Oct 20 2020

States Have Improved Election Cybersecurity, but Still Can Do More

As the 2020 election season enters the final stretch, federal agencies and outside experts warn states must be on guard.

After more than a year of preparations and security enhancements, state and local governments are entering the final weeks of the 2020 election season. With millions of votes already cast, two things are clear: Government agencies have markedly improved their cybersecurity controls in the wake of the 2016 election, and yet they could still be doing more and cannot let their guards down.

Outside experts say that state governments, especially those in battleground states, have improved their cybersecurity protections for election infrastructure and voter data. However, there are still cybersecurity measures they should be taking ahead of Election Day on Nov. 3.

Meanwhile, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency is continuing to coordinate with state and local agencies on election security threats, especially from nation-state actors and cybercriminals. CISA is confident in election security protections that have been put in place but remains on high alert.

CISA Remains ‘Hypervigilant’ on Election Security

CISA has been a vital partner for state and local governments as they have ramped up their election security efforts over the past year, and even before then. Working in coordination with the nonprofit Center for Internet Security, CISA has helped states deploy endpoint detection and response software, which is designed to identify and block malware and anomalous activity. CISA has also been sharing threat intelligence with secretaries of state and other officials at the state and local level.

Although CISA has been keeping an eye on malicious actors emanating from Russia, China and Iran, the agency has not seen any “sustained campaigns against election infrastructure that would likely affect the integrity of election results,” GCN reports, based on comments made Oct. 13 by Robert Kolasky, director of CISA’s National Risk Management Center.

“But we’ve seen enough things that could go in that direction that we need to be hypervigilant,” he said.

Indeed, in an Oct. 9 alert jointly issued with the FBI, CISA reported that it had “recently observed advanced persistent threat (APT) actors exploiting multiple legacy vulnerabilities in combination with a newer privilege escalation vulnerability — CVE-2020-1472 — in Windows Netlogon.”

The tactic CISA observed is a common one known as “vulnerability chaining,” which, the agency says, “exploits multiple vulnerabilities in the course of a single intrusion to compromise a network or application.”

Although it does not appear that state, local, tribal and territorial government networks are being “selected because of their proximity to elections information, there may be some risk to elections information housed on government networks,” CISA said in the alert.

“CISA is aware of some instances where this activity resulted in unauthorized access to elections support systems; however, CISA has no evidence to date that integrity of elections data has been compromised,” the agency said. “There are steps that election officials, their supporting SLTT IT staff, and vendors can take to help defend against this malicious cyber activity.”

Despite the warning, Kolasky said the run-up to the election will highlight how the agency’s coordination with state and local agencies has paid off. “It’s game day, or almost game day, and we’re ready to go,” he said, according to FCW.

Meanwhile, in some states, National Guard units are helping bolster cybersecurity monitoring efforts for election officials. NBC News reports:

Ohio’s National Guard has biweekly calls with the state secretary of state’s office and has an open call for civilians with technical experience to help with the 2020 election. Minnesota’s Guard joins state election officials for cybersecurity walkthroughs with federal officials, and Colorado’s helps monitor network traffic to state election websites.

READ MORE: Learn how Colorado Secretary of State Jena Griswold is protecting her state’s election infrastructure.

What States Can Do Ahead of Election Day

In late September, the Brennan Center for Justice at New York University Law School issued a report on election security noting that “there has been substantial progress in the last few years, and indeed the last few months, to implement the kind of backup and security features that should allow all voters to cast ballots that will count, even in the event of a successful cyberattack or other unforeseen system failure.”

However, the report warns that “there is still more that many jurisdictions can and should be doing to secure our elections over the next few weeks.”

“[Election officials] talk about election security in a way they didn’t four years ago,” Derek Tisler, a Brennan Center fellow and one of the report’s authors, tells StateScoop. “A lot of election officials have seen it as an important part of their jobs. A lot of states have brought on additional IT expertise. Most experts would say this is going to be the most secure election we’ve ever had.”

However, he says, “there’s still time to check the procedures you have.”

The report looked at the 12 states that the polling website FiveThirtyEight rates as potential “tipping points” for the presidency: Arizona, Colorado, Florida, Georgia, Michigan, Minnesota, Nevada, New Hampshire, North Carolina, Ohio, Pennsylvania and Wisconsin.

The report urges state and local governments to continue educating voters about balloting procedures, especially with the expected surge in mail-in ballots. Additionally, the report says that “every part of the polling place voting process that relies on technology should have a paper failsafe in place, allowing voters to continue casting ballots until the technology issue can be resolved.” The report also notes that states should conduct more robust post-election audits.

In terms of cybersecurity protections, the Brennan Center says election officials should change passwords on key accounts seven to 10 days before Election Day, review and update any IT resiliency and continuity of operations plans, ensure that key personnel have up-to-date contact information for cyber incident response support, and review social media accounts for content and reach to voters.

“Each of these steps should increase security in the final days and weeks of the election while requiring relatively few resources during an extremely busy time,” the report concludes.

adamkaz/Getty Images

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT