Election officials and security experts strongly disagree with a recent assessment on states' election systems infrastructure.
A recent report on election systems cyber hygiene found that more than half of the state commissions reviewed received a grade of C or below, primarily due to poor patch management, leaked credentials and weak website security -- vulnerabilities that plague many enterprise systems.
In July and August, cybersecurity firm NormShield conducted risk assessments of 56 election commissions and secretaries of state offices to identify the publicly available information that hackers could exploit in an attack. It examined internet-facing network connected systems and components and found that while many states are focused on strengthening their cybersecurity, they still needed to update outdated operating systems and protect their email from phishing attacks.
The company provided the results of the first assessment to states to help them remediate vulnerabilities. A second scan in August found "significant improvement" in the security posture of several election commissions, NormShield said.
The nonprofit news organization ProPublica, however, checked with some of the states that had received assessments and found several officials who disputed the results, claiming that assessments had been run on systems unrelated to elections and that the technology used was limited. Further, they said that NormShield had "failed to honor industry best practices by not adequately alerting the states to its findings before making them public." Additionally, ProPublica said it "was unable to find a state that had made any changes after receiving the report."
Going even further, some critics said "NormShield’s behavior amounted to another kind of election security threat: companies looking to profit from a country on edge about the integrity of its national and local elections," ProPublica said.
In a published defense, NormShield said the intent and content of its report had been misunderstood. It pointed out that election security can be breached in many ways, beyond direct attacks on election infrastructure.
"That is why, in our report, we went beyond the narrow internal focus and examined the critical internet facing infrastructure that supports state election processes," NormShield said. "Hackers look at networks to find a foothold," the company said, so the review of election infrastructure focused on network connected systems and components that are exposed on the internet.
Nevertheless, election security experts were skeptical. “It’s not a good practice to release scary information based on insufficiently vetted, automatically generated threats. Election officials now need to spend time they don’t have responding to these poorly vetted claims,” Ben Adida, the CEO of VotingWorks, a nonprofit building secure and affordable voting machines, told ProPublica. “I’m sure NormShield meant well, but it seems to me they caused net harm.”