Addressing Modern Threats to the Integrity of Free Elections

Election Security is a Core Issue That Demands Increased Attention—and Resources

One of the central pillars of American democracy, or democracy anywhere for that matter, is a commitment to fair and free elections. Americans vote because they believe that their vote matters. And that belief is dependent on two things: First, that the information they use to make their decisions about candidates and issues is reliable. And second, that the infrastructure surrounding the electoral process is both secure and resilient. And both of those elements are now at risk.

Electoral security gained prominence as a national issue in the wake of the 2016 elections. There is evidence of possible foreign interference, and continued reports that a growing number of malicious actors may be targeting various parts of our electoral processes. These concerns have increased our awareness of numerous vulnerabilities that exist in our current electoral process, ranging from unsecured voting machines to foreign efforts to influence voters through social media.

As a result, election security was officially designated as a Critical Infrastructure by the Federal Government in 2017. This brought increased technical assistance and resources to bear on the problem. In particular, Congress appropriated $380M in 2018 through HAVA (Help America Vote Act) for state and local governments to improve election security, and additional funding may be forthcoming before the 2020 election. But money alone cannot solve this challenge.

Two Elements That Make Election Security So Challenging

The importance of Public Perception

One of the biggest factors setting this issue apart is the extent to which electoral Integrity is as much a function of perception and public confidence as it is of technical security. Electoral systems do not have to have actually been compromised for voters to lose confidence in the process.

It is useful to differentiate between confirmed (demonstrated or technically plausible), potential, and claimed threat activity. Even a threat that, after expert assessment, is determined to be unfounded or non-credible can still have an impact on voter confidence. To effectively combat fear, uncertainty, and doubt among the electorate, technical assessments need to be coupled with a proactive communications strategy that assures voters that due diligence is being applied to safeguard the integrity of the election process.

The challenge is that such messaging attempts to disprove a negative – to demonstrate that something didn’t or couldn’t happen. Similarly, simply describing a risk that is theoretically possible warrants nuance and context – for instance, reporting that a stand-alone voting machine can be compromised via hands-on access does not necessarily equate to a viable real-world exploit that can be used to successfully ‘attack’ an entire electoral system, either in practice or at scale. Of course, those communications need to reflect actual efforts to recognize and secure our electoral systems. This places a premium on election officials complementing their investment to secure election systems by creating – and exercising – both an Incident Response Plan and a proactive public communications strategy.

The systemic nature of establishing election integrity

Election integrity is a complex ‘system of systems’, with numerous opportunities for spillover and cross-contamination of real or apparent compromise. There is a system for voting, a political campaign system, systems used to share information about candidates and issues, along with multiple supporting ecosystems (supply chains, government networks, etc.). A failure or compromise in any of these can have ramifications for the entire process.

The voting process alone consists of a variety of functional systems spread across 8,000+ jurisdictions, with many election officials managing more IT assets than any other department in local government – and usually without any formal cybersecurity training or experience. Each of those thousands of jurisdictions has a local voting infrastructure consisting of myriad systems that can be directly targeted and compromised. These include:

• voter registration databases
• electronic poll books
• vote capture devices
• vote tally systems
• election night reporting platforms
• voting support/back end systems

In addition, there are indirect targets, such as official Government and political party web sites and social media accounts that are often overlooked as elements of electoral integrity. A failure to secure such channels could lead to serious consequences, such as the dissemination of false official information on polling day (e.g., misreporting locations of polling places) that could affect voter participation every bit as much as tampering with voter rolls or tallies.

Such disinformation can also be directed at communications channels such as local media or political parties, reporting false claims of concession or victory before the polls close. Relevant points of access and attack for all of these channels include targeting the personal devices or accounts of users or the official accounts and devices of political parties or news outlets, as well as exploiting the policies and technologies of those organizations that provide social media and other communications platforms.

The sum of these systems creates a degree of shared vulnerability not typically seen in other types of cyber-related threats, such as the theft of Intellectual Property. This is one area where the often overused metaphor “a chain is only as strong as its weakest link” genuinely applies.

Risk Management and Partnership are Key

This is not to say that the challenges we face are insurmountable. At its core, election security is a risk management problem, and because of that, well-developed practices in risk management and resilience should be built into the process for addressing its integrity.

Complicating the process further, however, is the complex web of players associated with elections, starting with all levels of government (local, state, and Federal Government), non-state entities (industry, ‘influencers’, vendors, and political parties), and, of course, the voting public. However, if approached strategically, this complex and multi-party ecosystem also means there are multiple options and strengths that can be brought to bear to create resilience.

Partnership is key to achieving that resilience, and building partnerships should be an on-going activity – not just one that occurs during election years. While local government is “where the rubber meets the road” in terms of voting, there are clear roles for the other players in the broader ecosystem.

• Federal Government: The Federal Government has made considerable advances in building and strengthening partnerships since 2016, leveraging key tools of funding, expertise, information, and law enforcement. More can be done, however, to establish and ensure national electoral integrity ranging from funding new technology to identifying best practices and monitoring for foreign interference.

• States: Especially due to our unique Electoral College process, states are a key nexus point for elections. States are both closer to the problem than the Federal Government, as well as large enough to have critical mass in terms of expertise and funds. As a result, they are well positioned to lead on issues such as the creation and enforcement of standards and information sharing, and they have the ability to use legislation and regulation to facilitate collaboration and partnership. For example, they can enable industry to offer free cybersecurity training and services to local government and political parties without it being deemed lobbying or a campaign contribution.

• Non-government organizations: NGOs such as academia, professional associations, and non-profit centers are key sources of research and analysis into threats, vulnerabilities, and best practices.

• Influencers: Influential organizations such as the media and political parties play a key role in shaping public perception, and they should develop a deeper understanding of election technology and processes to inform their reporting and commentary.

• Vendors: Developers and manufacturers of any of the systems the election process relies on need to ensure they are delivering solutions that are effective, affordable, and able to scale to the needs of smaller voting jurisdictions that lack cybersecurity staff, as well as to larger cities and counties that have significant in-house expertise. And more than ever, security needs to be an integrated element of those solutions. One effective approach is for vendors to adopt an integrated network security approach built around a security fabric framework. Such a strategy integrates threat-informed security devices such as firewalls and intrusion prevention systems with identity and access control into a single security system that can span and adapt to even the most complex electoral ecosystems. These systems need to also include advanced threat protection capabilities, powered by artificial intelligence and machine learning, to detect and respond to even previously unknown threats in real time.

It’s All About the Voters

Of course, of all the players involved in elections, the voting public plays the most important role of all. While issues around creating a more educated and informed citizenry is a topic for another day, American voters deserve our best efforts to ensure they have access to reliable information and secure voting systems free from tampering or influence. That is an essential hallmark of American democracy that we need to protect and preserve no matter the cost.

Learn more about Fortinet’s comprehensive, effective, and adaptive security solutions for today’s connected government.

Learn more about best practices for improving election security in this webinar. Read our solutions brief to find out more about Fortinet’s security solutions for state governments.