Election officials are not as prepared as possible for cyberattacks that rogue actors may pursue in the coming cycle.
The Iowa caucuses will take place next week, which means that elections and their security will be something voters consider when engaging. A vital component is the technology used to host the voter roll and gather the votes. While officials regularly strive to ensure the technology is safe on Election Day, there is a struggle to provide the infrastructure required to run a safe and secure election for all.
“What’s vulnerable and the threats that election administrations face is everything leading up to and after Election Day,” Stephen Boyce, a cybersecurity lecturer at Marymount University, told the Washington Examiner.
State of cybersecurity in elections
While state and local election officials have been navigating cyberattacks for several years, the vast majority do not feel prepared for this year’s election. Less than 4% of state and city government leaders said that they were fully prepared for election-targeted cybersecurity attacks, according to a survey by the cybersecurity firm Artic Wolf.
A significant part of election officials’ struggle is a lack of funding. Over one-third of government officials said their elections team had “somewhat” or “very inadequate” funding for addressing cyber concerns in 2024, according to Artic Wolf.
State and county officials typically are expected to provide the funding for digitally securing an election, including cybersecurity needs. However, MIT Election Data and Science Lab director Charles Stewart III told the National Conference of State Legislatures in August 2023 that most jurisdictions are underfunded. Several counties lacked the resources in 2022 to hire enough poll workers, defend against violent threats against officials, and fend off cybersecurity attacks.
“It’s much more costly to defend against a cyberattack than to launch one,” Scott Algeier, the executive director of the Information Technology-Information Sharing and Analysis Center, told the Washington Examiner.
The second element for protecting voter data is ensuring staffers are trained to protect against and detect some of the most basic cybersecurity threats. Only 50% of election officials said they received election-specific cybersecurity awareness training, according to Artic Wolf.
“If a culture of security does not exist at a specific office or location, it is unlikely that they will take the preemptive and proactive measures necessary to secure their networks, systems, and data,” Amy Chang, a senior fellow of cybersecurity at the R Street Institute, told the Washington Examiner.
Some of the greatest threats to voter data can come through the most mundane sources of communication.
“A critical threat to election security remains in the basics, often starting with emails or SMS messages where ‘bad actors’ target election officials through phishing schemes to compromise credentials,” Patrick Flynn, an executive at the cybersecurity company Trellix, told the Washington Examiner.
Email is particularly powerful for hackers because it can be “highly customized” to look like official communications from related parties, Flynn notes. These emails can then be used to find key information needed to break into infrastructure systems and to steal and damage the software required.
The lack of funding and limited training can lead to slip-ups by those overseeing local elections.
One of the most recent examples of an electoral security failure was the breach of the District of Columbia’s Board of Elections in October 2023, when more than 600,000 lines of voter data were stolen by the hacker group RansomVC. The data were stolen through a breach of the Board’s web host provider and put the private data of over 400,000 voters at risk, according to the Board.
The data theft was so significant that it led to Committee on House Administration Chairman Bryan Steil (R-WI) and Subcommittee on Elections Chair Laurel Lee (R-FL) sending a letter to the D.C. Board demanding answers about why it did not reveal the number of affected users until December 2023.
“We know that cybersecurity creates challenges across the board,” Steil told the Washington Examiner. “But we need to ensure that not only the D.C. Board of Elections but all election operations across the country are secure.”
Local election officials also reported surges of malicious emails aimed at them in the 2022 election cycle, according to the FBI.
There was also the July 2016 hack of the Illinois Board of Elections, after which 12 Russians were declared guilty of stealing the voter data of over 500,000 residents.
CLICK HERE TO READ MORE FROM THE WASHINGTON EXAMINER
Thankfully, some federal aid is available to staffers to help remediate the gaps. The Cybersecurity & Infrastructure Security Agency provides several resources for local and state election officials to protect their election infrastructure and data. These include tools for providing timely and actionable threat information and developing tools for detecting malicious behavior. Officials also often cooperate through groups such as IT-ISAC, which share information and offer remedies to those in need.
The Help America Vote Act of 2002 also provides grants to improve local county elections, although those depend on Congress.
