Lucas Ropek put up a moderately long piece on Governing last week on the threat of ransomware attacks on state and local government websites, and the specific threat such attacks may pose for elections. Ransomware comes from the world of cryptovirology, the use of cryptography to design troublesome and powerful software that can create “trapdoor” scenarios where only the attacker can undo the damage they create. Lucas dives deep into the problem, interviewing Aman Bhullar, chief information officer for the Los Angeles County Registrar-Recorder/County Clerk.
The piece also cites Andy Kroll’s thorough treatment at Rolling Stone last January that expressed strong concern about foreign elements throwing the election into chaos, allowing the incumbent president to claim it was rigged and clog the electoral system up with litigation rather than conceding. But Kroll’s piece also contains a grain of hope: although the current administration is not fully prioritizing cybersecurity, and the Senate won’t “vote on bipartisan bills that would require transparency by tech companies on advertising spending and make paper backup ballots mandatory in elections,” government security agencies have still accomplished a lot on their own, unencumbered by an administration that doesn’t really know how they can prohibit what they are refusing to prioritize.
But Lucas’s Governing story is really about local elections, which remain a concern because of paid cyber hitters. Federal law enforcement agencies can chase down those bad players after the fact, but there is currently no national cybersecurity system in place covering municipalities, or even state governments.
Granted, there is a federal Election Assistance Commission that hosts a website on security and election preparedness, but the content is primary advice and the site does not provide much in terms of additional resources. There are articles like “Using your procurement process to improve security,” which ignores the lack of meaningful procurement power for many municipalities in the wake of devastating losses in income thanks to anti-tax ideology and Wall Street shenanigans. Municipalities are seemingly all alone in this fight — they had been on their own through the Obama administration, and are on their own even more so now.
So although Russia and China aren’t interested in state and local elections, individual “cybermercenaries” can be paid to mess things up, and they have the ability to do so. Bhullar concedes that “the incentive for criminal hackers to target county election offices is high.”
Concern over county elections was amplified when cybersecurity company BlueVoyant released a report a couple of weeks ago. The report suggests that municipalities across the country vary greatly on experience, technical knowledge, and political prioritization of election cybersecurity.
It’s important to note that the threat is not in the manipulation of vote counts. The real threat is public confidence in elections, and that threat is definitely already impacting US elections. In fact, it has done so since before 2016: long before the president claimed millions of undocumented immigratnts were voting, or investigations concluded that Russian hackers had interfered with elections. If this lack of confidence trickles down to municipal and state races, however, it could damage solid local bulwarks for confidence in democracy itself.
One innoculatory force that writers on this topic aren’t considering is the role of candidates and campaigns themselves, and how they communicate with their voters. If it’s true that bad-faith or paranoid candidates can spread disinformation concerning the legitimacy of elections, its similarly true that good-faith candidates can use technology found in services like Accurate Append, deep canvassing tools, and their own technological portfolios to communicate with voters during election crises, or even talk about issues of election security before voting begins. It could be both provocative and hopeful to hear candidates explain election security challenges and also pre-empt their opponents’ irresponsible speculations about it.