How CISA fights cyber threats during primary election season

After the integrity and security of the US elections took center stage following the 2020 presidential race, the Cybersecurity and Infrastructure Security Agency (CISA) is doing everything it can to allay security concerns about traveling to the polls this year.

CISA officials said on Super Tuesday that the agency has set up an election operations center in its offices in Arlington, Virginia, to coordinate responses to primary threats — although according to a senior official speaking on the matter, so far no credible threats have been detected for the many races that took place on Tuesday or in previous primaries.

“We have had phenomenal connectivity with state and local officials and other partners,” the person said. “We observed nothing out of the ordinary and there were no known or credible threats to election operations.”

Nonetheless, CISA, along with several other organizations, has strengthened various cybersecurity support resources for elections generally, including multiple programs for state and local election officials and volunteer poll workers.

These efforts include various in-person training courses, guidelines for conducting tabletop safety exercises, and the publication of various best practice guidelines. Additionally, the agency has hired specific cybersecurity specialists to support each of its 10 regional offices.

And since January, CISA has been assembling its own Protect2024 website with an extensive collection of practical advice for state elections staff on how to improve their cybersecurity posture, protect network resources, and respond to incidents.

“Election officials have been preparing all year to ensure a safe and secure election, and CISA has been there to support them,” CISA Director Jen Easterly said in a recent media statement.

“It’s a real team effort,” said an agency official at yesterday’s briefing, who also said the biggest potential threats are distributed denial of service (DDoS) and ransomware attacks that could disrupt normal electoral operations. Elections recently held in Bangladesh were disrupted by DDoS attacks, for example.

Yet the nature of election risk has evolved far beyond traditional security concerns, prompting additional efforts from CISA and its partners, as well as the private sector, according to researchers.

AI, deepfakes, and influence: Growing sophistication in election attacks

Part of the problem with election security this year is that attackers have become more sophisticated in their use of GenAI to create deepfake video clones that influence voters and spread through social media groups, along with ongoing attacks by foreign governments and criminal malware gangs spreading misinformation.

A now-infamous example of a deepfaked Biden lending support before the New Hampshire primary is illustrative of the problem, but Padraic O’Reilly, chief innovation officer at CyberSaint, points out that deepfakes have spread around the world. Recently, they have been used against candidates running in both Slovakia and Argentina, and it is not far-fetched that the United States will see more of them.

“A candidate in Slovakia was in favor of raising the price of beer, obviously it was fake,” he said. “But that’s the inherent risk of having distributed voting systems, there’s always some risk inherent in them.”

AI isn’t the only problem, either. “There’s a whole new dimension sowing doubts in the electoral process that has a greater psychological impact,” says Tom Hegel, threat researcher for SentinelOne Labs, adding that he is seeing more crowdsourced attacks and disinformation attempts.

Indeed, one of the biggest changes from four years ago is that losing candidates do not always concede, claiming election interference and spreading more misinformation, which is then amplified through social media.

“This involves state-sponsored actors pretending to be citizen activists or sending emails to large voter databases pretending to be members of Proud Boys or other organizations,” Hegel notes. “It’s incredibly depressing, especially when you see your family members falling for these businesses.”

To supposedly stem the tide, 20 social media and other technology providers last month published a manifesto at the Munich Security Conference promising to fight these fakes, but not necessarily remove them.

But many press reports characterized the so-called “technology agreement” as a mostly voluntary, largely symbolic effort that is more ineffective than proactive or protective. “Vendors ask us all to trust them to self-police their networks. But it usually doesn’t work. They don’t want to give up revenue from network traffic produced by fakes,” says O’Reilly.

As Hegel points out, “Removing most trust and safety teams from social networks is also a contributing factor and has allowed the flourishing of false online personas attacking elections and democracy.”

On the defensive front there is good news: after the 2020 elections, CISA put together the Rumors versus reality website designed to address various election-related myths. Since then, it has inspired many states to create their own pages that dispel myths, like that of Colorado. That state has a rapid response IT unit made up of five cybersecurity and communications professionals, created as a misinformation task force to help local election officials combat “election theft” myths and other forms of misinformation.

The physical threat to US elections and personnel

Other election security efforts by CISA and its partners focus on the security of electronic voting machines and, unfortunately, also on the physical security of election workers.

On the former front, MITRE held a hackathon last fall that brought together machine vendors, ethical hackers and election officials to find and fix bugs in the equipment before it was deployed at local polling places. “The MITRE event brought together the practice of vulnerability disclosure with hands-on security testing from some of the most experienced and innovative ethical hackers in the country,” Kayla Underkoffler, head of security technology at HackerOne, wrote in a post.

And in September, the first ever Election Security Research Forum Hackathon involved organized pen testing and bug hunting for digital scanners, voter marking devices, and electronic voter records, with a primary focus on technology voters might encounter at a polling place.

However, worryingly, voting machines are truly a 2020 problem.

“The issue is more about the supply chain for local and state government networks, which in many cases are smaller vendors,” says Tony Pietrocola, president of AgileBlue, a security company. “Now they are the weakest link in election security.”

As for the physical safety of election workers and others, since the 2020 election, “their lives have changed dramatically, with many election officials experiencing an influx of violent and even criminal threats,” according to a February 2023 report by Joelle Gross of the MIT Election Data and Science Lab.

To try to address these threats, 14 states have passed laws to ensure the protection of their election workers. The National Conference of State Legislatures tracks these efforts, including laws to keep their personal data private, criminalize these intimidation efforts, and require election workers to take classes on de-escalation tactics.

This motivated others to step in to help, such as The Elections Group, one of several private election consulting firms. The group has developed, among other resources, a Doxing Protection Checklist containing practical measures to safeguard personal information and improve an election worker’s online privacy, and another checklist for election observers.

“An enormous amount of attention is now focused on election security, and it has the largest community of cybersecurity researchers behind it,” says SentinelOne’s Hegel. “Everyone looks at this because it’s such a hot topic. Unfortunately, no country is really winning yet or has it all figured out yet.”

It is difficult to predict whether such attention will stem influence campaigns and physical threats. What everyone can agree on, as CyberSaint’s O’Reilly says, is that “security incidents are unacceptable in a democracy like ours. Election officials work very hard to ensure free and fair elections.”


