Cyber threats are becoming ever more sophisticated, presenting a constant challenge — especially for local governments with slim resources. Meanwhile, mis- and disinformation drum up public ire against elections officials, threaten residents’ abilities to vote freely and encourage those public officials who buy into the false narratives to tamper with elections, according to witnesses, whose backgrounds included areas like voting rights, cybersecurity and public policy.
ELECTIONS IT
State and local election officials can only achieve so much cybersecurity without federal help, said Matt Masterson, former senior cybersecurity advisor for the Cybersecurity and Infrastructure Security Agency (CISA). Certain threats — like a hypothetical software supply chain compromise impacting election systems software — are too advanced, he said.
There is currently no federal framework to guide state and local officials’ efforts to procure secure election software, said Brennan Center for Justice senior counsel Gowri Ramachandran. She said Congress can encourage a safer election IT market by restricting federal procurement to only those vendors meeting certain standards — thus creating a financial incentive.
But even vendors’ abilities are limited against the kinds of sophisticated attacks that breached SolarWinds, said Masterson.
“I think it is extremely unlikely that we can ask either election manufacturers themselves or state and local officials to stand up against that level of adversary on their own,” he said.
Open communication among stakeholders will be key, Masterson said, suggesting that an Information Sharing and Analysis Center (ISAC) or similar organization could help vendors collaborate with federal agencies like CISA, the FBI, and others to improve cyber defenses.
Should something still go wrong with election hardware or software, paper ballots provide the way to verify voting tallies — which makes it essential that all polling places use them, he added.
CYBERSECURITY SUPPORTS
CISA can also push election offices into better cyber postures. That includes by mandating they meet a certain security baseline, including steps like requiring multifactor authentication for critical systems, moving election websites to .gov and segmenting election networks from state and local ones, Masterson said.
And CISA can work with the Elections Infrastructure ISAC (EI-ISAC) to deliver cybersecurity services to counties with limited resources, as well as expand its Crossfeed program to proactively scan election systems for vulnerabilities.
Of course, keeping election IT secure and running smoothly takes money — specifically funding that is consistent and recurring. Masterson proposed, in written testimony, that jurisdictions pay for the portion of elections expenses that relate to filling posts in their level of government. That means cities cover mayoral races, while the federal government compensates state and local election offices for congressional election costs.
DOXXING WORKERS
Masterson also urged the federal government to do more to protect election workers.
State fusion centers already help different levels of law enforcement coordinate around threats, and Masterson said they should be leveraged for tracking and sharing information on those targeting election workers and officials. He further urged passing state and federal laws that penalize aggressors more severely.
Masterson also noted in his written testimony that many states have legislation intended to protect the identities of certain at-risk groups — like domestic violence victims and police — and recommended extending such shielding to election officials as well.
MISINFORMATION’S NEW FORM
The mis- and disinformation landscape is shifting.
Major social media platforms more strictly enforced content moderation after the events of Jan. 6, 2020. Some users responded by adopting new, alternate platforms that offer little content moderation, and/or by shifting discussions to person-to-person messaging services like Telegram where posts are less public, making discourse harder to monitor, said Alex Stamos, director of the Stanford Internet Observatory and commissioner at the Aspen Institute Commission on Information Disorder.
“The net effect of that is that our ability to understand what’s going on is actually much reduced, versus where we were in 2020,” Stamos said.
Proposed federal legislation could pull back the veil, however, by compelling social media platforms to let researchers on National Science Foundation-approved projects see internal data. Stamos also said CISA or another federal agency should actively monitor which false claims are gaining followings.
Social media is also not the only area warranting attention, with other channels like podcasts, cable news and radio all spreading false accounts, he added.
Clarke also said she is pushing legislation that would authorize CISA to distribute reliable information and debunk dangerous inaccurate narratives.
INSIDE MISINFORMATION
The Election Integrity Partnership (EIP) — a group created by several organizations including Stanford — responded to and analyzed voting-related mis- and disinformation around the last presidential election. It found that — rather than bots and algorithms being to blame — most information was created by Americans and made viral when spread by individuals with large social media followings, Stamos said.
Key voting-related misinformation included narratives that caused confusion about election procedures (such as misstating poll locations) or discouraged participation (such as by falsely claiming that people voting by mail would risk arrest for outstanding debts). Other common messaging encouraged individuals to commit fraud or attempted to generate doubt in the election’s outcome, Stamos said.
Along with eroding voter confidence, such false narratives can also generate insider threats if election officials start believing them, too, Ramachandran said.
For example, Tina Peters — the elections official for Mesa County, Colo. — was found to have jeopardized the security of some of the county’s voting equipment, seemingly in an effort to find evidence for election fraud claims. A judge said Peters lied to let an unauthorized individual copy voting machine hard drives.
Governments can help guard against such insider threats by conducting background checks, restricting and logging access and monitoring activities with video surveillance, Ramachandran said.
