May 19 2020

States Cannot Waver in Election Security Efforts

Cybersecurity election concerns are growing more complex, which is why election officials need to be more vigilant than ever.

Election security concerns for state and local governments have not gone away during the coronavirus pandemic. In fact, they’ve only grown more urgent. 

Those concerns are mounting as states argue they do not have enough leeway to use the $400 million Congress appropriated for election security this spring, and “a coalition of more than 200 public-interest groups are pushing hard for Congress to include $3.6 billion for the 2020 election cycle in the next coronavirus relief bill,” as The New York Times Magazine reports.

Some states are considering moving to online voting because of concerns about having residents congregate at polling places. However, that move is something security experts are strongly cautioning against because of cybersecurity vulnerabilities. The Guardian reports the Department of Homeland Security opposed such moves in a draft guidance, warning that casting ballots over the internet is “a ‘high-risk’ endeavor that would allow attackers to alter votes and results ‘at scale’ and compromise the integrity of elections.” 

The challenges posed by the pandemic are making a complicated security picture even more complex for state and local election officials. They need to remember all of the election security concerns that existed in January are still out there and are now more difficult to tackle — and they include malicious actors spreading disinformation and attackers targeting voting databases. All of those concerns need to be addressed between now and November. 

The Threats Election Officials Are Considering

What could happen as voters go to the polls this fall? “Russian hackers could target election officials working from home,” The Washington Post notes. “Adversaries could spread rumors about coronavirus outbreaks at polling sites to deter people from showing up on Election Day. Or they could launch disinformation campaigns claiming elections have been delayed or canceled entirely because of the virus.”

The University of Southern California’s Election Cybersecurity Initiative spins out those scenarios, the Post notes, and is working to “conduct virtual training programs for campaign and election officials across all 50 states before November.”

“Security concerns now are more urgent in almost all cases because the virus has really exacerbated security issues,” Adam Clayton Powell III, the initiative’s executive director, tells the Post. “It’s not an abstraction. It’s very real for people that they’ll have to do this work in a more urgent climate than they anticipated.”

The USC group is holding shorter videoconferencing sessions for election officials than it did in person but is getting a larger audience, with online trainings getting an average of about 200 attendees versus about 100 for the in-person ones, Powell tells the Post.


How to Guard Election Infrastructure

States have been busy working with DHS’ Cybersecurity and Infrastructure Security Agency to safeguard their election infrastructure. DHS’ “tabletop in a box” exercises let state and local officials work through various scenarios so they can prepare to defend their networks.

Such scenarios may include news and social media manipulation, spear-phishing campaigns, disruption of voter registration information systems and processes, denial of service attacks and web defacements, malware infections on electronic voting machines and election management system software, and the exploitation of state and county board election networks. “A pretty broad example would be, you show up on Election Day and you don’t have internet access,” Robert Giles, director of the New Jersey Division of Elections, tells radio station NJ101.5. New Jersey ran the tabletop exercises in all 21 of its counties last September. “There will be cyber incidents, police/fire-type incidents, natural disaster incidents.”

New Jersey officials used $9.8 million obtained through Help America Vote Act provisions to pay for the exercises, another example of state-federal cooperation. The training “is an extraordinarily good thing,” Christine Hanlon, clerk for Monmouth County, N.J., tells NJ Spotlight. “This is forcing all election officials to deal with scenarios we may not have planned for. It’s critically important that we are prepared, and if it’s not in our plan, we need to add it.”

State and local election officials need to avail themselves of such training whenever possible and practice different scenarios with their staff. The fact that more of these trainings are now being held virtually should make it easier for officials to attend. 

The national security blog Lawfare notes that election officials need to focus on “stress-testing and auditing existing digital election infrastructure … without a map of trouble spots, election officials will be blind to their risks in the critical months ahead.” 

Additionally, “if digital election infrastructure is expanded or changed, security and resiliency measures should be an integral part of its design, not introduced after the fact.”

The blog also notes that DHS has resources to “help detect and secure digital infrastructure flaws” and that “election officials must seek out these resources early and often in the coming months.”

Election security concerns are evolving and growing more complex. State and local officials, in coordination with federal partners such as DHS, need to step up their game in the coming months to ensure a secure vote in November.

This article is part of StateTech's CITizen blog series. Please join the discussion on Twitter by using the #StateLocalIT hashtag.


3dfoto/Getty Images