Election Security: Recovering from 2016, Looking Toward 2020

Months away from another presidential election, many wonder whether the United States has the protections and processes in place to secure its most important elections. Research shows 2016 was a wake-up call of sorts, prompting federal, state, and local officials to work together.

Cisco Talos researchers began a long-term investigation into election security issues following the 2016 breach of the Democratic National Committee's servers. Four years of research are summarized in a new report, which encompasses the elements of US election infrastructure, the complex role of political theory, the progress made since 2016, and the work that still needs to be done to protect elections.

"The big thing was just how complicated the field of play is here," says Matt Olney, director of threat intelligence and interdiction with Cisco Talos. The factors in an election-focused attack range from the federal government, which has a limited role in elections but an outsize role in terms of intelligence and capabilities, to the local level, where people sign on to help with elections and find themselves in the crosshairs of advanced and highly targeted cyberattacks.

Researchers say the attackers' primary motivation is to undermine not only the core integrity of individual elections but the faith and trust people have in state institutions to fairly run them.

This is more than a technical problem, Olney says; it's a public perception problem. Officials also must consider how they can technically secure elections in a way that reinforces their community's faith that they're doing their job well. Adversaries understand how they can weaken the trust between people and government, reducing officials' ability to address issues.

"It's a play to reduce the ability for the US to react and affect work affairs," Olney explains.

In the report, Talos researchers detail various parts of election infrastructure and how officials should approach their security. Election management systems (EMSs), for one, coordinate the roles of the states and localities, and may include jury pool management, voter registration, ballot management, and election reporting. The EMS is a high-profile target for attackers because it's an accepted way for localities to change the voter registration database, the researchers report.

Voter registration databases — central databases holding registration information about voters — have been targeted in the past and are expected to be in the crosshairs going forward. 

The biggest improvement made between 2016 and 2020 is the growth of information sharing, says Olney. The Cybersecurity and Infrastructure Security Agency has taken on a role as a "security focal point" for the federal government. The agency has begun to offer phishing tests and vulnerability scanning; its staff members have flown to different states to provide support and share their understanding of security threats.

Information sharing goes both ways, Olney explains. The creation of the Election Infrastructure ISAC (EI-ISAC) "has been critical" in terms of pulling information into a centralized location to better understand the threats that states and localities are facing. EI-ISAC has deployed Albert intrusion detection and flow analysis systems to state and local authorities, the report states.

"The most important relationship, really, in election security is that state and local bond," he says. "Ultimately, the things that are being attacked are part of the state and local networks." Because states and localities cannot face state-sponsored actors alone, this collaboration, and the communication of efforts to voters, are essential to protect the integrity of US elections.

Related Content:

Register now for this year's fully virtual Black Hat USA, scheduled to take place August 1–6, and get more information about the event on the Black Hat website. Click for details on conference information and to register.