States add armor in fight against election disruptions

Four years ago, when Russian hackers attempted to break into election computer networks around the country, local and state officials were left to rely mostly on federal agencies to find out what happened and to figure out how to respond.

Four years later, many states have built or vastly expanded their own capabilities to prevent and respond to cybersecurity attacks on their voting systems and other government computers. Communication is far better among states and local election offices and between those offices and federal election security monitors. Some state officials are also taking on the task of responding to disinformation and misinformation being spread about the election.

With six days until the voting stops, and the nation awaiting reliable if not rapid results, the final exam for election security 2020 has hardly been completed. But at the moment a passing grade that helps preserve the fragile credibility of American democracy seems possible — and it's the states that may have earned it.

Colorado, which has already become a model for the states that have switched to mostly voting by mail because of the coronavirus pandemic, is again taking the lead.

In July, Democratic Secretary of State Jena Griswold announced the formation of RESCU, a clever acronym standing for Rapid Response Election Security Cyber Unit. The five-member team is led by Nathan Blumenthal, an expert in election threat prevention and counterterrorism who previously worked at the Department of Homeland Security, on the National Security Council and for the director of national intelligence.

Sign up for The Fulcrum newsletter

"Colorado leads the nation in election security," Griswold claimed in making the announcement. "And we must continue to innovate to stay ahead of threats."

According to the National Conference of State Legislatures, her state is among at least 15 with a chief information security officer in the governor's office — a position that is established in Colorado law and oversees statewide security management programs.

A handful of states, including deep blue Massachusetts and battleground Ohio, also have chief privacy officers. These people deal with issues like computer privacy at state universities.

Colorado's unit was created using some of its share of federal funds distributed among the states for election security. Congress allocated $805 million in the past two years for those grants, and Colorado's share totaled $13.4 million.

Fifteen other states used some of these funds to hire staff to work on election security, according to a review of the applications filed with the federal Election Assistance Commission. Several applications made it clear that the positions would end when the federal funding expired.

Experts have said additional funds were needed by the states this year for election security and to help with additional costs related to the pandemic. But the money was never delivered because months of negotiations — mainly between Treasury Secretary Steve Mnuchin and House Speaker Nancy Pelosi — failed to yield a deal before Election Day on another package to stimulate an economy plagued by surging Covid-19 cases.

Last week, Griswold announced a new initiative to combat foreign misinformation efforts. The three-pronged effort uses social media, digital outreach and a website.

Government officials say they believe the Russians have switched tactics this campaign season and are focused much more on misinformation to weaken public confidence in the election than on hacking into computer systems. In September, the FBI and the Cybersecurity Infrastructure Security Agency issued a general warning about attempts to spread misinformation leading up to Election Day.

Then last week, the FBI announced that Iran and Russia were leading a misinformation campaign and were targeting voters whose registration information (which often is already public record) they had obtained.

The special website created by Griswold's office provides accurate information about problems with voting, and some advice on how to spot and respond to problems.

Another resource new since the 2016 election is the Elections Infrastructure Information Sharing and Analysis Center.

Backed by the Department of Homeland Security and set up in 2018 by the nonprofit Center for Internet Security, the sharing center provides the country's more than 8,800 state and local jurisdictions a place to coordinate and swap information on election security.

Yet another resource that several states have tapped into to help fight cyber attacks is the intelligence and IT expertise in their National Guard structures.

Earlier this month, Democratic Gov. Jon Carney of Delaware issued an executive order authorizing the state's National Guard Cybersecurity Squadron to help deal with possible attacks.

"We receive direct threats every day," said Jason Clark, the state's acting chief information officer.

He added that he had not yet seen "any specific targeting of our election systems here in Delaware to date."

Florida, once again a key battleground in the presidential race, remains one state where officials and the public are again being left in the dark about election-related cyber attacks.

Members of the state's congressional delegation had asked Director of National Intelligence John Ratcliffe for information about the state's involvement in a misinformation campaign that was announced last week. But the legislators were told on Monday that the director's office did not have time to brief the delegation.

Ratcliffe had said at a news conference that Iran obtained voter data and used the information to send phony emails, including several hundred to Floridians. The emails were purportedly from fascists and threatened people if they did not vote for President Trump.

It was eerily similar to last year, when federal officials told GOP Gov. Ron DeSantis the names of two counties where election computer systems had been hacked during attacks by Russian operatives in 2016. No data was taken and no votes changed.

But in exchange for finally getting the information, DeSantis had to promise to keep the names secret.