Group warns of gaps in election infrastructure

The Department of Homeland Security's (DHS) cybersecurity agency has worked since 2016 to help states protect their election infrastructure from electronic attack, but it only takes one small breach to dent confidence in the systems, according to a digital rights and technology expert.

"There has been a ton of effort from [the Cybersecurity and Infrastructure Security Agency] and others," said William Adler, senior technologist for elections and democracy at the Center for Democracy and Technology (CDT).

"But cybersecurity is an active process. Threats are constantly changing and evolving, so we need to keep making the case that election officials need to prioritize cybersecurity and not be complacent," he said during a conference call with reporters on Oct. 16.

On the call, officials at the technology and digital rights advocacy group explained the variety of threats facing the upcoming elections, from voter suppression, to misinformation about mail-in ballots and cybersecurity.

The election, noted the CDT officials, is already underway, with millions of mail-in ballots already filed. In person voting system infrastructure is only weeks away from being used on Election Day, Nov. 3.

CISA officials are confident in their agency's work with states since the 2016 election that saw states' voting infrastructures scanned, and in some cases, compromised, by Russian-backed operators.

Adler expressed confidence in CISA's and states' work over the last four years tightening up voting infrastructure cybersecurity. But even an unsuccessful attack, if detected and publicized, can sow misinformation and undermine confidence, which is a Russian goal, according to Adler.

"It doesn't have to be a major breach or an altering of election results," he said.

The 3,000 county governments across the U.S. responsible for maintenance of local election systems offer multiple points of potential vulnerability.

"It's possible one of those counties is doing a less-than-stellar job. Even an insignificant breach in a small county can sow misinformation about state-wide or country-wide issues," said Adler.

Advances in cybersecurity capabilities and services from CISA and vendors don't help financially strapped county governments acquire new equipment or needed upgrades.

"Too many counties are using devices with known security vulnerabilities, no paper trail, or both," he said.

Out-of-date or vulnerable technology means local governments have to be very aware of physical security measures to protect the software, according to Adler. Some lapses in physical security have already been noted this election season, he said. However, he noted that localized attacks on voting machine software and other tactics are difficult to scale up to have any significant impact on larger election results.

"I think we'll have to see. It's theoretically possible, but I don't know if it's realistic," he said.