CISA: Election infrastructure has never been more secure

LAS VEGAS -- CISA Director Jen Easterly said U.S. election infrastructure "has never been more secure" during a Wednesday keynote panel at Black Hat USA 2024.

The session, titled " Democracy's Biggest Year: The Fight for Secure Elections Around the World," was hosted by Associated Press reporter Christina Cassidy and featured Easterly, European Union Agency for Cybersecurity (ENISA) COO Hans de Vries and Felicity Oswald, CEO of the U.K.'s National Cyber Security Centre (NCSC) as speakers. The panelists, all international cybersecurity leaders, discussed how they're approaching election security risks in a year where roughly half of the world's population is expected to participate in a national election of some kind.

Cassidy began by asking de Vries and Oswald about elections held within the U.K. and Europe this year and how successful they were. Oswald said that in March, the U.K. government identified attempted and successful attacks against the U.K.'s election commission from Chinese nation-state actors. When preparing for upcoming local and general elections, she said the agency went in "knowing that the hostile state threat was real and present and had impacted us in recent years." As a result, although there were efforts to disrupt British elections, Oswald said the whole process was smooth and people could vote securely.

Regarding recent European and Dutch elections, de Vries said "preparation is key." Although there were some disruption efforts such as DDoS attacks and "process manipulation," de Vries said there were no major incidents. A primary reason for this was collaboration between various partners and stakeholders.

"I think the impact was little because we prepared for cooperation and information sharing between member states very strongly," de Vries said. "And we had an exercise with the European Parliament and the European Commission last year to make sure that they all knew the process."

Easterly added that it was great that the international cybersecurity and infrastructure community across the globe was so tightly connected. Moreover, she referred to the close relationships CISA has with ENISA and the NCSC and that all agencies are learning from each other at all times.

"We have sent folks over to be part of your team prior to the elections, and then you sent folks over to us, and that's just really important to be constantly learning those lessons, because threat actors are entrepreneurial, and they're not going to use the same tactics they've always used," she told the other panelists. "I can say with confidence that election infrastructure has never been more secure, and the election stakeholder community has never been stronger."

When weighing in on a question about how election threats are evolving now compared to previous years, Easterly said that despite the strength of election infrastructure, stakeholders cannot be complacent because "the threat environment has never been so complex." She mentioned nation-state hacking efforts, particularly from Russia, incorporating commercial organizations such as public relations firms into their misinformation strategy. The most important thing CISA does and can do, she said, is amplify the voices of state and local election officials.

"They are truly the authoritative subject matter experts when it comes to elections, and that's a message that I would ensure that everybody here has: if you want information about elections, talk to your state and local election officials," she said.

One of the more illuminating pieces of information about the U.S. process came during a question about how the various security leaders were hardening the security of voting technology in 2024. Easterly said she didn't know more about election processes before she joined CISA and that the complexity of voting infrastructure was "mind blowing" to her. She also explained that "if you've seen one state's election, you've seen one state's election."

Moreover, although U.S. elections don't generally utilize the internet in the vote casting and tabulation process, she said there is a "heterogeneity" between every election's processes. CISA and the FBI issued a joint public service announcement (PSA) last week regarding DDoS attacks on election systems. While the PSA warned of potential DDoS threats, the agency emphasized such attacks will not the security of elections or the integrity of voting results.

In order to meet the challenge of securing elections, Easterly said security stakeholders have been utilizing a defense in depth approach. Since the election cycle started in early 2023, CISA has performed over 900 physical security assessments, nearly 700 cybersecurity assessments, 120 tabletop exercises, and 370 training sessions that have reached 20,000 participants.

"We are working to reduce risk across the full spectrum, whether it's cyber, operational, physical or the threat of foreign malign influence and disinformation, and all of these are part of the layers of controls in place so that the American people can have confidence in the integrity and security of the election infrastructure and election processes writ large," she said.

Alexander Culafi is a senior information security news writer and podcast host for TechTarget Editorial.