
The Incentive to Disrupt Elections has Never Been Higher

Election Security

The 2020 Elections Will be Hotly Contested, and the Integrity of the Election Is Critical to Ensure Confidence in a Free and Fair Election

In February, I was part of an international election observation mission to Moldova—the former Soviet Republic tucked between the Ukraine and Romania, and the poorest country in Europe. We met with candidates and political leaders, and collectively observed hundreds of polling places on election day, to help validate that the elections were free and fair. I loved meeting the people in Moldova and seeing their hope for the future. Even under challenging circumstances of corruption and disinformation, it was amazing to see democracy was holding its own.

What I saw in Moldova made me think about the sanctity of our election process in the United States, and how we can’t take it for granted. Yet adversaries are increasing their cadence of attacks on our election infrastructure, and given our geopolitical environment, the incentive to disrupt an election has never been higher.

We were leaving a polling place in a small village in northern Moldova—with the ubiquitous (for those parts) bust of Lenin still proudly standing out front—when a local colleague asked, “So in the USA, how confident are you that your vote will actually be counted properly?” I was caught off guard, as I’d never even had a passing concern in this area. “100% confident,” I answered. He asked if we had extensive poll observers or armed security at each polling place. I’ve seen a few observers over the years, but nothing close to the dozen or more observers at many of the Moldovan polls. I explained that our system worked because there was inherent trust, upheld by each part of the electoral process. Generally speaking, even the most partisan poll worker in the U.S. wouldn’t think of throwing opposition ballots into the trash can, or looking the other way as carousel voting takes place in plain sight. Or when it does happen, as it recently did in North Carolina’s 9th district, it’s national news. We trust the system because there are accepted norms, and because there’s a reliable history of the system working the way it should.

But you know what they say about trust: it takes years to build, but only seconds to destroy. A breach in the security of our election system would undermine that trust that has been built since the founding of our democracy. Imagine if you couldn’t be confident that your vote would be recorded, or worse, that it could be reversed.

Attacks on the sanctity of the ballot box have already begun. Readers of this column will be familiar with some of the examples:

• In the 2016 election cycle, we know that Russian actors probed the voter registration systems of at least 20 states.

• We’ve seen denial of service and ransomware attacks targeting state and local election agencies.

• FireEye recently reported on Russian actors APT28 and Sandworm Team compromising multiple governments in Europe in advance of elections.

• The vulnerabilities in voting machines are myriad, have been well documented, and yet equipment makers continue to sell these outdated machines. FireEye Intelligence has observed voting machines for sale in underground criminal forums, for attackers to practice against.

• National parties and candidates’ organizations themselves have been targeted repeatedly.

• State-sponsored misinformation campaigns have dominated the headlines recently.

Fortunately, the U.S. government has taken some steps to address these issues. The 2018 Help America Vote Act (HAVA) allocated $380M, “to improve the administration of elections for Federal office, including to enhance election technology and to make election security improvements.” States are able to use allocations from this fund to purchase new voting equipment that provides a paper record of the voter’s intent, implement audit systems, upgrade computer systems, facilitate cyber security training for election officials, implement cyber security best practices, and fund other cyber security-related activities. 

It’s a good start, but as of September 30, 2018, just $31.4M (8.3% of the total allocated) had been spent by the states. Of that total, $18M was on cyber security, and just under $11M was used for new voting machines. You might think that the states have been slow to make their requests, but all states and territories have indeed submitted their requests and received their grants. Some states have detailed plans for improving their cyber security—for example South Carolina intends to spend $525,000 to conduct comprehensive risk and vulnerability assessments of their voter registration systems, remediate findings, conduct a penetration test of their e-poll book, and implement network monitoring solutions. Rhode Island intends to spend $734,000 to implement database activity monitoring, asset management systems, and a Security Information and Event Management system (SIEM) for their voting environment—in addition to budgeting for the necessary people to manage these tools. 

On the other hand, several states have requested no funding for cyber security, or only token amounts—e.g., funding a small vulnerability assessment, but no budget for remediation. It’s possible that these states had already allocated their own funds toward election security and don’t need the HAVA grant funding. However, I have yet to work with a state government that felt adequately funded for cyber security. I suspect one reason for the slow uptake is just a lack of answers: beyond the obligatory assessments and vulnerability scans, what should election agencies be doing to properly secure their environments, protect voter information, and ensure the integrity of the vote? These are complex and highly distributed systems, and it’s not an easy answer, but one that I hope to explore more in future columns.

It’s also my hope that we can properly fund more robust security for candidates’ organizations and national parties. Individual candidates are running campaigns on a shoestring budget, and a dollar spent to secure a database is one that isn’t used on a yard sign. It’s tough to prioritize security if funds aren’t specifically earmarked, but compromised campaigns can have global implications—as we saw when the Clinton campaign was hacked in 2016, perhaps tipping the outcome of the election.

Our state and federal election agencies don’t have to deal with the same level of corruption or misuse of state resources that I saw in Moldova, but they’re up against an even tougher adversary in the nation-state actors that seek to disrupt our democratic process. We have the right pieces of the puzzle to address these threats—the threat intelligence, the people, and now the funding to do something about it. I’m confident that our election officials can apply these resources to ensure the security of our voting process. The 2020 elections will be hotly contested, and the integrity of the election will need to be beyond reproach to ensure citizens’ confidence in a free and fair election.

Grady Summers is Executive VP and Chief Technology Officer at FireEye, where he oversees the global CTO team that supports R&D and product engineering and works with customers to address today’s evolving threat landscape. Grady has over 15 years of experience in information security both as a CISO and consultant to many Fortune 500 companies. He joined FireEye through its acquisition of Mandiant in 2014. Prior to Mandiant, he was a partner at Ernst & Young, responsible for the firm's information security program management practice. Before E&Y, Grady was the CISO at General Electric, overseeing a global information security organization. His previous roles at GE include divisional CTO and a variety of positions in application security, web development, and infrastructure management. He holds an MBA from Columbia University and a bachelor of science in computer systems from Grove City College.