For election officials, the story of the past four years has been a crash course in the fact that voting security is cybersecurity. And though states, counties and local jurisdictions that conduct elections have never had more resources available to them — an information-sharing exchange with thousands of members, federal officials warning them about intrusions on their networks and forays into practices like penetration testing and vulnerability disclosures — there’s always more work to be done. But finding the resources and talent to secure election systems is hard enough for county administrators even when there’s not a pandemic raging across the world.
That’s where the University of Chicago’s new Election Cyber Surge aims to fit in. The program, run out of the university’s Harris School of Public Policy, aims to match volunteer cybersecurity professionals with local election officials to help them protect their voter registration databases, websites and anything else that might be targeted by foreign adversaries, a list of nations that is topped by Russia but, according to U.S. intelligence officials, also includes China, Iran, North Korea and Saudi Arabia.
Leading the Election Cyber Surge is Maya Worman, a former Department of Homeland Security official during the Obama administration who went on to the New York City Department of Information Technology & Telecommunications, where she helped establish what is now New York City Cyber Command. In a phone interview in early September, Worman told StateScoop that while the new program lets local election administrators get expert advice from volunteer technologists, it’s also a way to patch the frequently cited shortage of cybersecurity talent in state and local government.
“Here’s people who need help and here’s people who can help,” she said. “Let’s put them together.”
There are already a lot of companies and organizations offering support to election officials. Where does the Election Cyber Surge fit in?
I don’t want to say it’s a result of Covid, because it’s not that simple. The early days predate me. [The Cyber Policy Initiative] has pulled off the Voting Village at DEF CON. It’s been well received by the computer science community, the technologist community, but also the election administrators. They were really bummed when DEF CON was canceled. So they said how can we take these eager and willing minds and people who want to facilitate a better understanding of vulnerabilities and election security measures, how can we leverage that network? And rather than simulations with lots of drama on a stage, how can we have a real-world application of the technologies, the vulnerabilities and the administrators’ real-world environment? We can’t go to DEF CON, but we still have this active network, and we still have these administrators who want to learn more. How can we, in this time of Covid, connect them both?
What brought you into the fold?
They were looking for someone who had the experience in cybersecurity and strategic planning with the local, state and federal government expertise. A lot of cyber folks don’t cross over, and I think they wanted a voice who had been on the municipal side to help make that introduction and build that trust, which is key. I was in retirement in middle America, and thought that I can definitely still do it. It seemed exciting, it seemed cool. I liked that it was an unprecedented model. Here’s people who need help and here’s people who can help. Let’s put them together.
That sounds like an extension of the problem in state and local government, where it’s hard enough to recruit cybersecurity talent, let alone hold onto it.
And this is not a static skill set. It’s never done. There’s continuing education. It’s not just that they’re hard to recruit, and expensive to pay for and they want to go to the next cool job. They have to be sharp and they have to stay sharp, and that’s just to keep pace. They’ve got to be really plugged in to all the tools and all the threats and be adept at managing that in the moment.
When the Election Cyber Surge’s volunteers are connecting with election administrators, what are they finding?
The known vulnerabilities that exist have been widely reported and widely understood and are not just limited to elections: permissions management, device management, secure websites. These are standard challenges that anyone with a website is faced with. Because those are known vulnerabilities, those are easy conversations to have in remote troubleshooting dynamics.
As we’re talking, the first absentee ballots are about to be sent out. What do you see as the main areas of concern in the few weeks left before Nov. 3?
I think if you’ve recently had an uplift or major cybersecurity review since 2016, or even 2018, it’s time to look at it again. That’s great and money well spent, but the evolving nature is why it’s so hard. Being mindful of security culture is important, but anything you did six months ago needs to be looked at again. And even if you did it yesterday, there is no harm in a confidential voice as part of your conversation as a sounding board to hear if there’s anything else that can be done. So even if they feel confident and assured by their executive leadership, this voice, with fresh eyes and none of the burden of understanding necessarily what’s happening within the environment of the individual jurisdiction, that is a fresh voice that can be valuable. And why not try to learn more from an extremely knowledgeable professional in the field?
We hear a lot about all the various threats, whether it’s malware, disinformation. What does a bad scenario look like to you?
That’s tough because it’s so nuanced. One weak spot could unintentionally allow anything, and it could be weeks or months before anyone realizes. The spirit of this is making sure the people who are charged with this massive responsibility know they are not out to sea, they are not alone. Everyone needs to look at election systems as highly connected systems that work together, and not just on Election Day. It’s not just something we need to prepare for on Monday night, but all year round. We are trying to preempt any opportunity for someone to say “I didn’t have access” or “I didn’t know.”
So back to the staffing issue. These cybersecurity skills aren’t going to become any less valuable and competitive over time. Is the Cyber Surge sustainable?
While volunteers are free, organizing volunteers is not free, and there are costs that come with the program. If we see that we can do it again and get better at this and have a more efficient process at executing the program, I think we’ll absolutely be around again. I think this sort of flip in how we think about cybersecurity services, talent acquisition, might actually help that larger problem. These people who are coming out to help are so special, so precious, and the need for them is so insatiable, that if we can soften that, it might buy us a little time so we can educate more and the immediate need is not as dire. I see us here in two years.
This interview was edited and condensed for readability.