Madison - St. Clair Record

Wednesday, April 8, 2020

Madison County officials differ sharply on election cyber security in wake of '16 Russian hacking

By John Breslin | Oct 19, 2018


A "white hat" hacking test of Madison County's computer systems is causing confusion and sharply differing positions over the involvement of the county clerk's office - which handles elections. 

Tests of county systems are currently under way and aimed at identifying vulnerabilities. They are being conducted by an outside vendor who employs "ethical hackers" to try to gain access to various departments' operating systems. 

Six county government offices agreed to participate - circuit court, county board administration, coroner, recorder, sheriff and treasurer. Beside the county clerk's office, four others that declined are auditor, circuit clerk, regional superintendent of schools and state's attorney.

Adler says he doesn't understand Clerk's decision not to test for possible vulnerabilities

One of those who declined to take part in the $40,000 test is County Clerk Debra Ming-Mendoza, who says she is uncomfortable with getting involved so close to the November election.

Ming-Mendoza told the Record she is supportive of the so-called "penetration test," but not until after the election, a position at odds with the information technology (IT) department, the head of which claims the county clerk also turned down the offer of a test to take place the day after the election.

"I offered to move it to the day after the election but that was declined," Rob Dorman, the county IT director, said.

Not true, according to Ming-Mendoza, who said, "I received no offer to do it after the election. It was decide right now, in or out."

Ming-Mendoza is in the middle of an election campaign herself, and Republican County Clerk Candidate Stephen Adler was quick to take a shot at the incumbent for declining to be involved in the test.

"Think about it...her decision makes Madison County's electoral systems the low hanging fruit," Adler said in a statement.

Ming-Mendoza explained her reasoning behind declining to take part prior to the election, rhetorically asking why she would let a hacker into the system while the election process is ongoing, with early voting having started Sept. 27.

"I do not feel comfortable having people hacking in to election process while it is continuing," Ming-Mendoza said, adding that it would be "irresponsible."

"Arguments could be made for after the election, (and) that is reasonable, that this can or should be done after the election," she said.

Her office has partnered with the Department of Homeland Security (DHS) to carry out a "hygiene" test on its external systems, Ming-Mendoza said.

And, she said a telephone conference was held involving her office, the IT department, and the DHS, to discuss a second penetration test to be carried out by the federal government after the election.

"It confuses me that Mr. Dorman does not believe I am on board, we will come in after the election to do it," Ming-Mendoza said, adding that it is encouraging that the IT director is saying that it can be done after the election.

Dorman said he did offer the test for after the election, but that it was declined, a position he described as a "shame."

"I would want every department to be involved," Dorman said. The tests being conducted are seen as "best practice" for dealing with cyber security threats, he said. 

Dorman added that, after he managed to cut his office's budget by 25 percent, a request was made for $100,000 to build up the county's computer security frame work.

In July, the county board announced a request for proposals, with Janus Associates winning the bid for the contract at a $40,000 price tag in August.

"It has never been done before, but it is best practice and should be done every three years," Dorman said.

Republican candidate Adler said the county clerk's failure to be involved has broader implications, not least because the office manages vital records.

"Stealing an election is the least of our problems; the Madison County Clerk's Office is the holy grail for identity thieves," Adler said.

Dorman said the continuing coverage of Russian hacking was on minds when deciding to initiate the penetration test process.

Various state and federal agencies are on stand by in Illinois to identify and counter any attempt to infiltrate the election process and systems this year.

Ming-Mendoza agreed that reports of Russian hacking in the 2016 election cycle has impacted decision making in her department.

"It is absolutely different," she said. "The Russians made everything different."

At a press conference earlier this week, it was announced that cyber experts attached to the Illinois National Guard will be working point on an operation to counter any potential hacking attempt. Cyber crime experts from the Illinois State Police, the DHS, and various other state and federal agencies will be on standby to deal with cyber threats, such as what was experienced two years ago in Illinois. 

According to various news reports, election officials in Illinois reported possible breaches to the statewide voter registration database in July 2016. It was later determined by federal authorities that Russian hackers got into the system, however no records were changed, nor were any votes altered.

"In the immediate aftermath of that incident, we implemented new cyber security policies and procedures to guard against a future attack," said Steve Sandvoss, executive director of the state Board of Elections.

"The Department of Homeland Security has advised election officials across the country to expect more such attempts to disrupt elections this year."

Maj. Gen. Richard Hayes Jr., adjutant general of the Illinois National Guard, added that the Illinois National Guard has "quite a bit of robust cyber-capability that we've had for many years."

"We're in a role to posture ourselves to support the entire state Board of Elections and the counties should they need assistance during the time in which the election proceeds," he said. 

Want to get notified whenever we write about any of these organizations ?

Sign-up Next time we write about any of these organizations, we'll email you a link to the story. You may edit your settings or unsubscribe at any time.

Organizations in this Story

Illinois State PoliceMadison County ClerkMadison County