Utah elections have robust cybersecurity but workers stored passwords out in the open, legislative audit finds

SALT LAKE CITY (ABC4) — Utah’s election equipment is not connected to the internet, and overall, the state’s elections have ‘multiple layers of cybersecurity,’ according to a newly released legislative performance audit.

However, the report found some human errors that left state legislative leaders concerned — like county election staff leaving passwords to computers written on paper and out in the open.

“This is simply not okay,” said Jesse Martinson, the Audit Manager who presented the Performance Audit of Election Cybersecurity report to Utah’s top GOP and Democratic leaders, who make up the Legislative

Audit Subcommittee.

“Utah has multiple layers of controls that work together to help prevent cyber-attacks, ensuring that all control layers are optimized will help prevent someone from disrupting or undermining elections,” auditors wrote.

The audit found these six key findings:

1. The systems tested were not connected to the internet.
2. Wireless capabilities were found in voting equipment, and auditors recommend removing them altogether.
3. Election officials should better control what election workers can access.
4. Utah’s election software is appropriately certified and validated.
5. Election officials should strengthen passwords.
6. Two instances in which election computers were not properly secured.

The paper passwords were the biggest point of concern for House Speaker Mike Schultz, R-Hooper after auditors told him this happened in “multiple counties.”

“That’s a complete failure,” said Schultz, who pushed for answers multiple times on whether this and other findings meant that Utah was vulnerable to a hack impacting results.

Auditors explained the likelihood of a hack on results is not zero, but that Utah’s biggest threat wasn’t from outsiders; rather, it was from vulnerabilities like this from within. The audit also found that staffers had more controls than they should have, two sensitive computers were left unattended in public view, and they got casual with passwords.

“What I’m hearing you say is that, yes, it is possible that (an outside attack) could happen; however, because of the audits, the likelihood is it would get caught somewhere along the line,” Shultz said, to which auditors agreed that was a fair synopsis.

Auditors outlined that post-election audits and other controls were likely to “throw red flags” at any major tabulation problems and hackers would have to get through multiple other layers of security — even just prevention-type security like locks on doors, locks to rooms, specific keys, cameras, as well as layers of two-factor authentication and logs tracking employee actions.

House Minority Leader Angela Romero seemed to push back on Schultz’s notion that results could be subject to an outside attack.

“I want to clarify that because every time we have an audit committee, there are people who try to manipulate and misrepresent what is discussed here,” she said. “There is that check and balance here already — what we’re trying to do is fine-tune some things to make it even safer.”

Schultz later acknowledged that a hack from the outside would be rare, but like the issue with the written passwords, he echoed auditors perspective that the security controls were only as good as they were being implemented.

Auditors insisted that they’ve spoken with the counties and they’ve committed to change.

Weber County Clerk Ricky Hatch, who represents the clerks, addressed the written password issue, saying that the computers where the passwords were found were not the ones that tabulated results. They were only used for accessing Utah’s voter database.

“Let me assure you that the papers — while we absolutely agree that it should not be allowed — that laptop was not connected to the system to scan the results,” he said.

Hatch said it was a training issue with clerks who didn’t know their staff were doing this. And, that they would provide “training that filters down to all levels.”

“We’ll continue to be vigilant on that,” he said.

He also said that clerks had already implemented many of the recommendations from the audit.

“Utah’s 29 County Clerks remain steadfast in our commitment to safeguarding the integrity of our elections. We recognize that cybersecurity is an ongoing effort, and we will continue to adapt and improve to ensure our elections remain among the most secure in the nation,” he said.