
Dec 09 2020

Cybersecurity Lessons Learned from the 2020 Election Season

Coordination, technology investments and training are all key to secure elections.

We are now at the point in the election process when states have officially certified results from the Nov. 3 election. In the past few years leading up to the election, there was a great deal of attention and anticipation swirling around how state and local governments would secure their election infrastructure following Russian interference in the 2016 election.

The results show the hard work and coordinated efforts paid off, as the election went off without a hitch in terms of a cyberattack or malicious activity. What lessons can state and local government IT leaders, who often work in concert with election directors and secretaries of state, draw from the success of the 2020 election cybersecurity efforts?

There are a few clear takeaways that should inform how state and local officials approach cybersecurity as they plan for future elections. One takeaway is that coordination and communication are critical at all levels of government. Another is that investments in modern security technologies are imperative and pay off. A third is that training and preparation should be a constant task, not just something rolled out a few weeks before a major event such as an election.

Coordination Helped Inform State and Local Officials

In the runup to the election, there were widespread concerns about malicious actors spreading disinformation, hacking into voter registration databases, locking election security officials out of databases through ransomware attacks, manipulating vote tallies and potentially targeting the power grid to disrupt the vote.

None of that came to pass, thanks to the coordination of security efforts by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

CISA spent years building partnerships with groups such as the Elections Infrastructure Information Sharing and Analysis Center, an election security clearinghouse for state and local governments staffed and operated by the Center for Internet Security.

CISA also built up strong working relationships with groups including the National Association of State Election Directors and the National Association of Secretaries of State, both of which commended the cooperative election security efforts.

“One of the big lessons learned from 2016 was that information sharing needed to improve significantly, so we put processes in place as a community to better share security information from the federal level to state and local election officials, as well as from election officials to our federal partners,” NASED Executive Board President Lori Augino tells StateTech. “The ISAC is the primary means of information sharing, including how information is shared to and from CISA and election officials, and it’s been very successful.”

The sharing of threat intelligence was critical, as was the coordination between federal, state and local officials. These practices and relationships should continue to be strengthened in the months and years ahead. American elections are a notoriously decentralized affair, with thousands of counties administering elections on the ground and reporting up to state officials. Coordination will always be crucial to ensuring that emerging threats are detected and planned for.

Security Technology and Training Go Hand in Hand

Coordination wasn’t the only thing enhanced between 2016 and 2020. States also made investments in better cybersecurity technologies.

Augino notes that states “implemented things like two-factor authentication, phishing trainings, risk and vulnerability assessments and other best practices, which have been especially valuable this year as more people have been working remotely as a result of the pandemic.”

Working in coordination with the nonprofit Center for Internet Security, CISA has helped states deploy endpoint detection and response software, which is designed to identify and block malware and anomalous activity.

Lawrence Norden and Gowri Ramachandran, election experts at New York University’s Brennan Center for Justice, write in Slate that many states used federal and state funding to “modernize their IT infrastructure, while strengthening the technical knowhow of local election officials.”

Election systems, often outdated, had previously been “difficult to maintain, did not integrate well with modern systems, and featured security gaps that were easily exploited by bad actors,” Norden and Ramachandran write.

 

Modernizing these systems “not only plugged security holes, it allowed local jurisdictions to adapt quickly when the pandemic hit,” according to Norden and Ramachandran. “Improved infrastructure meant that when voters who could not register at closed DMV offices shifted to using online registration sites, the sites (with extra capacity gained from upgrades) largely stayed up and working, with few exceptions.”

Norden and Ramachandran also point out the value of cybersecurity risk assessments performed by DHS and independent companies hired by states and local election offices, as they “almost certainly resulted in upgrades that led to not only more secure, but also more reliable systems that were less prone to malfunctions.”

Norden and Ramachandran also write that election officials were able to conduct security trainings remotely over the spring and summer with thousands of election officials and got them using multifactor authentication. That made it easier for workers to work both remotely and securely on election issues.

“Investments in combating disinformation helped build confidence in a process that saw record turnout, despite the pandemic,” they add. “And the move to paper ballots as a security measure also allowed election officials to reassure the public, inundated with disinformation about the trustworthiness of vote totals that they had the ability to ensure accuracy.”

Add all of this up, and what it says to me is that investments in modern security technology and risk assessments paid off. The upfront cost was also likely defrayed with federal funds, and the payoff in the security and integrity of the election was enormous.

Training is also something that should be a continuous effort. Cybersecurity training for election officials, especially around anti-phishing, was something that had been built up over the past few years and accelerated in 2020. That training should be continued regularly so officials do not lose those skills and are made aware of how to best combat emerging threats.

“Secretaries of state view election cybersecurity as a race without a finish line,” NASS President and New Mexico Secretary of State Maggie Toulouse Oliver tells StateTech. “We will continue to work in cooperation with our partners to assess and mitigate risks to election systems and processes in the years to come.”

As we head into 2021, all Americans can and should be proud of that sentiment, and of the stalwart efforts of state and local election officials across the country during this unprecedented year.

This article is part of StateTech’s CITizen blog series. Please join the discussion on Twitter by using the #StateLocalIT hashtag.
