Attacks from within seen as a growing threat to elections
Election officials preparing for this year’s midterms have yet another security concern to add to an already long list that includes death threats, disinformation, ransomware and cyberattacks – threats from within.
In a handful of states, authorities are investigating whether local officials directed or aided in suspected security breaches at their own election offices. At least some have expressed doubt about the 2020 presidential election, and information gleaned from the breaches has surfaced in conspiracy theories pushed by allies of former President Donald Trump.
Adding to the concern is a wave of candidates for state and local election offices this year who parrot Trump’s false claims about his loss to Democrat Joe Biden.
“Putting them in positions of authority over elections is akin to putting arsonists in charge of a fire department,” said Secretary of State Jocelyn Benson, a Democrat and former law school dean who serves as Michigan’s top elections official.
Experts say insider threats have always been a concern. But previously, the focus was mostly on what a volunteer poll worker or part-time employee could do to a polling place or county system, said Ryan Macias, who advises officials at the federal, state and local levels on election security. Now the potential harm extends to the very foundation of democracy – conducting fair elections.
“Since 2020, the coordinated efforts to have threat actors run for office, apply to be election officials and volunteer as a poll worker or observer should be treated as national security concerns,” Macias said.
The potential risks posed by insider attacks run from granting unauthorized access to sensitive information to planting malware within election systems.
While insider threats are the hardest to guard against, Macias said measures are in place to recover from an attack. Most of the country relies on paper ballots filled out by hand or with the use of a voting machine, so there should be a paper record of each ballot cast. In addition, post-election checks are designed to identify potential manipulation or discrepancies in the vote.
This year, voters in 25 states will elect their state’s chief election official, and several races feature candidates who dispute the outcome of the 2020 presidential contest despite no evidence of widespread fraud or a coordinated scheme to steal the election.
Some voters also will decide who will run their local elections as the next county clerk. It’s these local election offices that have experienced security breaches.
In Mesa County, Colorado, authorities are investigating whether unauthorized people were granted access to county voting equipment. State officials began investigating after the county’s voting system passwords appeared on a conservative website. Because each county has unique passwords maintained by the state, officials identified them as belonging to Mesa County, where Trump won nearly 63% of the vote.
Clerk Tina Peters – a Republican elected in 2018 – then appeared at a “cybersymposium” hosted by Trump ally Mike Lindell, the MyPillow CEO who has sought to prove that voting systems were somehow manipulated to favor Democrats.
At that event a copy of Mesa County’s election management system – which is used for designing ballots, configuring voting machines and tallying results – was distributed. Experts have described the unauthorized release as serious, potentially providing a “practice environment” to probe for vulnerabilities.
Peters, in an interview, said she made the copy of a county voting system hard drive to preserve “the evidence of how you get to the result of an election, who came in, who made changes, who did what.” She denied knowledge of how a copy came to be distributed at the Lindell event and would not say who was with her when the copy was made.
“I didn’t go in to try to address some conspiracy theory,” Peters told The Associated Press. “It’s just my responsibility to protect, and solely my responsibility to protect election records.”
A grand jury in Mesa County is reviewing the case. Meanwhile, Peters has announced plans to run for secretary of state, overseeing elections for Colorado.
Elsewhere in Colorado, state officials are investigating after the election clerk in Elbert County, southeast of Denver, indicated he made two copies of a voting system hard drive last summer.
An attorney for Dallas Schroeder said in a written response to the state that Schroeder believes he had a “statutory duty to preserve election records” and was concerned that a visit by state officials to prepare for the 2021 elections “might erase or alter electronic records of the November 2020 election.”
There has been no indication of widespread fraud or other major irregularities following the 2020 election in Colorado or elsewhere.
In Ohio, federal and state authorities are investigating after network data purportedly from the Lake County Board of Elections in suburban Cleveland was made available online along with other data by people seeking to show the 2020 election was somehow manipulated.
A state analysis determined the data wasn’t from the Board of Elections at all, but rather a network that runs other county business. Secretary of State Frank LaRose, a former Republican state lawmaker who serves as Ohio’s chief election official, said it showed only “innocuous traffic,” such as between a county computer and a printer, but was used to suggest something nefarious.
“They grabbed that and they said, ‘Oh, look, here’s evidence,’” LaRose said. “It was evidence of nothing, and they were nowhere close to the Board of Elections.”
In Michigan, the secretary of state’s office recently announced a potential security breach at an election office in Roscommon County, in the rural northern part of the state, where someone is suspected of gaining unauthorized access to voting systems. State authorities are investigating.
Experts said these types of security breaches have so far been few and most election officials are experienced, neutral professionals who follow the rules and want no part of conspiracy theories.
But, they said, any official found to be undermining elections and breaking the law must be held accountable. No charges have been brought so far in any of the breaches being investigated in Colorado, Ohio and Michigan.
“One of the keys to combatting insider threats is that there are consequences, and we haven’t seen that yet,” said Matt Masterson, a former top election security official during the Trump administration.
In advance of this year’s midterm elections, federal officials who oversee election security say they have conducted training with officials on ways they can limit access to voting systems to reduce the chances of an insider threat.
In Ohio, state election officials credited additional cybersecurity measures put in place in 2019 with preventing the attempted breach in Lake County, which Trump won in 2016 and 2020. A state order required that election-related systems be separated from county networks to better protect them.
In Michigan, Benson said her office is “keeping a close eye – closer than ever before” on local election officials and is prepared to stop anyone who tries to jeopardize election security.
In Colorado, Secretary of State Jena Griswold recently announced a set of temporary rules she said were designed to address “emerging security risks,” specifically citing the cases in Mesa and Elbert counties.
The new rules reduce the number of county employees with access to the election management system and require that they be identified in the county’s security plan filed with the state. Proof of background checks must be provided to the state for anyone present as voting systems are prepared for an election.
“Undoubtedly, we will see more insider threats to come,” said Griswold, a Democrat. “States have to prepare themselves.”
Associated Press writers Julie Carr Smyth in Columbus, Ohio, and David Eggert in Lansing, Michigan, contributed to this report.