This is another commentary in a series issued by the 2020 Elections Project of the Center for a New American Security and the University of Pennsylvania’s Center for Ethics and the Rule of the Law and Annenberg Public Policy Center.
This fall, as Americans cast their ballots, many may be wondering what has been done to protect against the attacks they have heard so much about over the last four years. More important, they may be wondering whether the 2020 elections will be free from foreign interference, decided by American voters. It is important to answer unequivocally: Over the last four years, there has been an unprecedented all-of-nation effort to ensure that the 2020 election is as secure as any in U.S. history. I am honored to have partnered with the nation’s intelligence community to understand what our adversaries aim to do; to have worked alongside Department of Defense partners to discover the cyber tools our adversaries are using; and to have raced alongside our FBI colleagues to stay one step ahead of cyber actors targeting our election systems. Most important, it’s been an honor to support the efforts of election officials on both sides of the aisle.
To understand just how far we have come, we have to look back at where we were. In 2016, according to the intelligence community report “Assessing Russian Activities and Intentions in Recent US Elections” Russia “conducted cyber operations against targets associated with the 2016 US presidential election, including targets associated with both major US political parties.” Russian operatives targeted election systems across the country, used hack-and-leak operations against political campaigns, and launched a broader influence and disinformation effort. While they weren’t in a position to change a vote, we are clear-eyed that Russia and other foreign adversaries have the incentive to continue to undermine our democratic processes. And that’s what’s at stake here: whether it’s 2016, 2020, or 2024 and beyond, we are defending democracy against authoritarian regimes that aim to cause us to lose faith in our democratic institutions.
What made 2016 so challenging was the lack of an established election security apparatus in the federal government. Coordination and response ramped up when we discovered what the Russians were up to: in January 2017, the Department of Homeland Security designated the systems used to administer the nation’s elections “critical infrastructure.” This designation recognized that election infrastructure is of such vital importance to the American way of life that its incapacitation or destruction would have a devastating effect on the country.
From that point on, our team at the Cybersecurity and Infrastructure Security Agency (CISA) worked alongside the Election Assistance Commission (EAC) and developed meaningful relationships with election officials and the private sector vendors that support them. It all started with building trust, listening to their challenges, learning what works best for them, and helping state and local officials improve the security and resilience of their operations. It involved a lot of nights away from home, hundreds of flights, countless phone calls, and thousands of miles logged crisscrossing this nation. There were ups and downs, punctuated with some tense moments, but there’s no question that we have collectively made significant progress and now have three distinct advantages that did not exist four years ago.
1. We have helped foster a vibrant election security community.
Our first objective was to put up a big tent and bring the various players in the election security community together. Essentially, we wanted to achieve some degree of safety in numbers. There’s no way a single jurisdiction can defend against a dedicated attack by a foreign nation’s military cyber team on its own. But when all 50 states work together, there’s a real shift in the advantage back to the defender. That’s what the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) provides: the ability to spot the smallest of events and share it across the entire community to stop threats in their tracks. We also set up coordinating councils: one to bring together federal, state, local, tribal, and territorial election officials, and another for private sector election partners. Both are built to share trends and gaps and develop guidance all officials can use.
2. We’ve worked to make election systems more secure and resilient.
Our second objective was to improve the security posture of the systems that support elections across this country. For both in-person and mail-in voting, we are helping election officials secure the underlying systems and processes by providing a range of services, such as system vulnerability scans on a weekly basis, remote penetration testing for hundreds of jurisdictions and dozens of states, and phishing assessments. There is no question the security posture of election systems is getting better. We have observed improved patch rates, increased adoption of multi-factor authentication, more regular backups, and expanded logging of systems, to name just a few. We have worked with the largest election technology providers in the country to pick their systems apart, looking for vulnerabilities, and helped them mitigate those vulnerabilities. We continually work to map out and understand the various systems, mechanisms, processes, and techniques used across the election community to determine where the riskiest bits are and what is effective at managing those risks. One of the best risk management and resilience-building techniques we have found is paper. We continue to encourage states to shift to systems with a paper record associated with every vote—which is essential, because of the ability to audit such records. In 2016, 82 percent of votes cast were associated with a paper record, and for 2020 we project more than 92 percent of votes cast will have a paper record.
3. We have better visibility across the systems that support the administration of elections.
Our third objective was to improve our security visibility across election networks, to detect and mitigate threats as fast as possible. The trusted relationships we have built with both state and local election officials and the private sector have allowed us to work together to manage a nationwide system of intrusion detection systems to watch for malicious behavior across networks. As we approach the 2020 election, we have successfully launched these sensors across all 50 states. In some states, such as Florida, we have total coverage of every county. The sensors can alert on activity, which can then be investigated. We’re not stopping there, though. Working with the EI-ISAC, CISA is rolling out endpoint detection and response capabilities across hundreds of small and medium-sized jurisdictions to provide them with additional detection and protection capabilities they might otherwise not be able to deploy.
Although we have made a lot of progress, there is still much to be done. Adversaries have likely changed or evolved their approach to targeting our democracy, and we must be ready to respond. As we do for all things at CISA, we take a risk-based approach—meaning we’re factoring in the threats posed by actors, the vulnerabilities within the systems we care about, and the consequences of a successful attack. Understanding that we may not have perfect visibility of our adversaries’ intent, capabilities, or actions, we must game out and work through various scenarios to help manage risk to systems.
This approach has been hugely beneficial to our partners, because it forced us to really focus on the systems that matter the most and *why* they matter. In the case of elections, it became clear to us that the more networked, centralized systems pose the greatest risk. They tend to have greater consequences due to downstream systemic dependencies, and they also tend to have a variety of common vulnerabilities that could be exploited by any number of cyber actors. There’s no better example of networked and centralized systems than voter registration databases.
We have also been very deliberate in broadening our scope for possible attackers and attack paths against key systems. We are not just fixating on Russia, China, or Iran, in part because those actors don’t necessarily wave their flags and announce their presence—stealth and obscurity are part of their tradecraft. And that factor makes it hard for our outreach efforts to resonate with our partners. After all, if you’ve never seen it and you’ve only ever read about it, it’s hard to get motivated.
But something that is in fact hit-you-in-the-face obvious already happens across this country, all the time: ransomware. Cybercriminals attack state and local governments, schools, hospitals, and financial institutions every single day. They lock up systems and throw away the key if they don’t get their money. There is no indication that cybercriminals are targeting election systems with ransomware simply because they are election systems, but there have been opportunistic attacks. And as we approach Election Day, the stakes go up for these hugely important networks.
Fortunately, we are not only now realizing the risk. Last summer, CISA launched an initiative to focus work with state and local governments and the private sector to ensure that voter registration databases are protected from ransomware and can recover in the event they are targeted. This initiative entails sharing threat information, conducting assessments, and advising officials on how to lock down their systems. The good news is we are seeing improvement. A few weeks back, the Center for Election Innovation and Research released its biennial voter registration database report, finding that states and vendors take security seriously and are improving their posture.
As a bonus, there’s solid evidence that the techniques ransomware operators use overlap with many of the techniques the state actors use—so defending against those tools has the benefit of also making it that much harder for state actors. To riff on a line from the movie Dodgeball: if you can dodge Ryuk, you can dodge a state actor cyberthreat.
That said, there’s no such thing as 100 percent security, so in addition to protecting systems and helping state and local governments harden their infrastructure, CISA is also focused on the resilience of election systems and processes. It is imperative to have resilience measures at every precinct at the state and county levels. These measures include having tested offline backups of databases, paper copies of the pollbooks at the county level, an auditable paper ballot, and enough ballot stocks to meet the demand. By encouraging the hardening of systems and resilience measures, we will increase reliability in the voting process and instill confidence in the administration of elections. To steal a line from the late comedian Mitch Hedberg, we want our nation’s infrastructure to function a lot like escalators: “Because an escalator can never break—it can only turn into stairs. You should never see an ‘Escalator Temporarily Out of Order’ sign, just ‘Escalator Temporarily Stairs. Sorry for the convenience.’”
COVID-19’s Impact on November
While we are focused on making the 2020 election the most secure and resilient election in our history, we also know the election process during a pandemic will look unlike anything Americans have ever seen. There are fewer poll workers, because of the fear of contracting COVID-19; facilities that previously served as polling locations are not available; and the voter safety processes, such as social distancing and disinfecting equipment, may slow things down on Election Day. Fortunately, just as we have coordinating mechanisms to protect our election infrastructure, CISA’s critical infrastructure sector coordinating councils have used the last several months to develop a significant amount of COVID-19 election guidance.
Although there will be changes in the way many Americans vote, Americans will vote. Remember what I said earlier about more paper records associated with the vote this year than in 2016? Well, that’s in part due to a greater adoption of absentee ballots. In fact, the projection of 92 percent of paper ballots associated with the 2020 vote may be low. But as Dr. Fauci said, if precautions are followed, there’s no reason healthy people can’t vote in person on or before Election Day.
The Last Line of Defense: the American Voter
In terms of the big movements (equipment overhauls, systems upgrades, etc.), the security community has done much of what it can do in advance of the election. We’ll remain on the lookout, monitoring for threats and constantly communicating with our partners. Ultimately, the last measure of resilience in the 2020 election will be with the American people, who are encouraged to be “three-P” voters—prepared, participating, and patient.
Voters should seek information on how voting in their jurisdictions might have changed, understand registration and other voting requirements, and have plans for casting their votes. Now is a good time for them to check their voter registration status and update if necessary. CanIVote.org is a great resource provided by the National Association of Secretaries of State.
Voters should participate by looking for opportunities to get involved, and if possible, volunteer as election workers. There is expected to be a large shortage of poll workers this year; so those who are healthy, willing, and able, should consider volunteering. The EAC has created HelpAmericaVote.gov to help people sign up to serve.
Voters should be patient in dealing with the changes in voting related to COVID-19. It takes some time to count all that paper, and our nation’s election officials will be counting, canvassing for every last ballot, and auditing. We might not know the outcome of the election on November 3, and that’s OK. We should trust the election professionals as they do their jobs.
Each of us has a role to play in the security and resilience of our democracy. By working together, we can ensure that the 2020 elections are determined by the American voter, free from interference. #Protect2020 is more than a hashtag. For my teammates and me here at CISA, and certainly for our partners out in the election community, it’s been a way of life for the last several years. We’ve been preparing for this election, and we are committed to seeing it through.
Christopher C. Krebs is Director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.