- Utah auditors recommend cybersecurity improvements in elections after identifying vulnerabilities.
- Issues include password management and unsecured election computers accessible to the public.
- Officials are addressing concerns, emphasizing voter confidence and transparency in election security.
SALT LAKE CITY — Auditors are recommending several changes to ensure the cybersecurity of Utah's elections after finding a handful of potential "vulnerabilities" with password management and improperly stored election computers.
While the report from the Office of the Legislative Auditor General found that election computers were not connected to the internet, as required by state law, it said an election server in one county had hardware that could be used to connect to the internet.
The report also advised election officials to fix other issues after finding that some election workers in small counties stored usernames and passwords on paper notes next to computers and that two election computers in a pair of smaller counties were stored "in unsecured locations to which members of the public had regular access." Because election equipment cannot be connected to the internet, hackers would need physical access to breach any of the computers, which is why auditors said it's risky to have that equipment accessible to the general public.
House Speaker Mike Schultz, R-Hooper, expressed concern about the potential for fraud when the audit was presented to a panel of lawmakers Tuesday, and asked if the findings meant that bad actors could gain access to the system.
The auditors said checks in the process would likely catch anyone trying to tamper with election results, but the vulnerabilities could potentially be exploited by an "insider threat."
"So, if somebody were to modify something — whether manually shredding a ballot or digitally interfering with the system — this process here, I think the way it's designed would very likely at least throw some red flags," auditor Jake Dinsdale said of post-election audits required of each county clerk.
The audit's recommendations will help guide county clerks in shoring up security and potentially lead to legislation to address some of the issues.
"There's that check and balance there already. What we're trying to do is just fine-tune some things to make it even safer," said House Minority Leader Angela Romero, D-Salt Lake City.
Most of the concerns have already been remedied, according to Weber County Clerk Auditor Ricky Hatch, who responded to the findings. Even if results were tampered with, systems in each county capture what is essentially a "digital fingerprint" of the results, he said, which can be compared to verify the accuracy of the results and identify any meddling.
He said clerks are implementing training on password management for election workers, and the computers in both counties have been moved to areas locked to the public.
"Those findings related to counties that account for less than 1% of the voters of the state of Utah, and our county elections offices (are) struggling with funding to make sure that they have sufficient equipment, sufficient space and sufficient staffing to properly secure these systems," Hatch said.
All 29 county clerks signed a letter acknowledging the findings and promising to address them.
"We recognize that cybersecurity is an ongoing effort, and we will continue to adapt and improve to ensure our elections remain among the most secure in the nation," they wrote. "Voter confidence is paramount, and we are dedicated to earning and preserving that trust through full transparency, unwavering vigilance and continuous improvement."
The audit is the latest report on elections in the state — as required by law every two years — and comes on the heels of recent audits that found some 1,400 people on the voter rolls who appear to be deceased and identified several issues with election administration in Piute and Wayne counties.
Here is the full list of recommendations from the most recent audit:
- That the Legislature consider prohibiting wireless communication capabilities in the voting equipment listed in Utah Code.
- That election officials, working with election vendors as necessary, create an inventory of all user accounts granted to individuals on voting equipment and assess whether access privileges are appropriately matched to each user's legitimate system needs.
- That election officials ensure that all users' account privileges ... are limited to only what is strictly necessary for each user to accomplish his or her assigned duties.
- That election officials make use of a password administrator as directed by the Utah Elections Handbook or otherwise ensure that user credentials and passwords are managed and secure.
- That election officials consult with guidelines from credible cybersecurity organizations, like those provided here, to create and enforce a policy requiring secure, unique passwords for each user that is granted access to voting equipment.
- That election officials in the counties mentioned ... develop and implement procedures to protect the physical security of voting equipment as required in statute.
Correction: An earlier version incorrectly referred to auditor Jake Dinsdale as Jake Dinsmore.
