author photo
By Bruce Sussman
Tue | Mar 3, 2020 | 3:15 AM PST

There is a lot hanging in the balance with 2020 Super Tuesday voting.

Where does election security stand? What has the U.S. done about election cybersecurity since 2016?

Christopher Krebs is Director of the Cybersecurity and Infrastructure Security Agency (CISA), a federal agency that did not even exist during the last presidential election.

Here is a look at some of the election security questions Krebs answered on stage recently at the RSA cybersecurity conference.

How big is the job of elections cybersecurity?

"So the technical challenges are actually underpinned by the broader administrative challenges of elections in the United States. Article 1, Section 4 of the Constitution says the states will determine the time, place, and manner of conducting the federal elections. And that has manifested itself into about 8,800 election jurisdictions across the country."

Which elections security lessons did we learn from 2016?

"What I've been saying is this: 2016 was a wake-up call front to back, wake-up call across the federal government. At the same time, state and locals in 2016, they didn't realize they were on the front lines of this geopolitical conflict, and they now are all aboard."

What kind of attacks must elections officials defend against in 2020?

"You have to think about the strategic objectives [of those who would interfere]. This is my view of the strategic objectives of the atmosphere: to be able to change the vote at scale in an unprecedented manner.

Given the decentralized nature of the individual voting machine in the United States, this is really complicated. It's a high investment, there's a lot of risk with it, and it's going to be difficult to achieve. On the other hand, what if you just targeted one or two jurisdictions in key spaces and then you amplify that? So what we've got to be able to do is work with our partners in state and local, work with our defense and intelligence community partners, and then inoculate the public. We can share this is what they're going to try to say, this what they might try to do.

This is the point, though, that it's not about a single outcome of an individual race. It's about a broader destabilizing of the public, of our confidence in the system. That's what was so shocking, I think, about 2016. 2016 was the first time, I think, for the elected officials and for the American public to truly understand that cyber could destabilize a democracy. And that's where we are."

What about paper ballots as the ultimate in election cybersecurity?

"Why are paper ballots important? So that you have an auditable record. That's just a core tenet of IT security that you can audit the process and look back at the log. Same thing goes for voting. If there's any question, you can go back to the paper.

What we have done over the last couple years is to give a lot of attention on risk assessments across the system, all the way from registering to vote to certification of the voting process, and trying to figure out where the risk really is across these systems.

And I think what we've discovered, not surprisingly, is the areas where information is centralized—and it's highly networked—that's where a lot of the risk is. What is that? Voter registration databases sort of the last year again, ransomware, thinking through some threat modeling what a threat actor might do, not even a nation state actor but a criminal.

Since about last year, we put a lot of focus on providing vulnerability management capabilities in the systems to state and local jurisdictions to get ahead of them, so we can harden as much as possible, but we also recognize that 100% security is not achievable. So we're focusing on increasing resilience. So let's say you have a ransomware event, you have an offline backup that you can test. 

We have a dedicated information sharing and analysis center for states, and about 2,500 jurisdictions are engaged. So again, the American people need to understand that we are taking this seriously, we are engaged on it, but 100% security is not going to be the outcome."

Some elections systems are only electronic

And while a lot of progress has been made on election security, some areas of the United States are using what security experts consider to be high-risk election machines. They have no paper trail.

Politico recently reported on this:

"Millions of voters across the country will cast ballots during Super Tuesday on old, insecure election equipment—even after nearly four years of handwringing and warnings about Russian election interference.

The jurisdictions at risk include three of Tennessee's biggest counties—Shelby, Knox and Rutherford—where the paperless voting machines at the polls will include devices with security flaws so alarming that voters tried suing to have the equipment removed from precincts. Dozens of small counties in Texas are also sticking with risky touchscreen machines that have no paper trail to help detect tampering or malfunctions. And in California, Los Angeles County is debuting new voting machines that have drawn scrutiny for security weaknesses, as well as their developer's past alleged ties to the Venezuelan government."

As CISA Director Christopher Krebs put it, "We also recognize that 100% security is not achievable."

Perhaps we can get closer to that goal by the general election in November 2020. We shall see.