Attempted cyber attacks had no effect on Maricopa County, Arizona’s election systems last year, but the misinformation and disinformation on social media was another story.
Lester Godsey, CISO for Maricopa County, spoke at RSA Conference 2021 in a panel discussion Thursday about 2020 presidential election security and discussed how disinformation posed a bigger challenge for his county than actual hacking. And the challenge continues as Maricopa County is currently embroiled in a controversial election audit -- though Godsey didn't directly address the audit or the misinformation connected to it.
The panel, titled "Election Security: Lessons from the Front Lines," featured a discussion between Scythe founder and CEO Bryson Bort, FBI section chief Cynthia Kaiser, Godsey and Geoff Hale, senior cybersecurity advisor at the Cybersecurity and Infrastructure Security Agency (CISA). The RSA Conference session discussed 2020 U.S. election security as a whole, as well as election interference from nation-states and misinformation campaigns.
At the beginning of the panel, Kaiser stated that there was no evidence of election interference -- a claim backed by experts and election officials. Nevertheless, massive amounts of misinformation spread online, mainly through nation-state threat campaigns aimed at undermining trust in the election results.
Hale said the wave of nation-state interference might continue.
"Never have we had this level of scrutiny on an election. And it's important to say that even though this was a model election, we had two APT [advanced persistent threat] actors present," Hale said. "This ODNI report describes both Russia and Iran being active on election infrastructure, being active in social media disinformation and influence campaigns. This kind of starts the new normal for what threats and risks on election infrastructure are. We saw the playbook in 2016; it evolved in 2020. We're going to have to be ready for it in elections to come."
Kaiser also expressed concern about foreign adversaries.
"What I worry about is a 2022 or a 2024 where adversaries believe they can conduct these activities with impunity -- that there's no consequences or risks to conducting activities that they're seeking to do," Kaiser said. "And I think that that's why FBI Director [Christopher] Wray announced the FBI cyber strategy in the fall that focuses on imposing risks and consequences on cyber actors. I think it's essentially about getting some of these adversaries to change their cost benefit when they're thinking about doing some of these activities in the first place."
Godsey said Maricopa County saw real-world effects of the misinformation around the election; at one point, the county picked up chatter on social media channels that showed protesters had formed a caravan to track and follow election staff as they traveled to different locations in the county. In terms of threats moving forward, he said misinformation will be an ongoing problem with or without the election.
"Social media, disinformation and misinformation was a game-changer for us, and I would go so far as to say from a government perspective moving forward, any cybersecurity or information security teams, they should be adding this to their portfolio services. Because this is not going to go away just because the election's over, frankly," he said. "I think we're in a new era, if you will, in terms of additional threats and risks as well as sources of information for all of this."
Godsey's role as Maricopa County CISO is especially relevant in discussing the "game-changer" that is misinformation, given events this week surrounding its recent election audit.
The county has been the subject of controversy related to an ongoing election audit conducted by multiple firms, including a Florida-based security company, Cyber Ninjas. The firm, which has no known previous experience auditing elections, has been working with Republican members of the state senate on the audit.
Firms associated with the audit accused the county of deleting information on voter databases -- an accusation echoed by former President Donald Trump. This accusation has not been proven and the data was not destroyed, but Ben Cotton, founder of CyFIR -- another firm working on the audit -- claimed Wednesday that it was initially deleted and has since been recovered.
The audit was criticized in a letter to Arizona Senate President Karen Fann that was signed by five Maricopa County supervisors, Maricopa County recorder Stephen Richer and Maricopa County sheriff Paul Penzone. The letter claimed, among other things, that Cyber Ninjas was incorrectly counting ballots, and the group requested an end to the audit.
The audit is still ongoing, and new information is coming to light by the day.
Toward the end of the session, Godsey addressed the vendor community and asked them to consider "the ramifications of their technology" in election security, and how perception can cause election disruption even if an event doesn't occur.
"There doesn't actually have to be an event that can cause disruption to the election," Godsey said. "It just has to have the appearance of an event."
Alexander Culafi is a writer, journalist and podcaster based in Boston.