- November 2020 elections are vulnerable to cyberattacks
- Experts in Indiana are helping election officials prepare incident response plans
- Pandemic has meant replacing in-person exercises with online webinars
With November fast approaching, election officials across the US are examining every aspect of voting. The COVID-19 pandemic has added greater urgency to the ever-present specter of cyberattacks and foreign interference.
In 2016, Russian hackers targeted voter registration databases, a key revelation in the Robert Mueller report. Cybersecurity professionals suggest this could happen again. In particular, they warn against ransomware, a scenario in which cybercriminals compromise computers and demand a ransom from election officials in return for an encryption key to unlock election records.
A Senate Intelligence Committee report in July 2019 listed numerous examples of cyberattacks, including a malicious cyberactor who stole a county employee’s credentials via phishing and posted them online for hackers to use.
Additionally, cybersecurity professionals are worried that hackers will go after election officials with malware or denial-of-service attacks, or man-in-the-middle schemes, also known as eavesdropping, where the attacker intercepts and relays messages between two parties who believe they are interacting with one another. Once attackers are in the conversation, they can filter, manipulate, and steal sensitive information.
To guard against these types of attacks in Indiana, the Secretary of State invited a team of cybersecurity experts from Indiana University (IU) to improve election cybersecurity incident response plans (IRPs). The IU team started working with county election officials from across the state in the fall of 2019 in an effort to mitigate risk from cyberattacks.
In December 2019, the IU team held in-person tabletop exercises designed to prepare for real-world scenarios, such as an election-day power outage, stolen poll books, or other cyberattack. During these scenarios, the IU team helped guide participants to think about things that may not have emerged organically through the table discussions.
“Many of the election officials were happy to share their experiences during the tabletop exercises. There were some ‘aha’ moments both at the tables and during the larger group discussions,” said Kelli Shute, project manager for IU’s Center for Applied Cybersecurity Research.
Mark Bruhn, former head of safety and security for IU, addressed the attendees: “Think of your IRP as an insurance policy for when bad things happen – one that you hope you never have to use.”
“The IRP, coupled with a set of playbooks, will help reduce stress and indecision in a very difficult situation,” Bruhn said. “Of course, you will still need to apply your expertise and experience to the situation, but I guarantee you that your IRP and playbook will be invaluable in a cybersecurity crisis.”
In February 2020, the team hosted nine more workshops across the state. They invited election officials from all of Indiana’s 92 counties to attend. The goal was for each county to create or update its cybersecurity IRP and create playbooks with checklists and procedures for specific scenarios.
The county IRPs and playbooks came in handy as election officials scrambled to adjust to fewer available poll workers and many more absentee ballots during the primary, postponed from May to June due to the pandemic.
With the state primary completed, the IU team has identified ways to further support election officials in the run-up to the general election on Nov. 3. No longer able to host in-person workshops, the team, with help from cybersecurity students, is recording webinars for election administrators, and providing live online training sessions.
“We continue to make ourselves available to counties during their incident response planning, taking calls, and reviewing and commenting on what they are developing,” said Bruhn. “We are planning to stand up a support center that will take those calls and materials and get them to people who can help the counties with whatever issue they are working through. That assistance will be provided through the November election.”
After the elections in November, the IU cybersecurity team will conduct lessons-learned sessions with Indiana county election officials to find out how things went, what troubles they encountered, and how they handled them, leading to improvements in the plans they have developed. The team will also make recommendations for how to continue to improve Indiana’s election cybersecurity well into the future.