This election cycle we’re running a high-stakes presidential race in the U.S., so it’s hard to imagine a foreign nation-state that wouldn’t like to cast a ballot. Unfortunately, we’ve seen election interference before and federal agencies like the National Counterintelligence and Security Center have produced unclassified Election Threat Updates to inform the public of nation-state threat actors and tactics ahead of the November elections.
This time around, we now understand that there are more holes in the election technology ecosystem than previously thought – and precious little time to make changes.
We need to fix a many-headed monster decades in the making. Since each state has its own say about running its elections, they predictably have different approaches. Oregon uses paper ballots only, but can the rest of the states in a federal election year do the same? Hardly. With less than 70 days to go, the federal government couldn’t hand out free beer to the electorate, let alone overhaul to paper that fast.
Meanwhile, we’re having a contentious debate about vote-by-mail. Some states already tout universal vote-by-mail and others are expanding their vote-by-mail or absentee voter programs because of COVID-19. Twenty-four percent of American voters live in states that plan on sticking to in-person voting this cycle.
Our state-based approach filters upward to create a federal mess. Combine that with the impracticality of building secure voting systems on tight budgets, and with reduced mobility during a pandemic, we have a real problem.
With the pressure on U.S. elections rapidly approaching do we realistically expect that we can fix our election system? Probably not. However, we can enlist security experts – such as those at SANS – to focus on election security between now and November.
These professionals can help public officials protect the integrity of our elections in five ways:
- Assume an imminent breach of integrity and develop a meaningful response plan. As data people, we’re good at being thrust into situations with few facts and expected to tell C-level folks both what could happen and how to respond to minimize impact.
- Start a long-term plan to build a secure election stack. Security wonks are good at that sort of thing, too. That doesn’t mean eliminating any possibility of compromise, but we can make it far more expensive for the perpetrators to penetrate. Simply bolting on blockchain won’t work – we have to think more comprehensively.
- Develop better training for the thousands of poll locations staffed with energized volunteers. Materials published in an easy-to-digest tips format can help workers spot and stop suspicious activity.
- Work closely with the voting equipment manufacturers. While some organizations have started to lean into the process, there’s been a palpable fear among researchers when attempting to alert manufacturers about security. This continues to change, including new penetration testing and vulnerability disclosure programs.
- Engage with voters. We still have to speak directly to voters and get them up-to-speed on the potential defenses each polling location plans to roll out. In an environment where fake security warnings are the norm, we have to put citizens on high alert to verify the authenticity of new security measures.
The stakes are high. The federal government has placed a $10 million bounty for those engaged in rigging a dirty election by hacking into the election system. We also must deal with the added challenge of the disinformation industry that’s been built to influence public sentiment in favor of a given candidate. In some markets, local governments are even pushing training on how to spot fakes, an endeavor that’s now harder than ever.
Fixing the voting system will take time, but for this cycle, each person has to do the research and figure out the best way to vote. In many states, voters can do mail-in, drop ballots off at the local election commission or do it the old-fashioned way: vote in-person. As a pillar of a civic society, voting is still the only real way to have our voices heard. However, if you suspect something suspicious, contact the Election Assistance Commission at [email protected].
Cameron Camp, security researcher, ESET