Our Blind Spot on Election Security

Election security officials have paid little attention to the possibility of an insider threat.


COMMENTARY | Election infrastructure is unprotected from a serious risk: the insider threat.

The national dialogue around election security generally centers on interference from foreign adversaries. This assumption informs how we spend most of our time and attention in protecting election infrastructure from hacks or breaches. But what if the next significant threat to our election infrastructure comes from within our borders or even from inside election agencies?

Organizations have always faced the possibility that a trusted employee might choose to abuse their position. The so-called insider threat manifests when an employee with authorized access to sensitive information or systems compromises “data, processes, or resources in a disruptive or unwelcome way.” These individuals might simply misuse systems for personal gain. In more serious cases, they could leverage their privileged internal access to commit sabotage by stealing trade secrets either for revenge or profit.

The widespread adoption of IT in business and government has only amplified this threat. Now systems that were once separate are digitally connected, enabling one person to access systems and corrupt data across an entire organization without ever leaving a desk.

A recent study of commercial and public sector organizations found 1,105 malicious insider attacks across 204 organizations in the past year alone. Amazon home security company Ring acknowledged it has fired employees who abused their access to videos recorded by doorbell cameras. Uber also has terminated employees who improperly used the company’s technology to spy on customers for personal reasons.

Even the most sophisticated organizations are at risk. The U.S. Department of Justice indicted Harold T. Martin III and Joshua Schulte for stealing top secret information from their employers: the National Security Agency and Central Intelligence Agency.

State and local governments have also faced their share of attacks from within. Insider threats in state and local governments account for nearly half of the reported cases—many of them involving fraudulent misuse of residents’ information—in public administration. Making matters worse, state and local governments, unlike the federal government, aren’t required to have an insider threat mitigation plan.

Election infrastructure is especially vulnerable to this threat. The sector is chronically underfunded and short-staffed, especially when it comes to cybersecurity. It was only two years ago that the nation’s largest election vendor hired its first chief information security officer. Election administrators are also dependent on thousands of volunteers who come and go each election season to carry out important functions that frequently involve interaction with IT systems. This exposes the system to risk from a long line of potentially malicious insiders who are difficult to monitor effectively without negatively affecting volunteer participation.

While election administrators have always contended with fraud, the integration of technology into the election process allows individual actors to inflict far more damage. Imagine the power wielded by an IT administrator at a company that provides remote support for election software used across multiple states. Or an official or volunteer with direct, unmonitored access to the software system used for managing registration databases, designing ballots, counting votes and reporting them.

Malicious insiders could be motivated to compromise data or services because of their personal political motivation. Or they could be influenced by an external foreign actor.

Foreign adversaries have dedicated significant time and money to turn valuable human assets that can carry out their intelligence objectives. It isn’t far-fetched that a foreign intelligence agency could try to recruit an election official or employee who could provide direct access to sensitive election systems. Consider the cases of former CIA agent Aldrich Ames and former FBI agent Robert Hanssen, who were both caught spying for the Russian government. Given those instances and the value the United States places on the integrity of its elections, it would be a mistake to dismiss the possibility of foreign recruitment of election insiders.

What is especially concerning about the insider threat in the context of elections is that the success of the election process depends on public trust. A criminal act to undermine election integrity really only needs to generate the perception that a successful attack has occurred—whether or not it actually did. If the public isn’t confident that elections personnel carried out their duties without bias or malice, the legitimacy of the outcome would be called into question.

Equally troubling is how little attention has been paid to the possibility of an insider threat in elections. It is essential that we guard against anything that might erode that trust now.

First, election administrators and vendors should implement basic security measures to limit the damage that a malicious insider might cause, either accidentally or maliciously. Relatively simple but effective practices include restricting access to the level of functionality necessary for each position and establishing physical safeguards to protect key systems. Recent advances in behavior analytics simplify the process of monitoring the specific subsets of employees who could potentially cause serious damage.

Second, the elections community should work closely with the intelligence community to apply lessons learned from the history of counterintelligence. While there has been some engagement to date, a more permanent process is necessary to forge the kind of trusted, personal relationships that enable exchange of sensitive protective measures. One option is for the federal agencies to offer the elections community access to the resources of the National Insider Threat Task Force. While not tailored to the elections sector, it could still provide useful insight on the insider threat.

Third, policymakers should investigate how voluntary guidelines or mandatory rules should expressly call out measures to protect against insider threats. The Election Assistance Commission oversees certification for physical voting machines, but it lacks the authority to require election officials to properly monitor insider threats. States also generally do not require their own agencies—including those that run elections—to maintain insider threat programs. Given the national importance of maintaining the integrity of elections, states should examine adopting strategies to monitor and prevent insider threats in the election sector.

Elections are a sacred act of our democracy. As such, their credibility must remain supreme. This critical blind spot underscores the urgent need to treat election infrastructure as rigorously as one of the crown jewels of our nation’s critical infrastructure—banking, energy, telecommunications or national security. While election officials are consummate professionals who constantly execute smooth elections, they are not election security experts. Incorporating a security consciousness is critical to addressing both known and unknown risks.

David Forscey is Managing Director of the Aspen Cybersecurity Group. Previously, he worked in the Resource Center for State Cybersecurity at the National Governors Association and as a National Security Fellow at Third Way.
