Racing the Clock on Election Security

Believe it or not, there are less than 100 days before the next presidential election. And in addition to picking a president, most of us are also voting for scores of federal, state and local officials as well. 

In addition to all of that, we have the COVID-19 pandemic which has many voters rightly concerned for the safety of both themselves and election workers. To compensate, many states are modifying the way that people are voting, both in-person and remotely. And this could open states up to new or unexpected cyber threats and physical challenges.

A perfect example of a physical challenge occurred during the recent primary election in New York. The New York Daily News reports that one in five absentee ballots cast in New York City were rejected for technical reasons. That’s over 100,000 votes that didn’t get counted. On the cybersecurity side, the Wall Street Journal reports that less than 20% of election officials nationwide have anti-phishing protection on their email, and many are using personal email addresses for official election board business. While there is no direct connection between email and the voting machines themselves, it does present a window that enterprising attackers could use to try and manipulate the election.

In the United States, each individual state administers elections. This includes the times when citizens of each state vote for federal offices like the president. Many states in turn delegate a lot of their authority to local or county boards. That could make for resource challenges in smaller or less well-funded municipalities. With less than 100 days left, time is getting short if we are going to fully shore up election security in the face of the pandemic. But officials from coast to coast are trying.

Last week, I was fortunate enough to be asked to moderate a panel with top election officials from across the county, as well as university professors, representatives from industry and even the hacker community. It was a lively discussion, and I was able to ask quite a few cybersecurity questions directly to the people who would be overseeing or assisting with protecting the upcoming election.

One guest I interviewed was the operations manager for the Orange County, California Registrar of Voters Justin Berardino. Orange County has a larger population than 21 of the states, so election issues are pretty complex there, especially with the pandemic being so active in California at the moment. When I asked about resources that state and local election boards could use to help shore up their cybersecurity, he pointed to the Multi-State Information Sharing and Analysis Center (MS-ISAC) as a good example.

“The really valuable thing about them [MS-ISAC] is when there is a pattern of threats that are being seen by multiple jurisdictions, or even just one, that needs to be disseminated to everyone, and they have a system to do that,” Berardino said. “And the more counties that we can get to sign up for that, the more helpful that information will become.” So it’s basically threat intelligence tightly targeted at elections.

The Executive Deputy Superintendent of the New York Department of Financial Services Justin Herring is also in charge of the state’s newly created Cybersecurity Division. In terms of threats for the upcoming 2020 vote, he stressed with these elections, not every attack is going to be a traditional one like you would find leveled against a bank or a private company.

“The attackers in this case can succeed in disrupting an election by undermining our confidence in the results, undermining our sense that the election was fair and dividing us,” Herring said. “That is often the aim of election disruption campaigns.”

Berardino agreed, stressing that misinformation campaigns can be just as dangerous to the integrity of the 2020 election as a traditional hack. 

“For the 2020 election, misinformation is a large concern, and one that we address with our election security plan,” Berardino said. “To combat this, we need to have accurate information on our social media and other channels, and are prepared to quickly disseminate it should disinformation get out there.”

I asked Marc Rogers about traditional cybersecurity threats against elections and voting machines. In addition to being the executive director of cybersecurity strategy for the security firm Okta, he is also the head of security for the DEF CON hacker convention, one of the largest of those types of gatherings in the world. DEF CON is known for, among other things, hacking voting machines and exposing security flaws within the election system. They consider themselves to be white hat hackers, or those who use their hacking skills to expose threats and improve security.

“A lot of voting machines that we have looked at don’t offer much more security than the average kiosk that you would find at a mall,” Rogers said. “I personally find that inexcusable. Systems used for voting should have minimum standards like no exposed USB ports and hardened operating systems.”

Rogers said that making hardened voting machines that can audit themselves and detect any tampering is possible given technology today, but the space is still evolving. He also pointed out the increased emphasis on disinformation campaigns, and he said that DEF CON hackers were studying how attackers can manipulate people using fake news stories, social media posts and other methods of disinformation. Rogers said the white hat hackers are researching the best ways to counter those new kinds of threats.

Sumit Sehgal studies election security as the chief technical strategist for security firm McAfee. The company conducted a study of election security in 13 so-called battleground states, and the results were not very encouraging. Many election websites lacked the necessary .gov validation, and some were not even using the more secure HTTPS protocol to prevent fake web domains from pretending to be official government sites.

Sehgal says that many of the challenges faced by local election boards come from the fact that voter data does not exist in one place like it would in a more traditional security model. Instead, it’s spread out in devices, voting machines, on prem equipment and in the cloud. This presents a steep learning curve for many local governments, which makes the sharing of information and best practices a key to hosting a successful election process this year.

“Will we be able to preserve the integrity of the 2020 election?” Sehgal asked. “I hope so, but it’s going to be very challenging. I can almost guarantee that.”

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys