Apr 13 2020

Election Security 2020: Feds and States Coordinate on IT Security

From tabletop exercises to simple phone calls, election officials at all levels work together to track threats to the system.

After federal intelligence officials revealed possible Russian interference in the 2016 elections through disinformation, phishing attacks and hacking, the Department of Homeland Security added the election system to its list of critical infrastructure worth extra protection.

While actual elections are conducted and controlled by local and state authorities, DHS and other federal agencies help them secure those events, sharing timely and actionable threat intelligence as well as providing support and services that improve election infrastructure and protect the democratic process. 

Those services include tabletop cybersecurity exercise packages that allow states to run through potential attack scenarios.

The 2020 election will be “the most secure, most protected election in the history of the United States of America,” Christopher Krebs, director of DHS’ Cybersecurity and Infrastructure Security Agency, said at an Axios event in early March. “People need to keep in mind that election security is something that we’ve been plugging away at for a long time.”

Here’s one example: The 2002 Help America Vote Act, which created the U.S. Election Assistance Commission, plus the DHS critical infrastructure designation, ensured that federal and state officials were on the same page, with appropriate resources, to secure the 2020 elections.

EAC Provides Important Election Security Info to States

The Election Assistance Commission is a federal clearinghouse for election information, says Benjamin Hovland, EAC chairman, and that’s critical because U.S. elections are decentralized. The organization provides resources on voting accessibility and voter registration, but also cybersecurity and specific election security resources.

“We are the only federal agency that is solely dedicated to thinking about how to improve election administration in this country,” he says. “That gives us a vantage point of understanding election official capacity.” 

Biweekly calls with federal and state stakeholders allow federal and local election officials to touch base on issues of the day, he says. 

“We’re able to share information on what people are doing or hearing and compare notes, then try to work together to identify a shared voice where we can ensure people are getting trusted source information and actionable information they can use. That did not exist before and is a big difference between 2016 and now.”

The EAC publishes regular updates on voting system analysis, and a resource page about coordinating with voter system manufacturers (which now also includes tips on cleaning voting machines in light of COVID-19).

“I think good election administration comes down to good governance and customer service, and so in the cyber realm, that means taking care of the basics and making sure patches are done and upgrades are done,” Hovland says.

Paul Pate, Iowa Secretary of State and president of the National Association of Secretaries of State, says that the 2017 critical infrastructure designation has made a world of difference to states. While things might have been bumpy as everyone adjusted, “with a little work, we were able to make the connection to federal resources,” he says. 

‘Tabletop in a Box’ Teaches States to Confront Security Scenarios

“It’s really important to understand that we now have working relationships,” Hovland adds. “We’ve got names of people. They know who we are, and we have a better sense of what we can ask for and get those resources from them. These were all very significant accomplishments.”

For states, CISA can conduct cybersecurity assessments on local election systems, attack detection and prevention; share information about attacks and threats; and train cybersecurity personnel on election matters. The “tabletop in a box” cybersecurity exercises — a 58-page guide that lets states run their own scenarios — became available in 2018.

The scenarios include news and social media manipulation, spear phishing campaigns, disruption of voter registration information systems and processes, denial of service attacks and web defacements, malware infections on electronic voting machines and election management system software, and the exploitation of state and county board election networks.

“A pretty broad example would be, you show up on Election Day and you don’t have internet access,” Robert Giles, director of the New Jersey Division of Elections, told radio station NJ101.5. New Jersey ran the tabletop exercises in all 21 of its counties last September. “There will be cyber incidents, police/fire-type incidents, natural disaster incidents.”

New Jersey officials used $9.8 million obtained through Help America Vote Act provisions to pay for the exercises, another example of state-federal cooperation.

The training has proved valuable, Krebs told NPR: “An election official who three or four years ago would have probably just blindly and blithely followed the instructions [in a phishing email or phone call] now is like, ‘Wait a second; that doesn’t sound right.’”

DHS, States Communicate Often on Election Security

Maintaining communication between local officials and federal agencies is key to keeping elections secure.

“The most important thing is to get the local election officials to the people who can help them best address the issue,” Matt Masterson, senior cybersecurity adviser for CISA, told StateScoop.

Pate says that CISA has been good about reviewing state processes and providing feedback, and says that states have been kept apprised of attacks by DHS. “They’ve played a big role in helping create the connection,” he says.
