For many, the final week leading up to Election Day will be spent doomscrolling through poll results, enduring wall-to-wall campaign ads during every television commercial break and nervously refreshing some number-crunching Electoral College forecast.
But as Election Day draws near, the IT and cybersecurity officials backstopping their states’ voting processes are projecting much more calm than your Facebook feed or family group text.
“The technical pieces are in place, the planning is in place,” said Jeff Franklin, the chief cybersecurity officer in the office of Iowa Secretary of State Paul Pate. “We’re checking the locks on the doors and that the windows are shut and walking through that checklist.”
Within the election security community, if the 2018 midterms — the first nationwide vote since the federal government declared elections to be critical infrastructure — were the “dress rehearsal,” 2020 has been considered the “big show.” In just the past few weeks, U.S. officials, led by the FBI and the Cybersecurity and Infrastructure Security Agency, have pumped out multiple alerts, including warnings that a Russia-linked hacking group has breached state and local networks and blaming Iran for a string of threatening emails to voters.
And while the overall level of malicious cyber activity appears to be down from 2016, other threats, like misinformation and disinformation, still abound.
‘180 degrees different’
Preparations for the 2020 election have been underway for more than a year, well before the eruption of a deadly pandemic that’s killed 225,000 in the United States and upended how people will cast their votes. Thousands of state and local election offices are hooked into the Elections Infrastructure Information Sharing and Analysis Center, and the federal government plans to stand up a nationwide “situational awareness room” to gather on-the-ground information from local officials, CISA Director Chris Krebs told CyberScoop recently.
Similar efforts are underway at the state level, with statewide officials preparing open channels to hear from their county-level partners and creating election-night war rooms of their own to pounce on any questionable network activity or bit of misinformation that pops up as polls close and vote-tallying begins. It all makes for a much different, more dynamic approach compared to the last presidential cycle, said Trevor Timmons, the chief information officer to Colorado Secretary of State Jena Griswold.
“Compared to 2016, it is 180 degrees different,” he said.
Timmons praised CISA’s hiring of several former state and county officials to lead the federal agency’s election-security efforts, as well as CISA and the FBI revising their information-sharing policies earlier this year. But he also pointed to some of his office’s own recent efforts, including the creation in July of a dedicated anti-disinformation unit that scans social media and foreign-backed media organizations like RT and Sputnik, and a recent series of penetration tests conducted by the security firm Synack.
“We saw good value,” he said. “They found a couple things not spotted by DHS.”
These included, he said, a bypass to the reCAPTCHA user verification tool on one of his office’s websites.
Preparing the war rooms
On Election Day itself, Griswold’s office will be running a command center to watch for and respond to malicious online activity or disruptions at its polling places, though owing to COVID-19 capacity restrictions, some participants may be connecting virtually.
“We didn’t need to do it the way we usually do it, with 20 to 25 people in the room,” Timmons said.
In Iowa, Franklin is also readying an election-night war room, where officials from Pate’s office, the state Office of the Chief Information Officer and other agencies will watch for any disruptive events, including misinformation and disinformation, network intrusions, natural disasters and civil unrest.
“What we are going for is that holistic cybersecurity approach,” he said.
Meanwhile, Franklin’s been in regular communication with the auditors who run elections in Iowa’s 99 counties, sharing threat intelligence that comes through the EI-ISAC and other channels, and implementing security tools from vendors including Cisco and FireEye. He also said that he worked with an Iowa-based security information and event management vendor, Pratum, to develop an incident response plan to be used by all counties, many of which are small and rural.
“Anything that’s a hot topic, [the auditors] have had an opportunity to bring it up with me,” he said.
‘All queued up’
Still, the last few weeks have been far from seamless. In addition to the alerts about foreign malign activity, election officials around the country have had to respond and react to incidents like outages to voter registration websites and, in one Georgia county, a ransomware attack that slowed the processing of absentee ballots.
“We prepare for all the scenarios,” Franklin said. “Ransomware’s not new, them targeting local governments is not new. There are phishing attacks, there are spoofing efforts going on. We’re on top of those and monitoring.”
Timmons said he’s been asking officials in Colorado’s 64 counties to pay close attention to the alerts he sends downstream and to report any suspicious network activity as quickly as possible, including samples. If that happens in the lead-up to or on Election Day, he said, his team will be quick to respond.
“The first thing to do is jump in, contain and recover,” he said.
But Timmons’ confidence in the long preparations for a much-anticipated and contentious election against a turbulent national backdrop shouldn’t be mistaken for a lack of cautiousness.
“We’re all queued up on pins and needles,” he said.