Why Elections Officials Aren't Taking A Simple Security Step
MICHEL MARTIN, HOST:
We spend a lot of time on this program talking about disinformation ahead of the 2020 general election. One way local governments can push back against this is by providing information themselves in the form of a website that features the legitimate domain .gov. But NPR's Miles Parks says that's been easier said than done.
MILES PARKS, BYLINE: When it comes to getting good information, the Internet is kind of like a minefield. And that's a problem especially for the government, which needs to get information out to people about things like voting. Here's Chris Krebs. He's the head of the cyber agency within the Department of Homeland Security.
CHRIS KREBS: One of the effective ways we think to counter disinformation campaigns is to have highly visible, credible and trustworthy sources of information.
PARKS: And there is an obvious way to effectively communicate to people that the information they're getting from the government is legitimate. It's at the end of a website's name. If it says .gov, then it should be a legitimate source because the federal government holds the keys to that domain in a way it doesn't for dot-coms and dot-orgs.
KREBS: Dot gov is an authoritative message. It says this is, in fact, government.
PARKS: The problem is that thousands of counties across the country aren't using it. The cybersecurity firm McAfee did a domain name analysis of counties in battleground states. In Texas, 95% of counties aren't using .gov websites. In Michigan, 91% of counties aren't. An NPR analysis of Iowa found that just 9 of 99 counties are housing their election information on .gov websites. McAfee Senior Vice President Steve Grobman said not having a simple way to verify whether an election site is legitimate opens the door for a potentially disastrous disinformation campaign.
STEVE GROBMAN: It would likely go something like this.
PARKS: An adversary could buy a cheap domain for a site name that mimicked the real election site. They would then pick an area where they wanted to suppress votes, maybe some important districts in a swing state.
GROBMAN: They could choose urban areas if they wished to suppress Democratic votes. They could choose rural areas if they choose to suppress Republican votes, and then send email to users in those different districts that point them to a fraudulent site.
PARKS: The message could be as simple as we'd like to remind you to vote tomorrow. Please visit this website. The site would look identical to the real site, only with slightly wrong polling information or slightly wrong times.
GROBMAN: Even narrowing the window slightly could suppress enough votes to make a material difference in the outcome of the election.
PARKS: This might sound complicated, but Grobman says it would take less than an hour.
GROBMAN: It's incredibly simple. A single individual can do this.
PARKS: Experts say not having a consistent domain name structure could also make it easier to pull off a successful phishing attack, similar to what happened in 2016. So then why are so few counties using .gov websites? The biggest reason, officials told me, is a lack of communication from the federal government. Eric Van Lancker is the commissioner of elections for Clinton County, Iowa. The county just got a new website. It has a simple and easy-to-read interface with buttons to find out where to register to vote and where your polling place is.
ERIC VAN LANCKER: Oh, we love it. I've been looking for something like this for years.
PARKS: The thing is the URL is clintoncountyelections.com. I asked the commissioner whether he even considered getting a .gov address.
Is that something you had heard about and thought about? Or is that something that wasn't really in the conversation when all this website stuff was happening?
VAN LANCKER: Not - I was not even aware. And I think I'm pretty on top of the election issues and such here in the state of Iowa. But I never heard anything about that.
PARKS: Judging by the thousands of other counties still housing their election information on dot-com websites, he isn't alone. Miles Parks, NPR News, Washington.
NPR transcripts are created on a rush deadline by an NPR contractor. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.