Jurisdictions applying cybersecurity approaches learned from past elections may be vulnerable to new attacks, one expert says.
The 2020 presidential election is barely in the rearview mirror, but many counties are already revving up for the 2022 midterm vote – and ensuring that it’s secure. With threats coming from nation-states and the other usual suspects, election officials are applying cybersecurity approaches learned from past events. But that strategy could leave them vulnerable to new attacks, one expert says.
It’s likely that future elections will have more of a cyber component, but not with the goal of changing vote counts, as is commonly believed, said Mike Hamilton, chief information security officer at Critical Insight and former CISO for Seattle. The goal will be introducing uncertainty.
Ransomware or some other disruptive attack can inject doubt into a voting jurisdiction’s results, Hamilton said. “If I can snarl your data, it means I could have changed it. Whether or not I did is not even material because the perception that is created in people’s minds is that this can’t be trusted.”
Controversial voting legislation will factor into that uncertainty, as will redistricting data that the Census Bureau released last month based on its 2020 decennial count, Hamilton said. Gerrymandering will likely “further exacerbate the divide among Americans with this blatant display of ‘We’re going to pick the voters we want rather than the voters picking us,’” he said.
Additionally, ransomware as a service makes it relatively easy for disgruntled voters to launch attacks that make other voters insecure.
As a result, ransomware is “not going to be directed against election machinery. It’s going to [target] the county seat that’s going to conduct the election,” he said. “Even if all the election machinery was completely off that network, it’s still in question.”
Hamilton also cited cybersecurity-related dirty campaign tactics as a potential problem. For instance, in 2020, the FBI arrested the husband of a staffer for former Rep. Katie Hill (D-Calif.) for coordinating cyberattacks in 2018 against one of Hill’s opponents.
Additionally, cities, counties and their election offices must consider the role crises and emergencies play in election planning. When the pandemic threw a wrench into last year’s election, officials had from the crisis’s start in February to Election Day in November to shore up election systems. “But if the pandemic had started in, let’s say, September, instead of February, there would have been no way for us to retool quickly enough to conduct those elections,” said Hamilton, who was the vice chairman of the Department of Homeland Security's State, Local, Tribal and Territorial Government Coordinating Council.
Severe weather events such as fires and hurricanes can wipe out the ability to conduct in-person elections, so cities and counties may need to pivot to mail-in or online voting – alternatives that wrongly have a bad rap, he said.
“We’ve had lots of time to work on these various methods – vote by mail, etc. – and every one of these has the potential for something to go wrong. You can steal ballots out of mailboxes. You can have an insider in the election organization,” Hamilton said. “But the fact of the matter is, statistically, that’s roundoff error. None of that is really significant in terms of its ability to change the outcome of an election.”
One step toward making elections more secure – and potentially able to be conducted digitally – is monitoring that allows officials to see immediately when something goes wrong and stop it. Funding cybersecurity projects, however, has always been challenge.
The Infrastructure Investment and Jobs Act, which the Senate approved last month and Hamilton expects will pass the House, includes funding for cybersecurity efforts at the state and local levels. For instance, it would provide $1 billion over four years for the State and Local Cybersecurity Grant Program, which would give states and localities a way to harden systems they consider high-risk.
“My hope is states are going to include election infrastructure in that assessment and that there will be funds directed to election systems … to get them a consistent set of controls,” Hamilton said. “If those political jurisdictions that conduct elections would all assess themselves against a consistent standard, we’d start to line things up a little better.”
He recommends that election offices assess their cybersecurity against a standard of practice, such as the National Institute of Standards and Technology’s Cybersecurity Framework that federal agencies use.
“There is no absolute outcome you’re trying to achieve. What you’re trying to do is minimize the likelihood of a bad event. And when that thing happens -- because you can never drive the probability to zero -- you’ve got to worry about the impact and put out the little fire before it gets big,” Hamilton said.
This article was updated Sept. 13 to correct the name of the State, Local, Tribal, and Territorial Government Coordinating Council.