instead of actually tampering with elections, is tried to tamper with our own perception of elections,” he said. “They’ve tried to cause Americans to lose faith in elections.”

“The really damaging part of that is it would cause the average person to start to wonder or worry that maybe their vote wasn’t going to be counted accurately,” he said.

Early voting begins this week for the March 17 primary election that will help determine local tax levies, the makeup of county governments, who’s on the ballot for Congressional and Statehouse seats in November and the Democratic nominee for p



The truth is the best antidote to misinformation and it is “deeply irresponsible” to share conspiracy theories and false information about elections, LaRose said.

In response to a Dayton Daily News question about President Trump’s tweets about voter fraud, LaRose said: “I’m not responsible for the president’s decision-making process or his social media strategy. But I will say that nobody is immune from what I just said: it is irresponsible to fear monger about elections administration. It doesn’t matter who you are. And certainly if you have the largest megaphone in the world, then you should think very carefully before you say something that would cause people to lose faith in elections.”

Cybersecurity checklist

The state and its 88 counties spent nearly a quarter billion dollars on elections equipment last year and worked this year to ratchet up security measures and meet a LaRose directive.

Counties had until the end of January to meet a 34-point security checklist that included testing systems for the latest vulnerabilities and adding security upgrades, putting elections personnel through background checks, and installing cyber-attack detection and tracking hardware.

Eight counties missed the deadline in part, according to a state review. But most that fell short, including Clark and Warren counties, were expected to soon meet the requirements, according to the state.


Warren County’s computer systems went down for two hours Feb. 7 as technicians tried to install a required device that logs system traffic and sends the data to the secretary of state’s office, where it’s monitored, said Matt Nolan, the county auditor.

The county was still working on the operation last week, the main reason for missing the initial deadline, but one that will ultimately protect all the county’s computer systems, said Brian Sleeth, Warren County’s elections director.

Cyberattacks are real and constant, but rarely successful, Montgomery County’s Kelly said.

“We get daily updates from the agencies, entities and members of election infrastructure security … from all around the world and from the United States as to cyberattacks and ransomware,” she said. “They are going on all over the place.”

Last November, the secretary of state reported an Election Day cyberattack that attempted to introduce malicious code into the office’s website where people can check their voter registration.

“The good guys were successful and the bad guys were unsuccessful,” LaRose said. “But we have to be vigilant each and every day, and that’s what this is all about.”


While some cyberattacks have tried to worm their way into systems, none has affected election results because voting machines are never connected to the internet, Sleeth said.

“They were unhackable years ago, and they still are. Our election data is not kept on any type of network,” he said. “You would literally have to break into our office and change things. Everything is double-locked in secure rooms. The server has a security system. We have cameras monitoring our office.”

‘Turnaround story’

The secretary of state’s directive also called for more training of poll workers.

Human error turned out to be the reason more than 6,000 votes were overlooked in a November 2018 Miami County election. The blunder led to the firing of the elections director and to the Board of Elections being placed on administrative oversight by the state.

Beverly Kendall, the former elections director, was fired last year following an investigation that revealed 6,288 uncounted votes. The problem occurred when voting machines were not shut down properly because of a lack of training and human error, a LaRose investigation determined. The votes, which did not change any election outcome, were cast by early voters on touch-screen machines in the elections office.

LaRose praised Miami County’s efforts after releasing the elections board from oversight last month.

“Miami County has a turnaround story,” he said. “While Miami County just one year ago had a real trust deficit with the voters of that county, I’m happy to say they are on track to becoming one of the absolute best boards in the state.”

Laura Bruns, the new Miami County Board of Elections director, said most of the work on the directive was finished a month before the deadline because the office worked closely with the state on a pilot project to test the checklist.

“The focus was on security, it was on protecting our data, on protecting the vote for the voters of Miami County,” she said. “It was all very much a part of regaining the trust of the voters in Miami County.”

Safer domains

To be compliant, boards of election must also have secure website and email domains ending in .gov or .us. The requirement forced Montgomery County to move its domain from a .org address. The switch to the new domain has been completed for email; however, as of last week the website there remained under construction.

LaRose said .gov sites are better patrolled by federal partners and are a “safer neighborhood” than .com or .org domains.

“When an individual goes to get information from their trusted source, which is their county board of elections or from their secretary of state’s website, they can look and know that a .gov domain tells them they are at a legitimate, government website,” he said. “Unfortunately, it’s far too easy to take something that looks like a state seal and put it on a fake domain.”


Moving to a more secure domain also improves the chances of turning back a phishing attack: an attempt to introduce malicious code onto a server by getting someone to click a phony email link made to look legitimate.

David Salisbury, a University of Dayton cybersecurity expert, said the checklist provides a deterrent against a threat entering county systems via unsuspecting email users.

“What keeps me up at night is a person who well-intentioned, a hard worker, at their job, busy as all get out, one of the messages come by and before they can think it through they click,” he said.

It was a phishing attack that led to the WikiLeaks dump of Hillary Clinton campaign manager John Podesta’s email in 2016.


‘This isn’t done’

The directive also calls for all election board workers and vendors — anyone with access to voting equipment — to undergo a background check.

Llyn McCoy, Greene County Board of Elections director, said new hires there have been subject to background checks since 2015. Some longtime employees did require a recent check to meet directive requirements.

The practice came as a new expense for Montgomery County, which checked 28 workers, each costing about $45, Kelly said. More part-time elections workers will also undergo the checks, she said.

“Everybody came through clean, and everybody is still working here who was subject to the background check,” she said. “Anybody who touches a ballot or has access to anything at the board of elections should be background checked.”

The Ohio Secretary of State’s Office offered one-time, $50,000 grants to assist counties implementing the security changes. In 2017, the United States Department of Homeland Security designated U.S. election systems as part of the nation’s critical infrastructure, and the next year Congress appropriated $380 million in grants to the states to secure and improve election systems.

More federal money to harden election systems will likely flow to states and counties.

“This isn’t done now. We’re not going to wash our hands and say we are done with cyber security and sit back. This is ongoing,” Kelly said. “This is what it’s going to be in the future.”

WHIO-TV reporter Jim Otte and staff writers Laura Bischoff and Lawrence Budd contributed to this report.

Registration ends, early voting begins this week

- Tuesday is the final day to register for Ohio’s March 17 primary election. Boards of election are open until 9 p.m.

- Early voting begins Wednesday by mail or in-person. Voters can cast ballots 8 a.m. to 5 p.m. weekdays at their county’s board of elections through March 6. Beginning March 7, elections boards will offer weekend voting and extend weekday hours.

- The primary election is March 17. Polls are open 6:30 a.m. to 7:30 p.m.
