67 days. This is the time left until the 2020 Presidential Election.
As we all know, a secure and resilient electoral process is a vital national interest – it also plays an important role in a free and fair society – the cornerstone of American democracy.
Election security has emerged as a key component of national security policy over the past several years. Since 2016, multiple U.S. agencies have pledged to increase the level of support to state and local election officials in their efforts to protect elections. The federal government, as well, has prioritized the sharing of threat intelligence and provided support and services that improve the security of election infrastructure across the U.S.
So, how prepared is the U.S. government – at the federal, state and local level – to protect the democratic process? To find out, we talk to Richard Bird, Ping Identity's Chief Customer Information Officer (CCIO). He is a "Swiss Army Knife" security expert, who has his hands in everything from consumer privacy and regulatory design, to election security and consumer ID protection. He works with the White House Senior Director of Cybersecurity Policy, as well as others at the Social Security Administration, and has done projects like helping Colorado enable residents to use their smartphones as driver’s licenses. Prior to working at Ping Identity, he was JP Morgan’s Global Head of Identity.
Security Magazine: What is your title and background?
Richard Bird: I'm the Chief Customer Information Officer for Ping Identity. I'm biased, but I think it is the best job in the security solutions world as I get to be an advocate for customers around the globe. Not just on behalf of Ping but also with regulators and lawmakers in the US, Canada, Australia, the UK and the EU. I'm a former security solutions customer and practitioner. I had worked more than 20 years in IT executive management before leaving the corporate world a couple of years ago. I've held roles from being a merger integration director to a global head of identity to CIO to CISO. I've also been an elected official, which isn't very common for those of us in cybersecurity.
Security Magazine: Let’s talk about election security. What are the security risks associated with the Presidential Election of 2020?
Bird: The security risks for our next Presidential Election really break down into three separate categories, which is a fact that isn't really broadly communicated in the media. These risks are election influencing, non-standardized local control and then state level vote count manipulation. I'll get to the state and local level stuff momentarily, because it is a risk that is broadly misunderstood in our country. First and foremost, the use of digital media channels to influence elections in our country has been raised to the level of "epidemic." Big Tech, with less than 90 days to our election, has just now started to put the most basic levels of effort into trying to curb election steering. This failure in corporate leadership has, in turn, become an indirect security risk to our electoral system. I say indirect, because while foreign actors and internal entities are influencing elections - the voter still needs to ultimately take action at the ballot box. So while election steering gets a lot of media attention it doesn't remotely represent the greatest risk to our election security.
Most citizens aren't aware that the federal government doesn't actually control elections in America. Since the founding of the nation, elections have been a local affair. Every county in the country has a board of elections. Those county authorities are loosely federated under a state election board or commission. The federal government has almost no direct control over either. And that is where the greatest security risk lies. At the county board of elections level, we're talking about 3007 independent entities with 3007 different technology infrastructures and almost no standards or regulations guiding the use of technology or security solutions. We already have evidence of successful ransomware attacks at the local level. And at the state level the same ransomware possibilities exist but are compounded by the security threat of a bad actor accessing the total vote data and manipulating it. Many states have outsourced these vote aggregation functions, putting even more risk into the system as voting numbers are transported from one digital location to another.
Security Magazine: Currently, what are the challenges with securing the US’s election infrastructure?
Bird: For certain, the biggest challenge to securing election's infrastructure is changing a model that has existed for over 240 years in America. We've operated under a highly distributed, unfederated election model for a very long time and trying to introduce a model that would have strong standards and security controls might even set up a battle between the states and the federal government over Constitutional authority. It is a really sticky problem to try to fix - because our founders never really envisioned a world where there would be anything but paper ballots and strong boxes. In the digital era, the centuries old election infrastructure in our country just hasn't aged very well at all.
I think it is interesting that this actually corresponds to what we see in the corporate world in the United States as well. Security can't be leveraged in a meaningful and effective way if the underlying governance doesn't exist or is insufficient. Which means, election security isn't really a security problem. It is a governance problem first and foremost. We actually have all the technical capability and innovation needed, right now, to create really well guarded elections. We have no way at all to implement those technologies universally until we change the model itself.
Security Magazine: How likely is it that adversaries/malicious actors try to undermine the democratic process and/or influence public sentiment through misinformation, or disruptive cyberattacks on state and local infrastructure?
Bird: Guaranteed. Because it is highly effective. Which brings up another interesting correlation worth mentioning. The United States has built up our security capabilities at the public and corporate levels, as defenses in a traditional war setting. Firewalls and keys and passwords; all remnants of how we have fought battles for centuries. But, the targeting of humans with phishing and social engineering tactics? That is guerilla warfare. The digital world, particularly through social media, has created a universe where humans can be targeted en masse and influenced through the timeless application of fear, uncertainty and doubt. And when it comes to attacking the infrastructure itself? With local entities like school districts and law enforcement agencies being successfully compromised on a regular basis with ransomware, the win rate for the bad guys is just too high to not keep pressing those types of attacks.
Security Magazine: How does the current COVID-19 pandemic add to the threat landscape of this year’s presidential election?
Bird: Fear, uncertainty and doubt. Hopelessness. Helplessness. Anger. Anxiety. It is interesting to consider that the real threat to our elections is probably emotional. Human beings are, statistically speaking, really bad at personal security and risk management. There's a reason that things like the Darwin Awards exist; in general, we make a lot of really bad or risky decisions over the course of our lifetimes about our own security. When you add in all the possible negative emotions created by this challenging pandemic, you don't have an environment that leads to better decisions. From polling place violence to voter suppression, the added tension of the pandemic could lead to some really bad choices by folks across the country on election day.
Security Magazine: How can those in charge of protecting our elections (state and local CISOs/CIOs/Security leaders) combat cyber threats and enhance election infrastructure resiliency?
Bird: Given that it is unlikely that the federal government will actually lead the way in providing guidance, direction and standards on election security (not to mention financial resources), I think it is inevitable that states will need to begin to work together to propagate a set of practices, solutions and methods to secure our elections. States themselves will need to become much more prescriptive in demanding those same standards be used across the counties in their states. We aren't going to move the needle on election security with the loosely federated model we have today.
On a personal level, I think it is also time for corporate America to step up and provide technology and support for our electoral democracy. When one company controls more than 50 percent of the voting machines in our nation, we have a concentration risk problem we need to acknowledge. The corporate world has greatly benefited from our form of government. Maybe it is time for those same companies to provide the kind of technology and security horsepower that these state and local leaders need; free of charge.