Coronavirus creates new election threats, experts warn at Black Hat

"We have to engage now" to get this right, security luminary Matt Blaze says.

Laura Hautala Former Senior Writer
Laura wrote about e-commerce and Amazon, and she occasionally covered cool science topics. Previously, she broke down cybersecurity and privacy issues for CNET readers. Laura is based in Tacoma, Washington, and was into sourdough before the pandemic.
Expertise E-commerce | Amazon | Earned wage access | Online marketplaces | Direct to consumer | Unions | Labor and employment | Supply chain | Cybersecurity | Privacy | Stalkerware | Hacking Credentials
  • 2022 Eddie Award for a single article in consumer technology
Laura Hautala
5 min read

A voter in Maine drops an absentee ballot into a drop box. Election observers are calling for officials to allow a large increase in the number of mail-in ballots.

Getty Images

Election security was headed in a hopeful direction early this year. But speakers at the Black Hat security conference made it clear Wednesday that the coronavirus pandemic has brought new challenges to making sure every vote counts.

Federal election officials have been planning since early this year to address the changes the coronavirus pandemic will bring to elections, Christopher Krebs, the director of the Cybersecurity and Infrastructure Security Agency, said in a talk at the virtual conference. As the agency charged with helping elections agencies take on cybersecurity challenges, CISA predicts voters will need to spend extra time planning how to vote. Krebs says voters will have to be patient, especially when results take longer than usual to be tabulated.

Krebs urged the audience of security experts to offer help to local election officials. "Be a part of the solution," he said.

Cryptographer and election security expert Matt Blaze also addressed the conference, and noted that state and local elections officials will have to overcome major logistical hurdles to scale up vote-by-mail options while also creating a surplus of in-person voting locations. With fewer than 100 days until the 2020 presidential election, Blaze said it's imperative for people with tech knowledge to get involved and ask local election officials what help they need.

"This community is precisely the one whose help is going to be needed," Blaze said.

Watch this: Blackhat 2020: Tech community must help secure elections

If tech workers jump in to help as poll workers and IT support, they'll be helping finish a job that was progressing nicely at the beginning of 2020. Before the pandemic kicked in, state and local agencies were in the process of adopting solutions to help clean up big problems in election security that came to a head in 2016. Longstanding concerns about the security of electronic voting machines became more urgent amidst the alleged effort by Russian intelligence agencies to influence the presidential election. In response, election agencies moved away from paperless ballots and coordinated with federal authorities to protect election systems from outside hackers.

"There was reason for optimism," Blaze said. "And then, the pandemic came along."

Now, elections agencies must find a way to ensure that all voters who want to cast their ballots can do so without risking exposure to the coronavirus, and without finding the process so arduous they give up. This likely means a big pivot to mail-in ballots. While President Donald Trump has tweeted there could be high rates of fraud, those concerns aren't backed up by research. The bigger problem, elections experts say, is scaling up a vote-by-mail system fast enough to accommodate all voters who want it. And while some states are reportedly considering expanding online voting, security experts say the process isn't safe and shouldn't be on the table. With less than 100 days left until the election, the problem of giving registered voters a safe and secure way to cast ballots needs solutions, fast.

Election security experts agreed with Blaze's assessment. Those who have in the past warned of the vulnerabilities in electronic voting machines are now turning their critical eye to problems caused by worries that voters will be exposed to the coronavirus in long lines at polling places, and that demand for mail-in ballots will overwhelm election officials.

"The biggest problem we have with this election is it's risky for anybody to vote in person," said Kim Alexander, president of the California Voter Foundation. "There's a pandemic."

A big increase in vote by mail

Scaling up mail-in voting (also called absentee voting) will take a great deal of work. While some states already allow anyone to sign up for mail-in ballots, others require an "excuse" from voters, or a reason why they can't come to the polling place. Being over the age of 65 or having a disability are valid "excuses" in many cases. The states of Washington, Oregon and Utah have universal vote-by-mail systems.

Observers have called for states that require excuses from residents to let voters receive a mail-in ballot.

"It's unconscionable not to allow anybody to use postal voting who wants to use it," said Dan Wallach, a computer science professor at Rice University who has focused on election security. That being said, he added that the increase in vote by mail ballots will create a huge logistical burden for election directors around the country. Proper funding, as well as security measures to make sure ballot scanners are working correctly, will be needed to successfully run the elections.

What's more, a massive education effort needs to be mounted to let voters know how to return the ballots correctly. Ballots can be set aside for errors like forgetting to sign the ballot, putting all ballots from one household into a single envelope, or having a signature that doesn't match the one on file. 

In calling on Black Hat audience members to volunteer their time to elections offices, Blaze said time was of the essence. 

"The optimistic note is that we can do this," Blaze said, "but we need to engage now."

Digital election threats remain

The US is still at risk from digital threats in addition to the challenges of voting in a pandemic, Krebs emphasized. His agency's biggest concerns are ransomware attacks on systems that are exposed and visible on the internet, including voter registration databases and electronic voter rolls. As a result, CISA launched a program to help state and local election officials make sure they're securing those systems.

Watch this: CISA director: Paper record key to keeping 2020 election secure

Election agencies will need to keep analog records of these databases where hackers can't tamper with them. Election experts say that will involve making copies several times as the election approaches, so that a ransomware attack won't cause catastrophic losses in the middle of the voting process.

Disinformation is also a major concern, and Krebs said.

When it comes to campaigns to spread false or divisive narratives in state-run news outlets or through social media channels, he said, "Russia has never taken a foot off the gas."

Observers are concerned efforts to confuse or misinform voters might take advantage of how long it could take to count all mail-in ballots and certify an election result. Marian Schneider, president of Verified Voting, says election agencies need to educate voters ahead of time and explain why there might be delays in counting votes. A delay "doesn't mean that there was fraud rigging or shenanigans, it just means they needed more time," she said. 

Krebs likewise urged voters to be patient, and not believe everything you see on the internet.

"Think before you share," he said. "There's plenty of additional research you can do to validate those claims."