IE 11 is not supported. For an optimal experience visit our site on another browser.

Volunteer hacker army boosts U.S. election cybersecurity

Networks remain "absolutely ripe for a disruptive or destructive attack by a capable adversary," one cybersecurity official said.
Image: Iowa Caucus
Officials from the 68th caucus precinct overlook the results of the first referendum count during a caucus event on Feb. 3, 2020, at Drake University in Des Moines, Iowa.Tom Brenner / Getty Images file

As election officials across the country prepare for November without knowing if they'll receive additional federal funds, a new volunteer group hopes to ease their cybersecurity concerns for free.

Some states pay private companies for cybersecurity, while others rely on in-house staff or federal assistance. But nearly all have had to drastically rearrange their budgets this year to focus on holding an election during a pandemic, such as covering an influx of mailed ballots and buying cleaning supplies and personal protective equipment.

All must contend with assuring people that their vote, no matter how it is cast, counts and is secure, even in the face of President Donald Trump throwing doubt on the very processes used to elect him, as he did in a tweet Thursday.

With Congress still debating what the next coronavirus relief bill will look like, and a proposal from Senate Republicans that offers no additional funding for election officials, states are anticipating the possibility that they won't receive any additional resources before November.

While the federal government does provide some free election cybersecurity tools, states are under no obligation to use them. The Department of Homeland Security offers state and local election directors some free cybersecurity services, and the Election Assistance Commission, an advisory agency that is the closest thing election officials and election system makers have to a federal regulator, recently released a free online cybersecurity course.

Ben Hovland, the chair of the commission, said he welcomed any free help to local election officials.

"If there's one drumbeat I consistently hit, it's state and locals need resources," he said.

Now, a University of Chicago initiative called the Election Cyber Surge aims to act as matchmaker between local election officials who may not have access to cybersecurity services and qualified experts who want to help. Officials will be able to choose an area of concern, then pick from a list of professionals willing to help via phone or video chat, a necessity during the pandemic.

"The need is obvious, but the help exists," said Maya Worman, a former longtime government cybersecurity strategist who is leading the project.

The program will begin with about 50 vetted volunteers, she said, with that number likely to double. Most were identified through a university database of trusted cybersecurity professionals, and have at least a decade of experience in the field.

Since last fall, the Department of Homeland Security has warned that voter registration systems and county governments are at particular risk from ransomware, which hackers use to encrypt a network and demand a ransom for a key to unlock it. Criminal gangs regularly target local government networks in the U.S. with ransomware by searching for networks with unpatched vulnerabilities.

The Department of Homeland Security's top cybersecurity official, Chris Krebs, said at a panel earlier this month that despite strides the U.S. has made since 2016 to bolster its baseline security, election-adjacent networks remain "absolutely ripe for a disruptive or destructive attack by a capable adversary" in the lead-up to or the aftermath of Election Day.

Krebs added that the U.S. so far hadn't seen in 2020 the level of cyberactivity aimed at election infrastructure in the summer of 2016. In that year, hackers working for Russian military intelligence accessed the Illinois voter registration database, as well as two Florida counties, though officials said no votes were changed.

Elizabeth Howard, senior counsel for the Democracy Program at the Brennan Center for Justice, a New York University think tank, called the Cyber Surge initiative "a much needed resource."

"Election officials in jurisdictions of all sizes in all states are potential targets of cybercriminals, hostile foreign nation states and other bad actors," she said. "Unfortunately, some of these jurisdictions lack the resources necessary to implement and maintain robust cybersecurity measures, and this concern seems much more likely to affect small election jurisdictions, which may run on a staff of only one or two."

The need is even more striking at the county level, where a chief election official is usually a local resident who won a small election and there's a slim chance of having in-house cybersecurity staff.

"We know how expensive things are, and that the cyber skills shortage is more profound in smaller places that can't recruit, can't pay, can't compete in any way with larger, more attractive places where people with these high-level skillsets want to be," Worman said.

Fears that a foreign intelligence service or ransomware gang would interfere with a voter database or election reporting system remain high.

Cyber Surge traces its roots to Def Con, the largest American hacker conference. Since 2017, Def Con has hosted a "voting village," where hackers take turns breaking into decommissioned election equipment. As the conference has gone virtual in 2020 because of the coronavirus pandemic, the Cyber Surge program is recruiting additional volunteers through its forums.

Harri Hursti, an organizer for both the Voting Village and Cyber Surge, said the latter can particularly help local election officials who don't know how to begin securing their networks.

"The issue we are addressing is a lot of the local election officials have no access to talent," he said. "There is no requirement to become an election official in most of the U.S. — so for anyone who wins the race on the ballot, now you have the job, no previous experience required."