While state and local election officials deserve a “huge amount of credit” for improving their defenses against cyberthreats like ransomware and foreign-backed actors, top officials from the U.S. Cybersecurity and Infrastructure Security Agency said Thursday that insider threats — from individuals within election administration offices — are an increasing concern.
Speaking at the National Association of Secretaries of State conference in Baton Rouge, Louisiana, CISA Director Jen Easterly said election officials need to focus on an entire “landscape” of threats.
“If we focus too intently on one set of threats, we are very likely to miss those coming from another direction,” she told reporters. “Insider threats can do malicious things. They can also pose malicious physical threats.”
In recent months, breaches of election equipment have come under investigation across the country, following incidents in which unauthorized third parties have been given access to vote-tabulation devices, servers and other technology assets in attempts to prove baseless claims of widespread fraud in the 2020 presidential election.
In Colorado, for instance, Mesa County Clerk Tina Peters faces felony charges stemming from her alleged participation in a scheme to copy hard drives containing sensitive voting data. Michigan law enforcement officials are investigating similar efforts across multiple jurisdictions, Reuters reported last month.
While election administrators have long been wary of insider threats in general, Kim Wyman, a former Washington secretary of state who now leads CISA’s election-security efforts, said these recent incidents constitute a new thread.
“I’ve been doing this a long time,” Wyman, a Republican who ran Washington’s elections from 2013 until her CISA appointment last year, told StateScoop. “This is the first time we’re seeing people who work in an election office or the chief election officer share information — proprietary information — in ways we haven’t seen before.”
CISA’s library of guidance for election officials includes a 10-page document on insider threats, and Wyman on Thursday said administrators should be more cognizant of who has access to what.
“Be aware of your chain of custody and internal controls,” she said. “Much like a bank protects money, you never want to have a situation where staff gets in proximity of ballots by themselves.”
Those checks could include redoubling longstanding efforts like placing ballots and voting-related technology under constant video surveillance, or adding key-card access systems to the facilities holding those assets. Colorado, inspired in part by the Mesa County case, last month enacted legislation requiring all county election clerks to install round-the-clock video surveillance of voting system components and key-card access points to rooms where that equipment is kept.
“You want to make sure you’re limiting access to people that need to be there,” Wyman said. “Your server room — does anyone who’s not one of your IT people need to be there? No.”