Elections, cyber vulnerabilities and the human factor

It’s quite possible that the biggest vulnerability of local elections systems are the components that walk around on two feet. All too often, it’s human error giving cyber criminals access into voter registration databases and polling devices. Election officials, agency employees and even election day poll workers may not realize how they may unknowingly provide login credentials through a phishing attempt, or transfer data to an unsecure device like a flash drive. The human factor in cybersecurity can have major consequences, including potentially affecting the outcome of an election.

Public entities face a high level of scrutiny over cybersecurity, and voters expect that their choices will count as cast. Voter registration rolls and election systems security have become a focus of national attention and concern. The Department of Homeland Security reported that during the 2016 general election, 21 state systems were targeted and a “small number of systems” were legitimately penetrated by cyber attacks. A Bloomberg investigative report revealed that 39 states became hacking targets during the 2016 elections, and a successful attack compromised 90,000 voter records in the state of Illinois. Such cyber intrusions are expected to be a major risk during the November 2018 midterm elections.

Cyber security training is an essential part of protecting the integrity of election systems. Election workers need to learn how to create strong passwords, recognize phishing and other malicious emails, avoid dangerous applications, and take necessary precautions when dealing with sensitive information. Following the 2016 elections, many agencies throughout the country invested millions of dollars to help secure their platforms. Even with the millions invested into security software, training everyone who uses these systems is the best way to begin to protect against tampering that could change the outcome of an election. Even with the world’s most secure hardware and software protections, human error or negligence will always be an issue.

Any part of the system connected to the Internet is a possible back door for election meddling. When election officials make Internet-based connections, they must be certain they are sending that data to the right place and the entire route is secured. Employees need to be trained to identify the correct destinations for sensitive registration and polling data and how to keep their communications secure. If a hacker gets into the system with credentials stolen from an unwitting employee or through a compromised communication channel, a lot of bad things can happen:

• Impersonation of actual voters by others, or vote casting under fake registrations created by hackers
• Voter suppression
• Registration information discrepancies requiring provisional ballot casting
• Denial of service attacks on official web sites that prevent voter registration and discourage election participation
• “Spoofing,” or the creation of fake web sites, to distribute misleading information about registration or polling locations, or reporting of false election results

California implemented new Poll Worker Training Standards for 2018 that reflect lessons learned since the original standards were issued in 2006. The new training standards, posted on the Secretary of State’s web site, include an extensive section on security and tampering of voting systems and materials used on election day. These standards are designed to provide local jurisdictions a guideline for developing their specific poll worker training.

The Defending Digital Democracy Project at the Harvard Kennedy School outlines five key points every election staffer needs to know and observe about cybersecurity:

• Everyone is a security official – everyone is responsible for being vigilant and reporting irregularities.
• Use two-factor authentication to protect your access credentials for elections systems, email and social media, and data storage. The extra step is an effective way to prevent unauthorized access.
• Create long, strong passwords to thwart automated hacking.
• Keep credentials secure and never share them with anyone else, regardless of who they are.
• Use best practices for cyber hygiene, including installing patches and software updates, and up-to-date antivirus software.

Creating and maintaining a strong culture of cybersecurity in your organization is an effective way to help prevent the human factor from compromising your electoral processes. The 2018 midterm elections are only a few weeks away. Your election systems are in place. Are your employees and your poll workers ready to do their part to protect this election’s integrity?

Brad Keenan is an Account Executive at Keenan & Associates specializing in cyber liability and policy administration. His email address is bkeenan1@Keenan.com.