The computerization of elections has made the voting process vulnerable to hackers. Imagine: voting machines manipulated by foreign adversaries, city infrastructures crippled by ransomware on Election Day, and disinformation about results proliferating on social networks after the election.
So now what?
Fortunately, says Chris Krebs, the director of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), low-tech systems -- like mail-in and absentee voting -- are safe because they generate auditable paper trails.
"Auditability is a key tenet of ensuring you can have a secure and resilient system," said Krebs in an interview with CNET. "Really what we're talking about here is that if you're able to detect any sort of anomaly or something seems out of the ordinary you want to be able to kind of roll back the tape. If you've got paper you've got receipts, and so you can build back up to what the accurate count is."
Krebs emphasized that no election is perfectly secure. Of particular concern, said Krebs, are voter registration databases and election night reporting systems, because they are connected to the internet. "They're highly visible and they really [encompass] each individual state's activities. So that's what we're worried about at this point."
Disinformation is also a challenge, but Krebs says CISA has had success collaborating with social media firms to identify and reduce the impact of propaganda campaigns.
"We've been so effective in understanding how [foreign adversaries] are doing it," Krebs said, adding that the CISA office has had success "sharing information with the social media companies. And to their credit, they've done a great job of disrupting these activities. You're disrupting that coordinated and inauthentic behavior, but that just means that you know [adversaries] are not giving up or not throwing their hands up in the air moving on. They're actually just evolving their techniques."
Ransomware attacks targeting state and city election computers remain a significant threat, Krebs said. "We do think that state and local [governments] have a particular vulnerability or particular exposure" to ransomware attacks. "They are, in some cases, under-resourced or under-capitalized. So you've got more vulnerable and out-of-date systems that may be in place."
He warned that foreign adversaries might target under-funded and vulnerable election systems in order to undermine Americans' faith and confidence in the election and the democratic system overall.
"It seems a little far-fetched if you're in the middle of Nebraska and you're on the front line of the geopolitical conflict. It doesn't make a whole lot of sense," said Krebs. "When these actors come in they're not waving the Russian flag, not waving the Chinese flag. Cyber-actors, by their very nature, particularly intelligence services, want the cloak covert action and secrecy."
CISA recently released guides designed to help local officials identify potential vulnerabilities by partnering with both the federal government and election security experts in the private sector. "Our job is to help support in this case election officials across the states and country," he said.
Krebs said he has full confidence his vote will be counted accurately on Election Day, and that American voters should also be confident in the process. Because states and municipalities, not the federal government, are responsible for elections, different communities' voting systems are unique. This adds a layer of security, Krebs said, because an attacker couldn't compromise all those individual systems with a single breach.
"Election officials and state local election officials are professionals. They are natural risk managers. They deal with a whole range of threats," said Krebs. "You have to have the utmost confidence in these professionals that are conducting elections on an annual basis. The intelligence community, the Department of Defense, the law enforcement community, my team here -- we are working as well and as closely on any single issue."