Facing foreign election foes, states hire ‘cyber navigators’

After more than a year of virtual meetings, Bill Ekblad showed up last week at eight southern Minnesota election offices to deliver a simple message to county election chiefs and information technology directors: You don’t need to face the massive cybersecurity threat alone.

A Navy veteran who served 26 years as a cybersecurity strategist, Ekblad is Minnesota’s first cyber navigator, charged with helping local election offices defend against the ongoing menace from foreign foes.

“Savvy adversaries are finding new ways to wreak havoc, and that could be leveraged in the election world,” he said from the road. “Counties don’t have to face these challenges by themselves.”

If a phishing attempt targeted one county election official, it’s likely officials in one of the other 87 counties got a similar email, Ekblad said. Getting ahead of that threat by communicating with every election official around the state is essential, he added.

Local election officials are on the front lines of election defense, but they often are underfunded or lack the technical knowhow to protect systems from cyber threats. Seeing this vulnerability, at least seven states—Florida, Illinois, Iowa, Massachusetts, Michigan, Minnesota and Ohio—in recent years have launched cyber navigator programs that offer local election officials state-backed contacts to meet the challenge. Several other states are considering following suit.

Mark Lindeman, an acting co-director of Verified Voting, an election security nonprofit, said cyber navigators are akin to personal trainers or financial advisers.

“It recognizes that local election officials simply don’t have the time to become experts on cybersecurity along with all the other things that they are expected to be an expert in,” he said. “They really need people who can break down deep knowledge of cybersecurity issues into the next steps that they can actually take.”

In America’s decentralized election system, the voting process is administered by 10,000 separate election offices, making it impossible to mount a coordinated national defense. Disparities among counties in resources and personnel are immense. And while states have cybersecurity agencies, many don’t employ experts who specialize in election administration.

The modern voting process relies heavily on websites run by local election officials. Americans who want to register to vote, check their registration status, find out where to vote or look for authoritative information on who won elections go to websites that often are administered by counties or cities.

At the same time, local election officials are charged with configuring voting machines, tabulating results and then publishing them in some form. All these responsibilities require proficiency in cybersecurity or technical support staff, both of which are hard to come by when election officials face chronic underfunding.

Illinois was the first state to meet this challenge with cyber navigators.

Russian agents struck the state’s voter registration system before the 2016 presidential election, stealing the personal information of more than 70,000 voters. Two years later, the Prairie State hired nine cyber navigators to assist the state’s 108 election offices and prevent another breach of that magnitude.

The program costs between $5 million and $5.5 million annually. It was created in the state’s 2018 budget and signed into law by former Gov. Bruce Rauner, a Republican. The program is funded through federal Help America Vote Act grants and operates in partnership with the state’s Department of Innovation & Technology, which broadly oversees Illinois’ cybersecurity apparatus.

“If this could happen at the state level, where we have more resources available, what can we do to bolster their infrastructure, their awareness of how these attacks happen?” said Amy Kelly, the cyber navigator program manager for the Illinois State Board of Elections.

“Really, it was about educating individuals who weren’t cybersecurity experts,” she added, “giving them the tools to make informed decisions and making their election infrastructure more secure.”

Illinois is divided into four regions, with two navigators assigned to each and a manager based in Springfield, the state capital. Every county participates in the voluntary program, meeting monthly with its assigned cyber navigator and reporting any suspicious behavior, such as a phishing attempt or misinformation on social media.

Cyber navigators train local officials how to prevent and respond to cybersecurity breaches. In one scenario, a malicious actor with access to an election office’s social media account or website could spread false information about voting dates, times, procedures or results, leading to a crisis of confidence among voters. Officials also monitor for online misinformation.

Sangamon County Clerk Don Gray, a Republican, said the program has provided the foundational resources that all counties need to secure elections. Even though his is a medium-sized county surrounding Springfield, Gray said he and other local officials have benefited from the methodical knowledge of the cyber navigators.

“I don’t think any election office thought they’d be on the front lines of cybersecurity,” he said. “We’re just one keystroke away from eroding the confidence in the election system.”

While partnerships among local, state and federal election officials have grown over the past five years, there are still immense election security challenges, officials say. The threat from clever foreign adversaries such as Russia has not gone away.

“It’s clear that more and more nation states have shown an interest in interfering with our election process,” said Jen Easterly, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, at a National Association of State Election Directors conference this month. “We know that more work needs to be done to shore up our systems.”

Since the large-scale hacking and disinformation attacks of the 2016 presidential election, the federal government has launched several initiatives to bolster cybersecurity and improve “digital hygiene” among election officials.

This year, the cybersecurity agency is offering local election offices a .gov domain for added security. Since election administration is decentralized and sometimes lacks specific rules around county websites, many local election offices around the country have .com or .org domains. The agency also offers testing and training for local election offices.

Foreign actors target both large and small jurisdictions, Easterly said. Even an attack on a small election office could undermine faith in the national voting process, she warned.

In Steele County, Minnesota, a rural community of 36,000 residents, Director of Information Technology Dave Purscell knows his region does not have resources or staffing on par with Minneapolis, St. Paul or Rochester. To have a cyber navigator keeping an eye on big security compromises and phishing threats throughout the state has been a great, no-cost resource, he said.

“We have less people, we have less income, less … dollars available to accomplish things,” he said. “But we have the same threats, same risk, potentially even more. We really have to partner with agencies and other counties to work together.”

That doesn’t mean that all local election offices are excited to collaborate in these programs.

In Minnesota, Ekblad said he had to convince a few county officials to participate in the voluntary program. Some communities are fiercely independent and don’t want the state interfering in local government.

“I truly think I can add value to all of them,” Ekblad said. “There are some out there who are really not embracing all that we may be able to help them with, and I have to live with that.”

In Massachusetts, it has been challenging for cyber navigators to connect and coordinate with the state’s 351 town election officials and local IT staff, said Michelle Tassinari, director and legal counsel for the Elections Division of the secretary of the commonwealth’s office.

The Bay State is divided into five regions, each consisting of around 65 or 70 towns. One cyber navigator is assigned to each region. Overall, 80% of Massachusetts towns participate in the voluntary program.

Before the program, many local offices didn’t realize they had to view the broad cybersecurity threat as a local issue, Tassinari said. Inspired by cyber navigator programs in other states, Massachusetts is now trying to bridge the gap in communication and build relationships.

“By giving local election officials a specific contact, they’ve been able to make more robust relationships that we believe will continue to benefit the election community generally,” she wrote in an email.

Another challenge has been over-communicating, several state officials say. It was easy to forward a lot of technical emails that most officials didn’t want to see or could not understand. Cyber navigators have had to find a sweet spot without burdening officials with details that were too in the weeds.

The future of these programs may depend on their funding, much of it coming from the federal government. In both 2018 and 2020, Congress allocated hundreds of millions of dollars for state and local election security through the Help America Vote Act. But election officials and experts agree the money was insufficient. The threat is evolving, and state and local officials need to be ready, they say.

“The nature of this business is you never know what’s around the corner,” Ekblad said. “States that aren’t doing this can easily do it. If more adopted this approach, we could harvest more low-hanging fruit and make our election security landscape more healthy and secure.”

This article was first posted on Stateline, an initiative of The Pew Charitable Trusts.