Election security lessons from Illinois

The Department of Homeland Security is touting increased protections and speedier collaboration between state, federal and private stakeholders to secure the 2020 elections, but state officials and experts say the federal government could be doing more.

An Oct. 15 field hearing in Gurnee, Ill., held by the House Homeland Security Committee provided lawmakers with an opportunity to view election security programs through the prism of state and local governments, who take on most of the burden of administering elections while working with a fraction of the monetary and technical resources the federal government can bring to bear.

Illinois suffered one of the most high-profile attacks in 2016, when its voter registration system was penetrated by Russian hackers looking to sow chaos about voter eligibility.

Steve Sandvoss, executive director for the Illinois Board of Elections, told the panel the state has fixed the software design flaw that allowed the Russians to gain access to voter registration files and has put together an emergency response team composed of state officials, representatives from DHS and the National Guard to provide emergency assistance in the face of an emerging attack.

The state has created a Cyber Navigator program, which makes experts available to election jurisdictions to help them best allocate new dollars, like the $380 million in leftover Help America Vote Act funds released by Congress last year, to achieve a better security posture.

"I think what they're doing is they're introducing to the local election the basic concepts of security but then taking it through, step by step, analyzing what's going to be needed to be as secure as can possibly be," Sandvoss said.

Matthew Masterson, a senior cybersecurity advisor at the Cybersecurity and Infrastructure Security Agency, told lawmakers they're far better prepared to sniff out and mitigate foreign interference efforts than they were in 2016.

Information and context about threats culled from DHS, U.S. intelligence communities and law enforcement agencies are now flowing through an election-specific Information Sharing and Analysis Center, where they're disseminated across the country, and Albert sensors designed to detect malicious activity targeting election infrastructure largely missing in 2016 have been deployed across the country.

Masterson said the technical support CISA provided to states has changed as the agency gained a greater appreciation for the specific needs of the election community. Initially, states were offered the same tools and services -- such as vulnerability scans -- provided to federal agencies and critical infrastructure. Masterson told the panel that strategy has since given way to tools that are "quicker, less intrusive and can scale."

As an example, he cited new penetration testing capabilities deployed by DHS in 2018 and 2019 that can remotely identify security vulnerabilities in election systems without having to deploy field teams to a targeted state or jurisdiction. He also promoted the agency's "Last Mile" initiative, which provides state-specific threat profiles and customized technical guidance to counties.

"This scalability is critical because while our initial efforts in 2018 were primarily targeted at state election officials, we recognize the need to increase our support to counties and municipalities who operate elections as well," Masterson said.

The agency has also taken a more active role advising political campaigns and their party organs on how best to protect their assets from hackers, creating guidance on disinformation tactics and pushing for more unclassified intelligence to be made available to the election community.

Security experts argue that many of the main vulnerabilities plaguing states like Illinois have long been known. Their potential remedies: a regular federal funding stream, mandates around paper ballots and risk limiting post-election audits. The Brennan Center for Justice has advocated for a $2 billion injection of state and federal funding to tackle those and other problems long term, including a nationwide expansion of Illinois' navigator program.

"We know what we need to do to harden our election infrastructure, but we're lacking in leadership and funding," said Elizabeth Howard, counsel for the Democracy Program at the Brennan Center.

Less certain is how to mitigate disinformation campaigns or lessen the impact of the bots and trolls that spread them. Sandvoss said his state is encouraging residents to report instances of disinformation online, but he acknowledged that a formal reporting chain between states, the federal government and social media platforms had yet to be worked out.

"We haven't solidified that yet, but I think the idea will be to communicate it probably to us and we would distribute it to our partners and it would eventually make its way to whatever social media company it originated from to get it corrected," he said.

CISA has established real-time information-sharing relationships with major social media platforms and works to spread awareness about emerging false narratives around when and where to vote, but researchers have noted that such campaigns tend to go well beyond simply spreading confusion about voting logistics around election day.