Critical Infrastructure Security, Critical Infrastructure Security, Network Security

State of Security: Kentucky

Who's in charge: Secretary of State Alison Lundergan-Grimes, Executive Director Jared Dearing

Kentucky's reliance on electronic vote-recording devices with no voter-verified paper audit trail (VVPAT) capabilities makes little horse sense, according to security experts.

Citing documentation from Kentucky's office of the Secretary of State, as well as press releases and news articles from the last six months, the Verified Voting Foundation estimates that 32 of Kentucky's 120 counties will exclusively use electronic voting machines with no paper trail in this November's election, while only four will produce an all-paper trail. The remaining counties will feature a mix of paper and electronic, although most voters will use paper ballots.

Absentee ballots will also be paper-based, and must be returned by mail or in person, which is a more secure process than sending them electronically.

Regardless of the exact numbers, the Bluegrass State's lack of paper-based voting documentation would make it very difficult to catch, audit or meaningfully remedy a successful attempt to hack into the machines and modify vote totals. Verified Voting identities Kentucky's DRE equipment as the Hart InterCivic eSlate dial solution, the Danaher Shouptronic 1242 push-button machine, the MicroVote Infinity touchscreen solution and the Election Systems & Sofware iVotronic touchscreen device.

This year, Kentucky received nearly $5.8 million in federal funding for election security, a significant portion of which will reportedly be allocated toward building a more hacker-proof election infrastructure, with the goal of upgrading districts' electronic-based voting machines to paper-trail machines by 2020.

But the Courier Journal of Louisville has reported that some local officials have gone on record asserting that such replacements aren't necessary, even though in some cases they are using the same model of machine that researchers at the DEFCON cybersecurity conference proved could be hacked.

The Center for American Progress has issued Kentucky a "D" grade for its election security, due to not only its over-reliance on risky DRE machines, but also what it considers a flawed audit system. The watchdog organization notes that Kentucky's audits are problematic because they are "tied to a fixed percentage regardless of the margin of victory," there is no escalation requirement, and the media's ability to observe the process is limited.

There are some positives, though. For instance, the state's voter registration system is protected by access control, logging, intrusion detection and vulnerability assessments, and locals officials do participate in cyber training. Also, voting machines are tested to meet to EAC (Election Assistance Commission) Voluntary Voting System Guidelines.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.