The enthusiasm for tomorrow’s 2020 U.S. election is at an all-time high, and a great beacon of strength for the democracy we all hold dear. With so many Americans taking part in the vote, in what is now record early numbers, the questions “How safe is my voter information?” and “How safe is my vote?” are at the forefront of many concerns about election security. Americans are worried about their vote being hacked, whether it be by State actors like the Russians or Iranians, who we’ve heard about recently in the news, or by other actors that the general public isn’t as familiar with. These are legitimate concerns, with many layers we need to unwrap to fully understand, appreciate and address the threat.
About Election Hacking
First let us discuss the definition of “election hacking”, which entails both the security of our voting equipment and the security of our voting information and results. Security of our voting equipment is fairly straightforward – once I vote, is it recorded correctly, and can it be changed? In terms of voting equipment, the risk to the security of your vote is low. Election equipment is generally secure, disconnected from the Internet, and would require an extremely large-scale hacking attack to alter votes in a way that would meaningfully change the results of an election. Once you vote, the risk of it being electronically changed is extremely low. On the latter topic, it is much more likely that our voter information and results as reported could be stolen or altered. This type of hack would not change your vote but would allow our adversaries to execute an information operation capable of influencing elections or seeding doubt in our election process.
In most states, the State Board of Election is responsible for storing voter information. As opposed to actual voting machines, systems used to maintain voter information are inherently connected to the Internet so that it can be made available for legitimate purposes. Lack of sufficient funding combined with legacy IT equipment and practices has left much of this information at risk of being hacked by our adversaries. A week before the 2020 election, the FBI confirmed that at least one state’s voter information was hacked by the Iranians and used to send emails to voters in an attempt to influence their vote. One hypothetical scenario for election night is a state’s election result website being hacked to display incorrect results and sow doubt in the election outcomes. The state would have the correct, unchanged results at their State Board of Election, but every time they put them on the web the adversary would alter the reporting to show different results to the public. These kinds of attacks, which combine an electronic hack with an Information Operation, are not difficult for State-level actors to execute and are very likely to occur on an increasing level unless we make the investments to secure voter information and the platforms we use to communicate election results.
How to Address Security
So, what steps can we take to avoid hacks of voter information and platforms used to report election results? A layered approach will provide the best security. At a federal level, we must have a coordinated effort to protect state systems from foreign adversaries. This means government agencies such as the FBI, DHS, and members of the Intelligence Community need to do what they can to stop the attackers from getting to the information we want to protect or influencing the election. Most of the information about those activities are going to be classified, and the federal government needs to find a way to get that information to the states in an actionable manner that will prevent attacks. Each state should have at least one person that is cleared to have access to the classified information from the federal government.
On a tactical Information Security level, the states need to prioritize investment in the proper staff and systems to secure their voting rolls. One challenge states run into is that securing voter information gains a lot of attention around election time but is not a top priority in between elections. It needs to be.
There is no novel approach needed, instead states need to enact IT best practices and the work needs to be prioritized, funded, and executed. Standard practices the states should follow for IT security include but are not limited to, leveraging industry to host and secure systems, applying regular patches and updates to systems, storing regular backups, conducting vulnerability scanning and penetration testing, and have a third-party auditor that is continuously working to ensure the technology and processes in place are working.
Modernizing the IT environments used by the states for election activities is very important to avoid security pitfalls. The cloud environments provided by American companies such as Amazon, Google and Microsoft are very secure, and states should leverage those environments as cost-effective secure environments. Given their size, multiple customers, and positioning on the Internet, these providers have visibility into security threats before most others and are able to secure their clouds sooner than our states could if they hosted their own on-premises systems. They also automate most of the security functions that need to be done to maintain best practices. These same cloud environments can more securely host platforms states would use to report results and communicate to voters on Election Day, reducing the risk that bad actors would be able to interfere.
Keep Calm and Vote
Americans should rest easy with the knowledge that our voting machines are secure, and their vote is secure from electronic manipulation. They should be concerned with their state’s ability to secure their personal information and contact their state representatives to make sure it is a continual priority. In the case of a breach, they should be aware of the threat from Information Operations meant to influence or suppress their vote. On any election night, we should expect false information via the Internet, and be smart and patient enough to filter it out. While Americans may not always agree on politics, we can all agree that election security must be a national priority moving forward in order to protect each of us and the democratic process we all hold dear.
About the author: Wayne Schmidt is EVP for Cyber Operations at Federal Data Systems (FedData), a Maryland defense contractor. He has over 20 years of experience within Government and Industry in Cybersecurity and can be reached at [email protected]