Cybersecurity

Group warns of gaps in election infrastructure

voting security 

The Department of Homeland Security's (DHS) cybersecurity agency has worked since 2016 to help states protect their election infrastructure from electronic attack, but it only takes one small breach to dent confidence in the systems, according to a digital rights and technology expert.

"There has been a ton of effort from [the Cybersecurity and Infrastructure Security Agency] and others," said William Adler, senior technologist for elections and democracy at the Center for Democracy and Technology (CDT).

"But cybersecurity is an active process. Threats are constantly changing and evolving, so we need to keep making the case that election officials need to prioritize cybersecurity and not be complacent," he said during a conference call with reporters on Oct. 16.

On the call, officials at the technology and digital rights advocacy group explained the variety of threats facing the upcoming elections, from voter suppression, to misinformation about mail-in ballots and cybersecurity.

The election, noted the CDT officials, is already underway, with millions of mail-in ballots already filed. In person voting system infrastructure is only weeks away from being used on Election Day, Nov. 3.

CISA officials are confident in their agency's work with states since the 2016 election that saw states' voting infrastructures scanned, and in some cases, compromised, by Russian-backed operators.

Adler expressed confidence in CISA's and states' work over the last four years tightening up voting infrastructure cybersecurity. But even an unsuccessful attack, if detected and publicized, can sow misinformation and undermine confidence, which is a Russian goal, according to Adler.

"It doesn't have to be a major breach or an altering of election results," he said.

The 3,000 county governments across the U.S. responsible for maintenance of local election systems offer multiple points of potential vulnerability.

"It's possible one of those counties is doing a less-than-stellar job. Even an insignificant breach in a small county can sow misinformation about state-wide or country-wide issues," said Adler.

Advances in cybersecurity capabilities and services from CISA and vendors don't help financially strapped county governments acquire new equipment or needed upgrades.

"Too many counties are using devices with known security vulnerabilities, no paper trail, or both," he said.

Out-of-date or vulnerable technology means local governments have to be very aware of physical security measures to protect the software, according to Adler. Some lapses in physical security have already been noted this election season, he said. However, he noted that localized attacks on voting machine software and other tactics are difficult to scale up to have any significant impact on larger election results.

"I think we'll have to see. It's theoretically possible, but I don't know if it's realistic," he said.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


Featured

  • Government Innovation Awards
    Government Innovation Awards - https://governmentinnovationawards.com

    Congratulations to the 2020 Rising Stars

    These early-career leaders already are having an outsized impact on government IT.

  • Cybersecurity
    cybersecurity (Rawpixel/Shutterstock.com)

    CMMC clears key regulatory hurdle

    The White House approved an interim rule to mandate defense contractors prove they adhere to existing cybersecurity standards from the National Institute of Standards and Technology.

Stay Connected