866.254.0000
Talk with a Specialist
Services
SOC & Attestations
Payment Card Assessments
ISO Certifications
Privacy Assessments
Federal Assessments
Healthcare Assessments
Penetration Testing
Cybersecurity Assessments
Crypto and Digital Trust
Schellman Training
ESG & Sustainability
AI Services
View All Services
Industry Solutions
Cloud Computing & Data Centers Meet a broad range of regulatory and industry compliance mandates for your customers
Financial Services & Fintech Cybersecurity assessments for both the banking industry and the financial service providers
Healthcare Reporting to manage risk and adhere to applicable laws and regulations
Payment Card Processing Validate compliance with the various forms of the PCI DSS
US Government Achieve authorization to work for federal agencies, DoD, and the associated contractor base
Higher Education & Research Laboratories Reinforce your commitment to securing your student's and institution's data.
View All Industry Solutions
Learning Center
Our Technology
About Us
Leadership Team
Careers
Corporate Social Responsibility
Strategic Partnerships
Visit About Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
Payment Card Assessments
Payment Card Assessments
ISO Certifications
ISO Certifications
Privacy Assessments
Privacy Assessments
Federal Assessments
Federal Assessments
Healthcare Assessments
Healthcare Assessments
Penetration Testing
Penetration Testing
Cybersecurity Assessments
Cybersecurity Assessments
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
ESG & Sustainability
ESG & Sustainability
AI Services
AI Services
Industry Solutions
Industry Solutions
View All Industry Solutions
Cloud Computing & Data Centers
Cloud Computing & Data Centers
Financial Services & Fintech
Financial Services & Fintech
Healthcare
Healthcare
Payment Card Processing
Payment Card Processing
US Government
US Government
Higher Education & Research Laboratories
Higher Education & Research Laboratories
Learning Center
Our Technology
About Us
About Us
About Schellman
Leadership Team
Leadership Team
Careers
Careers
Corporate Social Responsibility
Corporate Social Responsibility
Strategic Partnerships
Strategic Partnerships
Talk with a Specialist

«  View All Posts

Election-Related Threats and Defenses Blog Feature

By: Schellman

Print/Save as PDF

Election-Related Threats and Defenses

Cybersecurity Assessments

It’s that time again. If you weren’t already aware from the campaign calls & emails, the televised debates, and the social media storm, the latest American election is upon us.

That also means the latest debate about secure voting has also ramped up. As time has passed, the electoral system has largely progressed beyond paper ballots and hand counts, but transitioning to technology means new security concerns that grow more sophisticated all the time.

But how much should we really be worried about electronic dangers to the electoral process? And what can be done to secure our systems against them?

As providers of a slew of different cybersecurity assessments, we know a few things about what it takes to protect critical data like your vote. Threats to voting machines, registration lists, and significant infiltration by disinformation intended to sway voters one way or another—we’ll address all these in this article, where we’ll also attempt to clear some of the apprehension that’s become synonymous with elections.

Once you understand where we should concern ourselves and what defenses we can employ, you’ll be able to go to the ballot box with more confidence.

 

3 Election Threats and Their Likelihoods

1. Vulnerabilities in Electronic Voting Systems

Let’s start from the ground up.

We’ve heard it for years now—experts in hacking, elections, and computer security have warned that electronic voting machines have security vulnerabilities that could allow an attacker to alter vote counts.

And that’s technically true, and concerning particularly for those places that rely entirely on the voter’s interaction with the touch screen or other interface rather than a paper record. Absent a paper ballot that confirms the voter’s intention, an electronic record is more easily altered or deleted.

However, despite how easily accessed these machines can be from the Internet, attacks against voting machines remain an inefficient technique for a hostile nation-state or other foreign adversaries. The scope of such an attack is less appealing for those interested in changing voting outcomes, because, typically, they’re limited to those counties or precincts where these vulnerable machines are in use.

Truly subverting the outcome of even a statewide race requires an enormous amount of effort, including some potentially on the ground at the polling place—plus, to attack online you must at least be in the range of the machines’ Wi-Fi network.

The fact also remains that, while a bad actor may have a stake in affecting the outcome of a relatively local election, the probability of a large, capable organization doing so remains relatively small.

 

2. Voter Registration Rolls Susceptibility

In fact, election machines themselves may be vulnerable, but voter registration databases actually present a potentially more efficient target.

Many states use modern software for registration, with reasonable protections for securing their sites. However, many other state or municipal governments have constraints on their budgets or resources for the relevant security either endemic to the software or for its proper use—that opens the door for an attacker to disenfranchise voters without their knowledge.

That is, until they turn up to vote and are denied the right. In some states, voters can still register and vote on Election Day, but given they’re likely unaware they’ve been purged from the rolls, they may not come to the polls with the required proof of residence in hand. In other states, removal from the roll of registered voters after a certain point precludes voting at all.

With that being said, this isn’t just a software or budget issue either. Most election officials are usually ordinary citizens working for their county or municipality a few days a year to facilitate elections. As such, they may not have much security training and may rely on shared user accounts to access these systems when performing voter registration drives or early voting activities—this kind of casual usage could allow a bad actor to obtain the credentials necessary to attack such a system and adversely affect voter registrations.

 

3. The Spread of Harmful Misinformation

Though election hardware and software do need securing, the greatest one-to-many potential for large, foreign-threat actors to change the outcome of elections is to target citizens themselves with disinformation.

That’s because their efforts to do this or to incite certain actions over social media or similar venues have the largest audience and can be conducted entirely remotely. Election disinformation from 2016 is widely and well documented, and many of the techniques learned about how to target key voting blocs or how to propagate disinformation also appeared in the 2020 election—this is becoming an unfortunate tradition, it seems.

But while disinformation remains a potent and effective threat to free and fair elections, its singular weakness is that it can only influence the decisions people make—disinformation cannot actually compel a specific outcome (like hacking voting machines or preventing people from voting outright).

Still, we can combat this as voters and public officials by disregarding obvious disinformation or comparing it against credible news sources for accuracy—of course, that’s easier said than done. Voters in this election, like nearly everyone else, largely live inside their own information bubbles that may or may not include credible news and information, and thus, may or may not compete with aggressive and deliberate disinformation.

But someone deeply affected by conspiracy theories or who’s inclined to only believe the news they wish to believe is more a matter of psychology and sociology than information security. But given this very real threat, voters should stay aware of predatory disinformation—consciously choose to weigh the information your receive from various sources, and you should avoid the most harmful disinformation.

 

Get Out and Vote

Irrespective of any political position, the United States—like all modern democracies—rests on the foundation of free and fair elections. As the sophistication of online attacks grows, together with the previous proof of success, it remains an essential task for voters and public officials to protect our elections.

We must resist attempts to undermine both our actual electoral process as well as the public’s faith in said process—that means understanding the threats, taking steps to combat them, and regularly considering the effectiveness of both.

Now that you understand—at a high level—the degree of a few electoral threats, the next important step is getting familiar with:

  • How individual voter registration works in your state;
  • How the voting process works in your states; and
  • How to manage the sometimes-disparate pieces of information about the voting process.  

But in the meantime, Election Day is November 8th. If you haven’t already, please go vote and make your voice heard.

--

For more information on other pertinent cybersecurity threats you should be aware of, as well as resources that can help, check out our other content:

About Schellman

Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Ready delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.