Looking for election threats in all the wrong places

 

Connecting state and local government leaders

Jurisdictions applying cybersecurity approaches learned from past elections may be vulnerable to new attacks, one expert says.

The 2020 presidential election is barely in the rearview mirror, but many counties are already revving up for the 2022 midterm vote – and ensuring that it’s secure. With threats coming from nation-states and the other usual suspects, election officials are applying cybersecurity approaches learned from past events. But that strategy could leave them vulnerable to new attacks, one expert says.

It’s likely that future elections will have more of a cyber component, but not with the goal of changing vote counts, as is commonly believed, said Mike Hamilton, chief information security officer at Critical Insight and former CISO for Seattle. The goal will be introducing uncertainty.

Ransomware or some other disruptive attack can inject doubt into a voting jurisdiction’s results,  Hamilton said. “If I can snarl your data, it means I could have changed it. Whether or not I did is not even material because the perception that is created in people’s minds is that this can’t be trusted.”

Controversial voting legislation will factor into that uncertainty, as will redistricting data that the Census Bureau released last month based on its 2020 decennial count, Hamilton said. Gerrymandering will likely “further exacerbate the divide among Americans with this blatant display of ‘We’re going to pick the voters we want rather than the voters picking us,’” he said.

Additionally, ransomware as a service makes it relatively easy for disgruntled voters to launch attacks that make other voters insecure.

As a result, ransomware is “not going to be directed against election machinery. It’s going to [target] the county seat that’s going to conduct the election,” he said. “Even if all the election machinery was completely off that network, it’s still in question.”

Hamilton also cited cybersecurity-related dirty campaign tactics as a potential problem. For instance, in 2020, the FBI arrested the husband of a staffer for former Rep. Katie Hill (D-Calif.) for coordinating cyberattacks in 2018 against one of Hill’s opponents.

Additionally, cities, counties and their election offices must consider the role crises and emergencies play in election planning. When the pandemic threw a wrench into last year’s election, officials had from the crisis’s start in February to Election Day in November to shore up election systems. “But if the pandemic had started in, let’s say, September, instead of February, there would have been no way for us to retool quickly enough to conduct those elections,” said Hamilton, who was the vice chairman of the Department of Homeland Security's State, Local, Tribal and Territorial Government Coordinating Council.

Severe weather events such as fires and hurricanes can wipe out the ability to conduct in-person elections, so cities and counties may need to pivot to mail-in or online voting – alternatives that wrongly have a bad rap, he said.

“We’ve had lots of time to work on these various methods – vote by mail, etc. – and every one of these has the potential for something to go wrong. You can steal ballots out of mailboxes. You can have an insider in the election organization,” Hamilton said. “But the fact of the matter is, statistically, that’s roundoff error. None of that is really significant in terms of its ability to change the outcome of an election.”

One step toward making elections more secure – and potentially able to be conducted digitally – is monitoring that allows officials to see immediately when something goes wrong and stop it. Funding cybersecurity projects, however, has always been challenge.

The Infrastructure Investment and Jobs Act, which the Senate approved last month and Hamilton expects will pass the House, includes funding for cybersecurity efforts at the state and local levels. For instance, it would provide $1 billion over four years for the State and Local Cybersecurity Grant Program, which would give states and localities a way to harden systems they consider high-risk.

“My hope is states are going to include election infrastructure in that assessment and that there will be funds directed to election systems … to get them a consistent set of controls,” Hamilton said. “If those political jurisdictions that conduct elections would all assess themselves against a consistent standard, we’d start to line things up a little better.”

He recommends that election offices assess their cybersecurity against a standard of practice, such as the National Institute of Standards and Technology’s Cybersecurity Framework that federal agencies use.

“There is no absolute outcome you’re trying to achieve. What you’re trying to do is minimize the likelihood of a bad event. And when that thing happens -- because you can never drive the probability to zero -- you’ve got to worry about the impact and put out the little fire before it gets big,” Hamilton said.

This article was updated Sept. 13 to correct the name of the State, Local, Tribal, and Territorial Government Coordinating Council. 

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.