Primary Season Is the Largest Security Concern
When it comes to cybersecurity, DHS and other federal agencies are looking not just to November but to the primary voting that begins on Feb. 11 in New Hampshire. In March alone, 25 states, Puerto Rico and Democrats Abroad (the official Democratic organization for Americans living outside the U.S.) will vote in primaries — and those elections come in bunches just a week apart.
“My biggest concern is March 2020,” says Maurice Turner, deputy director of the Internet Architecture Project at the Center for Democracy and Technology.
“Changing votes in the November election is going to be very difficult to do at a scale that would be undetected. But if a particular candidate gets an extra 1 percent or 2 percent in a primary, that might be the difference for their opponent to not make it to a state the next week,” he says. “If it comes out that there was any sort of malicious interference, and that some of those votes may have been illegitimate, I’m not sure that we have the processes in place to do that investigation in that time frame.”
Security agencies have documented Russian interference in the 2016 presidential election, and experts agree that bad actors from that nation and others are likely to try again. Former special counsel Robert Mueller told Congress last July, “They are doing it as we sit here.”
In January 2017, DHS responded to the threat by declaring voting to be part of the national critical infrastructure. This gave the federal government a more prominent role to play in elections, which otherwise are exclusively the purview of the states.
Since then, experts say, a new cooperative environment has arisen between federal, state and local authorities in the effort to prevent cyber tampering and ensure public confidence in the process.
States Receive Upgraded Election Security Support from Feds
With the creation of the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) in 2018, federal and state officials gained access to a common source of threat data — and, just as important, a common forum for sharing cyber concerns around the elections.
Under the cooperative arrangement, federal authorities can help states see further than ever before as they seek to harden their voting systems against potential incursions.
“Before this, there wasn’t a holistic situational awareness,” says CISA’s Hale. “Things that happened in California weren’t being seen in Wyoming. Now, they can share alerts and warnings from activity seen and reported on their networks.”
CISA supports the states with risk assessments, looking for potential weak points in voting systems, and also with remote penetration testing, in which federal officials actively try to breach the elections infrastructure.
“We have done that with more than 25 states,” Hale says. “While it is only a point-in-time snapshot, it helps them make budget decisions going forward on what needs to be advanced to have a more secure system.”
In addition to that point-in-time service, CISA has supported more than 200 state, county and local election authorities with persistent vulnerability scanning of their internet-facing enterprises, ensuring the integrity of sites run by the local secretary of state, as well as online voter registration and other key sites.
States have been eager to avail themselves of this support, according to Elizabeth Howard, counsel to the Democracy Program in the Brennan Center for Justice. Congress allocated $380 million to support election security in 2018, “and all 50 states obtained federal funding to secure their election infrastructure,” she says. “They were planning to spend that on updates to the voter registration databases, cybersecurity practices in general, training and audits.”
Those DHS-led audits have proven especially valuable in helping states to understand the strengths and weaknesses in their systems coming into the primaries. This year, Congress has made available $425 million for states that want to boost their election security.
“If DHS can come in and identify vulnerabilities, it will help you to strengthen your system by identifying and addressing weak points,” Howard says.
Ransomware Attacks Provide a Template for Response
When hackers took down their systems, governors in those states called in the National Guard to help remediate the attacks, and the Guard has subsequently said it would add new teams to expand its cyber defensive component.
The FBI, meanwhile, has announced plans to expand its victim notification policy. Officials say the law enforcement agency plans to brief state officials when election infrastructure located in their state but owned by local jurisdictions suffers a cyber intrusion.