Election Security
What election officials need
Many local leaders say they desperately need two things to ensure a safe, secure election: more state and federal resources (including emergency funding from Congress) and political leaders’ help in educating voters, many of whom will be casting their ballots by mail for the first time this year.
Many states have moved to expand their residents’ ability to vote by mail and encouraged people to explore the option. In some cases, state officials have preemptively mailed absentee ballot applications to registered voters.
Still, when the Brookings Institution evaluated states on a variety of metrics — such as whether they allow voters to request an absentee ballot because of concerns about COVID-19, whether they make drop-off boxes or in-person channels available for submitting ballots and whether they accept ballots that are postmarked but not received by Election Day — 29 states received a grade of C or lower.
In a speech at the Black Hat USA event in August, election security expert Matt Blaze said the pandemic “added a whole new set of concerns
that were always there but that got brought very sharply into focus,” such as how to conduct voting during a state of emergency. “Basically, emergencies are likely to require scaling up our exception mechanisms, which mostly involve mail-in voting,” he added.
On the federal side, the Cybersecurity and Infrastructure Security Agency (CISA) and the Election Assistance Commission have pivoted to provide more expertise and assistance to state and local governments.
In an infrastructure security assessment released in July, CISA
Experts: Don’t dismiss the gains made since 2016
Despite all the challenges, a number of experts are urging Congress and the public not to lose sight of the substantial gains in election security that have been made since 2016.
“Compared to 2016 and 2018, the security of the elections infrastructure looks quite different in 2020,” said John Gilligan, president and CEO of the nonprofit Center
for Internet Security, during
an Aug. 28 House Homeland Security Committee hearing. “While there are no guarantees in cybersecurity, I can assure you that the security defenses we have in place for 2020 are vastly improved over those in place a short four years ago.”
Much of that work has focused on addressing known vulnerabilities that were often exploited by Russian hackers in 2016, such as probing (and, in some cases, compromising) voter registration databases, phishing vendors who develop election management or voting software, and running covert
information operations on social media platforms that went largely undiscovered until after Election Day.
According to updated statistics provided to FCW
by the Cybersecurity and Infrastructure Security Agency in late August, the agency
has deployed tools and technologies to respond to those weaknesses and monitor for cybersecurity threats.
CISA helped the Center for Internet Security deploy 276
of the organization’s Albert sensors in all 50 states, the District of Columbia and
at least 222 local election networks. The sensors are
part of an intrusion-detection system that monitors network traffic on voter registration systems and other election software for signs of malicious probing or attacks by hackers.
In addition, CISA has conducted 131 remote penetration tests and 59 on-site risk and vulnerability assessments for local
election infrastructure, and approximately 263 election officials nationwide are receiving vulnerability scan reports on a weekly basis. The agency also helped train thousands of election officials through online security courses, delivered “last
mile” election information to more than 5,500 localities, and provided trend analysis to the election community about vulnerabilities and
the latest threats to election infrastructure.
The unexpected challenge of a pandemic
Gilligan said protections in place today that were virtually nonexistent before 2016 include endpoint detection and response programs implemented by many jurisdictions and tools that prevent election computers from connecting to known malicious websites.
However, election officials did not anticipate having to
deal with a pandemic that threatens to deter millions
of registered voters from casting their ballots in person. Although many states have adjusted by dramatically expanding mail-in voting, they must contend with a surge
of voters who are unfamiliar with the proper procedures as well as disinformation from politicians and unscrupulous actors seeking to cast doubt on the reliability of mailed ballots.
Amber McReynolds, CEO of the nonprofit National Vote at Home Institute, echoed claims from other experts that voting by mail is no less safe or secure than other forms of voting.To the extent that there are unique risks, such as those highlighted in a vulnerability assessment conducted by CISA, she said they can be mitigated in part or in whole through voter education and awareness campaigns and by technologies such as ballot- tracking systems or audits of paper-based ballots that give
36 September/October 2020 FCW.COM