The Cybersecurity and Infrastructure Security Agency on Wednesday released a guide to digital threats facing state and local election officials and recommendations on how to mitigate them in the run-up to November.
The “Cybersecurity Toolkit to Protect Elections” aims to help election administrators and their staffs protect themselves against threats including phishing, ransomware, email scams, denial-of-service attacks and other vectors that could potentially disrupt the voting process or confuse voters. The guide notes, for instance, that election officials “are often required to open email attachments, which could contain malicious payloads,” to run processes like absentee ballot applications.
It also warns that a ransomware attack against an election office could scramble or leak voter registration data or the software used to publish unofficial election results.
The cyber toolkit is the latest output from CISA’s Joint Cyber Defense Collaborative, or JCDC — the year-old initiative borrows its name from the band AC/DC — and comes as CISA Director Jen Easterly and many election officials gather in Las Vegas for the Black Hat and DEF CON events. Easterly launched the JCDC effort in 2021 to build engagement between federal cyber authorities, the tech industry and state and local governments.
Easterly told Axios on Wednesday that JCDC, which includes more than 20 major tech companies including the likes of Microsoft and CrowdStrike, spent its first year dealing with large-scale attacks, like the Log4j vulnerability, and is now focusing on other sectors, including elections. She said JCDC participants have recently started briefing state and local election officials.
Much of the recent national discussion on election security has focused on harassment of election workers, disinformation and misinformation and insider threats at local election offices — all largely fueled by ongoing falsehoods about the 2020 presidential election. The cyber toolkit, CISA said, is meant to help address technological resiliency.
Some states have also taken their own measures. Ohio Secretary of State Frank LaRose in June issued a security directive that expanded vulnerability scans on county election boards’ networks and ordered election tech vendors to develop vulnerability disclosure policies.
And the Election Infrastructure Information Sharing and Analysis Center, a resource- and intelligence-sharing operation funded by the Department of Homeland Security, recently announced an initiative called “Cyber STRONG” promoting its own risk-assessment and network-protection tools.