08 Nov Midterm Election Integrity Requires More Than Just Cybersecurity

As adversaries sow chaos, experts warn on the importance of transparent security

– David Braue

Melbourne, Australia – Nov. 8, 2022

The assumption that better election security comes from widespread adoption of new e-voting technology is demonstrably false, a security expert and former White House CIO has argued as Americans take to the polls for the most significant elections since the 2020 Presidential vote.

With control of both chambers of Congress up in the air, the midterm elections could dramatically tilt the nation’s political climate — and that, Theresa Payton told Cybercrime Magazine, makes it more important than ever for citizens to educate themselves about the way their elections are handled in their local areas.

With every municipality embracing its own voting procedures and working with a different mix of technology, Payton — who spent more than two years as White House CIO under President George W. Bush, and is now CEO of security firm Fortalice Solutions and a member of the Cyber Defenders Council — emphasized the importance of “knowing your duty as a citizen of your state and as a citizen of the town that you live in.”

“[Find out] what you need to do to make sure your vote is counted the way you intend it to be counted,” said Payton, whose recent book Manipulated recounts the war against election systems being waged by cybercriminals in the shadows.

Such activities have become a standard part of the playbook for disruptive nation-states, with Vladimir Putin confidant Yevgeny Prigozhin this week seemingly admitting on social media that Russian agitators “interfered, are interfering, and will interfere” with U.S. elections.

“We need to remember that we have foreign adversaries who don’t care who wins our elections,” said Gordon Lawson, CEO of security firm Conceal, who joined Payton to talk about election security as voting day approached.

“They just want the American public to believe that the elections were not legitimate — and so we have a common enemy in this fight. This is a place where we can come together as a nation, no matter what side of the aisle you’re on.”

Vigilance and engagement are key to fighting back, Payton said, advising citizens to both watch out for and report irregularities at polling stations, avoid repeating unsubstantiated claims about the election’s results or integrity, and familiarize one’s self with the mechanisms that local governments offer for reporting inconsistencies.

With heavy scrutiny on the election amidst ongoing campaigns by critics of the 2020 election, “people need to have faith that there’s probably going to be irregularities and there’s probably going to be people speaking up against results,” Lawson said.

“That doesn’t mean we don’t have a strong system to work through that,” he continued, “and that also doesn’t mean that we shouldn’t be investing the time in the cybersecurity protections for the systems.”

Think globally, vote locally

Although the highly fragmented nature of America’s voting infrastructure prevents top-level manipulation of results, the wide spectrum of voting technologies at a local level highlights the need for robust cybersecurity measures, a recent Moody’s Investors Service report noted in warning of the potential credit risks stemming from “a potential wave of cyberattacks and influence operations aimed at undermining confidence in the U.S. election infrastructure.”

Even as some voting districts turn to electronic voting systems on the assumption that they provide stronger cybersecurity protections, however, on the ground many cash-strapped municipalities are relying on often low-tech voting solutions that offer strict process control and high degrees of auditability.

“There will be some cities and counties where, based on the demographics and the funding available to them, certain types of voting are not going to make a lot of sense,” Payton said.

In one area, that may mean “punch card ballot voting that everybody knows, loves, doesn’t get confused about and knows how to use”; in others, she said, “there may be a very tech-savvy demographic that wants to adopt new technology, and maybe that technology is being tested and piloted in that area.”

Election fraud was a risk long before computers factored into the process, she said, and because of this election authorities had long ago developed processes and failsafe mechanisms to flag potential manipulation of voting results.

One nameless state, for example, uses unique cartridges that are assigned to each voting machine and locked inside before each ballot, to legitimize the results from that machine.

If the system were manipulated in any way, Payton said — for example, by opening it and trying to substitute a different cartridge — “the machine will actually throw an error because it will know that it’s not the cartridge that was assigned to it, and it will wait for reprogramming instructions before it will accept a new cartridge.”

“Somebody would have to walk over and fix it,” she continued, “and all of this will be happening in broad daylight in front of everybody.”

Multiple layers of failsafes are part of the necessary operating procedures and processes to preserve election integrity, Payton said, noting that “board of elections officials have thought long and hard around how they secure the vote.”

“Even if it doesn’t come across as the most technically elegant solution, sometimes there is security through obscurity — not everybody being on the same thing.”

No matter how much local election authorities work to secure elections, however, Payton said individual developers of e-voting systems must also be held accountable — ideally by federal authorities that have an interest in ensuring that the vote’s outcome is unimpeachable.

“Anybody who creates election security software and equipment has a duty of care to make sure they’re part of the supply chain in the ecosystem of voting,” she explained, “and that they’re holding up their end of the bargain by doing third party assessments, ethical hacking, scenario planning, digital disaster playbook planning, and so on — and if they’re not, they should be held accountable for that.”

“When somebody says that something is completely unhackable, that’s not accurate in this time and place in the world — but I do believe there are multiple layers of physical security and mitigating controls that should assist officials to ensure that the way the vote was cast, and the way it was intended to be cast, is the way that it is counted.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.

About Conceal

Conceal provides a capability that protects people and critical assets against the most advanced threat actors in the world. We are fundamentally changing the approach to cybersecurity by creating a platform where security practitioners can see the latest threat vectors and implement enterprise-wide solutions that comprehensively protect their organization.

With our Conceal platform, we take those core capabilities and evolve them into a commercially available product that incorporates intelligence-grade, Zero Trust technology to protect global companies — of all sizes — from malware and ransomware.

Conceal is leading the fight to protect enterprises from cyber threats — if there is malware, we detect, defend and isolate it from users and the network.