date 2018-11-02

Susan Gill has never met Anatoliy Sergeyevich Kovalev.

The supervisor of elections in Florida’s Citrus County wouldn’t know Mr. Kovalev from a television repairman if he walked into her office on Election Day.

That’s the problem.

Kovalev is a Russian military intelligence officer assigned to Unit 74455. In 2016, he helped hack into the website of the Illinois Board of Elections and stole the files of a half-million voters, according to an indictment brought by special counsel Robert Mueller.

Ms. Gill has run elections for 22 years in her county northwest of Orlando. She’s one of the most experienced election supervisors in Florida. But it is highly unlikely that Gill would be able to detect a cyber-intrusion by Kovalev and his comrades in Moscow.

So she’s enlisted the help of a group of American specialists who can.

“We are always looking, always monitoring,” says Brian Calkin, who runs a 24-7 cyberthreat detection center near Albany, N.Y. Officially, the center is called the Election Infrastructure Information Sharing Analysis Center (EI-ISAC).

The operations center, part of the nonprofit Center for Internet Security, is staffed by 16 analysts working behind computer screens, with a 12-foot by 16-foot interactive map on the wall that displays cyberthreat alerts in real time as they are issued across the country.

The alerts are triggered by cybertraffic detection devices – called Albert sensors – that have been positioned in the election systems of participating jurisdictions.

Albert sensors are in place in at least 47 states and 68 counties. The center opened in March and the sensor coverage is not yet comprehensive. There are 10,000 separate election jurisdictions in the United States. But would-be election hackers can’t know with certainty where the sensors are.

One of the Albert sensors is embedded in Citrus County’s election system. It enables Mr. Calkin and his colleagues to digitally look over Gill’s shoulder (from 1,200 miles away) and warn her if they detect anything suspicious.

What they are looking for is an electronic signature associated with past malicious activity. For example, if Kovalev and his comrades attempt to duplicate their attack on Illinois, ideally the signature would be picked up, they would be identified, and local officials would receive a warning of a potential attack.

It would then be up to local officials to take action to defend their election systems.

The signatures are updated continually with input from multiple government and private sector sources.

AN IMPORTANT FIRST STEP

Calkin says his center is already receiving 5,000 to 6,000 alerts of potential cyber-intrusions every month. Nearly a third of them result in notifications to local election officials.

“Every single alert that every sensor generates has a criticality associated with it,” Calkin says. “The analyst will then make a determination to either pick up the phone to call somebody or simply send them an email – or in some cases both.”

He adds: “It happens within 10 minutes.”

Election security experts praise the program as an important innovation.

“This is absolutely critical,” says Maurice Turner of the Center for Democracy and Technology. In addition to providing an early warning system to local election officials, the combination of a network of dispersed sensors and the centralized operations center creates the ability to warn other jurisdictions across the country to be on the lookout for certain kinds of cyberthreats, he says.

“It greatly increases the speed and volume of the information that is shared [to other jurisdictions] about potential threats,” Mr. Turner says. “That helps mitigate the impact of widespread attacks.”

Some 1,400 election jurisdictions have become information-sharing partners with the cyber-intrusion center. That means that if a particularly dangerous threat is discovered by an Albert sensor, they will receive an urgent warning about that threat.

There are some criticisms of the program.

The sensors being deployed are not technologically sophisticated and are only as good as the operation center’s database of malicious signatures, says Parham Eftekhari of the Institute for Critical Infrastructure Technology (ICIT). He adds that the sensors will not prevent malware from activating.