In a time of growing political polarization, election results hold the power to alter policies, programs, laws, and in some cases, the trajectory of our lives. The stakes have never been higher. Jim Condos, the former Secretary of State in Vermont, sees it this way: "Your vote is your voice, and what we're all looking for is a free, fair, and accurate election process."
In this blog, we look at the challenge of achieving secure elections. “It’s a race with no finish line. Cybersecurity is ongoing; it never ends. What you see today is going to be different tomorrow,” says Condos.
Election tech ecosystem
Election security involves a multitude of complex systems, including website hosting, electronic voter registration, paper ballots, mail-in voting, early voting, and voting tabulators. These systems have evolved, bringing both convenience and complexity to the electoral process.
In the modern electoral landscape, technology, algorithms, polls, and the challenge of disinformation all wield significant influence. Casting a vote isn't simply about turning up at the polling station; it's about the intricate web of data and technology that shapes voters' choices on the ballot, and the systems in place to get that vote tabulated and reflected in the results.
Technology can unlock voter access, or obstruct it
On one hand, technology enhances voter engagement, providing crucial information about polling locations, hours, deadlines, and drop-off locations. On the other, it can influence voters with misinformation about candidates and issues, thanks to online algorithms shaping what we see. The internet is where people go for information, and finding ways to safeguard the integrity of that data is the challenge.
In a climate where sensational content is rewarded by clicks and views, and with the absence of legislation against false information, it becomes the voter’s burden to discern fact from fiction.
Protecting the systems around the vote
Election security encompasses a multitude of intricate systems, from website hosting to electronic voter registration and paper ballot tabulators, all demanding stringent security measures. Regular testing, monitoring, intrusion detection systems, firewalls, and data backups are some of the essentials to maintain the integrity of these systems.
Jim Condos highlights the significance of preventative measures, recommending daily backups to minimize data loss in the event of an attack. “In 2016, the Russians learned they couldn't change votes, but they could tamper with voter registration data. Having a daily backup kept us on top of any unusual changes.” He also shared a best practice for cross-referencing paper ballots in a post-election audit. “Every single vote has a paper ballot to match it and this provides an extra layer of security.”
Clear communication and well-defined incident response procedures are crucial. In the case of results reporting, if third-party software providers are involved, they should be included in incident response plans. Collaboration between state and local election districts is also key. Having Standard Operating Procedures (SOPs) in place ensures everyone knows how to respond when an incident occurs.
When Condos saw Russian attempts to infiltrate his system, he went right to CISA and within the hour an alert went out to all 50 states to look for similar attacks. Keeping national organizations like the Cybersecurity and Infrastructure Security Agency (CISA) in the loop helps keep attacks from spreading. Attack attempts should be reported to the Federal Election Commission (FEC), social media platforms, news outlets, and local election officials.
Election security is a shared responsibility
Government Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) play pivotal roles in creating and maintaining a secure election environment. Their responsibilities include risk assessment, cybersecurity training, regular security audits, disaster recovery planning, and fostering collaboration with various stakeholders.
But safeguarding election data is a shared responsibility, encompassing election officials, government CIOs, CISOs, and the public. Often, voter data comes from other agencies such as the Department of Motor Vehicles or the Department of Transportation, so protecting voter information may require a whole-of-state-government approach. By implementing robust cybersecurity measures, maintaining transparent processes, and adopting voter verification protocols, we can ensure that every vote contributes to a secure and resilient democracy. Finally, report misinformation when you find it to stop the spread.
Resources you can use
The protection of election data has become more critical than ever, given the weight of what an election result can mean for a community or country. If you’re looking for a confidence boost in your methods for securing election technology, review these resources:
NIST Guidelines: The National Institute of Standards and Technology (NIST) released guidelines that give election officials a roadmap for preparing for cyber threats during elections.
CISA Cybersecurity Toolkit: The Cybersecurity and Infrastructure Security Agency (CISA) has compiled a toolkit to help state and local government officials, election officials, and vendors enhance the cybersecurity and cyber resilience of U.S. election infrastructure.
DHS's Multi-State Information Sharing and Analysis Center (MS-ISAC): MS-ISAC offers cybersecurity resources, including free security awareness materials and guidelines specifically tailored for state and local governments.
Advice to share with voters
Make sure your constituents know that not all news stories are from credible sources. A tip for people seeking election information online or in social media feeds is to take a quick look at the domain linked to the story. For example, if the URL ends in .ru (Russia) or .cn (China) but the story is about an election or event that’s not happening in Russia or China, exercise healthy skepticism, as these domains often represent less sophisticated actors.
It's also crucial for media consumers to know how to distinguish between opinion pieces and factual reporting so they are aware when they are reading biased information. Opinion pieces typically adopt a first-person perspective and may feature "op-ed" in the heading.
We encourage security leaders and their constituents alike to explore free cybersecurity training resources so they can recognize when they’re hit with misinformation or, worse, phishing emails around campaign donation requests. Numerous reputable organizations and online platforms offer comprehensive cybersecurity courses. One such example is Cybrary, a platform renowned for its collection of free courses and resources on a wide array of security-related topics.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.