Election security status: Some progress on ballot integrity, but not on Russian interference

With the election less than two months away, government and election officials say voting itself is more secure, but Russian disinformation remains largely unaddressed.

Election security  >  Backlit hand drops a vote in a ballot box with US flag + binary code overlay
JCrosemann / Traffic Analyzer / Getty Images

The presidential election in 2016 was a wake-up call that the security of the country’s election infrastructure can never again be considered a sure thing. During the last presidential campaign, Russia hacked into the Democratic National Committee’s network and stole emails from Clinton campaign officials while also breaking into at least two county voting systems in Florida. Those digital security attacks took place alongside destructive disinformation campaigns that ran on vulnerable and unprepared social media networks.

At this year’s Billington Cybersecurity Summit, 55 days before the next presidential election, experts weighed in on the progress, or lack thereof, that the US has made in securing America’s elections since 2016.

Chris Krebs, head of the Department of Homeland Security’s (DHS’s) Cybersecurity and Infrastructure Security Agency (CISA), told attendees that three-and-a-half years after he joined the agency it has “turned the corner in a really meaningful way” on cybersecurity. “We're working in all 50 states on a regular basis to share information, to secure their systems, to ensure that they have all the resources they need to be prepared, whether it's a COVID environment or non-COVID environment.”

Matthew Masterson, senior cybersecurity advisor at CISA, says his group is hard at work on supporting the more than 8,800 officials who run the country’s elections. Many of the voting jurisdictions are small but many election offices represent the largest IT operations in their counties in terms of total number of assets.

“You’ve got voter registration systems, election night reporting systems. Voting systems get a ton of attention. There are so many pieces of infrastructure that exist at the state and local level,” he said. “For us at CISA, our focus is on making sure they have access to timely and actionable both information and intelligence to make sure they manage risks to their systems.”

More votes will be auditable in 2020

Nonetheless, election officials are natural risk managers, Masterson says, and the situation seems to be improving. In 2016, approximately 80% of votes cast had an auditable record of some sort, he said, a figure that has risen to 92% as we move toward election day 2020.

There’s still work to do though when it comes to audits. “Now what we need to focus on is how do we effectively and efficiently audit those records and how do we do it transparently so the public can have the confidence in the votes cast,” Masterson said.

The important thing is to reassure voters that their votes will be counted, Trevor Timmons, CIO, Department of State, State of Colorado, said. “At every step of the way, if they can see the resiliency and the process that is in place, we think that helps support the confidence of the voters.”

This year, with mail-in ballots, setting expectations is important. “We’re probably not going to know Tuesday at 7 pm; we’re probably not going to know Tuesday in the middle of the night, so we need to make sure expectations are set at the right level for this election.”

Chris Wlaschin, vice president of systems security and CISO for top election equipment maker Election Systems & Software (ES&S), believes his industry is working toward improvements. “In the last 15 years, election technology providers have moved forward to provide a paper trail,” he said. “Today our industry under the leadership of the Election Infrastructure Subsector Coordinating Council has come together and tried to move the ball forward when it comes to election security technology.”

Senator Mark Warner (D-VA), vice chairman of the Select Committee on Intelligence, said that despite some improvements, he is “very concerned in a host of areas that we have not done enough.” Social media companies are “doing a slightly better job,” he said.  “DHS, CISA in particular under Chris Krebs’ leadership, I think has done a pretty good job of improving the overall security of our election machinery and I think they’ve gotten most election officials recognizing that this is a threat.”

Bi-partisan election security legislation blocked

“At least our intelligence communities are more aware” of the overall threat of foreign nations hacking information and weaponizing information in the way that Russia did with the DNC hacks, Warner said. “The bad news quite honestly, and I think it’s Congress’ responsibility, is that we have not passed a single piece of legislation, even though there has been a great deal of bipartisan legislation proposed. The majority leader has not let them come to the floor.”

“We’ve not passed legislation that I would have thought would have been the ultimate low-hanging fruit. We called it the FIRE [Foreign Influence Reporting in Elections] Act. It says if a foreign government interferes in any presidential election, the obligation should be to not say ‘thank you for that help’ but to tell the FBI.” Senate Republicans blocked that legislation in mid-2019.

Russian disinformation still a concern, deep fakes not so much

Warner is particularly concerned about Russia trying to polarize the American electorate over racial justice in the last remaining days of the election. “One thing we know about 2016 is that Russia, with its disinformation, tried to exacerbate divisions in our country based on race,” he said. “I’m very, very concerned in these last 50-plus days whether Russia could try to exacerbate those divisions again.”

One thing that hasn’t happened so far is the misleading and divisive use of so-called deep fake images and videos, which experts had predicted might be used in election disinformation campaigns. “In many ways I’ve been surprised...that bad guys whether through election interference or frankly through market interference haven’t used the technology more effectively,” Warner said.

Chris Vickery, director of cyber risk research at UpGuard, shares Warner’s concern that the US hasn’t done enough since 2016 to protect elections. “A number of government committees, investigations, and revelations over the past four years have proven beyond doubt that our nation's system of elections is under ongoing assault from adversaries foreign and domestic who disagree with our freedoms, liberties, and rule of law,” he tells CSO.

“While many individuals on the periphery of this assault have been arrested, indicted, convicted, and continue to be subjects of investigation, there have been no systemic changes or rehabilitations introduced to address the root level problems and corruption being leveraged to harm our nation. I am not alone in fearing that the adversaries of democracy have not squandered four years of access to the immense power and influence available to the Office of the President of The United States of America and control over the Executive Branch.”

“We must be willing to recognize and confront the real possibility of extensive intentional sabotage, snares, and bear traps having been deployed while the foxes were entrusted to guard the henhouse,” Vickery says. “I wish I could be more reassuring and upbeat, but the consequences of sugar-coating the elevated risks we now face would far outweigh any temporary warm feelings. Now is the time for unvarnished real talk and real patriots to rise and demonstrate to the world that here, truth matters.”

Copyright © 2020 IDG Communications, Inc.

The 10 most powerful cybersecurity companies