Cyberwarfare / Nation-State Attacks
,
Fraud Management & Cybercrime
,
Government
State Officials, Security Experts Warn of Increased Cyberthreats Ahead of Vote
U.S. state officials and election security experts say federal funding for safeguarding election IT infrastructure is falling short of heightened cyberthreats but aren’t hopeful for a boost during the final weeks before the national vote.
See Also: New OnDemand | People-Centric Security for the Public Sector
Secretaries of state from across the country testified before Congress on Wednesday, warning that insufficient federal funding is hindering modernization efforts. They urged lawmakers to restore funding not approved by House appropriators for a program under the Help America Vote Act of 2002 that enables states to upgrade voting systems.
Arizona Secretary of State Adrian Fontes praised the Cybersecurity and Infrastructure Security Agency and the Department of Homeland Security as “vital” partners for state and local election officials (see: Inside CISA’s Unprecedented Election Security Mission). But he also said federal cyber and election security guidance often comes without necessary funding and told the House Administration Committee: “There is still more we could do at the federal level to support the hardworking Americans who run our elections.”
“If this is such a big deal, and it’s so important that we continue to have free and fair elections, fund them,” he later said.
Most experts agree that American election infrastructure is largely secure and resilient to targeted attacks. But the stakes are high, and the Nov. 5 presidential polling day will occur amid heightened global tensions as foreign adversaries deploy digital influence campaigns and other cyber tactics to undermine public confidence in the electoral process. The Department of Justice recently seized dozens of internet domains and announced sanctions against Russian media executives for orchestrating a widespread campaign to influence the presidential election (see: US Targets Russian Media and Hackers Over Election Meddling).
The FBI recently confirmed Iran was behind a hacking campaign that targeted both Vice President Kamala Harris and former President Donald Trump’s campaigns, resulting in the release of a research dossier that included information on Republican vice presidential nominee Sen. JD Vance, R-Ohio.
Congress isn’t likely to pass any legislation or grant new expansive funding for election security efforts before November, according to David Becker, election law expert and executive director at the nonpartisan Center for Election Innovation and Research. But even if Congress did approve new funding for election administration, the money “wouldn’t really be able to be spent in time to have much of an impact,” he told Information Security Media Group.
“There has not been adequate funding at either the federal or state level of elections overall,” Becker said.
Recent reports identify state voter registration databases as prime targets for domestic and foreign threat actors. A September report from The Center for Election Innovation and Research warns of potential breaches if election staff fail to follow secure access policies, such as using multifactor authentication or adhering to the principle of least privilege.
“We are seeing an increase in cyberattacks on critical election infrastructure, such as voter databases and election systems,” Theresa Payton, CEO of the cybersecurity firm Fortalice Solutions and former White House chief information officer, told ISMG. “This multifaceted approach to undermining elections – from cyber intrusions to the manipulation of public discourse – is one of the most dangerous threats we face at the core of our country.”
CISA released a checklist on Monday that election security officials and their IT teams can use to evaluate their current cybersecurity posture and identify any additional actions needed to address common threats. Senior officials previously told ISMG the agency is “committing more resources than ever before” toward election infrastructure ahead of the November vote and deploying a team of election security advisers to each of its regional offices nationwide to strengthen front-line support for local election workers.
James Turgal, vice president of global cyber risk at Optiv and former executive assistant director of the FBI’s information and technology branch, called the checklist a positive step but said it lacks critical information required to adequately secure local election IT infrastructure.
The checklist “does not even remotely refer to the steps or themes that information technology professionals need to focus on to protect the candidates, the back office and election office data and ecosystems,” Turgal said. He added that a recent joint advisory from CISA and the FBI on the effect of DDoS attacks on voting machines “fell short of providing actionable guidance that a CISO or CIO can use to secure their environment.”
Experts told ISMG that election and campaign officials should prioritize improving coordination with federal and state agencies and implementing robust training programs to address and mitigate these threats.
“Election offices should have policies in place to defend against social engineering attacks,” Turgal said, adding that all staff and volunteers should participate in social engineering and deepfake video training.
“Every campaign and state election office should secure cyber subject matter experts to build resilience in their people, systems and procedures,” he added.
As the campaign season continues to intensify ahead of the November vote, so too does the accompanying threat landscape – and the need for expansive national election security efforts. Experts say inadequate resources and funding risk leaving election systems exposed. And with emerging technologies adding new complexities, safeguarding the integrity of the electoral process has never been more critical.
“While we have made significant progress in securing voting infrastructure, the rise of AI-driven disinformation campaigns has introduced new challenges,” Payton told ISMG. “This evolution requires a more comprehensive approach to election security that addresses technical vulnerabilities and the human manipulation of information that can sway voter behavior.”
Defending the upcoming vote will also require a concerted effort to fortify existing systems and implement rigorous security protocols to ensure that all election staff and volunteers are well-prepared.
“We are in a better state in regard to cybersecurity than we’ve ever been,” Becker said Wednesday. “That’s largely due to the professionalism of election officials at the state and local level – not because of an adequate amount of funding, which we’re still lacking.”