Protector Of N.H. Primary Claims 'You Can't Hack This Pencil,' But Worries Persist

Jan 24, 2020
Originally published on January 28, 2020 10:51 am

Amidst fears about cybersecurity and the spread of disinformation, New Hampshire's first-in-the-nation presidential primary — along with the guardian of that tradition - is under scrutiny like never before.

New Hampshire Secretary of State Bill Gardner, the nation's longest serving elections chief, has long projected confidence about the security of his state's elections. In the fall of 2016, as national security officials were warning state elections offices to "be vigilant and seek cybersecurity assistance" from federal partners, Gardner declined — saying New Hampshire didn't need the extra help.

"We have a system that, we don't have to be concerned that it's going to be something different this time because of some imaginary foreign element out there or something that might be interfering with this election," said Gardner, who has been secretary of state since 1976, at the time.

But Gardner's approach to election security was called into question by both of the opponents who tried to unseat him as Secretary of State in 2018, a race he ultimately won by only a handful of votes.

Since then, some have continued to worry that Gardner's office was too slow to acknowledge the scale of the problem — too focused on the parts of the system that are hard to tamper with, and not enough on other, more complex vulnerabilities.

"New Hampshire is a top tier target as a first in the nation primary state," said Democratic state Sen. Jon Morgan, who also works for the cybersecurity company that recently discovered a major Russian hack into the Ukrainian company at the center of the ongoing impeachment case. "We need to be taking that much more seriously than we are."

Since 2016, Gardner continued to downplay the risk facing New Hampshire. When asked about election security at a meeting of the state's Ballot Law Commission a few months before the 2018 midterms, he had a simple response.

"You want to know about being hacked? You see this pencil here?" Gardner said, holding up a writing instrument for emphasis. "Want me to give it to you and see if you can hack this pencil? We have this pencil. This is how people vote in this state. And you can't hack this pencil."

And in many ways, there are reasons to be confident about New Hampshire's election security.

While other states have to worry about tampering with electronic voting machines, online registration and other election technology, with few exceptions, New Hampshire voters register and cast ballots on paper, in pencil — or pen — and in person. That will still be the case when voters head to the polls for the primary on February 11.

Disinformation, soft targets

But according to Gardner's counterpart at New Hampshire's Department of Information Technology, Commissioner Denis Goulet, that's not all the state has to worry about.

"I've said this to the Secretary of State, I think our biggest risk isn't in the sense that the election results could be affected, because it would be really hard to do that," Goulet said. "But what could happen is undermining the confidence of the system, which I think is at least as bad."

Ahead of its closely watched presidential primary in February, New Hampshire's IT and elections teams have been collaborating more closely, and the Secretary of State's office has stepped up its election security measures on several fronts: investing in new software to protect its voter database, more cybersecurity training for local pollworkers and programs to monitor the so-called "dark web" for looming hacking threats.

At the same time, New Hampshire election officials have turned down more hands-on cybersecurity help from federal and state agencies, instead contracting with private vendors to perform security tests.

"We want to make sure that we're the ones that are responsible for our elections," Gardner's Deputy Secretary of State Dave Scanlan said. "I think we have a healthy distrust of outside agencies trying to get access to our databases to perform certain functions."

Voters cast their ballots in Sutton, New Hampshire on Nov. 8, 2016. State officials say the state's old-school paper ballots mean its election systems are more secure than in other states.
Ryan McBride / AFP via Getty Images

Morgan, the state senator and cybersecurity consultant, says his biggest concern is that hackers might target what amounts to the front lines of New Hampshire's elections: holding cities or towns hostage with ransomware attacks, or trying to scam a local pollworker into giving up access to the state's voter files.

While the state elections office has significantly expanded its cybersecurity training for local pollworkers in the last few years, that training isn't mandatory. Some pollworkers are also preparing for the upcoming primary on computers with expired security protections.

The New Hampshire Secretary of State got $3.1 million dollars from the federal government in 2018 to help make these kinds of improvements, but most of its spending so far has gone toward security and equipment expenses at the state level. While state elections officials have warned cities and towns that they need to patch up their election security protections, it hasn't provided any financial support to help offset the costs of those local upgrades.

Backups but no audits

If there is a security breach, Scanlan says the state has backups in place to make sure the election still proceeds.

Local voter lists are backed up on a daily basis leading up to the vote. If someone shows up to the polls to find their registration is missing, they can still register on Election Day. If a ballot counting machine breaks down, a regular occurrence since the model New Hampshire uses is no longer on the market, the results can be tallied by hand — and already are in many towns.

"We're confident that we're going to conduct an election on February 11th regardless of what else might happen," Scanlan said. "And I say that with the understanding that we have to be vigilant and that any electronic system can be targeted."

New Hampshire also lacks one election safeguard used by more than three dozen other states: post-election audits. Audits are widely viewed as a simple way to instill confidence in elections by verifying the accuracy of the outcome.

But Gardner has opposed past efforts to bring the practice to the Granite State, and has fought local voting activists — like Deborah Sumner — who have pushed for more transparency in the ballot counting process.

"I know this is heresy," Sumner said. "I would rather we gave up the New Hampshire primary and had elections we have reason to trust in New Hampshire."

The way Sumner sees it, the case for post-election audits is only strengthened because of the national spotlight on New Hampshire races — not just in the primary, but also the general elections. In 2016, the race for president and U.S. Senate were decided by less than one percent.

Copyright 2020 New Hampshire Public Radio. To see more, visit New Hampshire Public Radio.

AILSA CHANG, HOST:

New Hampshire prides itself on its electoral traditions. There's the first-in-the-nation presidential primary coming up in a few weeks, and there are its paper ballots - a safeguard when there are so many concerns about election interference. But as Casey McDermott from member station NHPR reports, some in New Hampshire worry that the state's election officials are preserving tradition at the expense of security.

CASEY MCDERMOTT, BYLINE: To say New Hampshire Secretary of State Bill Gardner is confident in the security of his state's elections is an understatement. Here's how he addressed the issue a few months before the 2018 midterms.

(SOUNDBITE OF ARCHIVED RECORDING)

BILL GARDNER: You want to know about being hacked? You see this pencil here?

MCDERMOTT: Gardner held up an actual pencil.

(SOUNDBITE OF ARCHIVED RECORDING)

GARDNER: Want me to give it to you and see if you can hack this pencil? We have this pencil. This is how people vote in this state. And you can't hack this pencil.

DENIS GOULET: I mean, he's correct in that respect.

MCDERMOTT: Denis Goulet is in charge of information technology for the state of New Hampshire. And he says if you're just looking at the voting process, there's reason to be confident. While other states have to worry about hacking threats to electronic voting machines or other election technology, New Hampshire is still old-school.

GOULET: I've said this to the secretary of state. I think that our biggest risk isn't, in a sense, that the election results could be affected because it would be really hard to do that.

MCDERMOTT: With few exceptions, voters here register and cast ballots on paper and in person, but Goulet says that's not all New Hampshire has to worry about.

GOULET: What could happen is undermining the confidence of the system, which, I think, is at least as bad.

MCDERMOTT: Behind the scenes, New Hampshire's IT team has been working more closely with the secretary of state, helping to vet new cybersecurity software and urging a more holistic view of election security in general. But the secretary of state has still turned down more hands-on cybersecurity help from federal and state agencies. And from the outside, some still worry that Gardner's office was too slow to acknowledge the scale or complexity of the threats facing the state's elections.

JON MORGAN: New Hampshire is a top-tier target as a first-in-the-nation primary state, and we need to be taking that much more seriously than we are.

MCDERMOTT: Jon Morgan is a Democratic state senator. He also works for a cybersecurity company that just discovered a Russian hack into the Ukrainian energy company at the center of the ongoing impeachment case against President Trump. Morgan's biggest concern is that hackers might target the hundreds of municipalities on the front lines of New Hampshire's elections, holding them hostage with ransomware attacks or trying to scam a local poll worker into giving up access to the state's voter files.

MORGAN: There is a tremendous lack of resources and lack of expertise. And thus, that's where the threats are going to be targeted. The bad guys know that. The bad guys know where the vulnerabilities are.

MCDERMOTT: The state has offered a lot more cybersecurity training for local poll workers in the last few years, but that training isn't mandatory. New Hampshire also got $3 million from the federal government in 2018 to help shore up its election security, but it has only spent a fraction of that money and doesn't plan to share with cities or towns to offset the costs of local security upgrades. If there is a breach, Deputy Secretary of State Dave Scanlan says there are backups to make sure the election can still go on.

DAVE SCANLAN: I think if you compare the steps that we've taken with other states, we're - you know, we're right where we should be.

MCDERMOTT: There is one step New Hampshire has not taken that lots of other states have - post-election audits to check the accuracy of the vote count. Election policy experts and local activists have said New Hampshire should start doing audits and soon because it is such an electoral battleground not just in the primary but also the general election. In 2016, the races for president and U.S. Senate here were decided by less than 1%.

For NPR News, I'm Casey McDermott.

(SOUNDBITE OF METRO BOOMIN SONG, "SPACE CADET") Transcript provided by NPR, Copyright NPR.