Election-Related Threats and Defenses

Even if you have spent the last year living under a rock, you must be keenly aware that Tuesday, November 3rd, is Election Day in the United States. This year’s election has seen substantial early voting, record spending in certain races up and down the ballot, and a host of electronic dangers to the electoral process, including threats to voting machines, registration lists, and significant infiltration by disinformation intended to sway voters one way or another. As such, it is worth attempting to clear some of the fog away and understand where we should concern ourselves and what defenses we can employ. 

Let’s start from the ground up.

For many years, experts in hacking, elections, and computer security have warned that electronic voter machines have security vulnerabilities that could allow an attacker to alter vote counts. This is especially of concern where the voter’s interaction with the touch screen or other interface replaces any paper record, because absent a paper ballot that confirms the voter’s intention, an electronic record is more easily altered or deleted. Despite how easily accessed these machines can be from the Internet, attacks against voting machines remain an inefficient technique for a hostile nation-state or other foreign adversary, since the scope of such an attack is typically limited to those counties or precincts where these vulnerable machines are in use. Truly subverting the outcome of even a statewide race requires an enormous amount of effort, potentially on the ground at the polling place, or at least in range of its Wi-Fi network. The fact also remains that, while a bad actor may have a stake in affecting the outcome of a relatively local election, the probability of a large, capable organization doing so remains relatively small.

And though election machines themselves are indeed vulnerable, voter registration databases present a potentially more efficient target. An attacker targeting a county or municipal voter registration list could disenfranchise those voters without their knowledge until they turn up to vote. In some states, voters can register and vote on Election Day, but may not come to the polls with the required proof of residence in hand. In other states, removal from the roll of registered voters after a certain point precludes voting at all. Many states use modern software for registration, with reasonable protections for securing their sites. However, many other state or municipal governments have constraints on their budgets or resources for the relevant security either endemic to the software or for its proper use. With that being said, it’s not only a software issue, as many of the users are the election officials—mostly ordinary citizens working for their county or municipality a few days a year to facilitate elections. As such, they may not have much security training, and may rely on shared user accounts to access these systems when performing voter registration drives or early voting activities. This kind of usage could allow an attacker to obtain the credentials necessary to attack such a system and adversely affect voter registrations.

Though election hardware and software do need securing, citizens at the ballot box are also being targeted by disinformation, which actually provides the greatest one-to-many potential for large, foreign-threat actors—especially since their efforts to spread disinformation or incite certain actions over social media or similar venues have the largest audience and can be conducted entirely remotely. Election disinformation from 2016 is widely and well documented, and many of the techniques learned about how to target key voting blocs or how to propagate disinformation have already appeared in the 2020 election. Still, while disinformation remains a potent and effective threat to free and fair elections, its singular weakness is that it can only influence the decisions people make—disinformation cannot actually compel a specific outcome. To combat it, voters and public officials can disregard obvious disinformation or compare it against credible news sources for accuracy, but this is, of course, easier said than done. Voters in this election, like nearly everyone else, largely live inside their own information bubbles, which may or may not include credible news and information, and thus, may or may not compete with aggressive disinformation. Someone deeply affected by conspiracy theories or inclined to believe the news they wish to believe is not easily swayed towards the actual truth, and that steadfastness remains more a matter of psychology and sociology than information security. Even still, voters who have not fallen prey to disinformation can consciously choose to weigh the information they receive from their sources and can very often avoid the most harmful disinformation by doing so.

Irrespective of any political position, the United States, like all modern democracies, rests on the foundation of free and fair elections. Resisting attempts to undermine the electoral process or the public’s faith in said process remains an essential task for both informed voters and public officials. This means understanding the threats, taking steps to combat them, and regularly considering the effectiveness of both. As such, it is important to understand how individual voter registration works in your state, how the voting process works in your states, and how to manage the sometimes-disparate pieces of information about the voting process. 

Election Day is November 3rd. Please go vote, and make your voice heard.

About the Author

Jacob Ansari

Jacob Ansari is the Security Advocate at Schellman, where he leads the firm's security best practices advocacy. Jacob develops and leads educational efforts on security practices, emerging and extant threats, and related industry developments for both internal and external audiences, and regularly represents the firm as an experienced security practitioner, security officer, and industry expert on technical information security matters and leadership in the space. Jacob has also acted as the CISO for the firm and has an extensive history in a client facing role as the technical lead for Schellman’s PCI services. Additionally, Jacob has experience with other Payment Card Industry assessment services, namely Software Security Framework, PA-DSS, P2PE, 3DS, and PIN. Jacob has extensive technical expertise on matters of information security, compliance, application security, and cryptography, and has been performing payment card security assessments since the card brands operated the predecessor standards to PCI DSS. Over the 20 years of his career, Jacob has spoken extensively on security-related matters, trained and mentored assessors, and contributed to groups on emerging standards, advisory bodies, and special interest groups.

More Content by Jacob Ansari
Previous Article
My Adoption Story
My Adoption Story

Schellman's Sabrah Wilkerson shares the adoption story of her son Jonah, in honor of National Adoption Month

Next Article
Breast Cancer Awareness Month
Breast Cancer Awareness Month

Schellman's Misty Jacusis shares her breast cancer diagnosis and treatment story in honor of Breast Cancer ...


First Name
Error - something went wrong!