The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Coronavirus contingency plans may also pose election security challenges

Placeholder while article actions load

with Tonya Riley

With Tonya Riley


Coronavirus is dealing election officials across the country a serious curveball even as they strain to keep the 2020 contests secure against another threat: Russian hacking.  

Officials are now forced to contemplate contingency plans to potentially overhaul their voting systems so Americans can still cast their ballots in a pandemic – and still ensure the process is secure. 

“Cybersecurity of elections is still a very real concern, so we have to walk and chew gum at the same time,” Lawrence Norden, director of the Election Reform Program at New York University’s Brennan Center for Justice, told me. “We need to make big changes to ensure everyone can vote safely while we still have our eyes on the issue of cybersecurity.” 

One major option surfacing now is surging vote-by-mail programs so citizens can avoid the polls. Democratic National Committee Chairman Tom Perez called for states to shift to widespread mail-in voting “wherever practicable” on MSNBC last night. “That's how you can solve the problem,” he said.

But this route could create security problems of its own, election experts warned especially if it’s implemented in a tight time frame. 

For example, officials would have to put safeguards in place to ensure mailed-in ballots are secure throughout their journey to election offices and to prevent U.S. adversaries or those seeking to tamper with the vote from sending in phony ballots to sow confusion. They’d also have to guard against misinformation related to the vote-by-mail process and figure out how to deliver ballots to people without street addresses.  

There’s also a heightened concern about people coercing friends and family members to vote for particular candidates with write-in ballots because the voters aren’t entering a private booth or cubicle to cast their votes. 

Changes this close to Election Day are also likely to create confusion among voters that could be exploited by Russia and other U.S. adversaries in disinformation campaigns. 

“Any time the process changes, it increases the risk that voters will not understand what’s going on and it increases the opportunity for malicious actors to take advantage of the process to undermine operations and spread disinformation,” Maurice Turner, an election security expert at the Center for Democracy and Technology, told me.  

There are just seven months to go before Election Day, but states may hold off on taking action until a clearer picture emerges of how long the pandemic will last. Already, we're seeing big differences in how states with upcoming primaries are responding to the virus. States including Kentucky, Louisiana and Georgia are delaying their primaries. But Florida, Arizona and Illinois are pressing forward with primaries today. This has raised concerns about disenfranchising voters who are still wary of going to busy polling places. Some decisions were last minute: Ohio Gov. Mike DeWine (R) is ordering a halt to his state's primary today despite a judge's order the election should go on, as my colleagues Amy Gardner, Elise Viebeck and Isaac Stanley-Becker report

The patchwork of state responses mean a partisan battle is even more likely in Congress over whether the federal government should move ahead with a mandate.  

Sens. Ron Wyden (D-Ore.) and Amy Klobuchar (D-Minn.), two longtime election-security advocates, introduced a bill that would mandate that voters across the nation have an option to vote by mail and authorizes $325 million to help states handle the load of mail-in ballots. 

“This is one key change we can make to ensure people don’t have to sacrifice their health to exercise their constitutional rights,” Wyden told me in an interview. “This is something that would have made a whole lot of sense six months ago, but now, in the face of a public health crisis, it’s just common sense.” 

Klobuchar told me in an email “Americans are facing unprecedented disruptions to their daily lives and we need to make sure that in the midst of this pandemic, Americans don’t also lose their ability to vote."

Those efforts are likely to face fierce resistance, however, from Senate Majority Leader Mitch McConnell (R-Ky.) who’s opposed any federal efforts to mandate how states should run their elections. 

A Senate GOP aide declined to weigh in on the Klobuchar-Wyden bill, but told me that “we want to make sure that states have the ability to work within their own systems, procedures, and protocols to protect voters and ensure every eligible voter has the ability to cast their ballot.” 

And President Trump added fuel to the fire by criticizing the delayed elections, telling reporters, “I think postponing elections, it’s not a very good thing…They have lots of room in the electoral places.” 

On the ground, expanding mail-in voting would also take a huge bureaucratic effort from state and local officials. “This is a big lift and we’d need to be pulling at almost every available resource we have to make this successful,” David Levine, the elections integrity fellow at the Alliance for Securing Democracy, told me. 

Advocacy groups are also pushing for expanded vote-by-mail including the American Civil Liberties Union, as my colleagues Isaac Stanley-Becker and Amy Gardner report. And the National Vote at Home Institute, a group led by former Colorado election official Amber McReynolds, is also set to release a plan this week for states and local jurisdictions to scale up options for at-home voting. 

This post has been updated to add comment from Sen. Amy Klobuchar (D-Minn.).


PINGED: The Justice Department is dropping charges against two Russian companies indicted alongside the notorious Moscow troll farm, the Internet Research agency, for spreading disinformation during the 2016 election, my colleague Spencer S. Hsu reports

The move was prompted by concerns that the companies, Concord Management and Concord Consulting, were using the trial process to obtain confidential information from prosecutors that they could weaponize in an information warfare campaign against the U.S. government, Katie Benner and Sharon LaFraniere at the New York Times report. 

In a court filing, prosecutors said the companies used the "judicial system to gather information about how the United States detects and prevents foreign election interference.”

The stunning reversal comes just weeks before the case was set to go to trial. Former Special Counsel Robert S. Mueller III indicted the companies alongside the better known Internet Research Agency but, unlike the IRA, they opted to defend themselves in court. 

The Justice Department’s move could stoke anger from Democrats, who have accused Attorney General William P. Barr of trying to undo the work of the Mueller probe amid rising concerns Russia will once again interfere in the 2020 elections.

PATCHED: Hackers appear to be taking advantage of the coronavirus pandemic to ramp up attacks on government agencies. Digital attacks against Pentagon networks have soared in recent days, Kevin Baron at Defense One reports, citing a virtual Town Hall for Pentagon employees. 

“They’re already taking advantage of the situation and the environment that we have on hand,” Essye Miller, the Defense Department’s principal deputy chief information officer said during the town hall. There’s no evidence, however, that any adversaries have penetrated DoD networks. In response, the Pentagon has barred employees from using YouTube and other streaming services to prevent overburdening the system.

PWNED: Disinformation operations related to the coronavirus are still ramping up and U.S. adversaries are getting savvier about spreading phony information in ways that are harder for government and social media companies to track, my colleagues Craig Timberg, Ellen Nakashima and Tony Romm report

Phony text messages claiming Trump would announce a national quarantine, for example, spread widely by email, text message, WhatsApp and TikTok -- not on Facebook and Twitter where they’d be easier to spot because of social networks' safeguards against disinformation. The falsehoods also spread via screenshots and it's more difficult for tech companies to detect keywords in images. 

The personal nature of direct messages makes users more likely to trust the information they're receiving, says Graham Brookie, the director of the Atlantic Council’s Digital Forensic Research Lab, which tracks disinformation. "It’s a return to an older threat,” said Brookie. “We saw it on e-mail. This is not new. We’re going to need to figure out more mechanisms to learn about it more quickly.”

National security officials are investigating if foreign adversaries are behind the misinformation campaign, which appeared aimed at causing a rush on stores that would disrupt supply chains and create panic.

The White House’s National Security Council publicly debunked the claims on Sunday, tweeting “text message rumors of a national #quarantine are FAKE. There is no national lockdown.” Trump also addressed the viral text messages yesterday, telling the press “It could be that you have some foreign groups that are playing games.”

More than one operative may have been responsible for the text messages, one U.S. official told my colleagues, based on the sophistication of the messages. Both the Pentagon and State Department issued warnings about foreign adversaries allegedly targeting Americans with coronavirus misinformation. 

Attorney General Barr urged U.S. attorneys to prioritize prosecutions and investigations of scammers and cyber criminals looking to take advantage of the COVID-19 crisis, Alex Mallin at ABC News reports.


— Cybersecurity news from the public sector:

Trump announced Google was building a virus screening tool. Then someone had to build it (Douglas MacMillan, Heather Kelly, Elizabeth Dwoskin and Josh Dawsey)

Senate Approves Short-Term Renewal of Surveillance Powers (The Wall Street Journal)


— Cybersecurity news from the private sector:

Health groups vulnerable to cyberattacks as coronavirus crisis ramps up (The Hill)

A coronavirus-tracking app locked users' phones and demanded $100 - CyberScoop (CyberScoop)

A Critical Internet Safeguard Is Running Out of Time (Wired)

No, 5G didn't cause the coronavirus pandemic (CNET)


— Cybersecurity news from abroad:

Coronavirus Outrage Spurs China’s Internet Police to Action (New York Times)

Israel to fast-track cyber-monitoring of coronavirus cases (Reuters)