Facing foreign election foes, states hire ‘cyber navigators’

 

Connecting state and local government leaders

Cyber navigators train local officials how to prevent and respond to cybersecurity breaches and keep an eye on big security compromises and phishing threats.

After more than a year of virtual meetings, Bill Ekblad showed up last week at eight southern Minnesota election offices to deliver a simple message to county election chiefs and information technology directors: You don’t need to face the massive cybersecurity threat alone.

A Navy veteran who served 26 years as a cybersecurity strategist, Ekblad is Minnesota’s first cyber navigator, charged with helping local election offices defend against the ongoing menace from foreign foes.

“Savvy adversaries are finding new ways to wreak havoc, and that could be leveraged in the election world,” he said from the road. “Counties don’t have to face these challenges by themselves.”

If a phishing attempt targeted one county election official, it’s likely officials in one of the other 87 counties got a similar email, Ekblad said. Getting ahead of that threat by communicating with every election official around the state is essential, he added.

Local election officials are on the front lines of election defense, but they often are underfunded or lack the technical knowhow to protect systems from cyber threats. Seeing this vulnerability, at least seven states—Florida, Illinois, Iowa, Massachusetts, Michigan, Minnesota and Ohio—in recent years have launched cyber navigator programs that offer local election officials state-backed contacts to meet the challenge. Several other states are considering following suit.

Mark Lindeman, an acting co-director of Verified Voting, an election security nonprofit, said cyber navigators are akin to personal trainers or financial advisers.

“It recognizes that local election officials simply don’t have the time to become experts on cybersecurity along with all the other things that they are expected to be an expert in,” he said. “They really need people who can break down deep knowledge of cybersecurity issues into the next steps that they can actually take.”

In America’s decentralized election system, the voting process is administered by 10,000 separate election offices, making it impossible to mount a coordinated national defense. Disparities among counties in resources and personnel are immense. And while states have cybersecurity agencies, many don’t employ experts who specialize in election administration.

The modern voting process relies heavily on websites run by local election officials. Americans who want to register to vote, check their registration status, find out where to vote or look for authoritative information on who won elections go to websites that often are administered by counties or cities.

At the same time, local election officials are charged with configuring voting machines, tabulating results and then publishing them in some form. All these responsibilities require proficiency in cybersecurity or technical support staff, both of which are hard to come by when election officials face chronic underfunding.

Illinois was the first state to meet this challenge with cyber navigators.

Russian agents struck the state’s voter registration system before the 2016 presidential election, stealing the personal information of more than 70,000 voters. Two years later, the Prairie State hired nine cyber navigators to assist the state’s 108 election offices and prevent another breach of that magnitude.

The program costs between $5 million and $5.5 million annually. It was created in the state’s 2018 budget and signed into law by former Gov. Bruce Rauner, a Republican. The program is funded through federal Help America Vote Act grants and operates in partnership with the state’s Department of Innovation & Technology, which broadly oversees Illinois’ cybersecurity apparatus.

“If this could happen at the state level, where we have more resources available, what can we do to bolster their infrastructure, their awareness of how these attacks happen?” said Amy Kelly, the cyber navigator program manager for the Illinois State Board of Elections.

“Really, it was about educating individuals who weren’t cybersecurity experts,” she added, “giving them the tools to make informed decisions and making their election infrastructure more secure.”

Illinois is divided into four regions, with two navigators assigned to each and a manager based in Springfield, the state capital. Every county participates in the voluntary program, meeting monthly with its assigned cyber navigator and reporting any suspicious behavior, such as a phishing attempt or misinformation on social media.

Cyber navigators train local officials how to prevent and respond to cybersecurity breaches. In one scenario, a malicious actor with access to an election office’s social media account or website could spread false information about voting dates, times, procedures or results, leading to a crisis of confidence among voters. Officials also monitor for online misinformation.

Sangamon County Clerk Don Gray, a Republican, said the program has provided the foundational resources that all counties need to secure elections. Even though his is a medium-sized county surrounding Springfield, Gray said he and other local officials have benefited from the methodical knowledge of the cyber navigators.

“I don’t think any election office thought they’d be on the front lines of cybersecurity,” he said. “We’re just one keystroke away from eroding the confidence in the election system.”

While partnerships among local, state and federal election officials have grown over the past five years, there are still immense election security challenges, officials say. The threat from clever foreign adversaries such as Russia has not gone away.

“It’s clear that more and more nation states have shown an interest in interfering with our election process,” said Jen Easterly, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, at a National Association of State Election Directors conference this month. “We know that more work needs to be done to shore up our systems.”

Since the large-scale hacking and disinformation attacks of the 2016 presidential election, the federal government has launched several initiatives to bolster cybersecurity and improve “digital hygiene” among election officials.

This year, the cybersecurity agency is offering local election offices a .gov domain for added security. Since election administration is decentralized and sometimes lacks specific rules around county websites, many local election offices around the country have .com or .org domains. The agency also offers testing and training for local election offices.

Foreign actors target both large and small jurisdictions, Easterly said. Even an attack on a small election office could undermine faith in the national voting process, she warned.

In Steele County, Minnesota, a rural community of 36,000 residents, Director of Information Technology Dave Purscell knows his region does not have resources or staffing on par with Minneapolis, St. Paul or Rochester. To have a cyber navigator keeping an eye on big security compromises and phishing threats throughout the state has been a great, no-cost resource, he said.

“We have less people, we have less income, less … dollars available to accomplish things,” he said. “But we have the same threats, same risk, potentially even more. We really have to partner with agencies and other counties to work together.”

That doesn’t mean that all local election offices are excited to collaborate in these programs.

In Minnesota, Ekblad said he had to convince a few county officials to participate in the voluntary program. Some communities are fiercely independent and don’t want the state interfering in local government.

“I truly think I can add value to all of them,” Ekblad said. “There are some out there who are really not embracing all that we may be able to help them with, and I have to live with that.”

In Massachusetts, it has been challenging for cyber navigators to connect and coordinate with the state’s 351 town election officials and local IT staff, said Michelle Tassinari, director and legal counsel for the Elections Division of the secretary of the commonwealth’s office.

The Bay State is divided into five regions, each consisting of around 65 or 70 towns. One cyber navigator is assigned to each region. Overall, 80% of Massachusetts towns participate in the voluntary program.

Before the program, many local offices didn’t realize they had to view the broad cybersecurity threat as a local issue, Tassinari said. Inspired by cyber navigator programs in other states, Massachusetts is now trying to bridge the gap in communication and build relationships.

“By giving local election officials a specific contact, they’ve been able to make more robust relationships that we believe will continue to benefit the election community generally,” she wrote in an email.

Another challenge has been over-communicating, several state officials say. It was easy to forward a lot of technical emails that most officials didn’t want to see or could not understand. Cyber navigators have had to find a sweet spot without burdening officials with details that were too in the weeds.

The future of these programs may depend on their funding, much of it coming from the federal government. In both 2018 and 2020, Congress allocated hundreds of millions of dollars for state and local election security through the Help America Vote Act. But election officials and experts agree the money was insufficient. The threat is evolving, and state and local officials need to be ready, they say.

“The nature of this business is you never know what’s around the corner,” Ekblad said. “States that aren’t doing this can easily do it. If more adopted this approach, we could harvest more low-hanging fruit and make our election security landscape more healthy and secure.”

This article was first posted on Stateline, an initiative of The Pew Charitable Trusts.

NEXT STORY: CISA updates ransomware tips

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.