STATETECH: Can you give me some background on what the USC Election Cybersecurity Initiative is and what you are doing?
POWELL: We, as far as we know, are the only independent, nonpartisan, election cybersecurity initiative that is going to be on the ground — now virtually in many states — but on the ground in all 50 states. And that is a deliberate focus for us. We, for three years, had a partnership with the National Governors Association, where we were their cybersecurity university partner, and we helped them with internal, off-the-record, private meetings with state and local election officials around the country, as well as at their public NGA winter and summer meetings. And before then — this project actually goes back to 2015 — before that, it was a USC effort working more with the federal government.
We are a multischool project involving communications, engineering, public policy, business, law and the USC College of Letters, Arts and Sciences, which includes a center which is headed by two people who ran presidential campaigns, who are among the advisers we have for this project. Bob Shrum, who ran John Kerry’s campaign in 2004 and other Democratic campaigns, and Mike Murphy, who ran [a Super PAC supporting] the Jeb Bush campaign in 2016 and many Republican campaigns.
Photo: USC Center on Public Diplomacy
Adam Clayton Powell III, Executive Director of the USC Election Cybersecurity Initiative
What they told us, to your very point of who the readership is, they said, “Do not pitch your workshops to people who are IT professionals or computer scientists. This should be for everybody working in campaigns and elections. Let others worry about the IT professionals, or the computer scientists and people of that level. You focus on the basic practices which should be followed by everybody working in campaigns or elections.”
STATETECH: What lessons have you taken or learned, or has the overall initiative taken and learned, in terms of election security over the course of the primary campaign?
POWELL: Two things. Very early on when we were still able to do this in person and I traveled to different states, it was clear that everyone in every state, both political parties, take this very, very seriously. There is no one that we’ve met that doesn’t believe this is a serious problem that requires their attention.
What happened after the virus shut down a lot of travel and meetings, and the way we’re doing it now, we’re doing two states a week virtually. Again, we have yet to meet anyone in any state who doesn’t believe that the problems are not worsened by the COVID-19 pandemic, because people are working at home. And so, almost by definition, everything is less secure.
STATETECH: From where you sit, what would you say are the biggest or most glaring vulnerabilities that still need to be addressed?
POWELL: We’re coming at it — because we’re talking to people who are not computer scientists and IT professionals — from a very fundamental, basic point of view. And when we were first mapping this out, back in late fall, and we thought we were going to concentrate more on the computer science and IT areas, and everyone, including Bob and Mike, said, “No, what you want to do is just keep reminding everyone of things that they may think they already know, but they just have to keep being reminded. They have to keep doing it over and over again.”
We now are down to three subjects … based on the advice of Shrum and Murphy and other state and local campaign managers, state and local election workers. And one of them is that we always began with basic cybersecurity and cyber safety.
And this is really cyber safety 101, but that is how problems and breaches happen. We begin with two-factor authentication. You think that’s really basic, right? And we build up from there. We end that section with resources in that state, the very state where we’re doing the workshop, focusing on cyber safety and cybersecurity for campaigns and elections.
Cybersecurity experts explore the nature of the election security threat landscape.
In terms of campaign and election workers, what we are told over and over again is job one is to make certain that everyone, every day, every hour, is aware of how they should be working safely and securely. Because Russia, China, Iran and all the foreign adversaries and domestic ones, they’re looking for that opening. And if you give them an opening, all you need is one slip, as we learned in 2016, and it could have a major, major effect. Everybody knows that now.
Then we pivot and do two other things. One is dealing with disinformation and misinformation, because that’s all around us now, and what that means for campaign or election workers and how they can respond. We ended that session with specific links to help them spot disinformation and misinformation coming at them, and then specific places they can go, including the Homeland Security one-page handout, which we used to hand out in person. Now, we couldn’t do it in person. Now, we just put up the link of the new NSA one-page handout on working from home, what you should be doing. And then the Facebook, Google, and Microsoft special protection sites that people would go to get that extra protection. Some are only available if you can demonstrate you are an election or campaign worker.
And we wrap up with, “OK, no system is perfectly secure, so bad things will happen. What do you do after the bad thing happens to you?” So, that’s the third piece: crisis communication.
STATETECH: Is there any single cybersecurity tool that is the most pressing priority to deploy?
POWELL: Oh, absolutely. We list them really in that first module that we do on cyber safety, starting with two-factor authentication. If you’re not doing it, why not just leave your front door open at night and put a sign out saying, “Come in and help yourself”?
But then you go beyond that. What are the tips for best passwords or pass phrases? What are ways of securing your data in transit and on your devices? These are things that again ... I think most people would consider cyber 101, because you have to do it all the time. You can’t stop. You can’t just slip up.
STATETECH: When you’re working through these trainings and talking with people on the ground, is there any sense of how they can or should be prioritizing responding to the varying election security threats?
POWELL: What people recognize is that the vulnerabilities are not in one place. And so, you have to secure every weak point in the data chain from the very beginning to the very end. And what’s happened, as we all know, is that some of the basic fundamentals of elections — which in the best of circumstances are complicated things to run — but some of the basic elements of elections, from the date of the election, where you vote, how you vote, how you register, all of these are changing in many states. And sometimes on very little notice.
In some ways, we’ve been pretty fortunate, because a really determined adversary or set of adversaries could really have caused much more confusion than we’ve seen. We’ve had enough confusion, thank you very much, because of the COVID-19 virus. But the vulnerabilities to securing just the basic election information, it’s something which is out there, and everyone appreciates it. That’s one thing which is very different I think from what we’ve seen in the last four or five years is that, especially in 2015 and before the unfortunate DNC email hack, this was not terribly high on people’s list of things to worry about.