State officials are making a concerted effort to revamp Minnesota's defenses against cyber attacks-a preemptive initiative for the 2018 election season and beyond.
Secretary of State Steve Simon made his annual 87-county tour of the state, stopping in Brainerd last week to tout new developments to the state's cyber security systems. Under his guidance, the state has mobilized a cyber security team, hired consultants to analyze cyber security improvements and partnered with agencies, including the U.S. Department of Homeland Security, to address areas of weakness.
New legislation drafted in 2017 looks to revamp the state's aging voting equipment with a $7 million grant to purchase new voting equipment for state auditors. It provides up to a 50 percent price-match for mandatory equipment, such as optical scan precinct counters, optical scan central counters or assistive voting devices, as well as a 75 percent price-match for electronic rosters. The last time there were federally mandated funds for new election equipment was 2002.
Cyber security was a point of concern going back to his appointment in 2015, Simon said. But with the fears swirling around the 2016 election season and recent confirmation that Minnesota's voting system was targeted by hackers, the issue gained an urgency it previously didn't have.
"We started to see national and international headlines because of this issue," Simon said. "It definitely accelerated the pace of activity in our office, the level of interest in our office and around the state in this issue."
Minnesota was among 21 states targeted by Russian hackers during the 2016 election, though only Arizona and Illinois were infiltrated. Simon said Minnesota was being scouted by hackers, but nothing more. It was not compromised.
Describing the pattern as a "head-scratcher," Simon said there's no discernable rhyme or reason to the list of states that Russians decided to target in their hacking schemes. For example, Illinois (the state Simon identified as most compromised) does not pose as a viable battle-ground state that could be easily tipped during an election and shift national politics.
"It is like a race with no finish line. You're always trying to stay one step ahead," Simon said. "It's no different for our office, your office, then Target or Equifax or any other entity. It's no different in that sense, it's just the stakes are a little different here."
Much more than manipulating ballot machines, or imputing false votes directly-concerns more in line with traditional voter fraud-Simon said care is being taken to ensure the state voter registration system, or SVRS, is safe from outside influences. The SVRS not only compiles votes, it also contains Social Security numbers, driver's license information and other sensitive data.
Much of it comes down to updating the system, which Minnesota first implemented in 2004, to contend with the kind of functions and threats present in 2018 and beyond.
"The system does more now than it was ever intended to handle," Simon said. "In 2004, we were years and years away from online voter registration. We were years and years away from no excuses, absentee voting. ... There's going to be a lot of coding and computer programing over the course of years, but we've got to do it."
Simon said the expectations are that 2018 elections will be targeted in much the same way prior elections have been subject to external threats, particularly from Russia.
Going forward, Simon's office will be working with the U.S. Department of Homeland Security and the secretaries of each state will have an intelligence briefing in Washington D.C. sometime this week.
Still, there's something to be said about old-fashioned pen and paper. Simon iterated that Minnesota remains a state with a mandated paper trail for all its records, in contrast to 16-18 states currently implementing a touch-screen system with no receipt. In the event of a breach, he added, these paper trails may be the state's saving grace.
Simon said the most realistic threat may not be a systemic hack or breach of the system, in light of the state's track record and analysis of its security systems. Instead, he said, an imminent concern is a kind of psychological breach.
"Those looking to undermine our system don't have to be, quote, 'successful' when they attempt a cyber security breach," Simon said. "They just have to undermine confidence in the system. If the reports are to be believed, and I believe them, one of the aims is sowing doubt."