Online campaigns aimed at misleading the public about the voting process, particularly the availability of mail-in ballots or tallying of votes, are the biggest digital threat to election security this year, a panel of experts told members of Congress on Tuesday.
Speaking to an online session of the House Homeland Security Subcommittee on Cybersecurity, witnesses said state and local election officials need to make sure not only that their IT assets like voter registration databases are well-defended, but that the public’s trust is protected, too.
“It’s not just the cast and count of the vote,” said John Gilligan, the president and chief executive of the Center for Internet Security. “It’s what’s the confidence level the American public has in the system?”
Amber McReynolds, who runs the National Vote at Home Institute, which promotes the expanded use of absentee voting, said officials need to be prepared to correct disinformation and misinformation about mail-in ballots, especially in states that are trying to expand voting by mail in response to the COVID-19 pandemic. These campaigns, she said, may include evidence-free allegations that mailed ballots are inherently fraudulent, a charge that has been leveled repeatedly by President Donald Trump and members of his administration.
“Threat actors may leverage limited understanding regarding mail-in voting to mislead the public,” she said. “This includes casting doubt without evidence about the integrity of the mail-ballot process.”
McReynolds, a former elections director in Denver, said mail-in ballots are subject to multiple layers of scrutiny, like signature matching, and that instances of fraud are “exceedingly rare.” Her comments echoed guidance released last Friday by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency on the risks associated with mail-in voting, and recommended that election administrators, candidates, media and nonprofit groups take steps to educate people about how mail ballots work.
At one point, Rep. John Joyce, R-Pa., asked Gilligan, whose organization runs the DHS-backed Election Infrastructure Information Sharing and Analysis Center, to describe his “worst-case” scenario. Gilligan said that the 2016 election, during which Russian military intelligence officers attempted to access states’ voter registration databases, fit that description and that state and local officials’ efforts to bolster their cyberdefenses since then have made a difference.
“The security measures we have in place are vastly improved over what we had a short four years ago,” he said.
In an interview with StateScoop after the hearing, Gilligan said that while “misinformation and disinformation are significant concerns,” states and many local jurisdictions have made significant IT investments aimed at improving the cybersecurity around their election infrastructure. Many of the solutions have been furnished by CIS, including the Albert brand of network intrusion monitors, which have been installed nationwide, with a handful of states, like Florida, deploying them in every county election office.
“Money that’s come from Congress has been used to buy new equipment, do multi-factor authentication, redesign databases so they’re better protected,” he said. “While there is no system that’s not able to be attacked, the defenses are much, much stronger.”
The EI-ISAC is also distributing endpoint detection and response software to its members, to give administrators a better view of devices on their networks, which is crucial when updating voter files or downloading voter lists to the electronic poll books that go to polling places.
And two weeks ago, Gilligan said, CIS started a service that prevents state and local government devices from connecting to known malicious websites, noting that “many of the threat attacks require back-and-forth communication.”
The new service, similar to one the National Security Agency recently piloted at the Defense Department, uses a secure DNS to ensure users are only routed to safe connections. So far, Gilligan said, 600 of the EI-ISAC’s member organizations have signed up, a number he hopes to see rise to “a couple thousand” by Election Day.