CISA is working with 8,800 election jurisdictions to put in place risk assessments and other cybersecurity procedures, Krebs said separately last week at the 2020 RSA conference, according to Government CIO. The agency is still emphasizing paper backups for voting machines but is also pushing state and local agencies to implement security protections for voter registration databases.
“We tried to figure out where the risk really is across these systems,” Krebs said, “and what we discovered, not surprisingly, is the areas where information is centralized, and it’s highly networked — that’s where the risk is. And where is that? Voter registration databases.”
Krebs warned that the threat of ransomware attacks against voter registration databases is a key concern, according to Business Insider. CISA is working with state and local law enforcement to combat the threats. “We can figure this out together,” he said at RSA, Business Insider reports.
Neil Jenkins, the chief analytic officer at the Cyber Threat Alliance, notes that “election officials are in a much better place in 2020 than they were in 2016.”
“It takes time to build partnerships and trust,” Jenkins says. “DHS has worked hard to be responsible stakeholders with the election community, and election officials are doing everything they can to improve their security and resilience in combination with the federal government and the EI-ISAC.”
States Work to Strengthen Voter Registration Database Security
In a poll FedTech conducted on Twitter asking which information is the easiest for a malicious actor to change, 43.4 percent of respondents said online election tallies, 34.6 percent said votes on ballots and 21.9 percent said voters’ personal information.
Election security officials say that registration databases represent a likely attack vector. “We have to consider the full risk picture. Hacking voting machines would certainly have an impact, but scaling that is hard,” Jenkins says. “It requires hands-on access and time. And if you want to hack a lot of machines, it takes a lot of actors. That’s not easy.”
It is much easier to access voter registration databases, election-night reporting systems and other election infrastructure connected to the internet, according to Jenkins, which makes them more likely targets for malicious actors. “Targeting these systems would not affect the vote count, but it could suppress voter turnout, trust in the results, or both,” he says.
National Association of Secretaries of State President and Iowa Secretary of State Paul Pate notes that states have helped local jurisdictions “replace and update systems, provided cyber hygiene training, implemented two-factor authentication for access to statewide voter registration databases, supported risk assessments and more.”
“These efforts are to make all information more secure,” he says.
Protecting voter registration databases is a critical part of state efforts to secure the election, says Lori Augino, president of the National Association of State Election Directors and director of elections for the Washington Secretary of State’s office.
In Washington state, all users of the state’s voter registration system are required to use two-factor authentication. “Two-factor authentication enhances the security of individual user accounts by using a secondary device to verify each individual’s identity,” Augino notes. “This prevents anyone but the user from accessing an account even if they have their password.”
Most elections are carried out on the ground at the county level, even if states set the voting rules. National Association of Counties CTO Rita Reynolds notes that “all things are not equal among counties in terms of security resources, so the level of vulnerability for information depends on many variables. But it does seem focused on the transfer of data.”
“For some, voter registration data may be most vulnerable in collection and transit, if they are collecting registrations through devices like iPads,” Reynolds notes. “For other states, if this collection process is not allowed, then it is less of an issue. For others, it could be through the use of USB devices to transfer tabulation results from the voting machines (i.e. ensuring the chain of custody and that the components in use have not been tampered with).”
The 2020 NACo Legislative Conference had an all-day CIO forum on Feb. 28 — which included presentations from CIS, CISA, the Multi-State Information Sharing and Analysis Center and EI-ISAC — focused on cyber education that counties can use to continuously improve their cybersecurity posture for all county functions, including elections.