higher education schools reopening covid

The U.S. is more prepared for cybersecurity attacks than ever before. But, as one cybersecurity expert put it, “Our adversaries are also more capable today.”

Don’t Sleep on Election Cybersecurity (Cyber Criminals Won’t)

By Amanda Zoch | April 6, 2021 | State Legislatures News

After the 2020 election, the Cybersecurity and Infrastructure Security Agency (CISA) and other members of the Election Infrastructure Government Coordinating Council proclaimed it “the most secure in American history.” More recently, the Departments of Justice and Homeland Security released a report finding no evidence of foreign interference in the election.

But lawmakers and election officials can’t celebrate just yet.

That report also discovered that Russian and Iranian campaigns “did compromise the security of several networks that managed some election functions” and “materially impact the security of networks associated with or pertaining to U.S. political organizations, candidates, and campaigns.” And cyberattacks during the 2020 election weren’t limited to election systems, political groups or campaigns. At a recent cybersecurity workshop, Gary Pruitt, president and CEO of The Associated Press, reported that the news agency was targeted with 10,000 phishing-attempt emails on Election Day 2020 alone. Since the AP serves as a central hub for reporting election results to the public, those attacks—even though they failed—are bad news.

The U.S. is certainly more prepared for cybersecurity attacks and issues than ever before. But Cliff Neuman, a University of Southern California computer science professor and cybersecurity expert, says, “Our adversaries are also more capable today.” As foreign actors develop more sophisticated cyberattacks, so too must the U.S. construct more sophisticated defenses.

Last month, Neuman joined NCSL alongside Adam Clayton Powell III, the executive director of USC’s Election Security Initiative, for a webinar on elections cybersecurity. The two experts discussed the threats to election security, our election system’s vulnerabilities and strengths, and what states can do in this fast-changing cyber realm. Watch the webinar here, or, for an overview and additional focus on legislative action, read on.

Cyberattacks: Who, Why and How

Most foreign actors intent on disrupting our nation’s election security come from Russia, China, Iran and North Korea, though other countries—including Cuba and Venezuela—have made smaller attempts. According to Powell, Russia is the one to watch—it has the budget for research and development and the people to implement these attacks.

Threats can be domestic too, coming from organized crime as well as individual criminals. Although foreign and domestic attacks may use similar methods, the intent typically differs: “Domestic actors are in it for the money,” Powell says. “Foreign actors are trying to discredit our election system, trying to discredit democracy itself.”

How do these attacks happen? Something as simple as clicking on a suspicious link or installing a bad app could download malware (short for “malicious software”) that disables a computer or voting system. Ransomware—perhaps the most notorious form of malware—disables a system, then demands a ransom before allowing the user to re-enable the system.

But attacks can do more than disable a system. According to Neuman, malware, viruses, worms, Trojan horses and other cyberattack methods can also steal data or, worst case, “modify a system to do things like change votes.”

Phishing is another popular attack approach, and it occurs when adversaries send messages that appear legitimate and ask the user to click on a link or log on to a website that looks secure but isn’t. Once the user has logged on to the faked website, they’ve just given the criminal their password—and possibly access to voter registration data, internal documents and other sensitive materials.

Other attacks include “supply chain subversion,” which is when malware is embedded into software or systems during the manufacturing and distribution process and prior to purchase; and “denial of service attacks,” which is when cybercriminals try to shut down systems by overwhelming them with fake queries or other communications. These cyber-attacks, notes Neuman, are “sometimes indistinguishable from a simple failure,” and he points to a recent situation in Virginia where workers on a sewage project accidentally severed a fiber optic cable and shut down the state’s online voter registration system on the final day of voter registration.

What States Can Do

Overwhelmed? Fear not. Powell stresses, “One of the great strengths of American elections is that we’re decentralized.” That doesn’t mean our systems don’t have weaknesses, just that it is very difficult to tamper with the election at the point of voting because there are so many different targets.

In fact, states and election officials are more aware of cybersecurity threats than ever before. According to Neuman, that awareness—coupled with support from CISA and the U.S. Election Assistance Commission—has helped states protect their elections infrastructure. Most election systems now include a paper trail and isolate election tabulating systems from the internet. He adds, that “when outcomes were questioned—and yes, the outcomes were questioned—the officials in charge were able to speak with greater confidence that the results were correct and there was the ability to do the manual recounts in those instances where there actually was a concern.”

States are taking many of the necessary steps to protect their elections, so what else can legislators do?

  • Revisit Laws, Policies and Training Around Election Security: Does your state require a paper trail? Is your vote tabulation system sufficiently isolated from other systems or networks? Can your voting machines be accessed via the internet? Are election officials or others who access voter registration or tabulation data trained on security best practices? See the table below for examples of relevant legislation.
  • Become and Stay Informed: “What we [states] need to do now,” says Powell, “is not to relax our vigilance.” As adversaries become more inventive, states and election officials must stay on top of updates from the Department of Homeland Security, CISA and other cybersecurity experts.
  • Collaborate: Powell also adds that every state has cybersecurity assets, such as the National Guard and even cybersecurity centers at universities. And Neuman stresses that elections aren’t the only site for cyberattacks, so costs for cyber defenses and other security upgrades can be spread across not just the election community, but government in general.
  • Educate Voters: Mis- and disinformation were significantly entwined with cyberattacks in 2020, and states can help counteract misleading information by encouraging voters to rely on trusted sources. The best source? Always the state election official’s website.

There’s always more work to be done on this front, but as Powell emphasized at the end of our webinar, election officials in all 50 states displayed “a level of commitment and professionalism that was remarkable under the most difficult circumstances we will probably face in our lifetime. Everybody took security very seriously. Everybody took elections very seriously.” And “everybody” includes legislators.

Recent Legislative Action

In 2020, four states passed five bills on cybersecurity.

  • Indiana required each county to use a cybersecurity company designated by the secretary of state to investigate cybersecurity attacks and analyze security risks.
  • Louisiana required the secretary of state to establish cybersecurity training for people with access to the state’s voter registration computer system and prohibited election officials from disclosing various types of computer system information.
  • Virginia required its State Board of Elections to identify, assess and address threats to election integrity.
  • Washington enacted new policies to address security breaches of election systems by foreign actors.

While no cybersecurity bills have yet passed in 2021, many are pending and may see further action before session ends. See the table below for more details, and scroll further for additional resources.

2021 Election Cybersecurity Legislation

State

Bill

Status

Summary

Arizona

SB 1242

Pending

Requires a committee appointed by the secretary of state to conduct a detailed review of election equipment security every two years.

Arizona

SB 1616

Pending

Prohibits any voting equipment used in a polling place or voting center from having internet access, any accessible port, and any access to data or results. Requires the delivery, use and return of the equipment to be logged on a chain of custody document.

Arizona

SB 1638

Pending

Requires the secretary of state to revoke the certification for vote recording and vote tabulating machines and devices by the August 2022 primary election unless they are manufactured in the United States and maintain an internal record of every insert and removal of a mass storage device, every software update and connection to the internet and every key stroke or screen touch made.

Arizona

HB 2359

Pending

Requires that any port, plug, door or other method of physical or electronic access to any voting machine or electronic pollbook shall be secured to prevent any unauthorized access. Requires the county to document and verify security procedures regarding access before any voting machine or electronic pollbook is placed into service for an election.

Arkansas

SB 487

Pending

Requires counties to certify to the secretary of state that the county has a secure electronic connection sufficient to prevent unauthorized access to the voter registration database and voting equipment.

Georgia

HB 326

Pending

Prohibits voting devices or systems used in any election from using any form of wireless network cards or wireless technology. Provides for the removal or disabling of such cards or technology before using such devices or systems.

Hawaii

HB 853

Pending

Provides that no electronic voting system or tabulator shall be used if the tabulators, voter assistance terminals, memory cards and flash drives cannot be securely stored or air-gapped from internet, Wi-Fi and Bluetooth access.

Illinois

SB 350

Pending

Amends the Freedom of Information Act to exempt from disclosure risk and vulnerability assessments, security measures, schedules, certifications and response polices or plans designed to detect, defend against, prevent or respond to potential cyberattacks on election systems. Also exempts the disclosure of any records that would constitute a risk to the proper administration of elections or voter registration.

Illinois

SB 2038

Pending

Among other security and chain of custody changes, requires the State Board of Elections to implement software that monitors and detects vulnerabilities to the security of the voter registration rolls. 

Illinois

HB 1972

Pending

Prohibits a voting machine from being connected to the internet while being used to cast votes.

Indiana

HB 1288

Pending

Among other provisions, provides that a voting system using an automatic tabulating machine may be tabulated only within Indiana and that the results from a voting system must be published to the public before any results are transmitted outside of Indiana.

Kansas

HB 2334

Pending

Prohibits the networking of electronic voting machines.

Kentucky

SB 63

Vetoed by governor

Provides that no voting system shall be connected to the internet.

Kentucky

SB 244

Pending

Provides that no voting system shall be connected to—nor have the ability to be connected to—the internet, a modem or network of any type.

Montana

HB 530

Pending

Requires the secretary of state to adopt rules—on or before July 2022—defining and governing election security using federal election best practices as recommended by the U.S. Election Assistance Commission and the national institute of standards and technology of the U.S. Department of Commerce.

New York

AB 829

Pending

Authorizes the State Board of Elections to reject the use of voting machines or systems on that grounds that such machines or systems are not proper, safe or secure.

New York

AB 830

SB 4865

Pending

Requires a “.gov” domain name for websites maintained by a board of elections.

Ohio

SB 14

Pending

Requires the secretary of state to adopt standards for the security and integrity of voter registration systems and that no voter registration system shall be approved by the board of voting systems examiners, certified by the secretary of state or acquired by the secretary of state or a board of elections, unless it meets those standards.

Washington

HB 1068

Pending

Exempts election security information from public records disclosure.

Washington

SB 5382

Pending

Requires the secretary of state to contract with individuals for the purposes of a security test of the voter registration system and that such testing must analyze system gaps and other flaws that could allow potential fraudulent or duplicate voter registration to occur.

 

Additional Resources