Election security, misinformation threats loom large ahead of the US midterms

As the United States nears the 2022 mid-term elections, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) issued two back-to-back public service announcements (PSAs) that address the state of play when it comes to election integrity. The first announcement, seemingly designed to enhance voters’ faith in the election process, said the two agencies “assess that any attempts by cyber actors to compromise election infrastructure are unlikely to result in largescale disruptions or prevent voting.”

The PSA notes that neither the FBI nor CISA have seen “reporting to suggest cyber activity has ever prevented a registered voter from casting a ballot, compromised the integrity of any ballots cast, or affected the accuracy of voter registration information. Any attempts tracked by FBI and CISA have remained localized and were blocked or successfully mitigated with minimal or no disruption to election processes.” But threats are still present given that “election systems that house voter registration information or manage nonvoting election processes continue to be a target of interest for malicious threat actors,” the PSA adds.

The second PSA warns “of the potential threat posed by attempts to manipulate information or spread disinformation in the lead up to and after the 2022 midterm elections.” Specifically, foreign actors might intensify “efforts to influence outcomes of the 2022 midterm elections by circulating or amplifying reports of real or alleged malicious cyber activity on election infrastructure. Additionally, these foreign actors may create and knowingly disseminate false claims and narratives regarding voter suppression, voter or ballot fraud, and other false information intended to undermine confidence in the election processes and influence public opinion of the elections’ ‘legitimacy.’”

The agencies warn that threat actors might use a wide variety of online outlets, including spoofed websites and emails, text messages, and faked personas, among other tactics, “to spread disinformation and claim successful cyber compromises of election infrastructure, evidenced by ‘hacked’ or ‘leaked’ US voter registration data, suggesting compromise to the voting process or election result integrity.

US Cyber Command and NSA chief General Paul Nakasone agreed with the FBI and CISA on the absence of evidence regarding any significant plans for cyberattacks against the election. Speaking at a Council on Foreign Relations event, Nakasone said, “We are seeing no significant indications of attacks that are being planned right now.”

Recent developments point to continued election threats

Since the PSAs were released, several developments have highlighted the ongoing and active presence of security threats and disinformation campaigns aimed at midterm voting.

• Cybersecurity firm Trellix identified efforts to target county-level election workers in the cyber realm who are also targets of threats in the physical realm.
• Researchers at Recorded Future concluded that Russian, Chinese, and Iranian malicious actors are poised to launch disinformation campaigns to sway US voters.
• Russian-speaking threat group Killnet took credit for launching DDoS attacks against the websites run by Colorado, Connecticut, Kentucky, and Mississippi governments.
• According to newly examined emails and contracts, an additional county in Georgia, Spaulding County, was the victim of a destructive partisan effort led by former Trump lawyer Sidney Powell to discover voting fraud, with local officials colluding with Republican operatives to steal sensitive election system data. This news broke less than a month after surveillance video footage showed Cathy Latham, a former GOP chairwoman of Coffee County, GA, who is under criminal investigation for posing as a fake elector in 2020, escorting operatives working with Powell into a restricted area of the county’s election office and leaving them there for hours to access and possibly copy the county’s voting systems and data.
• Sources say that FBI agents in field offices across the country have notified some Republican and Democratic state party headquarters that they might be targets of Chinese hackers. The notifications follow an NSA memo that said the Chinese hackers, suspected to be the group formerly known as APT 1, scanned more than 100 US state-level political party domains.

Election system software breaches could be a blind spot

The PSA regarding election security seems a little simplistic to some security experts. “I don’t want to sound like an alarmist, but I think we have to look at some dark facts of the reality,” Susan Greenhalgh, senior advisor on election security at Free Speech for People, tells CSO. Greenhalgh, who is also a consulting expert to the plaintiff in the Curling lawsuit against Coffee County in Georgia, says she’s worried about the PSA on election security because it “seems to include a blind spot, which is that there have been all these software breaches around the country,” not just in Georgia but also in Michigan, Colorado, and Nevada and other places where we may not know that “stuff like this is happening.”

One of Greenhalgh’s primary concerns about the software breaches is that “people went out of their way to break the law to copy voting system software over a year ago. And those are people that wanted to disrupt the election in 2020. I think if you have people that have access to software and copied it, that needs to factor into any risk assessment to see how they may wish to use the copies that they went to great lengths to obtain to disrupt future elections.”

The theft of voting data could also exacerbate the disinformation problem flagged in the second PSA, Greenhalgh warns. She says computer scientists have told her that potential election disrupters “could be using the copied software to manufacture evidence of voting system issues.”

This kind of disinformation and manipulation seems like a “stretch” to election security strategist Greg Miller, one of two co-founders and chief operating officer for the Open Source Election Technology (OSET) Institute. “A lot of pieces would have to come into alignment, but it’s not beyond the pale; it’s not beyond reality,” he says.

Rogue election officials exacerbate the problem

The OSET Institute is nonetheless very concerned about the security breaches in Coffee County and elsewhere, which prompted the group to put out a statement in July about the “unspoken dangers of what has happened now that the perimeter security has been breached. You now have elections officials willing to go rogue or to drink the Kool-Aid or however you want to characterize it, and allow people to come in, unlock doors, or go through back alleys, whatever, and take equipment off to hotels, disassemble them, extract data, and then post that data. That is an unbelievable breach, and it completely exacerbates the problem we already have with giving blueprints out to attackers to launch even more insidious potential attacks.”

Miller thinks that the security PSA is a “pretty vague statement. There are three things that statement could mean. It could mean that they’re talking about successful cyberattacks that actually affect election outcomes. On the other hand, they could be talking about successful cyberattacks that did not affect election outcomes but did, in fact, breach IT systems. And then they could be talking about unsuccessful cyberattacks that didn’t breach any system, but they were in the public knowledge; people knew about it.”

The problem with the vagueness, Miller says, “is that the second and third items there, the successful attacks that didn’t affect anything but did breach a system or the unsuccessful attacks that didn’t do any harm, but everybody knew about it, are prime fodder or destroying public confidence.”

Foreign actor threats against the media need attention

Adam Clayton Powell III, executive director of the Election Cybersecurity Initiative at the USC Annenberg Center on Communication Leadership and Policy, tells CSO the PSA on election security strikes an appropriate tone even if “the Russians keep trying the doorknobs. It’s not as if somehow this threat has gone away; it’s just that we are in a better position to defend election systems and campaigns than in the past.”

Powell thinks one threat hasn’t received enough attention: potential foreign threat actor attacks on the media. Gary Pruitt, the former CEO of Associated Press, said that during the 2020 election, his news organization was subjected to thousands of cyberattacks from Russia leading up to election night. During one of the workshops Powell’s group runs for election officials and campaign workers, Powell asked Pruitt to explain what would’ve happened if Russia had succeeded in one of those attacks. “He said, ‘Oh, it’s very simple. We would’ve had no election returns that night,’” Powell says.

Powell agrees with the greater emphasis CISA and the FBI have placed on the dangers of misinformation. “It’s much more cost-effective for bad actors, foreign and domestic, to use disinformation and misinformation to cast out on democracy itself, on the election itself, and the election outcome,” he says. “That doesn’t cost a lot.”