White House questions election security; experts do not
A number of infosec experts, election officials and government agencies say Election Day was free from hacking and cyber attacks, but the White House disagrees.
Members of the infosec community, government officials, and election security experts and vendors agree that while it may not have been perfect, Election Day was free from major cyber attacks and disruptions.
While some fear there are still election-related attacks on the horizon and concerns about disinformation campaigns remain high, a joint statement from the Elections Infrastructure Government Coordinating Council and the Election Infrastructure Sector Coordinating Executive Committees called the Nov. 3 election "the most secure in American History."
The statement released Nov. 12, included the Cybersecurity and Infrastructure Security Agency (CISA) Assistant Director Bob Kolasky, U.S. Election Assistance Commission Chair Benjamin Hovland and National Association of Secretaries of State (NASS) President Maggie Toulouse Oliver, among others.
"There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised," the statement said.
One week after the statement was released, President Trump took to Twitter to fire the director of CISA, Christopher Krebs, despite numerous reports of the agencies' diligence during the election. The White House, CISA and other U.S. election officials continue to disagree on the security of this election.
An attack-free Election Day
Awareness and communication were two major factors that helped improve election security this year. That communication included frequent alerts to any possible or emerging threats and was highlighted by the collaboration between state and federal governments. In addition, the monitoring of adversaries was key in staying ahead of threats.
Mark Testoni, CEO of SAP NS2, told SearchSecurity that the biggest contributor to 2020 election security was awareness that drove collaboration between federal and state government.
"The challenge for a perpetrator is when people become more aware," he said. "Education is an important aspect to security; it's not all technology, it's behavior patterns. States were much more focused. It's such a decentralized system if you're going to have an impact on the election, you have to pick the right precincts to have a big impact. So, top of it is awareness than collaboration, but it all started with awareness."
The decentralization of the American election system is both good and bad, according to Chet Wisniewski, a principal research scientist at Sophos. The good: It minimizes impact attack zone.
"Meaning, if you're Russia and you really wanted to tamper with the election itself, the problem is you've got 15 different types of equipment operated 25 different ways in 50 different states. So, to figure out how to disrupt each county and each state based on what kind of equipment they're using and what kind of manner they're handling the SD cards that have the votes on them," he said. "There's so much complexity to it that it'd be difficult to have a widescale impact on the American election."
CrowdStrike president and CSO Shawn Henry also told SearchSecurity that the most important first step in cybersecurity is awareness.
"The Department of Homeland Security, FBI and other government agencies were very diligent in providing emerging threats to the private sector as they developed," he said in an email to SearchSecurity. "They put together specific alerts regarding different types of malware and adversary tactics, disinformation campaigns, and they generally raised the bar for those organizations responsible for election infrastructure. This encouraged them to be vigilant for anomalous behavior in their environment."
Testoni also commended DHS's efforts in this years' election, referring to them and other parts of the government as the "coordinating body for cybersecurity at the federal level," particularly CISA.
"I think a lot of people in state government and people in the country were scared after the 2016 election. I think some of the federal organizations in homeland security, the CISA organization and others did a good job of identifying threats and reaching out," Testoni said.
Wisniewski also applauded CISA's efforts.
"The good thing about election infrastructure is that most of it is offline, and the voting equipment and the votes being counted and all that is not done in a way that would likely be impacted. What would be impacted is the voter rolls, the registration systems. Most every state allows voters to register online or verify that they're still on the voter rolls online, and because those were online there was an opportunity for ransomware to disrupt it," he said. "CISA did a very good job at monitoring the state operations from a central standpoint, trying to observe whether anything dodgy was going on and giving them a heads up."
Another factor in this year's secure election, according to Henry, is that organizations took the threat seriously and deployed appropriate mitigation technologies and strategies.
"CrowdStrike was protecting over 140 different agencies that were part of the election infrastructure from campaigns, to local municipalities, to organizations and companies in the supply chain, and those organizations put successful cybersecurity technology and strategies in place in advance of the anticipated threats," he said. "I also think that was done more broadly across the thousands of other organizations that are part of the election infrastructure."
Henry also observed reporting from U.S. intelligence that were actively monitoring adversary infrastructure.
"The U.S. government has capabilities also and, while they have not formally stated it, I think it's reasonable to assume that if they did see adversary actions to disrupt our election, they would have taken preventive measures," he said. "While we may not have seen attacks against the election infrastructure, we certainly saw attacks against the election via disinformation targeting the American electorate.
The spreading of disinformation
Disinformation campaigns that attacked the integrity of elections results are both homegrown and amplified by nation-state actors, according to Testoni.
"There's homegrown disinformation, there's probably more than surly state-sponsored or external threat of disinformation, and there's also the whipping up of that disinformation by various parties," he said. "It's our reality, whether it's the election or any sort of a number of issues, we find ourselves subjected to this in society now. We're always going to have people who are trying to push agendas on us whether its internal or external."
According to Henry, the disinformation is absolutely amplified by foreign intelligence services.
"They sit back and assess what's happening in America and magnify the divisive issues, all in an attempt to create chaos and confusion. Their use of social and mainstream media gives them great access to the broad populace. The impacts these governments are having is so great that they will continue well into the future," he said. "The targeting is not limited solely to the U.S. either, as we've seen this type of activity in democracies and elections around the world."
Challenges from nation-state adversaries are huge problems, especially during these challenging times, CrowdStrike CTO Michael Sentonas said.
"Obviously in the U.S. in the middle of an election and a transition there's heightened concern with that style of issue and what we did see [in the "2020 CrowdStrike Global Security Attitude Survey"] was that 83% of the U.S. respondents say their organization can't rule out being a target by any government, which is an interesting statistic. That's a big number."
One of the efforts to confront disinformation campaigns, whether homegrown or amplified, came from a "Rumor Control" page created by CISA, which covers pre, post and Election Day information.
"I think it's a great idea particularly since there's a lot of swirl post-election. Getting information out is great, and secondarily we have to look at ourselves because the country is so divided, people are looking for things that support their own positions. They just are," Testoni said. "I just sense that we have people in this country that aren't going to feel comfortable with the fact that we had a fair election and that's unfortunate because I think most of the indicators suggest we had a fair election. Was it a perfect election? No. But did it adequately represent probably what the American people wanted to say? Yes. I am more concerned with our institutions coming under fire when they shouldn't be."
In addition to the mis- and disinformation page, CISA and other agencies had its work cut out because of the diverse American election system, which Wisniewski said has its negatives and positives. The negative: There's 50 different state laws and more than 3,000 counties across the country, and each is potentially conducting elections differently.
"It's really hard for CISA or the FBI or anyone else to give solid advice to all these different county clerks all over the country on how to secure the election, because it's a combination of what their state laws are combined with what voting system they're using in that district which would alter how you give them advice."
Securing future elections
While multiple sources confirm that Election Day has come and gone securely, it doesn't minimize the fear of future threats.
"Why did Election Day cyber attacks that we speculated would take place not materialize? My response is -- we don't know yet that they didn't occur," said Bill Harrod federal CTO of MobileIron. "Foreign adversaries and nation-state actors are more likely to have caused high-profile and much-publicized attacks prior to the election in order to undermine confidence in the election process. However, on Election Day, these same bad actors may have leveraged "low and slow" attacks to collect data that can be used in subsequent attacks and to enhance the sophistication of the next round of phishing attacks."
The increased awareness around the 2020 election is important to maintain between campaigns as well, Wisniewski said.
"With all the attention on it this year, I think this is a really good thing that in 2024, I suspect we'll be on much better footing to ensure both the integrity of the vote and the security of the systems simply because of the amount of public visibility of the issue now," he said. "We're all talking about it, and that means it may get some of the money and attention it needs to shore it up."
Security news writer Alex Culafi contributed to this report.