Source: Delphotos via Alamy Stock Photo
After US election integrity and security took center stage as a political football after the 2020 Presidential race, the Cybersecurity and Infrastructure Security Agency (CISA) is doing what it can to dispel security concerns around this year's trip to the polls.
CISA officials said on Super Tuesday that the agency has set up an Election Operations Center in its Arlington, Va., offices to coordinate threat responses to primaries — though according to a senior official speaking on background, there have been no credible threats so far detected for the many races that were held on Tuesday or in previous primaries.
"We have had phenomenal connectivity with state and local officials and other partners," the person said. "We did not observe anything out of the ordinary, and there were no known or credible threats to election operations."
Nonetheless, CISA, along with several other organizations, has beefed up various cybersecurity support resources for elections in general, including more programs for state and local elections officials, and for volunteer poll workers.
These efforts include various in-person trainings, guidelines for conducting tabletop security exercises, and publishing various best practices guidelines. In addition, the agency has hired specific cybersecurity specialists to support each of its 10 regional offices.
And since January, CISA has assembled its Protect2024 website with a large collection of practical advice for state elections staff on how to improve their infosec posture, protect their network assets, and respond to incidents.
"Election officials have been preparing all year round to ensure a safe and secure election, and CISA has been right there supporting them," said CISA Director Jen Easterly in a recent media statement.
"It is a true team effort," said an agency official during yesterday's briefing, who also mentioned that the biggest potential threats are distributed denial of service (DDoS) and ransomware attacks that could disrupt normal election operations. The Bangladeshi elections were recently disrupted by DDoS attacks, for instance.
And yet, the nature of election risk has evolved far beyond those more traditional security concerns, researchers say — prompting additional efforts by CISA and its partners, and from the private sector as well.
AI, Deepfakes & Influence: Rising Sophistication in Election Attacks
Part of the issue with securing elections this year is that the attackers have gotten more sophisticated, using GenAI to create deepfake video clones to influence voters and spread through social media groups, along with continuing attacks by foreign governments and criminal malware gangs spreading dis- and misinformation.
A now-infamous example of a deepfaked Biden lending an endorsement ahead of the New Hampshire primary is illustrative of the issue, but Padraic O'Reilly, chief innovation officer of CyberSaint, points out that deepfakes have spread across the globe. Recently, they were spotted being used against candidates running in both Slovakia and Argentina, and it's not far-fetched that the US will see more of them.
"One candidate in Slovakia was shown being in support of raising beer prices, obviously that was a fake," he said. "But this is the inherent risk of having distributed voting systems, there is always some risk baked into them."
AI alone isn't the only problem either. "There is a whole new dimension in sowing doubt in the electoral process, that has more psychological impact," says Tom Hegel, threat researcher for Sentinel One Labs, adding that he is seeing more crowdsourced attacks and misinformation attempts.
Indeed, one of the biggest changes from four years ago is that losing candidates don't always concede, claiming election interference and spreading more misinformation, which is then amplified across social media.
"This involves state-sponsored actors pretending to be citizen activists or emailing large voter databases pretending to be members of Proud Boys or other organizations," Hegel notes. "It is incredibly depressing, especially when you see your own family members falling for these exploits."
To purportedly stem the tide, last month 20 social media and other tech vendors published a manifesto at the Munich Security Conference promising to fight these fakes, but not necessarily to remove them.
But many press reports have cited this so-called "tech accord" as a mostly voluntary effort, largely symbolic, and more toothless than anything more proactive or protective. "The vendors are asking us all to trust them to self-police their networks. But that usually doesn't work. They don't want to give up the revenue from the network traffic that the fakes produce," says O'Reilly.
As Hegel points out, "taking away most of the trust and safety teams from the social networks is also a contributing factor, and has allowed fake online personas attacking elections and democracy to flourish."
There is some good news on the defensive side: Following the 2020 election, CISA put together the Rumor vs. Reality website that was designed to address various election-related myths. Since then, it has inspired many states to create their own myth-busting pages, such as Colorado's. That state has a rapid response cyber unit, consisting of five cybersecurity and communications professionals, that was created as a disinformation task force to help local voting officials combat "election-stealing" myths and other disinformation.
The Physical Threat to US Elections & Personnel
Other election security efforts by CISA and its partners are focused on the security of the actual electronic voting machines, and, sadly, physical security of the election workers too.
On the former front, MITRE held a hackathon last fall bringing together machine vendors, ethical hackers, and elections officials to find and fix bugs in the equipment before they were deployed at local polling places. "The MITRE event brought together the practice of vulnerability disclosure with hands-on security testing by some of the most experienced and innovative ethical hackers in the country," wrote Kayla Underkoffler, lead security technologist at HackerOne, in that post.
And in September, the first-ever Election Security Research Forum hackathon featured organized pen testing and bug research for digital scanners, ballot marking devices, and electronic pollbooks, with a primary focus on the technology that voters may encounter at a polling site.
However, worryingly, voting machines are really a 2020 problem.
"The issue is more the supply chain for the local and state government networks, which in many cases are smaller vendors," says Tony Pietrocola, president of AgileBlue, a security firm. "They are now the weakest link in elections security."
As far as the physical safety of poll workers and others, since the 2020 elections, "their lives have changed dramatically, with many elections officials experiencing an influx of violent and even criminal threats," according to a February 2023 report by Joelle Gross of the MIT Election Data and Science Lab.
To try to obviate these threats, 14 states have passed laws to provide for their election workers' protection. The National Conference of State Legislatures tracks these efforts, including laws to keep their personal data private, criminalize these intimidation efforts, and requiring election workers to take classes in de-escalation tactics.
This has motivated others to step in to help, such as The Elections Group, one of several private election consulting firms. The group has developed, among other resources, a doxing protection checklist containing practical steps to safeguard personal information and enhance an elections worker's online privacy, and another checklist for election observers.
"A huge amount of attention is focused on election security now, and has the broader community of infosec researchers behind it," says SentinelOne's Hegel. "Everyone is looking at this because it is such a hot topic. Unfortunately, no one country is really winning at this yet or has figured out everything quite yet."
Whether that attention will stem the influence campaigns and physical threats is hard to predict. What everyone can agree on, as CyberSaint's O'Reilly says, is that "security incidents are unacceptable in a democracy like ours. Election officials work very hard to ensure free and fair elections."