Racing the Clock on Election Security

Workers use an electronic scanner as they process stacks of ballots at a Board of Elections facility, Wednesday, July 22, 2020, in New York. John Minchillo/AP

There are less than 100 days left until the presidential election.

Believe it or not, there are less than 100 days before the next presidential election. And in addition to picking a president, most of us are also voting for scores of federal, state and local officials.

In addition to all of that, we have the COVID-19 pandemic which has many voters rightly concerned for the safety of both themselves and election workers. To compensate, many states are modifying the way that people are voting, both in-person and remotely. And this could open states up to new or unexpected cyber threats and physical challenges.

A perfect example of a physical challenge occurred during the recent primary election in New York. The New York Daily News reports that one in five absentee ballots cast in New York City were rejected for technical reasons. That’s over 100,000 votes that didn’t get counted. On the cybersecurity side, the Wall Street Journal reports that less than 20% of election officials nationwide have anti-phishing protection on their email, and many are using personal email addresses for official election board business. While there is no direct connection between email and the voting machines themselves, it does present a window that enterprising attackers could use to try to manipulate the election.

In the United States, each individual state administers elections. This includes the times when citizens of each state vote for federal offices like the president. Many states in turn delegate a lot of their authority to local or county boards. That could make for resource challenges in smaller or less well-funded municipalities. With less than 100 days left, time is getting short if we are going to fully shore up election security in the face of the pandemic. But officials from coast to coast are trying.

Last week, I was fortunate enough to be asked to moderate a panel with top election officials from across the country, as well as university professors, representatives from industry and even the hacker community. It was a lively discussion, and I was able to ask quite a few cybersecurity questions directly to the people who would be overseeing or assisting with protecting the upcoming election.

One guest I interviewed was Justin Berardino, the operations manager for the Orange County, California, Registrar of Voters. Orange County has a larger population than 21 of the states, so election issues are pretty complex there, especially with the pandemic being so active in California at the moment. When I asked about resources that state and local election boards could use to help shore up their cybersecurity, he pointed to the Multi-State Information Sharing and Analysis Center (MS-ISAC) as a good example.

“The really valuable thing about them [MS-ISAC] is when there is a pattern of threats that are being seen by multiple jurisdictions, or even just one, that needs to be disseminated to everyone, and they have a system to do that,” Berardino said. “And the more counties that we can get to sign up for that, the more helpful that information will become.” So it’s basically threat intelligence tightly targeted at elections.

Justin Herring, the Executive Deputy Superintendent of the New York Department of Financial Services, is also in charge of the state’s newly created Cybersecurity Division. In terms of threats for the upcoming 2020 vote, he stressed that with these elections, not every attack is going to be a traditional one like you would find leveled against a bank or a private company.

“The attackers in this case can succeed in disrupting an election by undermining our confidence in the results, undermining our sense that the election was fair and dividing us,” Herring said. “That is often the aim of election disruption campaigns.”

Berardino agreed, stressing that misinformation campaigns can be just as dangerous to the integrity of the 2020 election as a traditional hack. 

“For the 2020 election, misinformation is a large concern, and one that we address with our election security plan,” Berardino said. “To combat this, we need to have accurate information on our social media and other channels, and are prepared to quickly disseminate it should disinformation get out there.”

I asked Marc Rogers about traditional cybersecurity threats against elections and voting machines. In addition to being the executive director of cybersecurity strategy for the security firm Okta, he is also the head of security for the DEF CON hacker convention, one of the largest of those types of gatherings in the world. DEF CON is known for, among other things, hacking voting machines and exposing security flaws within the election system. They consider themselves to be white hat hackers, or those who use their hacking skills to expose threats and improve security.

“A lot of voting machines that we have looked at don’t offer much more security than the average kiosk that you would find at a mall,” Rogers said. “I personally find that inexcusable. Systems used for voting should have minimum standards like no exposed USB ports and hardened operating systems.”

Rogers said that making hardened voting machines that can audit themselves and detect any tampering is possible given technology today, but the space is still evolving. He also pointed out the increased emphasis on disinformation campaigns, and he said that DEF CON hackers were studying how attackers can manipulate people using fake news stories, social media posts and other methods of disinformation. Rogers said the white hat hackers are researching the best ways to counter those new kinds of threats.

Sumit Sehgal studies election security as the chief technical strategist for security firm McAfee. The company conducted a study of election security in 13 so-called battleground states, and the results were not very encouraging. Many election websites lacked the necessary .gov validation, and some were not even using the more secure HTTPS protocol to prevent fake web domains from pretending to be official government sites.

Sehgal says that many of the challenges faced by local election boards come from the fact that voter data does not exist in one place like it would in a more traditional security model. Instead, it’s spread out in devices, voting machines, on-prem equipment and in the cloud. This presents a steep learning curve for many local governments, which makes the sharing of information and best practices a key to hosting a successful election process this year.

“Will we be able to preserve the integrity of the 2020 election?” Sehgal asked. “I hope so, but it’s going to be very challenging. I can almost guarantee that.”

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys
