Feb 06 2020

Election Security 2020: States Take Cybersecurity Measures Ahead of November

Shared information and resources are key to cybersecurity protection of voting systems.

In the Buckeye State, officials are doing more than just keeping an eye on the upcoming national elections. As the threat of cyber tampering looms large, state and local leaders are working diligently to ensure voting is secure.

“We want to set the tone for the rest of the nation,” says Ohio Secretary of State Frank LaRose, who in June issued a 34-point directive to guide state, county and local efforts on election cyber strategies. It calls for the use of event logging and intrusion detection tools, along with segmentation — disconnecting voting apparatus from external networks. “We want to make sure our boards of elections aren’t leaving a door opened by being attached to other, less secure assets,” LaRose says.

Ohio may be out in front, but it is hardly alone. Authorities in all 50 states are taking steps not only to secure the vote, but to ensure that the public perceives that vote as valid. They are getting help from the federal government, including the Cybersecurity and Infrastructure Security Agency, an operational component under the U.S. Department of Homeland Security.

Experts say the aggressive action is justified, given the high likelihood that adversarial nations and other bad actors could try to tamper with the election.

DHS Leads Federal Effort for Cooperative Security

States are looking to November and beyond, to the primary voting looming on the horizon.

“My biggest concern is March 2020,” says Maurice Turner, deputy director of the Internet Architecture Project at the Center for Democracy and Technology.

“Changing votes in the November election is going to be very difficult to do at a scale that would be undetected. But if a particular candidate gets an extra 1 percent or 2 percent in a primary, that might be the difference for their opponent to not make it to a state the next week,” he says. “If it comes out that there was any sort of malicious interference, and that some of those votes may have been illegitimate, I’m not sure that we have the processes in place to do that investigation in that time frame.”

Security agencies have documented Russian interference in the 2016 presidential election and experts agree that bad actors from that nation and others are likely to try again. Former special counsel Robert Mueller told Congress last July, “They are doing it as we sit here.”

In January 2017, DHS responded to the threat by declaring voting to be part of the national critical infrastructure. This gave the federal government a more prominent role to play in elections, which otherwise are exclusively the purview of the states.

Since then, experts say, a new cooperative environment has arisen between federal, state and local authorities in the effort to prevent cyber tampering and ensure public confidence in the process.


States Eye Success Through Information Sharing and Audits

With the creation of the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) in 2018, state officials gained access to a common source of threat data — and, just as important, a common forum for sharing cyber concerns around the elections.

“We are building a dialog with DHS and trying to get them comfortable in our world,” says Paul Pate, president of the National Association of Secretaries of State and Iowa Secretary of State. “We’ve been setting up various communications tools and setting up resources. When we started on this path, the feds weren’t telling us anything, so just the progress on that front has been a big improvement.”

The cooperative arrangement enables states to see further than ever before as they seek to harden their voting systems against potential incursions.

“Before this, there wasn’t a holistic situational awareness,” says Geoff Hale, director of CISA’s Election Security Initiative. “Things that happened in California weren’t being seen in Wyoming. Now, they can share alerts and warnings from activity seen and reported on their networks.”

CISA supports the states with risk assessments, looking for potential weak spots in voting systems, and also with remote penetration testing, in which federal officials actively try to breach the elections infrastructure.

“We have done that with more than 25 states,” Hale says. “While it is only a point-in-time snapshot, it helps them make budget decisions going forward on what needs to be advanced to have a more secure system.”

In addition to that point-in-time service, more than 200 state, county and local election authorities have turned to CISA for persistent vulnerability scanning of their internet-facing enterprises, ensuring the integrity of sites run by the secretary of state, as well as online voter registration sites.

$425 million

The amount of money Congress allocated for election security ahead of the 2020 presidential election

Source: "Congress Allocates $425 Million For Election Security In New Legislation," NPR, Dec. 16, 2019

States have been eager to avail themselves of this support, according to Elizabeth Howard, counsel to the Democracy Program in the Brennan Center for Justice. Congress allocated $380 million to support election security in 2018, “and all 50 states obtained federal funding to secure their election infrastructure,” she says. “They were planning to spend that on updates to the voter registration databases, cybersecurity practices in general, training and audits.”

Those DHS-led audits have proven especially valuable in helping states to understand the strengths and weaknesses in their systems coming into the primaries. This year, Congress has made available $425 million for states that want to boost their election security.

“If DHS can come in and identify vulnerabilities, it will help you to strengthen your system by identifying and addressing weak points,” Howard says.


Cybersecurity Precautions Aim for Trusted Results

Armed with such insights, state and local authorities have taken a range of steps toward better cyber hygiene across the election enterprise.

Texas Director of Elections Keith Ingram has led an effort to ensure voting machines and county voting systems are disconnected from any external networks, a vital measure in the effort to prevent outside intrusion. He says his team has also assessed voter registration systems at the county level for compliance with National Institute of Standards and Technology guidelines.

To ensure the integrity of election night returns, “we are using Cloudflare and other denial-of-service prevention measures, and we are encouraging the counties to use it on their side as well,” Ingram says. “We are also making sure the counties have security certificates on their websites, so that when they post election night returns, the public can have confidence in those results.”

That latter effort is key to the state’s overall approach to cybersecurity. “We know there is some desire to delegitimize the outcome, to cause people to doubt the system,” Ingram says. “Most of what happened in 2016 and most of what we expect this year is in that category: to sow chaos and confusion around the voting process.”

Sometimes the surest way to build public trust is to unplug. Pennsylvania, for example, has mandated that all counties use new voting systems with voter-verified paper ballots by the end of 2019, and that those ballots be physically — not digitally — delivered, then retained for post-election audits.


Because the dot-gov domain is more secure and more trusted than its dot-com counterpart, Ohio is moving all election boards into that realm. “It’s a more secure area of the internet, and malicious activity is easier to monitor there,” LaRose says. “We are informing the public that if you want trustworthy information, if you want information you can believe in an era of disinformation, you get it from your secretary of state or your county board of elections. You get it from a dot-gov domain.”

Despite all these safeguards, something could still go wrong. To that end, Ohio moved in late 2019 to create a “cyber reserve,” regional 15-person teams that can stand up fast and work to remediate potential breaches in the voting process.

“Those units are being recruited as we speak,” LaRose says. “Their role will be to support continuity of operations in any aspect designated by the governor — the county courthouse, city hall — and also critical infrastructure, including the boards of elections and 88 county government entities with varying levels of sophistication.”

While state and local officials face a formidable challenge in fighting both cyberthreats and related online efforts to undermine public confidence, the pieces are in place to ensure the 2020 elections will have a high degree of digital resilience, says Rita Reynolds, chief technology officer of the National Association of Counties.

“In the states that are doing it well, there are strong partnerships between federal entities, the state leadership, the county election directors and their IT support,” she says. “That’s the model right there. It all boils down to communication and relationships.”

Illustration by Lance Pettiford