Aug 19 2020

Mail-In Votes Require Special Cybersecurity Attention

The mostly manual process can be upended by disinformation and outside inefficiency, experts say.

Cybersecurity was always top of mind in connection with the 2020 election season, but the focus has shifted to protecting a more low-tech method of casting votes: ballots filled out by hand and mailed in by voters.

The Cybersecurity and Infrastructure Security Agency has provided checklists of steps states can take to keep elections safe. Envelopes marked with special bar codes, extra protection for voter registration rolls and better security on websites that report election results are among the strategies being used. 

“The outbound and inbound processing of mail-in ballots introduces additional infrastructure and technology, which increases the potential scalability of cyberattacks,” notes the agency in a recent assessment of the infrastructure risk of mail-in voting in 2020. 

“Integrity attacks on voter registration data and systems represent a comparatively higher risk in a mail-in voting environment when compared to an in-person voting environment.”

Mail-based Voting Has a Long History

Voting by mail took hold during the Civil War, as states searched for ways to allow the millions of soldiers in the field to vote in the 1864 presidential election. States provided absentee ballots for civilians who could not make it to the polls, but not until 1979, when California permitted absentee voting for any reason, did the method become common.

In 2016, 38 states offered some kind of absentee or vote-by-mail option, according to the Pew Research Center, and 28 of those required no reason. Nearly half of the 180 million Americans eligible to vote are able to cast a ballot by mail.

As the novel coronavirus pandemic began in March, at the start of the presidential primary season, more states opted to provide no-excuse mail-in voting for anyone who did not want to visit the polls in person, and now only eight states require a reason beyond fear of COVID-19. 

Protecting a written ballot seems simple: the voter seals the envelope, the U.S. Postal Service delivers it and the local election office staff opens and counts it. 

“It’s extremely difficult for someone to take my vote and change it,” says Betsy Cooper, director of the Aspen Institute’s Aspen Tech Policy Hub. “It’s difficult to change votes at scale.”

Today, however, the process has become surrounded by so much disinformation and so many conspiracy theories that proving that the ballots have not been altered is even more critical. 

“Many election experts and officials are concerned that some voters could dismiss November’s results as invalid or rigged because of mis- and/or disinformation,” David Levine, an elections integrity fellow at the Alliance for Securing Democracy within the German Marshall Fund of the United States, testified before a House Homeland Security Committee cybersecurity subcommittee this month.

MORE FROM FEDTECH: Election security concerns come from all directions.

CISA Increased Efforts to Protect Elections after 2016

While states are primarily responsible for running elections, the federal government has been actively providing advice and funding to assist them. Elections have been considered part of the nation’s critical infrastructure since 2017. 

“It’s night and day compared to what existed in 2016,” CISA Director Christopher Krebs said at the Black Hat USA 2020 cybersecurity conference this month. “2020 will be the most protected and most secure election in modern history.”

For instance, CISA has published a “Guide to Vulnerability Reporting for America’s Election Administrators,” which provides details on issues election staffers should consider. 

“It’s the basics. It’s securing your voter registration database as best you can, it’s multifactor authentication, it’s having stuff with an audit trail,” says Michael Daniel, president of the Cyberthreat Alliance. “None of this is particularly, from a technical point, rocket science. From the federal perspective, it’s about offering support.”

Other areas states can focus on, according to the guide: security practices by third-party technology vendors, methods for reporting suspected vulnerabilities and methods for sharing information on problems with other enterprises.

“The government is doing a great job, really fantastic work,” says Mick Baccio, former CISO for Pete Buttigieg’s presidential campaign and a Splunk security expert, speaking alongside Cooper and Daniel in an election security webinar by Highwire. “Security is apolitical, and it’s hard to secure elections without introducing politics into it. All of us, no matter what bucket we live in, have found that roadblock.”

Outside Influences May Create a Negative Impact on the Vote Count

There’s a major challenge this election year, experts say: not necessarily the threat that malicious actors will hack into physical systems and change the vote, but that those same actors will sow disruption and bad information through social media and other means to cast doubt upon correctly counted and securely protected results. 

Mail-in voting is considered extremely secure by experts, who say that there is little to no fraud connected to the practice.

In addition, administrative changes at the highest levels of the U.S. Postal Service, along with new practices that USPS workers say have slowed mail delivery, must also be considered as states work to keep elections secure. 

“Your vote will be counted,” says Baccio, “provided it gets there in time.”

And it might take longer to count your vote in a mostly low-tech context; most of the equipment involved is basic mail-sorting equipment that works at a steady pace, says Maggie MacAlpine, an election security specialist with Nordic Innovation Labs.

So, the count could take days, especially in states where ballots must only be postmarked by Election Day; they don’t have to have arrived by Nov. 3. Legal challenges to the count may also delay results.

The final stages of the ballot count will still “be edge-of-your-seat, but I think it’s going to be different,” Baccio says. “Those next couple days, when the last vote comes in but we’re not done counting, that’s going to be the edge-of-your-seat time.”

READ MORE: Follow FedTech's election security coverage here.

zhudifeng/Getty Images

Learn from Your Peers

What can you glean about security from other IT pros? Check out new CDW research and insight from our experts.