Our Blind Spot on Election Security
COMMENTARY | Election infrastructure is unprotected from a serious risk: the insider threat.
The national dialogue around election security generally centers on interference from foreign adversaries. This assumption informs how we spend most of our time and attention in protecting election infrastructure from hacks or breaches. But what if the next significant threat on our election infrastructure comes from within our borders or even from inside election agencies?
Organizations have always faced the possibility that a trusted employee might choose to abuse their position. The so-called insider threat manifests when an employee with authorized access to sensitive information or systems compromises “data, processes, or resources in a disruptive or unwelcome way.” These individuals might simply misuse systems for personal gain. In more serious cases, they could leverage their privileged internal access to commit sabotage by stealing trade secrets either for revenge or profit.
The widespread adoption of IT in business and government has only amplified this threat. Now systems that were once separate are digitally connected, enabling one person to access systems and corrupt data across an entire organization without ever leaving a desk.
A recent study of commercial and public sector organizations found 1,105 malicious insider attacks across 204 organizations in the past year alone. Amazon home security company Ring acknowledged it has fired employees who abused their access to videos recorded by doorbell cameras. Uber also has terminated employees who improperly used the company’s technology to spy on customers for personal reasons.
Even the most sophisticated organizations are at risk. The U.S. Department of Justice indicted Harold T. Martin III and Joshua Schulte for stealing top secret information from their employers: the National Security Agency and Central Intelligence Agency.
State and local governments have also faced their share of attacks from within. Insider threats in state and local governments account for nearly half of the reported cases—many of them involving fraudulent misuse of residents’ information—in public administration. Making matters worse, state and local governments, unlike the federal government, aren’t required to have an insider threat mitigation plan.
Election infrastructure is especially vulnerable to this threat. The sector is chronically underfunded and short-staffed, especially when it comes to cybersecurity. It was only two years ago that the nation’s largest election vendor hired its first chief information security officer. Election administrators are also dependent on thousands of volunteers who come and go each election season to carry out important functions that frequently involve interaction with IT systems. This exposes the system to risk from a long line of potentially malicious insiders who are difficult to monitor effectively without negatively affecting volunteer participation.
While election administrators have always contended with fraud, the integration of technology into the election process allows individual actors to inflict far more damage. Imagine the power wielded by an IT administrator at a company that provides remote support for election software used across multiple states. Or an official or volunteer with direct, unmonitored access to the software system used for managing registration databases, designing ballots, counting votes and reporting them.
Malicious insiders could be motivated to compromise data or services because of their personal political motivation. Or they could be influenced by an external foreign actor.
Foreign adversaries have dedicated significant time and money to turn valuable human assets that can carry out their intelligence objectives. It isn’t far-fetched that a foreign intelligence agency could try to recruit an election official or employee who could provide direct access to sensitive election systems. Consider the cases of former CIA agent Aldrich Ames and former FBI agent Robert Hanssen, who were both caught spying for the Russian government. Given those instances and the value the United States places on the integrity of its elections, it would be a mistake to dismiss the possibility of foreign recruitment of election insiders.
What is especially concerning about the insider threat in the context of elections is that the success of the election process depends on public trust. A criminal act to undermine election integrity really only needs to generate the perception that a successful attack has occurred—whether or not it actually did. If the public isn’t confident that elections personnel carried out their duties without bias or malice, the legitimacy of the outcome would be called into question.
Equally troubling is how little attention has been paid to the possibility of an insider threat in elections. It is essential that we guard against anything that might erode that trust now.
First, election administrators and vendors should implement basic security measures to limit the damage that a malicious insider might cause, either accidentally or maliciously. Relatively simple but effective practices include restricting access to the level of functionality necessary for each position and establishing physical safeguards to protect key systems. Recent advances in behavior analytics simplify the process of monitoring the specific subsets of employees who could potentially cause serious damage.
Second, the elections community should work closely with the intelligence community to apply lessons learned from the history of counterintelligence. While there has been some engagement to date, a more permanent process is necessary to forge the kind of trusted, personal relationships that enable exchange of sensitive protective measures. One option is for the federal agencies to offer the elections community access to the resources of the National Insider Threat Task Force. While not tailored to the elections sector, it could still provide useful insight on the insider threat.
Third, policymakers should investigate how voluntary guidelines or mandatory rules should expressly call out measures to protect against insider threats. The Election Assistance Commission oversees certification for physical voting machines, but it lacks the authority to require election officials to properly monitor insider threats. States also generally do not require their own agencies—including those that run elections—to maintain insider threat programs. Given the national importance of maintaining the integrity of elections, states should examine adopting strategies to monitor and prevent insider threats in the election sector.
Elections are a sacred act of our democracy. As such, their credibility must remain supreme. This critical blind spot underscores the urgent need to treat election infrastructure as rigorously as one of the crown jewels of our nation’s critical infrastructure—banking, energy, telecommunications or national security. While election officials are consummate professionals who constantly execute smooth elections, they are not election security experts. Incorporating a security consciousness is critical to addressing both known and unknown risks.
David Forscey is Managing Director of the Aspen Cybersecurity Group. Previously, he worked in the Resource Center for State Cybersecurity at the National Governors Association and as a National Security Fellow at Third Way.