Despite Russia's attempt to hack the 2016 U.S. election and the voter registration systems of 21 states, an NBC News investigation reveals that election officials in the most heavily populated counties of three crucial swing states still haven't received formal training on how to detect and fight attacks.
Election officials in three of Pennsylvania's four biggest counties — Philadelphia, Allegheny and Bucks, which together account for nearly a third of the state's voters — told NBC News they never received cybersecurity training, which experts say is crucial for officials to identify risks.
NBC reached out to election officials in every county in Arizona, Pennsylvania and Michigan and got responses from 60 percent of the counties. Officials from all 15 Arizona counties responded, but only five said their officials had received cybersecurity training. In Pennsylvania, where 42 of 67 counties responded, eight counties said their workers had training. In Michigan, 40 of the state's 83 counties responded, and only 12 indicated receiving formal training.
A number of election security experts have sounded the alarm about the importance of training local election officials on how to avoid cybersecurity risks.
They say local officials are particularly at risk of being victims of "spearphishing" emails — emails that appear to be legitimate, perhaps from Google or an internet service provider, but are meant to extract passwords and other private information from the victim. Hackers could use that information to penetrate county and city electoral systems, and potentially state systems as well.
"In any sort of cyber system, the weakest element is the human element," said Andrew Schwarzmann, director of the University of Connecticut's Center for Voting Technology Research, which audits voting equipment for the state of Connecticut. Schwarzmann is among the experts who strongly advocate training for local election officials on how to recognize phishing and other hacking tactics.
'The new normal'
Last fall, Russian military intelligence sent phishing emails to 122 local government officials, according to an intelligence report obtained byThe Intercept. According to a Miami Herald report, officials from at least one Florida county opened the email, but not the documents attached.
In the case of election officials, the most useful information would be their credentials — username and password — to access the centralized voter registration system. From there, perpetrators could alter or delete voter information, which could prevent thousands from voting and cause chaos on Election Day.
"Phishing attacks are a form of social engineering," said University of Michigan election security expert J. Alex Halderman. "The one very important thing is to train people about what they are, how to recognize them, and how not to fall for them."
Halderman, who called phishing attacks "the new normal," described one that extracts credentials or computer access to allow an attacker to "in the door" of a state's voter registration database.
"Having access to the voter file means you're already in the building in a certain sense. You've gotten through the outermost security perimeter," Halderman said. "The question is whether the doors inside are all appropriately locked as well."
Whether those inside doors are locked is something he's worried about given the decades-old systems of some states, including Michigan.
Fred Woodhams, deputy communications director at Michigan's Department of State, said via email that Michigan's voter file, which was launched over two decades ago, is secure.
"The state's voter file is regularly backed up, and encrypted and protected with the latest cybersecurity methods available," Woodhams wrote.
Just months ago, an official Michigan Secretary of State webpage identified "Netscape Communicator" — which was discontinued in 2002 — as the Internet software provided to local jurisdictions to access the state's voter file.
After NBC News asked the Secretary of State's office why Communicator was the listed software, the page was wiped clean. Fred Woodhams, deputy communications director at the Michigan Department of State, said that Netscape is not in use today.
States take action
Some states have launched statewide initiatives to protect electoral systems.
While Pennsylvania, Michigan, and Arizona are among the states that leave training up to the counties, others provide training to city and county officials. NBC News does not have a comprehensive tally, but Washington, Virginia, Maryland, Mississippi, Georgia, Louisiana and Delaware are among the states that require and provide cybersecurity awareness training for local officials.
The Virginia Board of Elections started providing online tutorials two years ago and had a cybersecurity awareness presentation at its annual conference for election officials this year, noted Virginia Department of Elections commissioner Edgardo Cortés, who said that the trainings were "very helpful" and necessary.
Beyond training, Halderman identified other ways states can secure their voter registration databases further, including through the use of two-factor identification or a physical token to access voter registration information.
While Arizona has implemented multifactor identification according to a recent Hill article, Michigan and Pennsylvania have not claimed the same. County election officials in Michigan have indicated that access to the state's voter file doesn't require two-factor identification or a token.
Wanda Murren, press secretary for Pennsylvania's Department of State, would not comment on whether Pennsylvania's system requires a token or two-factor identification.
Counties are on the 'front lines'
For many states — including Michigan, Pennsylvania, Arizona and Florida — security training is handled at the county level. And when it's left up to the counties, election officials often do not receive the necessary cybersecurity training for several reasons.
One explanation from county officials is that their county was too small for a Russian attack. But Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology and an expert in election integrity, disagreed.
"Local and state government entities are increasingly on the front lines," he said. "They increasingly have to protect themselves from nation-state and ransomware attacks."
Halderman added that while hackers may cast a wide net initially, they are often determined enough to move to smaller targets if they are not successful.
Last June, in Arizona, Russians attempted to hack the state's voter registration database by targeting an election official in Gila County, Arizona's fifth smallest county. However, Gila County officials still do not receive security training, said the county's election specialist Alfonso Alvarez.
Another reason officials claimed training is unnecessary was that no votes have been changed and cannot be changed because the voting machines are offline. But Halderman, who has testified in front of the U.S. Senate Intelligence Committee on the topic, said that's not the case.
"Before every election, [voting machines] need to be programmed with races and candidates. That programming is created on a desktop computer, then transferred to voting machines," he testified in June. "If Russia infiltrated these election-management computers, it could have spread a vote-stealing attack to vast numbers of machines."
Hall also said that vote changing is not the only objective of an attack. Often, the aim is chaos, such as by deleting voter information.
"[County officials] have been thinking of voting changing attacks, not just disruption. You need to be thinking of this before it's a problem," Hall said. "The Russians will be back. There will be much more sophisticated attacks."
County officials without training also referred to their county IT department's ability to protect them when explaining their lack of concern.
In Forest County, Pennsylvania's third smallest county, elections clerk Jean Ann Hitchcock wrote in an email that she feels properly equipped to handle threats from outside, foreign actors and that she was not concerned about them. She also noted that she relies on the IT department for cybersecurity.
In 2017, Forest County allocated a total of $10,100 for IT, according to the Forest County budget. Halderman said he felt that funding that small wouldn't be enough to protect against a threat like Russia.
Although most Pennsylvania, Michigan, and Arizona counties that responded to NBC's inquiries do not receive formal cybersecurity awareness training, about a quarter of them do receive some form of education on the topic, such as occasional emails from their IT departments.
When cybersecurity is left up to the counties, Halderman said that a disparity in resources can create a problem. Bigger counties may have better defenses and the resources to train employees and smaller counties won't.
For Arizona's most populous county, this is definitely the case.
Maricopa County is home to Phoenix and more than half of the state's population. Rey Valenzuela, interim director of Maricopa County Elections, said that in addition to existing cyberdefenses, the county is able to hire an outside contractor to provide officials with periodic security training.
"We probably have the largest, most robust system [in the state]," Valenzuela said.
A few states and counties go even further by sending test phishing emails to employees to identify those who haven't been trained properly. In Mercer County, Pennsylvania, when the IT department sent test phishing emails, 30 percent of county employees opened them, said Jeff Greenburg, Mercer County director of elections.
"When states and counties are not adequately protecting themselves, they're not just necessarily putting voters within their borders at risk," Halderman said. "The results of the election in those places could determine or the balance of power in national politics."