Experts tout election security gains since 2016

Federal, state and local officials face an unprecedented number of challenges in carrying out a smooth, safe and secure election this year. Ones that continue to worry lawmakers, voting rights advocates and security experts.

However, a number of experts are telling Congress that while many of those concerns are valid, they and the broader public should not to lose sight of many of the substantial gains that have been made since 2016 that have closed or significantly narrowed security gaps that were wide open four – and even two – years ago.

"Simply put, compared to 2016 and 2018, the security of the elections infrastructure looks quite different in 2020," said John Gilligan, President and CEO of the non-profit Center for Internet Security during an Aug. 28 House Homeland Security Committee hearing. "While there are no guarantees in cybersecurity, I can assure you that the security defenses we have in place for 2020 are vastly improved over those in place a short four years ago."

Much of that work has been done around improving vulnerabilities that were not only known but often exploited by Russian hackers in 2016, such as probing (and in some cases compromising) voter registration databases, phishing vendors who develop election management or voting software and running covert information operations on social media platforms that went largely undiscovered until after election day.

According to updated statistics provided to FCW by the Cybersecurity and Infrastructure Security Agency last week, the agency has put in place tools and technologies to respond to those weaknesses and monitor for cybersecurity threats.

In partnership with CIS, the agency has helped to deploy 276 Albert sensors across all 50 states, the District of Columbia and at least 222 local election networks. The sensors act as intrusion detection systems, monitoring network traffic on voter registration systems and other election software, for signs of malicious probing or attacks by hackers.

CISA has conducted 131 remote penetration tests and 59 onsite risk and vulnerability assessments for local election infrastructure, and approximately 263 election officials around the country are receiving weekly vulnerability scan reports. The agency has also helped train thousands of election officials through online security courses, delivered "last mile" election information to more than 5,500 localities and provided trend analysis about risk and vulnerabilities and the latest threats to election infrastructure to the election community.

In addition to tools like Albert sensors, Gilligan pointed to endpoint detection and response programs that have been implemented by some election jurisdictions as well as domain blocking and reporting tools that prevent elections offices and computers from connecting to known malicious websites as examples of protections in place today that were virtually non-existent before 2016.

One thing election officials weren't counting on this year was a pandemic that threatens to deter millions of registered voters from safely casting their ballots in person. While many states have adjusted by moving to dramatically expand absentee (or mail) voting, they must contend with a surge of new voters who are unfamiliar with the proper procedure and disinformation from politicians and unscrupulous actors seeking to cast doubt on the reliability of mail-in ballots.

Amber McReynolds, CEO of the non-profit National Vote at Home Institute, echoed claims from other experts that voting-by-mail is no less safe or secure than other forms of voting. To the extent that there are unique risk considerations, such as those highlighted by a July vulnerability assessment done by CISA they can be mitigated in part or in whole through voter education and awareness campaigns, as well as technologies like ballot tracking systems or analog procedures like risk-limiting audits for paper-based ballots that provide election officials with a trove of data to track and verify individual votes.

"No election system is perfect, and this is why it's critical to continually review and improve systems by enhancing security access transparency, particularly in this unprecedented time," said McReynolds.

While the consensus of most election officials and security experts is that this expansion can be done safely and securely, many election administrators are being bombarded by false information, vitriol and abuse from politicians and voters around the issue of mail-in ballots.

In fact, while experts on the panel expressed optimism around a range of election issues, one of the areas they continue to be most concerned about leading up to election day this year is disinformation. Such campaigns have become markedly easier to establish and scale up through the use of widely available, open source tools that make it easier to push messaging through a coordinated network and interact with targeted groups of voters.

While much of the activity in this space is actually being carried out by domestic actors, some worry they also offer a message for countries like Russia, China or Iran to latch onto and promote through their own campaigns.

Security assessments about vote by mail, such as the one done by CISA, indicate that "if people spread [misinformation] and disinformation about the vote by mail process, if they say the process is easily rigged, that's the kind of thing that can be easily amplified by foreign adversaries," said David Levine, an elections integrity fellow at the Alliance for Securing Democracy.

Disseminating false or unsupported claims about voter fraud associated with vote by mail can make voters more skeptical about voting, undermine confidence in election results and give permission to state and local governments to restrict access to their citizens.

Just this week, Texas director of elections Keith Ingram wrote a letter to officials in Harris County threatening legal action if the county proceeded with plans to mail absentee ballot applications to their 2 million registered voters, saying it could cause voters who aren't eligible "to provide false information on the form." Absentee ballot applications are not used to cast votes, they simply make it easier for registered voters to legally apply for a mail-in ballot if they are eligible. Texas Republicans have also gone to court to block other localities from expanding vote-by-mail during the pandemic, often citing unsubstantiated charges of voter fraud.