Elections Cybersecurity: Actions for Legislators
Less than two weeks before Election Day 2020, thousands of Americans were hit with a multi-pronged attack designed to cause chaos, confusion and fear. Thousands of Democratic voters received emails claiming that the U.S. election infrastructure had been breached. Meanwhile, Republican voters were waking up to a video on Facebook, Twitter and YouTube purporting to show the falsification of absentee ballots.
These seemingly disparate incidents coalesced around a central (but false) narrative: a compromised U.S. election.
Within 27 hours of reports from election officials and law enforcement agents in Florida and Alaska, the U.S. intelligence community had identified the attempt as a coordinated effort by Iranian hackers to spread disinformation and suppress voter turnout. This stunning example of successful threat mitigation—the bad actors were thwarted—was the fastest public disclosure of such intelligence by the United States, ever.
Had officials in Florida and Alaska not acted swiftly, reporting the incidents to appropriate federal partners who were then able to investigate and alert election officials everywhere, the damage could have been more severe.
When it comes to cybersecurity, everyone has a role to play. For instance, legislatures across the country have already taken steps to increase cybersecurity for elections. In this edition of The Canvass, we offer lawmakers strategies for combatting the next attack, including free and simple measures that can be put in place today.
Understand the Threat Landscape
The first step to successfully combatting cyberattacks whether in the elections sphere or elsewhere, is to understand the magnitude and scope of the problem. Today’s threat landscape differs from years past. While independent hacking groups and cybercriminals continue to wreak havoc and pose their own unique threats, experts warn of a rise in the number of hacking operations backed by nation-states.
“We are in the most concerning geopolitical environment for cybersecurity—it’s more important now than ever,” says Lindsey Forson, director of cybersecurity programs at the National Association of Secretaries of State.
A 2021 joint report from the U.S. Departments of Justice and Homeland Security revealed efforts by Russian, Chinese and Iranian government-affiliated actors to infiltrate U.S. election networks, including those of political organizations, candidates and campaigns during the 2020 election cycle. Though none of these attempts successfully compromised election results, cyberattacks from sophisticated domestic and foreign adversaries are a constant threat and should always be taken seriously.
To put the threats in perspective: “Everything is stacked in the bad actors’ favor; think of this as your smallest districts fighting against Russia,” says Kim Wyman, senior election security advisor at the Cybersecurity and Infrastructure Security Agency (CISA), a part of the U.S. Department of Homeland Security.
Evaluate Your State’s Existing Cybersecurity Practices
With the broader context under your belt, it’s time to home in on your state’s cybersecurity practices. “Go to your local election office and ask them to walk you through the path of the ballot,” advises Wyman. Engaging with local election officials is generally a good practice when considering any election policy change, but it can be particularly helpful for understanding security measures.
Ask questions—What security measures are in place? Where do security vulnerabilities exist? What threats have been detected? Remember, too, that a local election office is only one part of a larger technology ecosystem—the voter registrations are aggregated at the state-level, for example. Hackers might seek to gain access to, say, the voter registration system or the election management system through a variety of entry points. So, while the local election office might have some cybersecurity safeguards in place, the broader networks used at the county and state levels should also be examined for a more holistic cybersecurity assessment. This means having conversations about cybersecurity with those outside of the election office, such as the county or state I.T. departments.
Pick the Low-Hanging (Cyber) Fruit
Understanding the mechanics of cybersecurity comes with a steep learning curve. The good news is that plenty of free resources and tools are available to help election officials strengthen their cybersecurity efforts.
One free and easy step states can take to strengthen security is to require election offices to adopt a .gov domain for all official government websites. As a sponsored top-level domain, .gov is more secure than alternatives like .us or .com, and provides an easy way to identify trusted election information, as “If it’s not .gov, it’s not us,” said Marci Andino, director of the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC),
EL-ISAC is an invaluable resource which supports the cybersecurity needs of the election community. Membership is free, voluntary and includes access to a suite of resources, such as guidance on security best practices, incident reporting and remediation, and notifications of possible threats. States could encourage—or perhaps require—election offices to join.
Members also receive access to tools and services such as the Malicious Code Analysis Platform, which allows users to submit suspicious items for threat analysis, the Vulnerability Management Program, which provides monthly notifications on outdated software that could pose a security risk and Malicious Domain Blocking and Reporting, which preemptively blocks network traffic from hazardous web domains capable of perpetrating malware, ransomware and phishing attacks.
Be an Advocate for Your State’s Elections
“It’s very hard to change an election, but it’s very easy to cause confusion. The goal of our adversaries is to sow confusion,” says Wyman. As part of their voter email deluge in 2020 the Iranians also claimed to have infiltrated America’s elections infrastructure. This claim was disproven, but it did propagate a damaging narrative: You can’t trust the system, so you shouldn’t vote. “They’re pitting Americans against each other, and it’s working,” adds Wyman.
Countering this kind of false narrative is hard—but legislators can help. As leaders and trusted community members with more experience with election processes than the general public, legislators are well-positioned to respond to mis-, dis- and malinformation that can undermine public trust in American elections. The May 2022 issue of The Canvass offers seven considerations for talking about elections with constituents, informed by the perspectives and experiences of fellow state legislators.
Make Cybersecurity a Legislative Priority
While many cybersecurity measures are free and do not require enabling legislation, others might.
In recent years, states have enacted a variety of legislation relating to election cybersecurity. For instance, Washington exempted sensitive election infrastructure and cybersecurity information from public records requests in 2021, so that bad actors can’t ask for the keys to the castle (or the details of cybersecurity protections). Louisiana adopted a similar measure in 2020, while separately requiring annual cybersecurity training for every employee utilizing computer networks managed by the secretary of state. In 2019, Texas required the secretary of state to offer cybersecurity courses for county election officers, who are required to complete such training each year. The bill also outlines reporting requirements for known cybersecurity breaches.
In 2020, Indiana enacted legislation requiring counties to use threat analysis and cyber and physical security services through the secretary of state’s office. California authorized the secretary of state to require data security training for individuals handling voter registration information in 2019.
In recent years, states have also implemented cyber navigator programs—an individual or team at the state level tasked with helping local election officials take cybersecurity precautions. At least seven states—Florida, Illinois, Iowa, Massachusetts, Michigan, Minnesota and Ohio—have such programs in place. Illinois became the first state to establish a cyber navigator program after the 2016 election, and it did so through legislation.
For a complete list of enactments relating to election cybersecurity, please visit NCSL’s State Elections Legislation Database.
Stay the Course
“People say, ‘Oh, our machines aren’t connected to the internet, we’re fine,’” says Andino. “No, it’s bigger than that. Cybersecurity is an ongoing process—you can’t just tick a box and say you’re done—election officials must protect all aspects of their critical elections infrastructure." The bad actors are full-time, so monitoring cybersecurity threats is a 24/7 task too. She says states don’t have to go it alone. Take advantage of free resources and consider enacting legislation to establish safeguards or strengthen existing ones.
It only takes one intrusion to cast doubt and sow confusion, but armed with the proper tools, states can thwart attacks and strengthen election resilience.
One Big Number
Several big numbers, really. Runbeck Election Services is the nation’s largest ballot printing and mailing business, working with 180 counties across the country to help provide secure, accessible elections. Headquartered in Phoenix, here’s a by-the-numbers rundown of the business:
- 16 million: The number of ballots Runbeck printed for the 2020 presidential election—all mailed out within four weeks.
- 1,000: The weight, in pounds, of a single roll of ballot stock. Runbeck will use approximately 1,300 rolls just for the upcoming November election.
- 20,000-60,000: The number of ballots each ballot stock roll produces (depending on the length of the ballots, which can range from 11 to 22 inches).
- 1.2 million: The number of ballot “packages” (ballot, return envelope, instructions and anything else that needs to be mailed) that can be printed each day.
- 90,000: The number of square feet in use now (with an additional 60,000 square feet under construction).
- 200: The number of full-time, year-round employees (with an additional 150-200 temporary workers hired for several months prior to a general election).
- Unlimited: The number of tours Runbeck staff are willing to give. If you’re in or traveling to the Grand Canyon State, reach out to Tonia Tunnell, to arrange a visit. Can’t make it in person? Check out Runbeck’s Building of a Ballot video for a fascinating walk-through.
Q&A with Hawaii Sen. Karl Rhoads
Hawaii Sen. Karl Rhoads (D) has represented Senate District 13, located on Oahu within Honolulu County, since 2016. Previously he served in the Hawaii House of Representatives for 10 years.
When did you become chair of the Senate Judiciary Committee? Why did you want this role?
I became chair at the beginning of the 2019 session—my third year in the Senate. I was also the Judiciary chair in the House for four years. I am an attorney, so I’m interested in the issues this committee covers: crime, elections, campaign spending, social justice issues.
One of the biggest election administration changes in Hawaii was the move to all mail elections in 2020 (HB 1248). Can you tell me about that change—why it was made and how it has gone?
That change was made for two big reasons. One: we felt like it would make it easier for people to vote. They don’t have to take any time off to vote and can sit at the kitchen table to fill out the ballot, mail it back or bring it to a voter service center. The other factor was money: We estimated it would save $900,000 a year. We’re a little state, so every million counts. Before 2020, we were basically running three separate systems (Election Day voting, early in-person voting and mail voting, which about half of voters were using by 2018). At some point, it just made sense to consolidate.
I think it’s gone tremendously well. Our turnout went way up with all-mail voting. There were some glitches last year, but we passed a bill in 2021 to fix them (SB 548). It will help get the balance of voter service centers right, and we added an advisory committee for disabled voters to provide feedback to the office of elections.
What are your election policy priorities this year and into the future?
This year we passed a bill to allow ranked choice voting (RCV) for certain elections, as an experiment. For me personally, RCV makes sense—it’s a reflection of the true philosophical makeup of a district. The problem with plurality voting is especially egregious when there are 30 people on the ballot, and someone can win with just 7% of the vote.
We also made some changes with campaign finance. We had a major scandal this year when colleagues of mine in the House and Senate were both busted for accepting bribes. That was blatantly illegal, but there was a lot of pressure to do some reforms. One that’s not technically in effect yet, but has already kicked in culturally, is a bill to prohibit fundraising events during session (SB 555). There were almost no fundraisers by incumbents during this legislative session. That’s a major culture shift—everybody used to do it.
What aspect of Hawaii’s elections makes you the proudest?
The thing that makes me the proudest is that elections haven’t been totally politicized here like in other places. If you lose your election in Hawaii, you know you lost. I don’t know if it will say that way, but at the moment, I’m proud of the fact that we still trust our elections.
This interview has been edited for length and clarity.
Legislative Update
As of June 1, 2022:
- Fourteen states plus Washington, D.C., Guam, Puerto Rico and the U.S. Virgin Islands are in regular session.
- Thirty states have adjourned.
- Two states—South Dakota and Virginia—are in special session.
- Four states—Montana, Nevada, North Dakota and Texas—do not convene in 2022.
So far, 159 bills in 37 states and 2 territories have been enacted in 2022, a surprisingly low number. Of these, a dozen relate to elections technology (though many of these bills tackle other topics, as well).
Three bills in two states prohibited voting machines and tabulation equipment from being connected to the internet: Kentucky HB 216, Kentucky HB 564 and West Virginia HB 4438.
Three states defined and/or established requirements for electronic poll books: Indiana HB 1116, Kansas HB 2138 and Kentucky HB 618.
Two enactments addressed funding for elections technology: Maryland SB 158 clarifies that each county must pay 50% of the costs for acquiring and operating the uniform statewide voting system, and Mississippi HB 2879 creates a grant program for counties to acquire modern voting systems that produces voter-verifiable paper ballots.
Three states passed legislation providing electronic transmission of blank ballots for people with visual impairment or physical disabilities: Arizona SB 1638, Illinois SB 829 and Kentucky HB 564.
West Virginia HB 4312 allows first responders to submit electronic ballots, just as military and overseas voters and people with disabilities can in the Mountain State.
Virginia HB 927 and SB 3 add on-demand ballot printing systems and ballot-marking devices to the state’s definition of “voting systems.”