Security

Election Security 2020: DHS Highlights Risks to Voter Databases

As Super Tuesday voting unfolds, federal, state and local agencies are coordinating to combat election infrastructure cybersecurity threats.

Phil Goldstein

Twitter

Phil Goldstein is a former web editor of the CDW family of tech magazines and a veteran technology journalist. He lives in Washington, D.C., with his wife and their animals: a dog named Brenna, and two cats, Grady and Princess.

As Americans across the country cast votes in the presidential primary in 14 states and one territory, better known as Super Tuesday, federal and state-level cybersecurity officials are sounding the alarm over the threats posed to voter registration databases.

At the same time, federal officials say, the government, and the Department of Homeland Security in particular, is much better positioned to tackle election interference and hacking than it was in 2016. Numerous agencies — including DHS, the Justice Department, State Department, National Security Agency and FBI — released a statement highlighting their coordination and warning that that “foreign actors continue to try to influence public sentiment and shape voter perceptions.”

The DHS’ Cybersecurity and Infrastructure Security Agency has been coordinating closely with the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), run by the Center for Internet Security (CIS), to establish channels of communication with state and local government agencies and offices, according to CISA Director Chris Krebs.

Speaking last week at San Francisco CyberTalks, Krebs said that “just having an ISAC — all 50 states, 2,400 jurisdictions — those sorts of things [make it so] we can continue to push information out. We can push out indicators on intrusion detection systems that we’ve been working with states on,” CyberScoop reports.

CISA is working with 8,800 election jurisdictions to put in place risk assessments and other cybersecurity procedures, Krebs said separately last week at the 2020 RSA conference, according to Government CIO. The agency is still emphasizing paper backups for voting machines but is also pushing state and local agencies to implement security protections for voter registration databases.

“We tried to figure out where the risk really is across these systems,” Krebs said, “and what we discovered, not surprisingly, is the areas where information is centralized, and it’s highly networked — that’s where the risk is. And where is that? Voter registration databases.”

Krebs warned that the threat of ransomware attacks against voter registration databases is a key concern, according to Business Insider. CISA is working with state and local law enforcement to combat the threats. “We can figure this out together,” he said at RSA, Business Insider reports.

Neil Jenkins, the chief analytic officer at the Cyber Threat Alliance, notes that “election officials are in a much better place in 2020 than they were in 2016.”

“It takes time to build partnerships and trust,” Jenkins says. “DHS has worked hard to be responsible stakeholders with the election community, and election officials are doing everything they can to improve their security and resilience in combination with the federal government and the EI-ISAC.”

States Work to Combat Voter Registration Database Security

According to a poll FedTech conducted on Twitter on what information is the easiest for a malicious actor to change, 43.4 percent of respondents said online election tallies, 34.6 percent said votes on ballots and 21.9 percent said voters’ personal information.

Election security officials say that registration databases represent a likely attack vector. “We have to consider the full risk picture. Hacking voting machines would certainly have an impact, but scaling that is hard,” Jenkins says. “It requires hands-on access and time. And if you want to hack a lot of machines, it takes a lot of actors. That’s not easy.”

What information is the easiest for a malicious actor to change? #FedStateElection #Protect2020

— FedTech Magazine (@FedTechMagazine) February 6, 2020

It is much easier to access voter registration databases, election-night reporting systems and other election infrastructure connected to the internet, according to Jenkins, which makes them more likely targets for malicious actors. “Targeting these systems would not affect the vote count, but it could suppress voter turnout, trust in the results, or both,” he says.

National Association of Secretaries of State President and Iowa Secretary of State Paul Pate notes that states have helped local jurisdictions “replace and update systems, provided cyber hygiene training, implemented two-factor authentication for access to statewide voter registration databases, supported risk assessments and more.”

“These efforts are to make all information more secure,” he says.

Protecting voter registration databases is a critical part of state efforts to secure the election, says Lori Augino, president of the National Association of State Election Directors and director of elections for the Washington Secretary of State’s office.

In Washington state, all users of the state’s voter registration system are required to use two-factor authentication. “Two-factor authentication enhances the security of individual user accounts by using a secondary device to verify each individual’s identity,” Augino notes. “This prevents anyone but the user from accessing an account even if they have their password.”

Most elections are carried out on the ground at the county level, even if states set the voting rules. National Association of Counties CTO Rita Reynolds notes that “all things are not equal among counties in terms of security resources, so the level of vulnerability for information depends on many variables. But it does seem focused on the transfer of data.”

“For some, voter registration data may be most vulnerable in collection and transit, if they are collecting registrations through devices like iPads,” Reynolds notes. “For other states, if this collection process is not allowed, then it is less of an issue. For others, it could be through the use of USB devices to transfer tabulation results from the voting machines (i.e. ensuring the chain of custody and that the components in use have not been tampered with).”

The 2020 NACo Legislative Conference had an all-day CIO forum on Feb. 28 — which included presentations from CIS, CISA, the Multi-State Information Sharing and Analysis Center and EI-ISAC — focused on cyber education that counties can use to continuously improve their cybersecurity posture for all county functions, including elections.