Time running out to protect US November elections

Experts say it's too late for significant legislative action to better protect voting this fall, but meaningful changes are still possible.

Election security / vulnerabilities / United States flag overlays voting ballot and unsecured lock
Thinkstock / Lutsina Tatiana / Getty Images

Four years have passed since the 2016 presidential election when revelations of Russian hacking of the DNC threw political contests into turmoil. In the aftermath, the Mueller investigation, Justice Department indictments and other efforts made clear that the US election and voting systems themselves were the targets of cyberattacks. The subsequent Mueller probe and DOJ indictments also revealed massive Russian digital disinformation campaigns that permeated the election.

Now, as the country heads into the next presidential campaign weakened by a pandemic and laboring under a collapsed economy, little has happened over the past four years to substantially shore up voting, campaign or election security, with only marginal improvements made around the edges. There is time, though, to implement last-minute security measures that could substantially improve election integrity, experts say.

“The overarching issue that really concerns me is that we’re four years from first learning that the Russians were trying to hack into our election infrastructure in the spring of 2016,” Susan Greenhalgh, veteran election security expert and senior advisor on election security to Free Speech for People, tells CSO.

No significant election security legislation passed

“It was in August [2016] that [then US Secretary of Homeland Security] Jeh Johnson convened his first call with the secretaries of state to talk about the security of election systems. We have seen none of the sweeping reforms that people have been talking about,” Greenhalgh says. “There have been incremental improvements in educating election workers regarding cybersecurity best practices and improving the security tools around voter registration databases and those type of systems that can be managed at the state level.”

For the most part, comprehensive legislation aimed at overhauling the weaknesses in how America safeguards its elections has not passed the congress over the past four years. “The progress is so minuscule it’s virtually non-discernible,” Greenhalgh says.

Congress allocated $380 million toward election security measures in 2018 and then again freed up $425 million to securing voting in December 2019. This year Congress awarded $400 million for states to prepare for mail-in ballots during the 2020 election under the Cares Act, passed in March. That amount is far lower than the $2 billion that the Brennan Center for Justice at New York University Law School estimated states need to protect themselves fully. It also comes with strings attached, such as matching funds from already cash-strapped states.

The single most useful piece of legislation that would have had the most significant impact on election security was the Secure Elections Act, according to Greenhalgh. That law required verified paper ballots and the performance of robust post-election audits before elections are certified. The bill faced stiff headwinds from state officials who wanted greater funding but not the mandates contained in the legislation.

The states said, “We don't want you to tell us how to run our elections. We can do fine on our own,” Greenhalgh says. “[They said], ‘We just want you to give us money.’ And that’s what Congress has done - because it's easier to just give money.”

Without legislation mandating true security requirements, nothing is likely to change how vulnerable US election and voting systems are to hacking, Mick Baccio, security advisor at Splunk, former threat intelligence team leader in the Obama White House, and former CISO for the Pete Buttigieg campaign, tells CSO. “In terms of campaign cybersecurity, there is nothing out there that says I have to do it.”

“There is no legislation. There is no oversight. There is nothing that says I have to have cybersecurity in my campaign or I have to have two-factor or I have to have DMARC,” Baccio says. “Without some kind of federal oversight, without some kind of legislation, I just don’t see it happening, and I think that’s a disservice to a lot of people and to a lot of candidates.”

Private sector helps fill election security gaps

Some private sector initiatives have helped fill the void. “Look at all the things that have come out since 2016,” Baccio says, such as Google’s Advanced Protection Program, Microsoft’s Defending Democracy, and Michael Kaiser’s Defending Digital Campaigns initiatives. “There are plenty of institutions and companies that are trying to raise the bar, that are breaking their backs to get people to vote, to understand the systems, to make things more secure.”

Moreover, DHS’s Cybersecurity and Infrastructure Security Agency’s (CISA) Project 2020 is equipping states to pull together and work cooperatively with one another and the federal government to scan for threats to voting infrastructure and share best practices. Realistically, though, real changes that address the range of election and voting security threats won’t happen in the roughly three-and-a-months left until election day. “It’s somewhere down the road. There is nothing we can do between now and November that would be a game-changer,” Baccio says.

Still time to better protect voting

Even though not much time is left to make any dramatic improvements in election security, states can take some steps to protect voting from known risks, Greenhalgh says. “There should be no use of wireless modems in any voting systems or any sort of Internet connection” to ensure that voting equipment is genuinely air-gapped from online threats.

“After 2016, we were told over and over again that the voting machines were never connected to the internet. Nobody could actually hack the vote totals. That was completely untrue. It was a lie,” Greenhalgh says.

In some states, particularly Florida, Wisconsin and Michigan, wireless modems are used to transmit the voting results from where voting booths are located back to the county server, which aggregates the vote totals. Thirty-two states allow people to vote over the internet due to disability, military service overseas or for other absentee voting reasons.

According to Greenhalgh, over 100,000 votes were cast over the internet in the US on election day in 2016. Internet voting is so concerning that France and Norway, two countries that had internet voting in 2016, shut down those voting options after learning how Russia hacked into election systems in the US

Shutting down the use of wireless modems in election equipment and stopping Internet voting is still feasible before voting begins, and it will cut down on the voting infrastructure by orders of magnitude, Greenhalgh says. “Both can be their own avenue to vote total compromise.”

Baccio questions whether another kind of voting threat, the kind of Russian hacking of the Democratic party used to disseminate disinformation, will emerge again this election cycle. “It would not shock me if there were a compromise or leaked emails or something like that, but I wouldn’t be surprised if there weren’t,” he says. “If your goal as a nation-state is just chaos and the rapid decline of the West, you’re already doing a good job.”

Copyright © 2020 IDG Communications, Inc.

The 10 most powerful cybersecurity companies