By Lesley Kennedy
Los Angeles—In the commercial world, a cyberattack likely results in the public losing confidence in the reputation of a product or company. But in government? And specifically, elections? It’s about people losing confidence in America’s entire voting process.
“We’re in a constant loop of trying to protect and defend our systems,” says Kim Wyman, Washington Secretary of State. “Most of the elections administrators I know got into this because they believe in democracy and they believe in their role in it. But at the end of the day, one cyberattack can change people’s perception of how strong and how secure our system is.”
Wyman spoke at the panel discussion “Cybersecurity for Elections: State Policy Options” July 30 during the opening day of NCSL’s Legislative Summit.
At least 21 state voter registration systems have been targeted by malicious actors, according to moderator Wendy Underhill, NCSL’s director for elections and redistricting. In reaction, she says, the Department of Homeland Security identified election infrastructure as critical infrastructure, and Congress recently provided $380 million to the states for cybersecurity options. “That sounds like a whole lot of money,” Underhill says, “but while it was well-appreciated, it’s sort of like, ‘I’m paying for the flowers at the wedding, who’s going to pay for the rest of it?’ ”
Matthew Masterson, a senior advisor at the Department of Homeland Security, says the 2016 election forced election officials to be faced with a flurry of questions: Are your systems hackable? What have you done to secure the process since the November election? What steps are you taking to protect against nation-state actors? “The reality is that state and local officials across this country now have to be prepared to answer those questions, regardless of whether it was their systems that were targeted or not,” he says. “Various groups of actors, whether they be terrorist groups or hacktivists or just someone looking to cause mischief, now view elections as a very prime target because of the publicity and ability to get attention or cause or undermine confidence in the process.”
If, say ISIS were to hack an election website’s home page, Masterson says, officials would be faced with the problem of not only how to react, but how to communicate with the public so that the integrity of the election remains intact.
“What we know from 2016 is that if the goal is to undermine confidence in the process, any jurisdiction is a possible target,” he says. “You only need to target one or access one to call into doubt others and that puts all 10,000 jurisdictions in play.”
And, he adds, even those who spend millions, and in some cases, billions of dollars to protect data still encounter cyber incidents. “This cannot just be about investing in protection,” Masterson says. “States and counties do not have enough resources—not just money, but personnel and time--to be able to protect everything all the time. So, the ability to detect and recover or build resilience is at the very core of what needs to be done in elections.”
Maurice Turner, of the Washington, D.C.-based Center for Democracy & Technology, says cyberattackers look at three key areas--registration, votes and reporting--using tactics such as phishing, ransomware, theft and confusion.
“Something that we’ve been hearing going back and forth since 2016 is ‘Did the Russians actually interfere with our elections?’ It’s been a pretty good distraction, and what I’d say is fixating on one attacker is actually a vulnerability in itself,” he says. “Attackers can come from anywhere. It can be a nation-state, a terrorist, an activist, a criminal organization interested in changing an outcome, and really can be just one lucky hacker.”
Turner says having a plan in place is critical for election officials, adding that he’s an advocate of conducting post-election audits to help build confidence in the systems already in place and serve as a deterrent. “When someone knows there’s going to be an audit of every single election, they’re less likely to actually try to manipulate the election,” he says.
And protecting elections is a bipartisan issue. Senator Henry Stern (D-Calif.) says the California Legislature was able to achieve bipartisanship and establish an office of cybersecurity this year with ongoing funding.
“Part of our challenge in the legislature has been to find those bipartisan opportunities where we can really move dollars to move issues forward and this seems like such an obvious one,” he says, noting that the biggest fear is that people start doubting that their votes count. “That can corrode the entire institution of all the houses we live in.”
Lesley Kennedy is an editor at NCSL.