Election security has never been more scrutinized than the 2020 presidential elections. It left election boards fighting not only to protect the election from outside influences but also to justify the legitimacy of their own work.
Where it succeeded and where it failed makes the perfect case study in creating cybersecurity in a fishbowl.
SC Media talked to Patrick Gannon, public information officer for the North Carolina State Board of Elections, and two of the contractors the NCSBE used to bolster security for the 2020 election: Torry Crass of Woodstar Labs and Sean Maybee of Associated Universities. They shared how to provide security when those inside and outside the organization are watching with a skeptical eye.
Patrick, you've worked on several elections under both Republican and Democratic leadership. How did 2020 stack up?
PG: From an agency perspective this went very smoothly. From the perspective of needing to be worried about anything, nothing materialized. It was extremely successful; extremely safe – despite what you may hear. That’s been the most difficult part of the election. You’ve seen it in other states – election officials became targets. Misinformation led to threats to physical safety.
If there was evidence, criticism would be warranted. Not threats.
One thing people don’t realize is how much time we have to devote to responding to disinformation. Every time someone calls us or emails us with criticism, it takes time away from what we still have to do.
TC: Having those things explained made a positive impact within those groups. I'd say they strive to be as transparent as humanly possible, to the point where my Dad or some curmudgeon would call up and start saying all these things that they got from QAnon, and they would actually talk to them and say "this is how we do it, these are the things that are in place, these are the things we're doing to protect your vote."
PG: Even before this election, we came up with a list of 10 points that we thought, if people understood, people would have more confidence in the election: conducting audits after each election; being one of the only states with a dedicated investigations division; how, every step of the way, Republicans and Democrats were in the room. It was on our website, and we were able to keep referring back to that.
TC: Throughout the election, we all had to be good at communicating and explaining the different controls and processes, because I would say the public in most cases is not aware of the audit processes or the data controls that are already in place.
SM: Just coming up with an effective list is hard, from a cybersecurity perspective, because it has to be a good balance between being as transparent as possible while keeping specifics and TTPs private.
But was being transparent successful in convincing people their vote would count?
TC: We had the opportunity to participate at a keynote at a cybersecurity conference in Charlotte before the election, where we were able to go through the 10 points, explain to people what we were doing.
Patrick asked at the start how many people had confidence in election security. Only around a third of them raised their hands.
PG: If it was even a third, that is a surprise.
TC: Cybersecurity people are critical by nature. But as it went on, we were able to convince people. At the end, Patrick asked again. Almost everyone raised their hands.
What did the the people who had their hands down at the beginning of the keynote appreciate by the end?
TC: The expectation that a lot of folks seem to walk in with is that there’s no controls. There’s no security, there’s just a bunch of people who have no understanding of the cybersecurity space or technology in general. In some ways, I think that is a big portion of why the North Carolina Board of Elections engaged with us. It’s not that they didn’t have people that were working on cybersecurity or that they didn’t have controls in place.
SM: Not to downplay our contribution, but a lot of that was for the legislators.
I was going to answer your question another way, because this was my impression when we first became involved. When I go to my polling place, there’s a little old lady in tennis shoes at a desk, and you fill out a form, and she puts it under the table and then you go and there’s a machine inside these cardboard walls. And you wonder how can all this be secure?
Well, you can convince people that’s secure. Transparency is a big piece of it. You need to have a way not only to communicate at the leadership level and to your board and to your executive team, but you also need to understand what they’re communicating down the reporting chain.
You mentioned you were brought in as contractors not just to help but as a third party check to raise confidence. Does that work?
TC: I think it does help. There was a lack of trust in the establishment – a belief that everyone is in it to cause problems.
It helps to have people come in and say ‘we’ve looked at this.
PG: We’re a small office and didn’t just have to deal with cybersecurity issues. We had five times as much vote by mail. We had concerns from people, ‘will my vote get there in time or at all?’ We had to work with counties to make sure there was enough PPE. And that was in addition to the normal issues that come up in a presidential election, which is a mammoth undertaking.
Having Sean and Tory was a force multiplier. The more voices the better. At some point, if you don’t trust the [Cybersecurity and Infrastructure Security Agency] and you don’t trust the FBI and you don’t trust Chris Masterson and you don’t trust Chris Krebs and you don’t trust the state, it becomes a conspiracy that’s hard for us to address. The more voices you can have say this was a fair election the better.
SM: I think one of the strengths of bringing in a CISO-as-a-service, like us, is that we bring a team. When it comes to people second-guessing, we can engage with critics and say there was the consideration of whatever issue. We can say we have a specific expert on staff who handles that problem.
So what do you take from this election in terms of where to improve moving forward?
PG: From my standpoint, it’s educating the public, educating lawmakers, making sure they have answers to the questions they have.
We’ll keep trying to correct voter misconceptions on social media. We’ll advertise more of our successes, like having media campaigns to demonstrate logic testing in 2024. We need people to know this isn’t something being done willy nilly, or thrown together at the last minute. We are preparing for this year-round.
We’re making plans to extend a voter confidence campaign to counter disinformation. I don’t know if it will be helpful to the extent we want it to be. I don’t know if it can be when there’s such a disconnect between the sides.
SM. One of the things that caught us by surprise was that we were preparing for a Nov. 3 election. But a few weeks before that we realized we were working toward a game day that came early and kept going.
How do you adapt to attackers who don't necessarly want to work on your schedule?
TC. You rely on partnerships. We received bulletins from the federal government. To be able to use those, we had to be sure early that the tooling and the visibility to determine which issues were important as they arose rather than being blindsided by a changing landscape.
There are full-time employees here for a reason. It's not just starting on Nov. 3 and packing up on Nov. 4. It's continuous improvement and continually improving visibility.
SM: That goes back to the original question. The other piece is year round resources. None of that can come for free.