Not everyone, however, feels prepared to face these threats, according to a new survey of election officials and workers. The Center for Digital Government* conducted the survey in November on behalf of cybersecurity company Arctic Wolf, polling a mix of folks from city, county and state government.
Topping the list of threats respondents are expecting are disinformation and phishing.
DISINFORMATION
False and misleading narratives are a persistent challenge that the advance of generative AI has only intensified.
“Just in the last six months, we've seen deepfakes improve so they're not as easy to detect as they were six months ago or a year ago, and that’s going to continue,” said, Marci Andino, senior director of the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), who spoke about concerns she's heard from election officials.
Similarly, the new study found that nearly 51 percent of state and local government respondents named disinformation campaigns as a top election cyber concern.
To reduce risks, officials should work to raise awareness among staff, voters and local media about how deepfakes could be used in elections, Andino said. For example, a bad actor might create a deepfake of an election official sharing the wrong polling hours.
State and local officials should also start early to establish their official websites as trusted sources of information for voters to compare with information on social media, she said.
PHISHING
Phishing is getting more sophisticated, and election officials face unique challenges combating it.
Traditional cybersecurity training warns against clicking on emailed links or opening attachments from unfamiliar senders, but election officials regularly receive email from voters they don't know. They may also need to open attachments like absentee ballot applications, Andino said.
Election teams can reduce risks by isolating email systems from the rest of the network, so successful attackers can't get to the rest of the network, said Arctic Wolf CISO Adam Marrè. Relatedly, federal Voluntary Voting Systems Guidelines call for air-gapping voting and election management systems associated with election administration from other networks, as a defense measure.
Marrè also suggested using alternatives to email, such as online forms where more restrictions can be set, such as disabling attachments. If email does need to be used, anyone handling it should be trained on avoiding phishing.
“If someone is going to be sorting through that inbox, it needs to be someone who realizes that that should require their full attention, their full vigilance,” Marrè said. “It’s not a casual activity.”
Andino also said election officials can join the EI-ISAC for free and get cyber tools that help, like the Malicious Domain Blocking and Reporting solution, which may stop computers connecting to malicious sites after links are clicked.
Finally, it sounds simple, but teams should also be wary of attackers pretending to be voters or other election staff members. This might require going to extra lengths to verify legitimacy.
DATA BREACHES AND MORE
As survey respondents eyed the 2024 landscape, they were most concerned with election interference coming from China, followed by the U.S. and Russia.
Other top election security concerns included “hacking attempts in the election process, websites or systems” as well as ransomware on election infrastructure and technical glitches. Respondents also feared manipulation of election results or voter rolls, tampering with electronic voting machines or systems, and cloud services compromises.
Data breaches are another concern Andino hears from officials.
Last year saw such incidents in jurisdictions like Hillsborough County, Fla., and Washington, D.C. Voter lists contain sensitive info like Social Security numbers, alongside publicly available data. Constantly hearing about that kind of thing can make voters question the entire process, down to the outcome of the election, Andino said.
And officials are also concerned about attacks that take down sites that post election results or help voters find the polls.
Not knowing exactly what threats look like makes preparation difficult, Andino said, but election officials can focus on basics like ensuring staff has up-to-date knowledge, or the network is protected.
Marrè also encouraged election officials to tabletop possible scenarios, helping them think through issues and establish procedures ahead of time.
* The Center for Digital Government is a division of e.Republic, Government Technology’s parent company.
