It's forgivable if it has slipped the national mind during the coronavirus pandemic, but a national election is still scheduled for Tuesday, November 3, 2020. And there are still people who focus their attention on making sure that the election process is secure — people who are not entirely confident that "secure" and "election" are going to be the peanut butter and chocolate of autumn.
"Frankly, I think as an outsider I don't think anyone can tell you whether we're going to have a secure election. In some areas it happens by mail, some use voting machines from private organizations, and some use a combination. The problem is in our ability to audit the systems, not just the electronic, but the paper systems," says Sam Small, CSO at ZeroFOX.
The issues come, say experts, not just in trying to secure the results of an election but in trying to secure many different processes run by thousands of different individuals, using many different technologies — and doing it in a way that voters find both relatively convenient and trustworthy.
The question many jurisdictions are asking themselves is: Which set of risks are they (and voters) willing to tolerate? Whether it be the potential risk of vulnerable systems or potential health risk of visiting polling places in person, either may impact results.
"I think there's a big challenge for government to encourage people to vote and to feel safe doing it," says Small. "A lot of people who aren't versed in the [cybersecurity] risk are going to push for voting by app or voting by Web, and I think we need to exercise great restraint in choosing convenience over security."
Security of Layers
The American election process' security difficulties aren't for lack of trying.
"Secure voting and election security have been studied for more than 30 years. Some of the greatest minds in security have devoted years to the issue," says Small. "If you talk with any reputable security expert, they would tell you that this is one of the gnarliest problems in computer security. I think you'd be hard-pressed to find an expert who would tell you that you can host a secure election online. Even paper has problems."
In some ways, the difficulties are compounded by the fact that November 3 will not see an election — it will see hundreds, if not thousands, of elections. "There's the presidential election layer and there are other forms of election," says Israel Barak, CSO at Cybereason. Barak's different layers refer to the presidential election, congressional elections, state, and even local elections all taking place via the same ballot mechanisms.
"There are multiple layers at which an adversary could have an impact on a democratic process," he says. "Can these other layers be more easily manipulated than the presidential election?" Barak points out that these other races can easily have an impact on public policy and faith in government that is at least as great as the presidential election.
The layers can also refer to different factors that can have an impact on voting. "On the presidential side, we've been very focused on protecting the election infrastructure: the election machines, the voter roles, and the election count process," Barak says. "[However], we haven't paid as much attention to the second-degree systems. These could have an impact on how people get to the voting centers — keeping people at home rather than going out to vote."
The factors can also start long before voters head to the polls.
"I think it goes back to the security of our processes around the voter rolls. How legitimate are the voter rolls? How many people on those roles are deceased? How many actually have US citizenship and have the right to vote in US [federal] elections?" asks Bob Maley, CSO at NormShield. (Note: Only US citizens are permitted to vote in federal elections, though some jurisdictions allow noncitizens to vote in local elections.) "So I think those are election security issues that are higher in my concern than the other ones because, to be honest, with the people they can be easily influenced."
An Election Exercise
Cybereason has run a number of election simulation "table games" for US election and law enforcement officials, the most recent of which was in February. Dubbed "Operation Blackout 2020," the game pitted experienced security professionals against one another on red and blue teams.
One of the parameters of the game was that the red team efforts weren't confined to the vote-casting process — they included influencing the results of the election by manipulating new organizations, social media, and even traffic control systems with an impact on how voters in the fictional city of Adversaria might reach polling places.
In the exercise, the bad news is that the red team was able to create chaos. The good news is that the blue team was able to respond in a way that rendered the damage short-term. So what was learned that could help in an upcoming election?
(continued on page 2 of 2)
First, communications are key — and a new battleground. Effectively communicating with the news media and being able to use multiple channels of communication are key. Those new communication channels shouldn't exclude old-school methods, either. When attackers compromised law enforcement communications, amateur radio operators helped fill critical gaps until service was restored.
Next, new and developing technologies make threat prediction difficult and raise the level of unpredictability in the process. Law enforcement should have steady and positive communications with technology companies so they are aware of new technologies, how they can be used, and what at least some of the implications of their use might be.
Finally, no amount of planning could match reality. Developing playbooks can help turn certain responses into automatic actions, but law enforcement and elections officials must remain light on their feet and responsive to developing threats. They must also deploy and act sooner rather than later and quickly reach out to other agencies and actors to help.
Every Vote Matters
Taking all the threats into account, it may seem odd that many experts are optimistic about a successful, reliable election day in 2020.
"I think we have the capability. I really do," says Maley. "We did a report last year on some cybersecurity hygiene around government systems that touch the election. And in those reports, we found some states that are doing amazingly well."
Other states, he says, give him pause, and not necessarily because of actions in their election offices.
"Their ecosystem is not just the infrastructure that they manage, but it's all the third parties that they also touch," says Maley. "And in the election systems, the Department of State for each state usually manages those systems, and there are some who are extremely good at that. But there are some that then consume services from their states, things like email, domain name services, and they don't consider those things as part of the election systems. That frightens me."
And dealing with the overall issue of election security needs to start soon. Barak is adamant about election security before the polls open. He says that successfully suppressing votes for one party or candidate in key areas might lead citizens to question the validity of the entire election process.
"When they start looking at the process that keeps one party at home, people might ask whether the results are valid, and if the suppression is in a swing state, whether the national results are valid," Barak says.
And the worst result, the experts agree, would be for voters to lose confidence in the process of electing their leaders.
A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19.