Just this year, there have been twenty-six Congressional hearings on election security and administration. That averages out to be one hearing nearly every week that Congress has been in session! During that same time, cyberattacks on municipal infrastructure have increased in frequency and severity, to the point that local residents are feeling the impact. During an attack that targets a shared system supporting multiple state or local agencies, election services may be collateral damage.
Two incidents in particular highlight the potentially crippling effects of cyberattacks. In August, the computer systems used in business and financial operations in 22 municipalities across Texas were taken offline. In November, Louisiana officials aggressively responded to an attempted attack “similar to the ransomware targeted at local school districts and government entities across the country this summer” by taking every server offline. Criminals foreign and domestic are becoming as competent as nation-state actors, due to the commoditization of malware and ransomware, increasing the likelihood that voting processes across the country will be disrupted. An adequate response will require coordination throughout all levels of government and across multiple sectors.
The House Subcommittee on Cybersecurity, Infrastructure Protection, & Innovation held a hearing on November 19 to explore how non-governmental actors can support election officials and campaigns in defending critical election infrastructure. Here are major takeaways from each witness:
“Microsoft is one of the most attacked companies in the world and applies those self-learnings to protecting its customers.”– Ginny Badanes (Microsoft)
“One thing we do know: If there has not been a large scale disruption or attack against our election infrastructure that is successful, it’s not because our systems are robust, but rather because nobody has tried to do it.”– Matt Blaze (Georgetown University)
“Tweets get leverage and virality from American users…[I am] not aware of anything Congress has done to combat disinformation.”– Richard Stengel (former State Department)
“It took the defense industrial base a long time to recognize the threat, too. It is a long, tedious process to filter down best practices.”– Frank Taylor (U.S. CyberDome)
The call for paper ballots and risk-limiting audits is one message that came through loud and clear. Numerous technical experts and advocates, including CDT, agree that an immutable audit trail is necessary to shore up voter confidence and adequately defend against election interference. The Brennan Center estimates, though, that as many as 16 million voters across eight states (FL, KY, LA, NJ, OK, PA, TN, and TX) will vote on paperless DRE machines in November 2020. This number is down significantly since 2016, but in order to purge paperless machines from every jurisdiction, additional funding will be required.
Director of the Cybersecurity and Infrastructure Security Agency (CISA) Chris Krebs noted that our Russian adversaries “will be back” in 2020. States have been preparing for that threat by identifying a series of operational priorities such as cybersecurity training for election officials and replacement of outdated or insecure equipment. The overall cost of those necessary upgrades far exceeds the $380 million provided by the 2018 Help America Vote Act security grants. States requested 100 percent of the available funding and are on track to spend 90 percent of the funds by November 2020. Ironically, 2019 could be the year that Congress fails to fund any state and local election security requests despite the imminent threat confirmed by the Intelligence Community, private sector security firms, and even the President. We should be past the point where more hearings are the only action that Congress can agree to take on this issue.