STATETECH: This election year did not play out the way anyone expected. What were the main concerns at the beginning of the year?
MASTERSON: We spent the last three years working to understand where the risks lie in the system and how we can help build resilience around the process — everything from penetration testing of voter registration systems to regular scanning of their outward-facing networks. For us, the focus was on the outward-facing network systems; for example, voter registration, lookup tools, voter registration data, election night reporting systems, general office systems. Those are the largest areas of risk because of their attack surface availability and the resource challenges for state and local officials who have to manage patching and upgrading of systems.
Those challenges haven’t changed in the pandemic. What did change for election officials is the additional infrastructure that they had to put into place. With the expansion of absentee balloting in some states, you see the introduction of new systems, mail processing systems, central count scanners, items like that.
And also, there’s the introduction of new third-party providers. Vendors and third-party providers are a critical part of the election ecosystem and always have been, whether it’s voting machines, voter registration providers or electronic poll book providers. The pandemic shifted the risk more to these third-party providers, because election officials were having to make changes quicker than is typical — we’re talking about more rapid deployment of technology, more rapid reliance. The election officials have done a really good job on that, but it’s certainly an environment of dynamic change for them.
STATETECH: How many of the new processes are dependent on technology attached to the internet?
MASTERSON: Like everything in elections, it depends. Every state has an absentee balloting process. In some states, prior to COVID, it was 3 to 5 percent; then you’ve got states like Washington, Oregon and Colorado who do all vote-by-mail. States that already had robust vote-by-mail operations are using more systems that are at least locally networked or connected to voter registration data in some way, shape or form. So firewalling, access control, items like that become particularly critical.
In other jurisdictions, particularly midsize and small counties, they’re brute-forcing this with people. You’re not seeing as much introduction of technology; instead, they’re finding more people and having them open the mail physically, hand-feeding it through the scanners.
But there’s been endless amounts of help provided to these officials as they deal with that. States like Washington and Colorado have been on the phone with other states. We at CISA have worked with election officials in the private sector to produce documents around managing voting by mail to try to give them some best practices. We’ve really tried to recognize that different jurisdictions are in a different place in this.
STATETECH: Did you learn any lessons from the primary season that altered the outlook on what you needed to do for the November election?
MASTERSON: The lessons for us really came down to the need to be nimble in our response and services. We already were pushing to reach 8,800 localities running elections across this country. Now, in a COVID environment, you’ve got an audience that understandably is focused on managing a process that’s changing rapidly. And as you’re implementing new processes, your incident response plans are going to need to change. The good news is that prior to COVID, every election conference really focused on cybersecurity. COVID hits, the focus obviously is on COVID, but that cybersecurity threat remains a constant.
STATETECH: Is the preparation you’re seeing for the 2020 election different from 2016?
MASTERSON: Frankly, it’s night and day from 2016. 2016, just like the 2000 election, was a watershed moment for election administration. 2016 was the cyber awakening for us at the federal level, and for state and local. Election officials have always worked to secure their systems, but when a nation-state actor targets your infrastructure, that changes the conversation. What we’ve seen since 2016 is a massive amount of mobilization and effort from state and local officials. Now, we have intrusion detection sensors deployed on election infrastructure across all 50 states. That wasn’t in place in 2016. We have relationships with all 50 states, close to 5,000 election jurisdictions, where we’re either providing services and sharing information or they’re signed up as part of the Information Sharing and Analysis Center, which didn’t exist in 2016. Now, does that mean we’re where we need to be? No. There’s still work to be done, particularly in those midsize and small counties, reaching them and getting them the information and help they need.
STATETECH: Is there anything else that can be done to protect the Nov. 3 election?
MASTERSON: For the most part, the critical systems — your voter registration system, and certainly your voting systems — are pretty well locked in at this point. You’re not going to do major upgrades and certainly not change systems at this point, nor should you. That would introduce more risk. But you can still patch systems between now and the election, and should. You can still manage credentials and plan for credential resets between now and the election. You can still update unsupported systems that aren’t in that critical path, even just business systems, in order to manage risk. Unquestionably, you can review and update your incident response plan and practice.
Election officials are natural contingency planners. That exercise of going through and trying out your incident response plan and making sure you’ve got everything in there is something that should just be part of your election prep, as well as testing your backups.
STATETECH: What happens as Election Day draws closer?
MASTERSON: Forty-five days out from the election, we go into an enhanced operations tempo. What that means is more regular updating of the election officials on threat or risk, and more information sharing with our federal partners at other agencies to make sure we’re constantly evaluating what we can push out to state and local officials.
When we get within a week of the election, we’ll open our operations center. That is both in-person and virtual with all of our federal partners, with state and local election officials, with the private sector vendors that we work with — including voting machine vendors and voter registration vendors — and others, including the two political parties and social media companies, to make sure that we have close to real-time information sharing leading into the election, and then after the election. That operation center will stay open until election officials have certified the results.
Then, on Election Day, we open what’s called our Cyber Situational Awareness Room, which is a virtual chat room that thousands of local and state officials can sign in to and share information in real time. We have federal partners there, as well as the state and local reps. We did it in all of the primary elections. We did it throughout 2018. It gives us the capability to very quickly sort fact from fiction on the ground and say, “What’s happening out there? Is this something we should be concerned about or not?”
STATETECH: So, what happens if the final results aren’t available on election night?
MASTERSON: Election night results are unofficial results. They are important, and certainly the media and the public need that transparency on election night. But there’s an entire certification process that takes place across every state in order to certify the results as official. For election officials, that’s part of the plan — every election, every time. What American voters need to understand is we may need to be more patient as voters. On election night, you’re still going to get results, but we may have more of an outstanding balance of votes than we typically would have in some states. But in the end, we’re going to get to certified election results in each one of the states.
Again, this is why running the election at the state and local level is so important, because you can engage directly with the people that are running the election to get questions answered. You don’t have to rely on some Facebook post or tweet in order to get that information. Those people are right there in your community.
STATETECH: What kind of after-actions are planned for after the election, no matter what happens?
MASTERSON: Election officials, as part of their natural course of conduct, do after-action reports after every election. We at CISA will do exactly the same thing. Election infrastructure and working with state and local officials in the private sector is part of our mission now. After each election, we assess what more we can be doing to help support them, how is the risk changing, what information we can put out there to help them manage that risk, what services we can be providing that we’re not currently.
I’ll give you an example: In 2018, we did onsite penetration testing of several state election systems, and the response we got from the election officials was, “This is an amazing service. We really appreciate it. But is there any way you could do it remotely, so it’s not as intrusive to our operation?” Well, we developed remote penetration testing capabilities and have been doing that widely across state and local entities. That has been particularly important in the COVID environment.
Certainly, this election is going to give us a lot to chew on. What more can we be doing to serve this community to help support them? Because cybersecurity of elections isn’t going away. It’s only going to increase in importance, and it is certainly a priority for us at CISA.
STATETECH: When does planning for the next election begin?
MASTERSON: One of the most common questions local officials get is, “Well, what do you do the other three years?” The reality for election officials is that they’re always running the next election. It’s like painting the Golden Gate Bridge: You finish on one end and you start painting again. For most election officials, the planning process begins even in the midst of the election they are running. Frankly, it’s better for us that way, because we have to stay nimble and sharp in order to be responsive.