Mar 03 2020

Election Security 2020: State and Local Officials Are on High Alert During Super Tuesday

Voter registration databases are a major threat vector as state and local associations work with election entities to enhance cybersecurity.

It’s Super Tuesday, and as Americans in 14 states and one territory vote in the Democratic presidential primary, state government election officials are coordinating with federal and local partners to combat a variety of cybersecurity threats. 

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is highlighting the threat to states’ voter registration databases. 

“We tried to figure out where the risk really is across these systems,” CISA Director Chris Krebs said recently at the 2020 RSA conference, according to Government CIO, “and what we discovered, not surprisingly, is the areas where information is centralized, and it’s highly networked — that’s where the risk is. And where is that? Voter registration databases.” 

All of the states are members of the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), which is run by the Center for Internet Security and is working to establish channels of communication with state and local government agencies and offices, according to Krebs. The EI-ISAC enables information sharing among election entities and also analyzes incident and threat information to identify and report cybersecurity threat trends. 

States can also use cybersecurity and incident response services provided by the EI-ISAC.

The states are all working with DHS in some capacity to secure elections, and states are also operating with other in-state or for-profit partners, says Lori Augino, president of the National Association of State Election Directors and director of elections for the Washington Secretary of State’s office.

“In Washington, for example, we’re fortunate to have a lot of tech companies headquartered here, and we’re working with the National Guard to take advantage of their cyber-expertise. The purpose of the partnership is to prepare to respond to a cyber incident involving our office’s electronically networked computer and telecommunications systems related to our state’s election systems and infrastructure,” says Augino. “In the event a disaster or cyberattack affecting our election systems or infrastructure impacts public health, safety or welfare, the governor may order members of specialized Washington state and National Guard cybersecurity units into state active-duty status to conduct cybersecurity vulnerability assessments and defense activities to help secure impacted critical infrastructure.”

MORE FROM STATETECH: Read this infographic to discover how to protect voter information.

Registration Databases Are More Vulnerable Than Voting Machines

According to a poll StateTech conducted on Twitter, 39.7 percent of respondents said voting machines are the most vulnerable asset in election security, followed by state and local databases at 23.4 percent and computer networks at 19.2 percent. 

However, state and local election and cybersecurity officials say voting machines are not actually the most vulnerable part of the process. 

“We have to consider the full risk picture,” says Neil Jenkins, the chief analytic officer at the Cyber Threat Alliance. “Hacking voting machines would certainly have an impact but scaling that is hard. It requires hands-on access and time. And if you want to hack a lot of machines, it takes a lot of actors. That’s not easy. 

“It’s much easier, and thus more likely, that actors would attempt to target election infrastructure that is connected to the internet, like voter registration databases or election-night reporting systems,” Jenkins says. “Targeting these systems would not affect the vote count, but it could suppress voter turnout, trust in the results or both.”

Protecting voter registration databases is a critical part of state efforts to secure the election, says National Association of Secretaries of State President and Iowa Secretary of State Paul Pate. “States have helped local jurisdictions replace and update systems, provided cyber hygiene training, implemented two-factor authentication for access to statewide voter registration databases, supported risk assessments and more,” he says. “These efforts are to make all information more secure.”

In Washington state, all users of the state’s voter registration system are required to use two-factor authentication. “Two-factor authentication enhances the security of individual user accounts by using a secondary device to verify each individual’s identity,” Augino explains. “This prevents anyone but the user from accessing an account, even if they have their password.”

State-level secretaries of state, often the chief election officials in state government, have focused election security efforts on hardening infrastructure, Pate notes. 

“In recent years, states have helped support the replacement of outdated voting systems in use in their local jurisdictions,” Pate says. “States have also replaced or modernized voter registration systems, as well as other IT systems, to optimize security. In Iowa, we vote by paper ballot.”

Misinformation and disinformation might be the biggest issues secretaries of state face, Pate says. “There is no evidence a single vote was manipulated by the Russians in 2016, but we do know they tried to sow discord among the American people through social media,” he says. “I’m sure they and other foreign adversaries will attempt that again in 2020.”

In speaking with county IT leaders who are involved in the elections process, National Association of Counties CTO Rita Reynolds says that county election officials would disagree that voting machines are the most vulnerable element of election infrastructure. 

Generally, counties utilize disconnected elections equipment, she notes. 

“The voting collectors are not connected to a network connection in any way,” Reynolds says. “Results are pulled by secure USB, consolidated on a PC, which is also disconnected from the network, then data is pushed to another secure USB, which is then walked to a connected PC and uploaded via secure connection to the state’s secretary of state’s web application. Further security best practices include keeping the equipment behind locked areas, where only authorized users may access.”

MORE FROM STATETECH: Deepfake videos can increase chaos through misinformation; learn how to spot them.

States Aim to Be Proactive About Cybersecurity

When it comes to election cybersecurity, Pate notes that “the bad guys only have to get it right once; state and locals have to get it right 24/7.” 

Preparation is happening at all fronts, he notes. In response to the threats of election misinformation and disinformation, NASS launched the national #TrustedInfo2020 initiative, highlighting state and local election officials as the trusted sources for election information. “Our members are getting the word out and educating voters about the initiative regularly,” he notes.

Election officials “must be aware of potential disinformation efforts that may target their voters, but it is unlikely they can control it or defend against it,” Jenkins says. 

Instead, election officials “must know how to report it to the government and to social media platforms so that they can investigate and clean it up,” Jenkins adds. “To the extent that disinformation efforts target the voting process, election officials can also remind voters where to find correct information, such as poll hours or locations,” he says. 

Additionally, state and local election entities “should always be prepared for dealing with phishing attacks and attempts to steal or change data that they store,” Jenkins says. 

“These are things that election officials and their IT teams can train for and set up defenses to protect by enabling multifactor authentication and segmenting networks and data,” he says.

Joaquin Corbalan/Getty Images