How would Bartholomew County handle a cyberattack that compromises its election systems?
The answer to that question, as well as other “doomsday-like,” election-related scenarios, will be put down on paper for the first time as Bartholomew County election officials continue their efforts to prepare for the 2020 presidential election, said Bartholomew County Clerk Jay Phelps.
Next month, Phelps and other county election officials will begin drafting written contingency plans for how his office would respond to a range of threats that would constitute what he described as an election administrator’s “worst nightmare” — including a cyberattack directed at the county’s voting systems, theft or physical tampering of electronic poll books and even a catastrophic natural disaster that wipes out electricity and cellphone towers.
Phelps clarified that his office already has a “verbal plan” in place for these scenarios and his staff knows the general practices for how to deal with them, but no written, step-by-step plans have been drafted. Phelps said he expects to have the written plans ready by April 1, just over one month before Indiana’s presidential primary on May 5.
[sc:text-divider text-divider-title=”Story continues below gallery” ]
“Most counties do not have set plans in writing, and there is no requirement by law to do so,” Phelps said. “By our county putting a written plan in place, it would lay a framework for future clerks and election administrators in Bartholomew County to have as a guide.”
The written plans will lay out how Phelps and other county officials would react, how they would coordinate with local and state law enforcement, state agencies and communicate with the public, Phelps said.
“You think you know what would happen with a worst-case scenario, but we don’t want to be caught off guard,” Phelps said.
Getting ready
The push to draft written plans was largely driven by Phelp’s tenure as an advisory member of the Indiana Executive Council on Cybersecurity and many of the best practices he and other election officials learned at the 2020 Indiana Election Administrator’s Conference, which was held in Indianapolis this past week by the Indiana Secretary of State’s office.
Several Bartholomew County election officials attended the conference, including Phelps, Bartholomew County Voter Registration and Elections Supervisor Shari Lentz, Voter Registration Deputy Taylor Seegraves, Bartholomew County Election Board President Jim Holland and Bartholomew County Election Board Vice President Julie Schuette.
During the conference, officials from the U.S. Department of Homeland Security and the Indiana University Center for Applied Cybersecurity Research led around 450 local election officials in Indiana through scenarios to see how each individual county would respond, Phelps said. Two of the scenarios discussed included the physical theft of an electronic poll book and a natural disaster that knocked out electricity at polling sites and cellphone towers in the county, Phelps said.
“(The conference) was just to get us thinking and get us prepared and actually have counties write a plan and get it in writing,” Phelps said. “Before 2016, we really weren’t thinking about cybersecurity.”
Cybersecurity risks
Cybersecurity has become an increasing concern for local governments in recent years, as criminals and state actors continue to target municipal computer systems.
Though no one is quite sure how often cyber attacks happen in Indiana, experts generally agree that the number of attacks and attempted infiltrations are rising, according to the Indianapolis Business Journal.
In 2016, Russian-backed operatives likely targeted election systems in all 50 states, according to a bipartisan report from the Senate Intelligence Committee. In Illinois and Arizona, hackers infiltrated state voter rolls, which contain the names of millions of voters, according to wire reports.
In the Hoosier State, several cyberattacks, including ransomware attacks, have been carried out against local government systems in recent years.
Ransomware is a specialized type of malicious software that encrypts files and makes them inaccessible on a computer system until a ransom is paid to the attacker, according to Kaspersky, a Russia-based multinational cybersecurity provider. Ransomware is often installed through phishing emails with malicious attachments or links.
In 2016, a Madison County attack locked up most of the county’s systems, forcing police to revert to writing paper tickets until the city paid a ransom of $21,000, according to wire reports. In July, LaPorte County paid over $130,000 in Bitcoin when its systems were infected.
In August, Lake County was hit with a ransomware attack that shut down the county’s email service and other county government applications for more than two weeks, according to The Associated Press.
“Counties are being hit,” Phelps said. “…There are new threats that we’ve facing over the past four to five years. We just have to get better and continue taking care of our systems.”
‘It just takes one click’
Bartholomew County officials have been taking steps to minimize the risk of cyber attacks, including upgrading the county’s computers to Windows 10, updating election machine software and testing a new verification system that leaves a paper record of each electronic ballot cast, Phelps said.
The system, called a voter-verified paper audit trail, or VVPAT, is an independent verification system added to electronic voting machines that prints and stores paper copies of electronic voting records to safeguard against possible election fraud and voting machine malfunction.
Columbus voters tried out the new system as part of a pilot program during the municipal elections this past month. County election officials said the trial run was a “great success.”
Phelps said he expects the county to continue to use VVPATs during next year’s presidential primary and general election.
“By November 2020, we could have up to 60 VVPATs,” Phelps said.
Additionally, MicroVote, the manufacturer of the voting machines the county uses, in July picked up all of the county’s voting machines and the two computers that the county uses to count votes and program the voting machines, took them to Indianapolis, where they were upgraded to Windows 10, Phelps said.
Overall, Phelps said there is a “sense of urgency” to prepare for cyber threats in the run-up to the 2020 elections.
“It just takes one click to completely get a hold of an entire system,” he said.
[sc:pullout-title pullout-title=”Indiana Clerks Association” ][sc:pullout-text-begin]
Bartholomew County Clerk Jay Phelps on Tuesday was sworn in as vice president of the Indiana Clerks Association.
[sc:pullout-text-end][sc:pullout-title pullout-title=”What’s next” ][sc:pullout-text-begin]
Next month, Bartholomew County Clerk Jay Phelps and other local election officials will begin drafting written contingency plans for how they would respond to a range of worst-case, election-related scenarios, including cyber attacks, theft of voting equipment and natural disasters.
Phelps said he expects to have the plans ready by April 1, just over one month before Indiana’s presidential primary on May 5.
[sc:pullout-text-end]
