The states are all working with DHS in some capacity to secure elections, and states are also operating with other in-state or for-profit partners, says Lori Augino, president of the National Association of State Election Directors and director of elections for the Washington Secretary of State’s office.
“In Washington, for example, we’re fortunate to have a lot of tech companies headquartered here, and we’re working with the National Guard to take advantage of their cyber-expertise. The purpose of the partnership is to prepare to respond to a cyber incident involving our office’s electronically networked computer and telecommunications systems related to our state’s election systems and infrastructure,” says Augino. “In the event a disaster or cyberattack affecting our election systems or infrastructure impacts public health, safety or welfare, the governor may order members of specialized Washington state and National Guard cybersecurity units into state active-duty status to conduct cybersecurity vulnerability assessments and defense activities to help secure impacted critical infrastructure.”
Registration Databases Are More Vulnerable Than Voting Machines
According to a poll StateTech conducted on Twitter, 39.7 percent of respondents said voting machines are the most vulnerable asset in election security, followed by state and local databases at 23.4 percent and computer networks at 19.2 percent.
However, state and local election and cybersecurity officials say voting machines are not actually the most vulnerable part of the process.
— StateTech Magazine (@StateTech) February 6, 2020
“We have to consider the full risk picture,” says Neil Jenkins, the chief analytic officer at the Cyber Threat Alliance. “Hacking voting machines would certainly have an impact but scaling that is hard. It requires hands-on access and time. And if you want to hack a lot of machines, it takes a lot of actors. That’s not easy.
“It’s much easier, and thus more likely, that actors would attempt to target election infrastructure that is connected to the internet, like voter registration databases or election-night reporting systems,” Jenkins says. “Targeting these systems would not affect the vote count, but it could suppress voter turnout, trust in the results or both.”
Protecting voter registration databases is a critical part of state efforts to secure the election, says National Association of Secretaries of State President and Iowa Secretary of State Paul Pate. “States have helped local jurisdictions replace and update systems, provided cyber hygiene training, implemented two-factor authentication for access to statewide voter registration databases, supported risk assessments and more,” he says. “These efforts are to make all information more secure.”
In Washington state, all users of the state’s voter registration system are required to use two-factor authentication. “Two-factor authentication enhances the security of individual user accounts by using a secondary device to verify each individual’s identity,” Augino explains. “This prevents anyone but the user from accessing an account, even if they have their password.”
State-level secretaries of state, often the chief election officials in state government, have focused election security efforts on hardening infrastructure, Pate notes.
“In recent years, states have helped support the replacement of outdated voting systems in use in their local jurisdictions,” Pate says. “States have also replaced or modernized voter registration systems, as well as other IT systems, to optimize security. In Iowa, we vote by paper ballot.”
Misinformation and disinformation might be the biggest issues secretaries of state face, Pate says. “There is no evidence a single vote was manipulated by the Russians in 2016, but we do know they tried to sow discord among the American people through social media,” he says. “I’m sure they and other foreign adversaries will attempt that again in 2020.”
In speaking with county IT leaders who are involved in the elections process, National Association of Counties CTO Rita Reynolds says that county election officials would disagree that voting machines are the most vulnerable element of election infrastructure.
Generally, counties utilize disconnected elections equipment, she notes.
“The voting collectors are not connected to a network connection in any way,” Reynolds says. “Results are pulled by secure USB, consolidated on a PC, which is also disconnected from the network, then data is pushed to another secure USB, which is then walked to a connected PC and uploaded via secure connection to the state’s secretary of state’s web application. Further security best practices include keeping the equipment behind locked areas, where only authorized users may access.”
States Aim to Be Proactive About Cybersecurity
When it comes to election cybersecurity, Pate notes that “the bad guys only have to get it right once; state and locals have to get it right 24/7.”
Preparation is happening at all fronts, he notes. In response to the threats of election misinformation and disinformation, NASS launched the national #TrustedInfo2020 initiative, highlighting state and local election officials as the trusted sources for election information. “Our members are getting the word out and educating voters about the initiative regularly,” he notes.
Election officials “must be aware of potential disinformation efforts that may target their voters, but it is unlikely they can control it or defend against it,” Jenkins says.
Instead, election officials “must know how to report it to the government and to social media platforms so that they can investigate and clean it up,” Jenkins adds. “To the extent that disinformation efforts target the voting process, election officials can also remind voters where to find correct information, such as poll hours or locations,” he says.
Additionally, state and local election entities “should always be prepared for dealing with phishing attacks and attempts to steal or change data that they store,” Jenkins says.
“These are things that election officials and their IT teams can train for and set up defenses to protect by enabling multifactor authentication and segmenting networks and data,” he says.