When it comes to undermining democracy, even a failure can be a success.
Earlier this month, a Russian news report claimed that Michigan voter data had been hacked and ended up on the dark web. This report was later proven false -- no hack occurred, and all the "leaked" voter data was publicly available in the first place. Data protection and security experts say the intent was to sow disinformation and doubt by making voters believe their data isn't well protected. The goal wasn't to gain access to voter data, but to disenfranchise voters and propagate rumors of voter fraud.
Doug Cahill, vice president and group director of cybersecurity at Enterprise Strategy Group (ESG), said with the U.S. general election so close, attackers are purposely creating misinformation. Whether voter data is truly protected or not doesn't matter, because the objective is to create an air of controversy around the election process.
"Disinformation is more of a threat to voter confidence than any technology vulnerabilities," Cahill said.
Voter registry systems not the focus of bad actors
Voter data vulnerabilities aren't a significant concern, according to Neal Dennis, threat intelligence specialist and subject matter expert at Cyware Labs, a New York-based cybersecurity provider. Dennis served in the United States Marine Corps and worked as a counterintelligence analyst for the Air Force before switching to private-sector work in 2013. He has worked undercover online and investigated the Russian Business Network, in addition to providing cyberintelligence briefs to United States Strategic Command.
Dennis said since the 2016 election cycle, states and the federal government have taken a more proactive stance on protecting elections against cyberattacks. States are treating their voting systems like power plants and other utilities, by making everything as air-gapped as possible. An intrusion is difficult without compromising someone on the inside. On the federal level, the National Institute of Standards and Technology (NIST) has established cybersecurity guidelines and best practices. While it's not mandatory for all states to be NIST-compliant, it is a first step toward standardizing cybersecurity requirements nationally.
This article is part of
"I don't think fraud by cyber will be an issue. We'll see some attempts, but I'd be very surprised if someone got into a voter registry system," Dennis said.
So instead, bad actors such as opposing political parties and adversarial countries are attacking the integrity of the election process, said Barry Hubbard, principal consultant at Tio Oso Technology and Leadership.
Hubbard served in the U.S. Navy Pacific Fleet submarine force from 1974-1999 and spent his last four years there as CIO. He said protecting voter data is not a technology issue and claimed data protection vendors such as Commvault and Veeam can protect voter data just as well as enterprise data. However, for government agencies, buying the right technology isn't that simple. When purchasing networking equipment for his submarines, Hubbard had to follow a U.S. General Services Administration Schedule -- a long-term contract the government has with commercial entities. This limited his selection and often meant he could not implement what he knew to be a superior product.
Both Cahill and Hubbard said the lack of standardized election processes has created a challenge for protecting voter data. Each state handles the budgeting for and execution of elections differently. This leads to varying levels of technology investment and, ultimately, varying levels of data security. Cahill said he suspects that states with data privacy bills, such as California, also take voter data seriously, but he and Hubbard both find it problematic that security differs between states.
"Voters in Colorado shouldn't be any more secure than voters in New Jersey," Hubbard said.
Budgeting and building trust in election systems
Budgeting is another hurdle. Cahill said due to the COVID-19 pandemic, many state budgets are in the red, which makes it hard to drive voter data security initiatives. Worse, the cybersecurity skills shortage has been steadily getting worse, Cahill said, citing an ESG study published earlier this year. Top cybersecurity talent tends toward corporate positions with better pay, so local municipalities are often understaffed and running old systems.
"If you're a cybersecurity professional, the public sector isn't particularly interesting," Cahill said.
Hubbard, who has worked for private companies such as TiVo since leaving the Navy, added that in the private sector, purchasing decisions for data protection and other IT investments are based on ROI. However, government agencies tend to buy based on the lowest bidder, so long as the vendor satisfies the bare requirements of the IT project.
Manoj Nair, general manager of Metallic, a division of Commvault, said budgeting issues and lack of standardization are tied at the hip. When you can't get 50 attorneys general to agree on and enforce the same set of rules, it's impossible to write a playbook to budget against, Nair said.
Nair said one major difference between protecting voter data versus enterprise data is that the product must ultimately be sold to the end user -- the voters. Even if a state implements a truly bulletproof voting system with the most advanced security and data protection features, if voters aren't convinced their data is safe, they'll distrust the polling results or avoid voting altogether. Citing systems such as online shopping and banking, Nair said public trust in technology takes time.
"You've got to have layered, trusted systems, and it takes time to build these things," Nair said.
Marc StaimerPresident, Dragon Slayer Consulting
Nair said virtual or online voting are viable options, as the technology to do that safely currently exists and has already been implemented in some countries. However, he added that it would be a tough sell in today's political climate in the U.S.
According to Hubbard, an online voting system could be implemented by November if states put forth the effort -- but he highly doubts American voters would trust such a system.
Marc Staimer, president of Dragon Slayer Consulting, said protecting voter data from theft is important, but protecting it against unauthorized changes is even more so. He warned against vulnerabilities in the tallying software itself, which can tamper with votes before anything even goes into storage, but he added that it doesn't even take something that drastic to affect an election. A bad actor gaining access to a voter database could change addresses or party affiliations. A minor change could invalidate a vote by making a citizen appear to have voted twice or voted in the wrong county.
"It's not so much protecting the data; it's protecting against the mischief people can get up to by changing it," Staimer said.
Staimer said for all the investment in technology and electronic and online voting, mail-in ballots are still the most secure way to vote. Anything that doesn't leave a paper trail is vulnerable to tampering -- it's just one more consideration for trying to build an election system that keeps voters and their data safe.