The Edward L. Doheny Jr. Memorial Library, University of Southern California campus in Los Angeles, Calif. 

Jul 07 2020

Q&A: USC Election Cybersecurity Initiative’s Powell on the Battle Ahead

Adam Clayton Powell III, the University of Southern California initiative’s executive director, discusses what state and local governments can do to enhance election security before November.

Editor's note: This is one of a series of Q&As StateTech has conducted with state election officials and cybersecurity experts on election security. To read our Q&A with Colorado Secretary of State Jena Griswold, click here. And to read our Q&A with Peter Threlkel, director of information services for the Oregon Secretary of State, click here

The 2020 general election is now about four months away, and concerns about cybersecurity attacks on election infrastructure have not dissipated amid the coronavirus pandemic. If anything, they have grown more worrisome, as the pandemic has spurred states to adopt more remote voting, another avenue for attackers. 

As The Washington Post reports, “election officials have spent much of their time since Russia’s 2016 election interference operation scrambling to correct genuine and serious security vulnerabilities. Those include voting machines that lack paper records, voter databases that aren’t sufficiently protected against hacking and staff without appropriate cybersecurity training.”

Disinformation campaigns remain a potent threat vector between now and Nov. 3, experts say. And the environment in which state and local governments are operating is even more chaotic than usual. 

“We’re looking at administering elections when there’s an ongoing threat from foreign adversaries coupled with a pandemic and now civil unrest,” Elizabeth Howard, counsel for the Brennan Center’s Democracy Program and a former Virginia election official, tells the Post. “This is a terrible situation, but we’re going to be learning a lot of lessons we’ll be able to use in November.”

One group that is trying to help teach those lessons is the University of Southern California’s Election Cybersecurity Initiative. The initiative is a nonpartisan, independent outfit, supported by Google, and has been conducting election security trainings in states across the country every week. StateTech recently spoke with Adam Clayton Powell III, the initiative’s executive director, about the group’s work and what state and local officials can do to enhance cybersecurity. 

STATETECH: Can you give me some background on what the USC Election Cybersecurity Initiative is and what you are doing?

POWELL: We, as far as we know, are the only independent, nonpartisan, election cybersecurity initiative that is going to be on the ground — now virtually in many states — but on the ground in all 50 states. And that is a deliberate focus for us. We, for three years, had a partnership with the National Governors Association, where we were their cybersecurity university partner, and we helped them with internal, off-the-record, private meetings with state and local election officials around the country, as well as at their public NGA winter and summer meetings. And before then — this project actually goes back to 2015 — before that, it was a USC effort working more with the federal government.

We are a multischool project involving communications, engineering, public policy, business, law and the USC College of Letters, Arts and Sciences, which includes a center which is headed by two people who ran presidential campaigns, who are among the advisers we have for this project. Bob Shrum, who ran John Kerry’s campaign in 2004 and other Democratic campaigns, and Mike Murphy, who ran [a Super PAC supporting] the Jeb Bush campaign in 2016 and many Republican campaigns. 

Adam Clayton Powell, III | USC Center on Public Diplomacy
Photo: USC Center on Public Diplomacy

Adam Clayton Powell III, Executive Director of the USC Election Cybersecurity Initiative

What they told us, to your very point of who the readership is, they said, “Do not pitch your workshops to people who are IT professionals or computer scientists. This should be for everybody working in campaigns and elections. Let others worry about the IT professionals, or the computer scientists and people of that level. You focus on the basic practices which should be followed by everybody working in campaigns or elections.”

MORE FROM STATETECH: Explore this infographic to discover how to protect voter information.

STATETECH: What lessons have you taken or learned, or has the overall initiative taken and learned, in terms of election security over the course of the primary campaign?

POWELL: Two things. Very early on when we were still able to do this in person and I traveled to different states, it was clear that everyone in every state, both political parties, take this very, very seriously. There is no one that we’ve met that doesn’t believe this is a serious problem that requires their attention. 

What happened after the virus shut down a lot of travel and meetings, and the way we’re doing it now, we’re doing two states a week virtually. Again, we have yet to meet anyone in any state who doesn’t believe that the problems are not worsened by the COVID-19 pandemic, because people are working at home. And so, almost by definition, everything is less secure.

STATETECH: From where you sit, what would you say are the biggest or most glaring vulnerabilities that still need to be addressed?

POWELL: We’re coming at it — because we’re talking to people who are not computer scientists and IT professionals — from a very fundamental, basic point of view. And when we were first mapping this out, back in late fall, and we thought we were going to concentrate more on the computer science and IT areas, and everyone, including Bob and Mike, said, “No, what you want to do is just keep reminding everyone of things that they may think they already know, but they just have to keep being reminded. They have to keep doing it over and over again.” 

We now are down to three subjects … based on the advice of Shrum and Murphy and other state and local campaign managers, state and local election workers. And one of them is that we always began with basic cybersecurity and cyber safety.

And this is really cyber safety 101, but that is how problems and breaches happen. We begin with two-factor authentication. You think that’s really basic, right? And we build up from there. We end that section with resources in that state, the very state where we’re doing the workshop, focusing on cyber safety and cybersecurity for campaigns and elections. 

Cybersecurity experts explore the nature of the election security threat landscape.

In terms of campaign and election workers, what we are told over and over again is job one is to make certain that everyone, every day, every hour, is aware of how they should be working safely and securely. Because Russia, China, Iran and all the foreign adversaries and domestic ones, they’re looking for that opening. And if you give them an opening, all you need is one slip, as we learned in 2016, and it could have a major, major effect. Everybody knows that now. 

Then we pivot and do two other things. One is dealing with disinformation and misinformation, because that’s all around us now, and what that means for campaign or election workers and how they can respond. We ended that session with specific links to help them spot disinformation and misinformation coming at them, and then specific places they can go, including the Homeland Security one-page handout, which we used to hand out in person. Now, we couldn’t do it in person. Now, we just put up the link of the new NSA one-page handout on working from home, what you should be doing. And then the Facebook, Google, and Microsoft special protection sites that people would go to get that extra protection. Some are only available if you can demonstrate you are an election or campaign worker. 

And we wrap up with, “OK, no system is perfectly secure, so bad things will happen. What do you do after the bad thing happens to you?” So, that’s the third piece: crisis communication.

STATETECH: Is there any single cybersecurity tool that is the most pressing priority to deploy? 

POWELL: Oh, absolutely. We list them really in that first module that we do on cyber safety, starting with two-factor authentication. If you’re not doing it, why not just leave your front door open at night and put a sign out saying, “Come in and help yourself”?

But then you go beyond that. What are the tips for best passwords or pass phrases? What are ways of securing your data in transit and on your devices? These are things that again ... I think most people would consider cyber 101, because you have to do it all the time. You can’t stop. You can’t just slip up.

STATETECH: When you’re working through these trainings and talking with people on the ground, is there any sense of how they can or should be prioritizing responding to the varying election security threats?

POWELL: What people recognize is that the vulnerabilities are not in one place. And so, you have to secure every weak point in the data chain from the very beginning to the very end. And what’s happened, as we all know, is that some of the basic fundamentals of elections — which in the best of circumstances are complicated things to run — but some of the basic elements of elections, from the date of the election, where you vote, how you vote, how you register, all of these are changing in many states. And sometimes on very little notice. 

In some ways, we’ve been pretty fortunate, because a really determined adversary or set of adversaries could really have caused much more confusion than we’ve seen. We’ve had enough confusion, thank you very much, because of the COVID-19 virus. But the vulnerabilities to securing just the basic election information, it’s something which is out there, and everyone appreciates it. That’s one thing which is very different I think from what we’ve seen in the last four or five years is that, especially in 2015 and before the unfortunate DNC email hack, this was not terribly high on people’s list of things to worry about.

Adam Clayton Powell III
What people recognize is that the vulnerabilities are not in one place. And so, you have to secure every weak point in the data chain from the very beginning to the very end."

Adam Clayton Powell III Executive Director, USC Election Cybersecurity Initiative

In fact, a lot of people were saying that securing DMV records was the No. 1 problem, or securing health systems in hospitals was the No. 1 problem. Well, now everyone understands that we have to secure democracy, or a lot of other things fall apart. In fact, it was Bob Shrum who gave us our slogan. And I said, “You know, we’re going to be doing a 50-state campaign just like you and Mike used to do.” And of course, he said, “No, no, we didn’t do a 50-state campaign. No one does the 50-state campaign, not since Richard Nixon in 1960. And he was up in Alaska when Jack Kennedy was in Ohio. So how did that turn out?” And then I said, “OK, we’re doing a 50-state campaign with all the candidates,” and Shrum leaned forward and he said, “Adam, you’re wrong. Your candidate is democracy.” I said, “Whoa, I’m going to steal that line, with credit.”

MORE FROM STATETECH: Deepfake videos can increase chaos through misinformation; learn how to spot them.

STATETECH: Do you feel like there is enough effective coordination right now between the state and local officials and entities such as the Cybersecurity and Infrastructure Security Agency at DHS?

POWELL: In putting our program together, we worked with CISA at Homeland Security, Matt Masterson was a key person in our project, and he even presented module one in Ohio. He’s a rock star. It’s like having, I don’t know, Beyoncé on your tour. But what we’ve heard from Matt and others in federal agencies is that there is far more coordination now with the states. We hear that directly from state officials as well.

I mean, we have a federal system, as you know. We do not have a national election. We have on the order of 10,000 local elections in November. And then we total up the numbers to see who’s won president of Senate and House and other races. And so, it means that we need to worry about securing on the order of 10,000 local elections. That informs us all the time. That’s why we work with the state and local governments, because we found sitting in Washington and Los Angeles, which is where our project was based in 2015, it was difficult to scale, and reaching state governments is a huge benefit for us in that area.

STATETECH: Is there any specific election security scenario that keeps you up at night?

POWELL: Oh, there are some we can’t talk about. This is a learning experience for us, as well as a lot of other people, including Matt, because what we’re finding, as people share questions with us, is that “Oops, there’s another vulnerability we hadn’t thought of. We’d better build that into our program, or we’d better build that into a different program that USC or others might run for more expert CS or IT people.”

So that’s really the thing: The single thing that probably runs through everything that really keeps us up at night is what don’t we know. We don’t know what we don’t know. We’re learning a lot every week, but what don’t we know that some adversary might discover? I mean, adversaries have R&D budgets. Their job is to try to get into the castle. And so that’s really what keeps us up at night.

Bobak Ha'Eri/Wikimedia COmmons