The possibility that a ransomware attack could cripple access to a voter registration database remains a major concern among cybersecurity officials.
To address this threat and others, state officials increased their security efforts ahead of the Nov. 3 general election. Over the summer, Colorado announced the creation of a rapid-response cybersecurity team that will help counties combat cyberattacks and disinformation. StateTech recently spoke with Colorado Secretary of State Jena Griswold on how her office is coordinating election security efforts and what she sees as the biggest threats.
STATETECH: What would you say are some of the lessons that Colorado has learned about election security, both in terms of conducting your own primary and looking at how things have played out in other states?
Griswold: We’re facing two crises when it comes to elections in November: the pandemic and the attack on our democracy by Russia and other countries.
Colorado really leads on both fronts and can serve as a model for voting under both crises. The first and foremost is the use of mail-in ballots and early voting and the accessible elections we have. And for the second, Colorado is one of the safest states in which to cast a ballot. Today, voting machines are not connected to the internet. Each vote has a paper record, we do risk-limiting audits, and I can go over all the things that we do to innovate.
I do think it’s very important to realize that election systems across the nation combat literally millions of malicious intrusions from all over the world, searching for vulnerabilities. And the fact of the matter is that foreign countries and would-be hackers will continue to innovate. I’m really proud of what we have done through COVID and also some lessons learned from our primary.
STATETECH: Can you talk about how Colorado approaches ensuring that its election systems are resilient in the event of cyberattacks?
Griswold: Absolutely. It’s really important to have various backup plans, basically. We have same-day voter registration. So, say the worst-case scenario happens when our statewide poll book is down; no voter will be turned away from the polls because of that same-day voter registration. But we do have backup servers that are continuously updated in real time. All of that information on those servers also goes onto a paper record that we can pull from.
I also issued a series of rules to make sure that, leading up to the election, every county has a backup of their registrations, either printed or on a laptop that is not connected to the server, that has the most recent registrations within the last 24 hours. And then I ran an emergency rule that is now a regular rule to make sure that we have a sufficient amount of paper ballots and provisional ballots at every polling location.
We were the first state in the nation to conduct a risk-limiting audit that shows to a high statistical degree of certainty that our election results are correct. We were the first in the nation to institute two-factor authentication to that statewide voter registration database and the first to do a secure ballot return. And, specifically related to the statewide poll book, based on what we learned from our primary elections, we set up a virtual command center where we are partnering with the Colorado National Guard, our IT security team and other partners to make sure that we are monitoring all of our election and support systems.
STATETECH: How do you see the election security threat landscape?
Griswold: From my perspective, we have the three priority threats, and these aren’t in order of their severity; they’re all very important. No. 1 is directed hacks on election infrastructure. No. 2 is the increase in ransomware attacks we’re seeing, where the election infrastructure itself is not being attacked, but a door to the election infrastructure is being attacked. And No. 3 is these misinformation campaigns.
It’s very important to contextualize for your readers that misinformation isn’t about one person saying a falsehood. These are coordinated campaigns from foreign countries to try to suppress the vote or trick voters. These are sophisticated campaigns that go right to the heart of our democratic right to vote. We prioritize all of them.
Of course, we do penetration tests and hunts, but we’re one of the only states to actually monitor the dark web and social media. We’re looking for all types of words, from “Hey, Election Day is on a wrong date” to key things that would alert us that our election systems or Colorado voters were being targeted.
I am proud that, last winter, I was able to lead a coalition of states to finally get the intelligence community to change their policy to alert states when state election infrastructures and local election infrastructures are under attack. Which, if you can recall from 2016, was a major failure of the federal government.
STATETECH: Are you going to conduct election security tabletop exercises with county officials between now and November?
Griswold: In preparation for November 2020, we conducted a tabletop with the counties, which was remote, in 2019. We ran an in-person tabletop with our counties — I want to say 62 out of 64 counties participated — in January 2020. We had five other states, the Department of Homeland Security, FBI, National Guard, the attorney general and three Election Assistance Commission commissioners attend that exercise.
And then my executive team, including our IT manager, elections director, my deputy secretary and myself, ran another in-person event with other states in D.C. We did another on July 30. We’re planning on conducting another in-person tabletop exercise after January 2021 because we have three statewide elections in 2020 in Colorado.
Ultimately, we feel really well prepared thanks to these tabletop exercises and the depth of participation in them.