Ensuring the security of Federal elections is always a tall task for local election officials, but amid a global pandemic and increasing cyber threats from foreign adversaries, those local officials have a particularly full plate.
During a July 23 FedInsider webinar, state and local election officials touched on a wide array of their priorities with the general election only 104 days away. Topping the list were traditional cyber threats, misinformation campaigns, and the logistical changes due to the COVID-19 pandemic.
Justin Berardino, operations manager at the Orange County, Calif., Registrar of Voters, said that while he is concerned about traditional cyber threats, he is really more focused on misinformation campaigns – especially ones being carried out on social media platforms. Only accurate information can combat misinformation, he said. Further, election officials need to ensure that they have a way to rapidly push out and share accurate information in the event of a misinformation campaign.
Speakers acknowledged that some social media platforms are taking steps to combat misinformation, but for the average voter it can be difficult to tell what is accurate information and what is intentional misinformation.
When it comes to more traditional cyber threats, Berardino identified spearphishing as a top concern. He stressed the importance of strong cyber training and good email filters to ensure phishing campaigns are not effective.
Justin Herring, executive deputy superintendent at the New York Department of Financial Services, shared concerns over traditional cyber threats. Herring said that his “day job” is being a financial regulator, but that defending against cyber threats is the same regardless of what you’re defending. When it comes to cybercriminals, it “doesn’t matter what their objective is,” they largely use the same types of threats.
However, Herring acknowledged that there are differences between his “day job” and his role in securing the general election. “There are some differences, a key one is you aren’t just defending a single network,” he said. Herring explained that in New York state – and the rest of country – elections are decentralized, with much of responsibility for elections being placed on county governments. That means multiple networks have to be defended because “you are having to defend the whole process around the election.”
Herring also acknowledged that in most other industries hackers need to be able to gain access to the network to be considered successful, but this isn’t the case with elections. Hackers can be successful merely by “disrupting an election and undermining our confidence in the election.” However, he said, “even if you discover an intrusion, you can still win the war if you have another method of carrying out the election” that inspires confidence and trust.
Undoubtedly, the COVID-19 pandemic has added an additional layer of concern for election officials. They have had to both reconfigure polling place layouts to enable social distancing, and respond to a greater demand for vote-by-mail. Berardino benefits from having already run three elections during the pandemic – the Federal primary during the early parts of the pandemic, and two state-wide elections during lockdown without any in-person voting. He said those elections have given his team “great data” for the November election. Speakers agreed that the pandemic has led to a spike in vote by mail requests, and discussed the impact on local election officials.
Dan Wallach, a professor in the systems group at Rice University’s Department of Computer Science, highlighted one benefit of increased vote by mail – more accurate auditing capabilities. Vote by mail requires the use of physical ballots, which leaves behind a paper trail that election officials can use to ensure an accurate count of votes.
“Auditing only makes sense when you have some kind of paper ballot,” Wallach said. “When you have a completely, 100 percent electronic voting machine – which are in fewer and fewer counties every year – there is really nothing to audit.”
In those instances, he said, “we are relying on traditional IT security.” Meaning, if a hacker gets in, the original ballot is compromised and there is nothing to audit. However, with more and more voters using a paper ballot, the ability to audit goes up.