STATETECH: How do you prioritize the cybersecurity threat landscape when there is so much out there?
Hobbs: That’s where our partnerships with the federal agencies really are important, because we’re working with them all the time to monitor the threat environment so we know what’s out there. Threat prevention is really part of the culture of security that we built here at our office, and prevention and response to each of these types of threats is something that we build into everything we do around election security. And again, our partnership with those federal folks is really important there.
STATETECH: Are there specific cybersecurity technologies or types of training, like anti-phishing training, that you have invested in to ensure that everything is as secure as possible?
Hobbs: Oh, absolutely. You brought up phishing, and that’s one of the things that we’re involved with is [an anti-phishing] campaign. We did that within our office. And you know, the secretary of state’s office has more than just elections. So, there are potential vulnerabilities at any avenue. And the counties are the same way. The county election departments are connected to other departments of the county in terms of their network. … So, [anti-phishing] campaigns are something that we do all the time — simulated phishing attacks.
In 2018 there was an attempted attack and it came from a county. And it was a county employee, not even in an election department, clicking on a link in an email. So, we have invested resources there. That’s not the only place, but that’s one of the examples.
Photo: Arizona Secretary of State's Office
Arizona Secretary of State Katie Hobbs says "threat prevention is really part of the culture of security" she has built in her office.
And I just want to clarify, when I say our office is not just elections but we’re connected to the library and all of those other things, that’s not to say that the statewide voter registration database is connected in all of those places as well. It’s not, and there are certainly firewalls there. I didn’t want to make it sound like somebody could hack into the library and get into the database. But obviously it’s an area of vulnerability.
STATETECH: Can you talk about how you approach the backup aspect of election infrastructure and ensure your systems are resilient?
Hobbs: It’s something that we talk about regularly with the counties, because obviously they’re the ones that are going have to deal with those immediate situations. If the internet goes out in a polling place, how do people still vote? Things like that.
So, we’re addressing that all the time. We had a tabletop exercise in December with all of the counties and some of our federal partners as well. I think it’s the first time it’s been done in the state. It was very successful. It was focused on cybersecurity and misinformation, primarily. However, because it was so successful, we were looking at implementing another tabletop specifically focused on those redundancy issues. That sort of didn’t happen when COVID happened. But I know it’s still in the works. I just don’t know if it’ll happen before this election, but certainly it’s on our radar and the counties’ radar. We have monthly election security calls with the counties, so it’s a constant topic of discussion and planning.
STATETECH: Could you characterize how your relationship is with places like the Cybersecurity and Infrastructure Security Agency at DHS? What work do you do together?
Hobbs: I think one of the things I was focused on when I got here was really just making sure that we had those lines of communication open and we kept the election security officer on board who was with the previous administration, and he had a lot of those relationships already established. And I have security clearance, so I’m at the table when they’re doing security briefings, and those are normally held with DHS, FBI and the state authorities as well. We have the Arizona Counter Terrorism Information Center.
All of the coordinating agencies are there at the table when we’re doing those security briefings. I mentioned the security calls we do with the counties and I believe CISA is on those calls. And then we’re also doing, leading up to the election, bi-weekly calls with all of our federal partners, just to keep abreast of the landscape and what we’re working on and potential problems that we’re anticipating.
STATETECH: Is there anything new or different that the state has to put in place to ensure the security of what’s expected to be an increased volume of mail-in ballots?
Hobbs: Fortunately, Arizona is in a really great position around mail-in ballots, because 80 percent of our voters already utilize that as their method of voting. We have the infrastructure. We have had no-excuse absentee voting for decades in our state. So, the infrastructure is there, and there’s not a lot that we have to do in terms of ramping up our counties. We’re already prepared to handle additional mail-in ballots.
STATETECH: There are so many threats. For example, what happens if, the day before an election, a ransomware attack locks up a voter registration database? Is there anything that keeps you up at night when it comes to election security?
Hobbs: Well, thanks for that, because now that will! So, here’s the thing: I think all of those threats are out there. But I think that the biggest threat around all of those is that it sows doubt and undermines the public and the voters’ confidence in the systems. And I think that is exactly what those kinds of campaigns are designed to do, whether or not they actually deploy ransomware or whether or not they actually breach the system, that the idea of the threat is out there and it creates fear, and it undermines people’s sense of competence and willingness to participate.
So, with that, they can actually change election results without ever touching somebody’s system, just by lowering participation. That really goes hand in hand with misinformation, which is also designed, whether it’s coming from the president of the United States or from foreign actors and their bot accounts, it’s designed to undermine confidence. And so, we are laser-focused on combating that with our own reliable, trusted information campaign. And I think that we can point as many voters as possible to those trusted sources of information — I mean, that’s what we need to be doing.