Collaboration was key to nation’s most ‘cyber-secure’ election to date

It’s been a little over a month since 2024’s general election, and directors at the nonprofit Center for Internet Security told StateScoop that it was collaboration between local election officials and law enforcement agencies that allowed for the most “cyber-secure” election to date.

Leaders at CIS, which operates the federally funded Elections Infrastructure Information Sharing and Analysis Center, said that while there were threats reported on Election Day — including cyberattack attempts, text message disinformation campaigns and bomb threats — none succeeded in seriously impacting voting operations. While CIS’s Albert network monitoring sensors and its Malicious Domain Blocking and Reporting technologies helped thwart these attempts, the directors said collaboration among CIS, law enforcement and election officials leading up to Election Day were perhaps most critical.

Marci Andino, senior director of the EI-ISAC, and John Cohen, executive director of the CIS program for countering hybrid threats, told StateScoop that preparation for 2024’s election started in 2022. The effort was led in part by Cohen’s hybrid threats team, which last year worked with the center’s cyber threat intelligence team to develop and share a threat assessment for the general election.

Andino said the threat assessment helped to quell the nerves of election officials, some of whom were new to the job or nervous about cybersecurity threats and physical threats. On Election Day, there were five bomb threats made to election locations reported by EI-ISAC members, and some state-level offices reported bomb threats across their states, totaling approximately 30 election-related bomb threats across the U.S.

“They were concerned — presidential elections are always different. They’re more contentious, they’re higher stakes,” Andino said. “And, you know, we had a lot of new election officials as well, and they wanted to know: ‘What should I expect, what kind of threats will be out there?’ And that report gave them the answer.”

The 2024 threat assessment was updated several times leading up to the election, Cohen said. The assessment explored cyber-specific threats, such as phishing attempts, ransomware and hacktivist campaigns that could target election offices, election officials and voters. It also explored how cyber threat actors might have used tools like generative artificial intelligence to stir mistrust online or threaten to critical infrastructure.

Andino said threats detailed in the assessment were exactly what election officials and law enforcement saw materialize on Election Day. In total, CIS reports there were roughly 50 cyberattack attempts, and CIS’s domain name system security service blocked 138,782 attempts to connect to malicious domains on Election Day.

“Looking back now, we were right on target, and what we warned about, what they prepared for, is exactly what they saw on election day,” she said.

‘All hazards approach’

While the information shared in the threat assessment was a key part of the preparation for 2024’s Election Day, Cohen said this information wouldn’t have been as effective without collaboration from state and local election partners and law enforcement agencies during the 2022 midterm election cycle.

“We started hearing from law enforcement and election officials that, ‘Hey, we want to build on that collaboration that began in 2022 and we want the collaboration to be driven by a more expansive understanding of the threat environment,'” Cohen said.

Collaboration included CIS conducting tabletop exercises for law enforcement and election officials, and hosting web briefings to share the threat assessment with a larger pool of folks.

“Once we completed the threat assessment, we began briefing a broad group of state and local officials regarding the threat. So it wasn’t just election officials, it wasn’t just law enforcement. We began briefing mayors, governors, governors, homeland security advisers, emergency managers, cybersecurity professionals — and as we continued over the course of the year to update that threat assessment, we continue to do the briefings”

There was also new collaboration happening inside CIS, between the EI-ISAC and countering hybrid threats program, which previously had not been as integrated. Andino added that the group has begun to make less of a distinction between physical and cyber threats, and threat actors that are foreign and domestic.

“We’ve shifted to more of an all hazards approach. We can’t just focus on cyber. The lines are blurred,” Andino said. “It’s really hard to tell where cyber ends and the physical threats and the other threats begin. So working with countering hybrid threats really gave us that that big picture, that holistic view, and though that’s exactly what election officials were having to deal with, so it just made sense to be able to talk to them about all of the threats and provide guidance and ways that they could mitigate some of those threats.”

Election Day isn’t over

On Election Day, EI-ISAC operated a virtual situation room, which Cohen said was attended by about 1,300 election officials and their staff members. They shared information with each other, CIS, law enforcement and federal partners.

EI-ISAC monitored information coming into the virtual situation room with help from its cyber threat intelligence and communications teams. Andino called it a “huge data and information sharing opportunity.”

Cohen said his team also operated a new data analytics tool from CIS that monitored for disinformation threats. The technology, he said, can determine whether a piece of content intended to spread disinformation, if it was generated by AI and where it originated from.

“We also enhanced our ability to assess whether content that was being promoted online was AI, was artificial intelligence, generated or not, and to uncover data that would help lead to us better understanding who produced that content, who introduced it into the ecosystem. How fast was it spreading across the online ecosystem? Because that allows you to to help shape your counter message, but it also gives you insight into trends that are developing of threat actor behavior,” Cohen said.

Cohen added that some law enforcement agencies and election officials that worked with CIS and EI-ISAC this election cycle said all the collaboration leading up to the election and on Election Day were extremely valuable for security. But, he said, the work isn’t over, because this year’s election season doesn’t technically end until the inauguration on Jan. 20.

“We’re happy with what’s occurred thus far, but our guard’s not down, and we’re still continuing to work with those same constituencies to ensure that the final vote tabulation, the state-level certifications and the national certifications and the inauguration of the next president, all happen in a safe and secure environment,” he said.