Lee Clark is a cyber intelligence specialist who has worked in the commercial, defense, and aerospace sectors in the US and Middle East. He can be found on Twitter at @InktNerd. He holds an MA in intelligence and international security from the University of Kentucky’s Patterson School. Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.

National Security Situation:  The 2020 U.S. General Election (the election) faces a nuanced and critical cyber threat landscape that requires careful navigation.

Date Originally Written:  September 2, 2020.

Date Originally Published:  September 18, 2020.

Author and / or Article Point of View:  The author is a cyber intelligence professional and Election Officer in Virginia. This options paper will provide options for addressing cyber threats to election systems and infrastructure in the context of the 2020 election.

Background:  The cyber threat landscape of the November 2020 election in the U.S. is critical and complex. Election interference and propaganda efforts are not new on the global stage. However, the simultaneous merging of industrial-level disinformation operations, targeted cyber intrusions by state-funded organizations, and the woeful state of local cyber civil defenses in the U.S. combine to create a unique situation with challenging nuances and implications.

Cyber intrusions related to the 2016 General Election, mostly attributed to Russian-linked actors, are widely documented and analyzed in both the public and classified spheres of the national security community. The current threat landscape is more complex than in 2016, as evidenced by a public statement from the Office of the Director of National Intelligence indicating that cyber actors backed by China, Russia, and Iran are all actively attempting to influence the outcome of the election[1]. Defenses have also been bolstered in some areas, such as the Department of Defense taking an active role in the cybersecurity of the election, including deployments of cyber personnel abroad to hunt for threats to election systems[2].

The threat landscape is further complicated by public opinion, as demonstrated by the outrage connected to the publication of a false report that Russian threat actors stole and exposed voter databases from several U.S. states in August 2020. In reality, no cyber intrusion occurred and the data was publicly available. However, the public outcry over the incident indicates the potential for civic unrest in the event of a cyber attack that could be perceived to threaten the integrity of results[3].

Elections in the U.S. involve conflicting and competing stakeholders, intricate federal and local regulations, numerous technologies of varying complexity, as well as legal and ethical norms and expectations[4]. In a standard “Impact times Likelihood” threat matrix, the impact of a direct cyber attack compromising election results is high, but the likelihood is low. However, given the number of systems and interconnected networks used to coordinate elections, smaller attacks on peripheral or supporting systems are much more likely, though less impactful unless in a sufficient volume to cause widespread disruption[5].

Significance:  Election systems, including hardware and administrative organizations overseeing election operations, are classified by the Department of Homeland Security as critical national infrastructure[6]. The integrity of election results is critical to the validity and credibility of democratic governance in the U.S. A disputed election as a result of cyber aggression would be severely problematic for U.S. national security.

The geopolitical situation surrounding the election creates the potential for various adverse outcomes, including: deterioration of public faith in election processes; contested results in legislative and presidential races; civic unrest; and erosion of democratic processes. Elections are immensely complex and securing the cyber facets of elections involves national and local information and operational technology (IT and OT); registration databases; support software; and hardware used at polling places, including voting machines, ballot scanners, and devices like laptops and tablets. To manage the cyber threat landscape and mitigate potential harms resulting from threats, policymakers have three key options:

Option #1:  Launch a public education campaign focused on the logistics of managing election challenges to a) reduce the effectiveness of disinformation efforts seeking to undermine public trust in election processes and results and b) reduce public anxieties regarding the integrity of ballots.

Risk:  First, given the sociopolitical polarization among the U.S. electorate, it is likely that a significant portion of the voting public would view a public education campaign as factually incorrect or intentionally misleading. Second, this same polarization also indicates that a campaign would be unlikely to affect public opinion because the intended audience is unreceptive to information that would contradict preferred beliefs. Finally, this option is solely strategic and cultural in nature, and would not address the tangible, tactical level vulnerabilities that exist in election systems.

Gain:  If the press and social media (avenues for public information sharing) are considered supporting factors of election infrastructure, then a campaign to weaken disinformation networks could strengthen peripheral systems vulnerable to attack with a potentially high impact.

Option #2:  Provide a national fund to supplement the capabilities of national and local election administration organizations to implement best standards and practices including: current equipment, adequate staffing, standard written policy, and risk-limiting audits.

Risk:  First, efforts to provide funding to secure election systems have proven to be politically sensitive and difficult to move through Congress[7]. Second, this option would likely carry extreme financial cost to adequately address security needs The U.S. is currently experiencing a severe financial crisis as a result of the COVID-19 pandemic, compounding what would be a difficult option even in a financially sound period.

Gain:  Providing supplementary funding for organizations charged with safeguarding election systems would likely allow the organizations to directly address actionable technical and administrative vulnerabilities that expose systems to attacks. Properly resourcing these organizations could exponentially reduce the threat landscape for future elections.

Option #3:  Provide a large scale staffing support program for local cyber offices using Federal or contracted personnel with relevant expertise to augment high-risk election precincts and help harden defenses.

Risk:  First, the state of the cybersecurity and IT job markets make it unlikely that sufficient numbers of experienced and qualified staff could be retasked or hired and placed in needed areas. Second, the logistics of placing such a large workforce at nationwide locations would require a significant financial burden. Finally, travel challenges associated with the COVID-19 pandemic would further complicate the ability of support staff to be placed and to effectively integrate with localized teams.

Gain:  Supplementing cybersecurity staff at local and national offices leading up to the election could allow those organizations to better prepare for potential threats, and could offer a chance for knowledge transfer and training that would benefit future election operations.

Other Comments:  None.

Recommendation:  None.

Endnotes:

[1] Office of the Director of National Intelligence. Statement by NCSC Director William Evanina: Election Threat Update for the American Public. 2020. https://www.dni.gov/index.php/newsroom/press-releases/item/2139-statement-by-ncsc-director-william-evanina-election-threat-update-for-the-american-public.

[2] Shannon Vavra. “Cyber Command Deploys Abroad to Fend Off Foreign Hacking Ahead of the 2020 Election.” CyberScoop. 2020. https://www.cyberscoop.com/2020-presidential-election-cyber-command-nakasone-deployed-protect-interference-hacking.

[3] Catalin Cimpanu. “Cisa and Fbi Say They Have Not Seen Cyber-Attacks This Year on Voter Registration Databases.” ZDNet. 2020. https://www.zdnet.com/article/cisa-and-fbi-say-they-have-not-seen-cyber-attacks-this-year-on-voter-registration-databases.

[4] Lee Clark. “An Assessment of the Current State of U.S. Cyber Civil Defense.” Divergent Options. 2019. https://divergentoptions.org/2019/11/11/an-assessment-of-the-current-state-of-u-s-cyber-civil-defense.

[5] Tara Seals. “Shoring Up the 2020 Election: Secure Vote Tallies Aren’t the Problem.” Threatpost. 2020. https://threatpost.com/2020-election-secure-vote-tallies-problem/158533.

[6] National Academies of Sciences, Engineering, and Medicine. Securing the Vote: Protecting American Democracy. 2018. https://doi.org/10.17226/25120.

[7] Scott R. Anderson, Eugenia Lostri, Quinta Jurecic, and Margaret Taylor. “Bipartisan Agreement on Election Security—And a Partisan Fight Anyway.” Lawfare. 2019. https://www.lawfareblog.com/bipartisan-agreement-election-security-and-partisan-fight-anyway.