States Step Up Cybersecurity Efforts Ahead of the 2020 Election

States and Feds Team Up to Protect Election Infrastructure

Security agencies have documented Russian interference in the 2016 presidential election, and experts agree that bad actors from that nation and others are likely to try again. Former special counsel Robert Mueller told Congress last year, “They are doing it as we sit here.”

In January 2017, DHS responded to the threat by declaring voting to be part of the national critical infrastructure. This gave the federal government a more prominent role to play in elections, which otherwise are exclusively the purview of the states.

Since then, experts say, a new cooperative environment has arisen among federal, state and local authorities to try to prevent cyber tampering and ensure public confidence in the process.

With the creation of the Elections Infrastructure Information Sharing and Analysis Center in 2018, state officials gained access to a common source of threat data — and, just as important, a common forum for sharing cyber concerns around the elections.

“We are building a dialogue with DHS and trying to get them comfortable in our world,” says Paul Pate, president of the National Association of Secretaries of State and Iowa’s secretary of state. “We’ve been setting up various communication tools and setting up resources. When we started on this path, the feds weren’t telling us anything, so just the progress on that front has been a big improvement.”

The cooperative arrangement enables states to see further than ever as they seek to harden their voting systems against potential incursions.

Ohio Secretary of State Frank LaRose, right, has been working with county boards of elections to boost cybersecurity.

“Before this, there wasn’t a holistic situational awareness,” says Geoff Hale, director of CISA’s Election Security Initiative. “Things that happened in California weren’t being seen in Wyoming. Now, they can share alerts and warnings from activity seen and reported on their networks.”

CISA supports the states with risk assessments, to look for potential weak spots in voting systems, and with remote penetration testing, in which federal officials try to breach the elections infrastructure.

“We have done that with more than 25 states,” Hale says. “While it is only a point-in-time snapshot, it helps them make budget decisions going forward on what needs to be advanced to have a more secure system.”

MORE FROM STATETECH: Explore this infographic to discover how to protect voter information.

States Turn to DHS for Security Scans 

In addition to that point-in-time service, more than 200 state, county and local election authorities have turned to CISA for persistent vulnerability scanning of their internet-facing enterprises, ensuring the integrity of sites run by the secretary of state and of online voter registration sites.

States have been eager to avail themselves of this support, says Elizabeth Howard, counsel to the Democracy Program in the Brennan Center for Justice. 

Congress allocated $380 million to support election security in 2018, “and all 50 states obtained federal funding to secure their election infrastructure,” she says. “They were planning to spend that on updates to the voter registration databases, cybersecurity practices in general, training and audits.”

Those DHS-led audits have been especially valuable in helping states to understand the strengths and weaknesses in their systems coming into the primaries. This year, Congress has made available $425 million for states that want to boost election security.

“If DHS can come in and identify vulnerabilities, it will help you to strengthen your system by identifying and addressing weak points,” Howard says.

VIDEO: Hear from cybersecurity experts on the top election security threats. 

Disconnected Networks Help Boost Election Security 

Armed with such insights, state and local authorities have taken a range of steps toward better cyber hygiene across the election enterprise.

Texas Director of Elections Keith Ingram has led an effort to ensure voting machines and county voting systems are disconnected from any external networks, a vital measure to prevent outside intrusion. He says his team has also assessed voter registration systems at the county level for compliance with National Institute of Standards and Technology guidelines.

To ensure the integrity of election night returns, “we are using Cloudflare and other denial-of-service prevention measures, and we are encouraging the counties to use it on their side as well,” Ingram says. 

“We are also making sure the counties have security certificates on their websites, so that when they post election night returns, the public can have confidence in those results.”

The latter effort is key to the state’s overall approach to cybersecurity. “We know there is some desire to delegitimize the outcome, to cause people to doubt the system,” Ingram says. “Most of what happened in 2016 and most of what we expect this year is in that category: to sow chaos and confusion around the voting process.”

Sometimes the surest way to build public trust is to unplug. For examle, Pennsylvania required all counties to use new voting systems with voter-verified paper ballots by the end of 2019, and that those ballots be physically (not digitally) delivered, then retained for post-election audits.

LEARN MORE: What is a deepfake and how can it impact the election? 

Security Efforts Can Ensure Resilience Amid Threats

Because the dot-gov domain is more secure and more trusted than its dot-com counterpart, Ohio is moving all election boards into that realm. “It’s a more secure area of the internet, and malicious activity is easier to monitor there,” LaRose says. “We are informing the public that if you want trustworthy information, if you want information you can believe in an era of disinformation, you get it from your ­secretary of state or your county board of elections. You get it from a dot-gov domain.”

Despite all these safeguards, something could still go wrong. To that end, Ohio moved in late 2019 to create a Cyber Reserve, regional 10-person teams that can stand up fast and remediate potential breaches in the voting process.

“Those units are being recruited as we speak,” LaRose says. “Their role will be to support continuity of operations in any aspect designated by the governor — the county courthouse, city hall — and also critical infrastructure, including the boards of elections and 88 county government entities with varying levels of sophistication.”

While state and local officials face a formidable challenge in fighting both cyberthreats and related online efforts to undermine public confidence, the pieces are in place to ensure the 2020 election will have a high degree of digital resilience, says Rita Reynolds, CTO of the National Association of Counties.

“In the states that are doing it well, there are strong partnerships among federal entities, the state leadership, the county election directors and their IT support,” Reynolds says. 

“That’s the model right there. It all boils down to communication and relationships,” she adds.

Securing the Vote from Home

The COVID-19 pandemic has already upended the primary election season, and state election officials are planning for changes should the virus still be prevalent on Nov. 3. If vote-by-mail becomes the preferred way to cast a ballot, the state officials interviewed by the U.S. Election Assistance Commission recommend a few simple investments:

• Automation can help produce vote-by-mail packets, sort ballots and open envelopes.
• Barcode scanners can be used to record addresses on envelopes with returned ballots.
• Boxes will be needed to store ballots and envelopes. Ricky Hatch, county clerk/auditor for Weber County, Utah, recalls in an EAC video having to “scrounge” boxes from the local print shop.