Election Security 2020: How Safe is your Vote?

Josh Numainville is a 2020 graduate of the Mitchell Hamline School of Law. Josh’s various writings and research projects provide practitioners with insights into how technology is altering the law. This article is an adaptation of Josh’s working paper on election cybersecurity threats, which can be obtained by contacting the author at joshua.numainville@mitchellhamline.edu.


Introduction

Four years removed from the 2016 Presidential Election, politicians continue to debate the extent and effect of Russia’s election interference.1 Despite this polemical handwringing, the United States intelligence community has been clear in its assessment: election interference is a very real threat to U.S. National Security.2 While media attention has focused largely on Russia’s disinformation campaigns, the 2016 election also served as a testing ground for another insidious election interference strategy—cyberattacks on election infrastructure like voting machines and voter registration systems.3 These attacks were, at least according to publicly available information, relatively innocuous in 2016.4 However, the methods and strategies utilized in 2016 are predictive of the greater threats our election infrastructure will face as foreign adversaries5 further develop their cyber capabilities. This article briefly explores three pressing election security concerns that the United States will face during the 2020 election and beyond, as well as the Department of Homeland Security’s decision to designate election systems as critical infrastructure and the limitations of the critical infrastructure designation.

Election Security Threats

Manipulating Voter Registration and Certification Systems

Thirty-seven states currently maintain online voter registration systems that allow voters to register to vote through the internet.6 Robert Mueller’s Report on the Investigation into Russian Interference in the 2016 Presidential Election concluded that the GRU—Russia’s largest foreign-intelligence agency—targeted these systems in 2016 by embedding malicious code to extract voter registration information in twenty-one states.7 While the GRU’s exact motivations and goals for this attack are still debated, the GRU was able to extract voter registration data from at least one state.8 For reasons that are still publicly unknown, the GRU did not attempt to extract or alter voter data in any other states where it gained access to voter registration systems, despite gaining sufficient permissions to delete or alter data in several of these states.9

Moreover, the GRU also targeted the state election boards, secretaries of state, and the county governments in charge of certifying election results during the 2016 election season.10 For example, the GRU used spear phishing11 emails to gain access to county and voting technology company networks as a part of these efforts.12 These spear phishing emails were used to install malware that would allow the GRU to access the network connected to the infected computer, thereby accessing information about voters, vote count certification, or the voting machines used in elections.13 Through this method, the GRU was able to gain access to at least one Florida county’s election certification system.14

Attacks against voter registration systems are concerning for two reasons. First, hackers could simply force a shutdown of election registration systems by installing malware, exploiting vulnerabilities, and directly shutting down the voter registration system by taking it offline. However, the adversary would not even need to directly shut down the voter registration system to cause disruption. During the 2016 election, for example, Arizona was forced to voluntarily shut down its voter registration system after discovering the GRU’s information extraction malware on its voter registration system.15 Despite no evidence indicating that the malware had actually been used to extract or alter any data, Arizona’s voter registration system was still forced offline, which in turn led to voter registration delays and contributed to public concern about election integrity.16

At a more advanced level, these intrusions into voter registration systems could be weaponized to alter or delete voter data without detection, causing confusion and long lines on election day.17 While voters whose registration information had been altered or deleted could cast provisional ballots or register to vote the same day, depending on the state, this would cause extremely long lines at polling places, and there is no guarantee that the provisional ballots would be counted.18 Moreover, voter wait times of greater than one hour have already been shown to negatively impact voter turnout in the past.19 If a cyberattack increased polling place wait times, it would likely significantly reduce voter turnout, especially in heavily populated areas.20
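
An added illustration, not part of the original article or of any election office's software: one way to make the silent alteration or deletion of registration records described above detectable is to seal each record with a keyed digest held outside the database, then reconcile the live roll against that baseline and a separately kept log of authorized changes. The key, record fields, function names and sample records are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed key for this example. The assumption is that the real key is held
# offline, so an intruder who edits database rows cannot re-seal them.
SEAL_KEY = b"constructed-example-key"


def seal(record):
    """Keyed digest over a canonical (sorted-key) JSON encoding of one record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SEAL_KEY, canonical, hashlib.sha256).hexdigest()


def snapshot(roll):
    """Map voter_id -> seal; this is what is stored offline at baseline time."""
    return {voter_id: seal(record) for voter_id, record in roll.items()}


def diff_roll(baseline_seals, current_roll):
    """Classify every difference between the sealed baseline and the live roll."""
    current_seals = snapshot(current_roll)
    changes = {}
    for voter_id in sorted(baseline_seals.keys() | current_seals.keys()):
        old, new = baseline_seals.get(voter_id), current_seals.get(voter_id)
        if old is None:
            changes[voter_id] = "added"
        elif new is None:
            changes[voter_id] = "deleted"
        elif not hmac.compare_digest(old, new):
            changes[voter_id] = "altered"
    return changes


def unexplained_changes(baseline_seals, current_roll, authorized_log):
    """Return the changes that no authorized transaction accounts for.

    authorized_log is a list of (voter_id, action, resulting_seal) tuples kept
    outside the database; resulting_seal is None for a deletion.
    """
    expected = {}
    for voter_id, action, resulting_seal in authorized_log:
        expected[voter_id] = (action, resulting_seal)  # last transaction wins
    findings = {}
    for voter_id, kind in diff_roll(baseline_seals, current_roll).items():
        authorized = expected.get(voter_id)
        if authorized is None or authorized[0] != kind:
            findings[voter_id] = kind  # no matching authorized transaction
        elif kind != "deleted" and (
            authorized[1] is None
            or not hmac.compare_digest(authorized[1], seal(current_roll[voter_id]))
        ):
            findings[voter_id] = kind  # record differs from what was authorized
    return findings


# Constructed sample data: four voters at baseline, then a mix of changes.
BASELINE_ROLL = {
    "V001": {"name": "Ada Example", "precinct": "12", "status": "active"},
    "V002": {"name": "Ben Sample", "precinct": "12", "status": "active"},
    "V003": {"name": "Cy Placeholder", "precinct": "07", "status": "active"},
    "V004": {"name": "Di Constructed", "precinct": "07", "status": "active"},
}
CURRENT_ROLL = {
    "V001": {"name": "Ada Example", "precinct": "12", "status": "active"},
    "V002": {"name": "Ben Sample", "precinct": "03", "status": "active"},       # logged move
    "V003": {"name": "Cy Placeholder", "precinct": "07", "status": "inactive"},  # not logged
    "V005": {"name": "Eve Newvoter", "precinct": "03", "status": "active"},      # logged signup
}  # V004 is missing from the live roll and no deletion was logged
AUTHORIZED_LOG = [
    ("V002", "altered", seal(CURRENT_ROLL["V002"])),
    ("V005", "added", seal(CURRENT_ROLL["V005"])),
]

if __name__ == "__main__":
    print(unexplained_changes(snapshot(BASELINE_ROLL), CURRENT_ROLL, AUTHORIZED_LOG))
```

Run before pollbooks are generated, a non-empty result identifies exactly which records need to be restored from the baseline, rather than leaving the discrepancy to surface at the polling place.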

Ransomware

In the same vein, national security experts also fear a potential ransomware attack on electronic voter registration databases or voting machines.21 Ransomware attacks lock users out of their computer system and data by encrypting the computer’s files.22 Access is returned once the victim pays the hacker.23 While electronic voting booths are not directly connected to the internet, electronic voter registration systems are always connected to the internet unless they are undergoing maintenance.24 Since voter registration databases are the one piece of election infrastructure continuously connected to the internet, they are the most susceptible to a ransomware attack.25 An adversary could use a ransomware attack to lock election officials out of their electronic voter registration or certification systems, thereby preventing them from registering new voters, validating voter identities prior to the election, or certifying election results.26 The Department of Homeland Security’s Cyber Infrastructure Security Agency, in recognition of this unique threat, has recently started a program to help prepare states for potential ransomware attacks by distributing best practice guidelines, testing electronic voter registration systems for vulnerabilities, and continuously scanning election systems for ransomware penetration.27

Altering Ballots

A third concern is that a foreign adversary could alter or delete votes through a cyberattack on voting machines. Currently, voting machine security is largely within the purview of the states.28 While the Help America Vote Act of 2002 (HAVA) created the Voluntary Voting System Guidelines with voting machine security best practices, states are not required to follow these guidelines.29 Moreover, while most states follow the HAVA guideline requiring voting machines to be tested and accredited by the Election Assistance Commission, HAVA’s requirements to ensure voting accessibility have ironically led to many of today’s cybersecurity concerns.30

By mandating accessibility at the polling place, HAVA led to the widespread adoption of electronic voting systems that are vulnerable to attack.31 Meanwhile, HAVA’s computerized statewide voter registration requirements pushed states to adopt a centralized voter registration system, allowing a potential cyberattack to access all voter registration data in one convenient location.32 Since voting machines are theoretically disconnected from the internet, altering or deleting ballots should be the least likely cyberthreat.33 However, the guidance that voting machines should be disconnected from the internet is not always followed.34 In Virginia, voting machines were connected to the internet for programming and testing purposes until 2015.35 Upon further investigation, elections officials found that the internet connection would have allowed an outside intruder to infect the voting machines with malware that could be used to alter or delete votes.36 Moreover, even when voting machines are not directly connected to the internet, there are still strategies an adversary could use to alter or delete certain ballots. For example, cybersecurity experts have demonstrated how sophisticated malware could be introduced to a closed voting machine network to systematically hide vote altering technology, either by printing a fake ballot receipt or giving up the altered ballot if a vote verification receipt is called into question and a new receipt is printed to verify the error.37

Electronic ballot transmission is also a pressing cybersecurity concern. Nineteen states allow some voters to return ballots via email, and four states allow voters to return ballots through a web portal.38 Email and web voting is often used by diplomatic corps or military members stationed overseas, but some states also allow every voter to return their ballot through the internet.39 Importantly, email votes can be exploited if sent over an unencrypted connection—which they often are.40 A cyberattack on ballots sent over an unencrypted internet connection could hack an email server to prevent ballots from sending, replace ballots with fraudulent votes, or piggyback malware onto a ballot file to infect a vote counting network.41 While there are some security measures in place to prevent malware infections from returned ballots, they are woefully inadequate.42

Classifying Election Systems as Critical Infrastructure

On January 6, 2017, outgoing Obama Administration Secretary of Homeland Security Jeh Johnson designated election infrastructure as a Government Facilities critical infrastructure subsector pursuant to Presidential Policy Directives 7 and 21.43 Secretary Johnson explained that protected election infrastructure included “storage facilities, polling places, and centralized vote tabulations [sic] locations used to support the election process, and information and communications technology to include voter registration databases, voting machines, and other systems to manage the election process and report and display results on behalf of state and local governments.”44 The reason for this designation, according to Secretary Johnson, was to prioritize cybersecurity assistance for election infrastructure and provide coordinated communications about threats to state and local governments.45

Under Homeland Security Presidential Policy Directives 7 and 21, the federal government may designate as critical infrastructure “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”46 Once an infrastructure sector has been designated as critical, the federal government is tasked with providing assistance resources to strengthen critical infrastructure through a Sector-Specific Agency (SSA).47 This is done “to reduce vulnerabilities, minimize consequences, identify and disrupt threats, and hasten response and recovery efforts related to critical infrastructure.”48 The Government Facilities sector is managed by the Department of Homeland Security.49

After creating a critical infrastructure sector, an Information Sharing and Analysis Center (ISAC) serves as a centralized information sharing hub among sector members.50 ISACs provide threat assessments and analysis, allow critical infrastructure partners to exchange information, coordinate federal responses to cyberattacks on critical infrastructure, support law enforcement in their investigative responsibilities, analyze intelligence collected by other departments, and distribute intelligence to sector members.51 When the Government Facilities critical infrastructure involves state, local, or territorial governments, these governments are tasked with “implementing the homeland security mission, protecting public safety and welfare, and ensuring the provision of essential services to communities and industries within their jurisdictions, including mutual aid agreements and communication plans where feasible and appropriate” through State Homeland Security (SHS) strategies.52 State and local governments also often participate in emergency training exercises with federal departments and agencies when appropriate.53

Designation as critical infrastructure has several positive benefits. As part of the designation, the Department of Homeland Security offers to conduct election infrastructure cyber scans to probe for weaknesses, especially within voter registration websites.54 For states without the resources or funds to conduct these scans themselves, the critical infrastructure designation is crucial to discovering cybersecurity vulnerabilities.55 The critical infrastructure designation also permits states to utilize the Special Community Disaster Loans Program, through which the Department of Homeland Security offers $1.3 billion to aid in critical infrastructure protection.56 States could use this funding to patch vulnerabilities, update their election infrastructure, prepare for potential cyberattacks, and counter cyberattacks as they occur.57 Of course, the main benefit of the critical infrastructure designation is that it facilitates orderly information sharing and analysis in one centralized hub.58 By aggregating data and analysis, state governments will have better information about cybersecurity threats, trends, and countermeasures.59 As a result, state and local governments will have greater funding to respond to election vulnerabilities and better information about potential election security threats.

Conclusion

While the critical infrastructure designation may facilitate information sharing about cybersecurity threats and provide funding to respond to attacks, it will do little to alter the fundamental problems of aging voting technology and unsecured voter registration systems without further voluntary participation of the states. And, with many states concerned about federal overreach into state election administration, voluntary participation may be hard to come by. Overall, election interference remains a very real threat to U.S. National Security. The 2020 election will undoubtedly illuminate additional challenges that will need to be addressed in the future.

  1. Chris Cillizza, A Republican senator just completely denied the reality of 2016 election meddling, CNN (Nov. 25, 2019, 9:55 PM), https://www.cnn.com/2019/11/25/politics/john-kennedy-russia-ukraine-chris-wallace/index.html [https://perma.cc/6WRH-J7J2].
  2. Assessing Russian Activities and Intentions in Recent US Elections, OFF. OF THE DIR. OF NAT’L INTELL. 2–5 (2017), https://www.dni.gov/files/documents/ICA_2017_01.pdf [https://perma.cc/RPJ8-R5AJ]; SPECIAL COUNSEL ROBERT S. MUELLER, III, REPORT ON THE INVESTIGATION INTO RUSSIAN INTERFERENCE IN THE 2016 PRESIDENTIAL ELECTION 50 (2019).
  3. See ARTHUR L. BURRIS & ERIC A. FISCHER, THE HELP AMERICA VOTE ACT AND ELECTION ADMINISTRATION: OVERVIEW AND SELECTED ISSUES FOR THE 2016 ELECTION, CONG. RES. SERV. 11–14 (2016), https://www.justice.gov/storage/report.pdf [https://perma.cc/PY4L-BXLF].
  4. Id.
  5. Russia is not the only threat to U.S. election infrastructure. An attack could come from another nation-state, terrorist organization, or unaffiliated independent hacker. Both Iran and North Korea, for example, have been quietly increasing their cyber capabilities in recent years. See, e.g., Alex Ward, Microsoft says it notified nearly 10,000 customers that they were cyberattack victims (July 17, 2019), https://www.vox.com/2019/7/17/20697851/microsoft-russia-iran-north-korea-10000-election [https://perma.cc/UBD8-ELKK].
  6. Online Voter Registration, NAT’L CONF. ST. LEGIS. (Oct. 25, 2019), http://www.ncsl.org/research/elections-and-campaigns/electronic-or-online-voter-registration.aspx [https://perma.cc/V5X2-M742]. Washington, D.C., while not a state, also maintains an online voter registration database. Oklahoma, meanwhile, recently passed legislation that would make them the thirty-eighth state to enact online voter registration. Id.
  7. MUELLER, supra note 2. The specific technique used by the GRU is called SQL injection. Eric Manpearl, Securing U.S. Election Systems: Designating U.S. Election Systems as Critical Infrastructure and Instituting Election Security Reforms, 24 B.U. J. SCI. & TECH. L. 168, 168 (2018).
  8. MUELLER, supra note 2, at 50–51.
  9. See, e.g., Rick Pearson, 3 years after Russian hackers tapped Illinois voter database, officials spending million to safeguard 2020 elections, CHI. TRIB., Aug. 5, 2019, https://www.chicagotribune.com/politics/ct-illinois-election-security-russian-hackers-20190805-qtoku33szjdrhknwc7pxbu6pvq-story.html [https://perma.cc/D35B-BGP3]. In Illinois, for example, the GRU accessed the personal information of over 76,000 voters. Id. While Russia did not alter the data in this hack, the Department of Homeland Security stated that Russian hackers had gained sufficient access to be able to alter or delete the data if they had wanted to. Id.
  10. MUELLER, supra note 2; Manpearl, supra note 7, at 168.
  11. The U.S. Election Assistance Commission defines spear phishing as “A targeted attack by hackers, via bogus emails, that attempts to get the victim to provide login information or personal information to the hackers. Spear Phishing attempts may appear to originate from legitimate, known sources, such as organizational IT or known vendors.” INTRODUCTION TO INFORMATION TECH. FOR ELECTION OFFICIALS GLOSSARY, ELECTION ASSISTANCE COMM’N 8, https://www.eac.gov/assets/1/28/Glossary_IT-Terms_Managing_Election_Technology.pdf [https://perma.cc/JQ9R-ALX3].
  12. MUELLER, supra note 2, at 51.
  13. Id.
  14. Id.
  15. ALERT #T-LD1004-TT: TARGETING ACTIVITY AGAINST STATE BOARD ELECTION SYSTEMS, FBI (2016); Dustin Volz & Jim Finkle, Voter Registration Databases in Arizona and Illinois Were Breached, FBI Says, TIME, https://time.com/4471042/fbi-voter-database-breach-arizona-illinois/ [https://perma.cc/PBB2-NTVC].
  16. ALERT #T-LD1004-TT: TARGETING ACTIVITY AGAINST ST. BOARD ELECTION SYS., supra note 15; Volz & Finkle, supra note 15. Ironically, Arizona has been called an “innovator in paperless voter registration.” Online Voter Registration, supra note 6.
  17. Manpearl, supra note 7, at 173–75.
  18. Provisional Ballots, NAT’L CONF. ST. LEG. (Oct. 15, 2018), http://www.ncsl.org/research/elections-and-campaigns/provisional-ballots.aspx [https://perma.cc/5CMN-FXHH]. Especially problematic are the different state restrictions on counting provisional ballots. For example, some states will not count provisional ballots cast at the wrong polling place. Id.
  19. Isaac Arnsdorf, These Voters Had to Wait for Hours: “It Felt Like a Type of Disenfranchisement” (Nov. 6, 2018), https://www.propublica.org/article/these-voters-had-to-wait-for-hours-it-felt-like-a-type-of-disenfranchisement [https://perma.cc/D7H4-Q54F].
  20. See id.
  21. Christopher Bing, Exclusive: U.S. officials fear ransomware attack against 2020 election, REUTERS (Aug. 26, 2019), https://www.reuters.com/article/us-usa-cyber-election-exclusive/exclusive-us-officials-fear-ransomware-attack-against-2020-election-idUSKCN1VG222 [https://perma.cc/K7T4-MLQC].
  22. Id.; INTRODUCTION TO INFORMATION TECH. FOR ELECTION OFFICIALS, supra note 11, at 7.
  23. INTRODUCTION TO INFORMATION TECH. FOR ELECTION OFFICIALS, supra note 11, at 7.
  24. Bing, supra note 21; INTRODUCTION TO INFORMATION TECH. FOR ELECTION OFFICIALS, supra note 11, at 7.
  25. INTRODUCTION TO INFORMATION TECH. FOR ELECTION OFFICIALS, supra note 11, at 7; Bing, supra note 21.
  26. Bing, supra note 21.
  27. Id.; Election Security Resource Library, DEPT. HOMELAND SEC., https://www.dhs.gov/publication/election-security-resource-library [https://perma.cc/8EH7-5DDD].
  28. BURRIS & FISCHER, supra note 3, at 6.
  29. Help America Vote Act of 2002, 52 U.S.C. §§ 20101–20107, 20501–20511 (2018); BURRIS & FISCHER, supra note 3, at 6.
  30. 52 U.S.C. §§ 20501–20511; BURRIS & FISCHER, supra note 3, at 6 (explaining how HAVA’s voting machine accessibility standards led to greater adoption of Direct Recording Electronic systems, which are considered the most vulnerable voting machines to cyberattacks).
  31. 52 U.S.C. §§ 20101–20107; see also BURRIS & FISCHER, supra note 3, at 6–7.
  32. 52 U.S.C. §§ 20501–20511; see also BURRIS & FISCHER, supra note 3, at 6.
  33. Massimo Calabresi, How Russia Wants to Undermine the U.S. Election, TIME, Sept. 29, 2019, https://time.com/4512771/how-russia-wants-undermine-us-election/ [https://perma.cc/8VJP-9NCV]; BURRIS & FISCHER, supra note 3, at 4. But see SECURITY ASSESSMENT OF WINVOTE VOTING EQUIPMENT FOR DEPARTMENT OF ELECTIONS, VA. INFO. TECHNOLOGIES AGENCY (2019), https://www.wired.com/wp-content/uploads/2015/08/WINVote-final.pdf [https://perma.cc/22P6-FKS3] (demonstrating that voting machines can and have been connected directly to the internet).
  34. Manpearl, supra note 7, at 175–76.
  35. Id. at 176; SECURITY ASSESSMENT OF WINVOTE VOTING EQUIPMENT FOR DEPARTMENT OF ELECTIONS, supra note 33.
  36. Manpearl, supra note 7, at 176; SECURITY ASSESSMENT OF WINVOTE VOTING EQUIPMENT FOR DEPARTMENT OF ELECTIONS, supra note 33.
  37. BURRIS & FISCHER, supra note 3, at 13; JON GOLER & TED SELKER, SECURITY VULNERABILITIES AND PROBLEMS WITH VVPT, CAL TECH/MIT VOTING TECH. PROJECT, https://dspace.mit.edu/bitstream/handle/1721.1/96553/vtp_wp16.pdf?sequence=1&isAllowed=y [https://perma.cc/6F8J-JH8W]; see also Joshua Numainville, The Critical Infrastructure of Democracy: How Declaring that Election Systems are Critical Infrastructure Impacts Election Administration 21-34 (Apr. 24, 2020) (on file with author) (providing greater detail about different voting systems and their susceptibilities).
  38. Electronic Transmission of Ballots, NAT’L CONF. ST. LEGIS. (Sept. 5, 2019), http://www.ncsl.org/research/elections-and-campaigns/internet-voting.aspx [https://perma.cc/8YDQ-NZJ5].
  39. Manpearl, supra note 7, at 179–80 (explaining how Alaska allows all citizens to return ballots electronically due to its rural nature); Electronic Transmission of Ballots, supra note 38.
  40. Id.; What About Email and Fax, VERIFIED VOTING, https://www.verifiedvoting.org/resources/internet-voting/email-fax/ [https://perma.cc/9URX-JWNJ].
  41. What About Email and Fax, supra note 40. A malware attack through a returned absentee vote would involve attaching the malware to a PDF file, a file type that is already highly susceptible to malware infection. Manpearl, supra note 7, at 181.
  42. What About Email and Fax, supra note 40.
  43. STATEMENT BY SECRETARY JEH JOHNSON ON THE DESIGNATION OF ELECTION INFRASTRUCTURE AS A CRITICAL INFRASTRUCTURE SUBSECTOR, DEPT. HOMELAND SEC. (2017), https://www.dhs.gov/news/2017/01/06/statement-secretary-johnson-designation-election-infrastructure-critical [https://perma.cc/PQ5G-4744]. Presidential Policy Directive 7 was established in 2003 to create a national policy “for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attack.” HOMELAND SECURITY PRESIDENTIAL POLICY DIRECTIVE 7: CRITICAL INFRASTRUCTURE, IDENTIFICATION, PRIORITIZATION, AND PROTECTION, BUSH WHITE HOUSE, https://www.dhs.gov/homeland-security-presidential-directive-7 [https://perma.cc/V7AS-URF3]. Presidential Policy Directive 21, meanwhile, expanded on Homeland Security Presidential Policy Directive 21 by creating new policy goals, extending the purpose of the critical infrastructures program to protect not just against terrorist attacks but also cyber and physical attacks, and setting out further guidance on coordinated efforts between state and federal government. HOMELAND SECURITY PRESIDENTIAL POLICY DIRECTIVE 21 – CRITICAL INFRASTRUCTURE SECURITY AND RESILIENCE, OBAMA WHITE HOUSE (2013), https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil [https://perma.cc/FX3X-RL6D].
  44. STATEMENT BY SECRETARY JEH JOHNSON ON THE DESIGNATION OF ELECTION INFRASTRUCTURE AS A CRITICAL INFRASTRUCTURE SUBSECTOR, supra note 43.
  45. Id.
  46. USA PATRIOT Act, 42 U.S.C. § 5195c (d) (2019); HOMELAND SECURITY PRESIDENTIAL POLICY DIRECTIVE 21 – CRITICAL INFRASTRUCTURE SECURITY AND RESILIENCE, supra note 43.
  47. HOMELAND SECURITY PRESIDENTIAL POLICY DIRECTIVE 21 – CRITICAL INFRASTRUCTURE SECURITY AND RESILIENCE, supra note 43.
  48. Id.
  49. Id.
  50. Id.
  51. Id.; STEPHEN DYCUS ET AL., COUNTERTERRORISM LAW 173–74 (3d ed. 2019).
  52. GOVERNMENT FACILITIES SECTOR-SPECIFIC PLAN, DEPT. HOMELAND SEC. 11–12 (2015), https://www.dhs.gov/sites/default/files/publications/nipp-ssp-government-facilities-2015-508.pdf [https://perma.cc/A7AL-FESJ].
  53. Id. at 12.
  54. Allaire M. Monticollo, Protecting America’s Elections from Foreign Tampering: Realizing the Benefits of Classifying Election Infrastructure as “Critical Infrastructure”, 51 U. RICH. L. REV., 1239, 1258 (2017).
  55. Id.
  56. Id. at 1260.
  57. Id.
  58. GOVERNMENT FACILITIES SECTOR-SPECIFIC PLAN, supra note 52, at 11–12.
  59. See Monticollo, supra note 54, at 1262–63.