The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: Coronavirus has upended election security training with just months before November

with Tonya Riley

Russian hackers could target election officials working from home. Adversaries could spread rumors about coronavirus outbreaks at polling sites to deter people from showing up on Election Day. Or they could launch disinformation campaigns claiming elections have been delayed or canceled entirely because of the virus. 

Those are just some of the new scenarios the University of Southern California’s Election Security Initiative is tackling as it races to conduct virtual training programs for campaign and election officials across all 50 states before November. 

The big takeaway: Every aspect of securing elections is now far harder than they ever imagined. The array of challenges officials are facing now make the pre-pandemic concerns about Russian hacking seem simple by comparison.

“Security concerns now are more urgent in almost all cases because the virus has really exacerbated security issues,” the initiative’s executive director Adam Clayton Powell III told me. “It’s not an abstraction. It’s very real for people that they’ll have to do this work in a more urgent climate than they anticipated.” 

USC launched its initiative early this year with a laser focus on helping to combat interference from Russia and other U.S. adversaries. 

The group, which received most of its funding from Google, planned to hold in-person trainings across the country and to help officials who attended link up with experts at local universities who could help them prepare for cyberattacks, disinformation campaigns and related threats. 

But, like everything else about the election landscape, that plan was upended by the pandemic.

Experts ticked off a series of new problems officials will have to manage during one of the group’s first virtual trainings this week conducted for Delaware officials via Zoom videoconference. 

That includes preparing for far more people to vote by mail and ensuring they have the mailing, envelope stuffing and sorting technology to manage that surge. It also includes recruiting younger poll workers for in-person voting sites who are less vulnerable to the virus and outfitting them with sufficient protective gear. 

All the last-minute changes leave opportunities for U.S. adversaries to sow chaos or confusion by spreading disinformation and stoking fears. 

“Elections right now are very much a work in progress,” Powell said. “Running an election isn’t easy and changing things at the last minute introduces a level of complexity and concerns about security that are not trivial.”

The USC group has run training programs in 15 states, about one-third of them since the pandemic began. It plans to do about two more trainings per week until all the states are complete and also hopes to run trainings at the Democratic and Republican National Conventions if they happen, Powell said.

The group is doing shorter programs via videoconference than it used to do in person, figuring that local officials don't have time to spend four hours sitting at a computer screen learning about hacking and disinformation right now. It's also getting larger audiences than it used to, partly because election and campaign officials don't have to travel across a state to attend. 

The average online training is getting about 200 attendees versus about 100 for the in-person ones, Powell told me. 

Officials are scrambling even more in states that delayed their primaries during the early days of the pandemic. 

For most of those states it will still be several weeks before they start figuring out what their November election might look like. 

“What we’re seeing is November’s a long way away,” Powell said. “It’s really over the horizon for almost everyone. People are worried about what’s coming in the next few weeks and months because so many primaries have been pushed into late spring.”

Those delayed primaries also create security problems of their own because they make voters who would have previously been highly skeptical of a malicious text or email saying Election Day had been delayed far more susceptible to the disinformation. 

“That might have seemed odd in the past…but we’re all working differently now and the fact we are working differently creates an opportunity for adversaries to trick us,” USC computer science professor Clifford Neuman told the Delaware audience. 

The uncertainties surrounding the election also make it more important for campaign and election officials to be in close contact before Election Day.

That way they can cooperate to stamp out any disinformation about how the vote will occur and boost confidence about the election result, Patricia Ewing, a campaign pro who was national campaign manager for author Marianne Williamson’s 2020 presidential bid, told the Delaware audience. 

“I normally only work with the department of elections if the race is close. I get my lawyers ready,” she said. “In this setting, I'm recommending campaigns actually help the department of elections, [that they say] we know what your problems are. We can talk about the safety of the elections.” 

The keys

DHS needs to do more to protect mail-in ballots from hacking, a group of computer scientists says.

The group is sounding an alarm about systems that allow voters to print out their mail-in ballots from home computers and sometimes to select their candidates before printing. 

Those systems are too vulnerable to hackers who could manipulate votes or undermine the secrecy of the ballot, the coalition of about 16 computer scientists said in a letter to DHS’s Cybersecurity and Infrastructure Security Agency shared exclusively with The Cybersecurity 202. 

They want CISA to revise its guidelines for state and local election officials to: 

  • Discourage computer-filled ballots except for voters with disabilities that prevent them from filling out ballots by hand.
  • Adopt computer ballot systems that disconnect from the Internet while voters fill them out. 
  • Mail ballots to voters whenever possible rather than having them print the ballots off the internet. 

We will need to rely on technology to help get through this election during the covid-19 pandemic, but there are substantial security and privacy threats associated with online ballot delivery and marking that mustn't be ignored, said Susan Greenhalgh, senior adviser on election security for the advocacy group Free Speech For People, which organized the letter.

The letter's signatories include Michael Fernandez, founding director of the Center for Scientific Evidence in Public Issues at the American Association for the Advancement of Science, Princeton University computer science professor Andrew Appel and Alex Halderman, director of the University of Michigan’s Center for Computer Security and Society.

Zoom will add superstrong encryption soon — but only for paid accounts.

The move is part of a 90-day security push the videoconferencing company announced after its skyrocketing popularity during the coronavirus pandemic exposed a slew of vulnerabilities. The improved encryption is being provided partly by the company Keybase, which Zoom announced it’s acquiring to improve its security and privacy. 

Zoom had advertised before the pandemic that it already offered end-to-end encryption, which shields communications from everyone except the sender and recipient. But that claim turned out to be exaggerated.

The company also said it’s "investigating mechanisms that would allow enterprise users to provide additional levels of authentication," but did not elaborate. The changes help fulfill the requirements of an agreement the company reached with the New York attorney general yesterday regarding its string of security lapses.

The Chinese government is spying on users of the nation’s super-popular WeChat app even when they’re outside China, a new study finds. 

The international surveillance on the app, which has more than a billion users worldwide, is helping the regime hone its censorship inside China, researchers at University of Toronto's Citizen Lab found

WeChat is a multipurpose app that allows users to do everything from chatting with friends to ordering food and hailing ride-share services. It’s also a popular form of communication between Chinese users and relatives abroad. But the report found that taboo images and documents sent by people outside China were monitored and scrubbed before they reached their recipients inside the nation

That also helps train WeChat's systems to better censor and surveil users inside China, Citizen Lab director Ronald Deibert explained in a Washington Post opinion piece. He urged international privacy advocates and app stores to investigate the findings.

We believe these findings should prompt urgent investigations by privacy regulators and other government agencies to explore WeChat’s potential liabilities, he wrote. App stores may consider removing WeChat from their listings on the basis of misleading consumers with inaccurate privacy information. "

Government scan

The Federal Trade Commission continues to battle an onslaught of coronavirus-themed scams.

The agency announced it sent 45 letters to companies it said were hawking phony coronavirus cures, bringing its total number of warnings to 120.

More government news:

Pentagon, Senators Blast FCC Decision to Let Company Share GPS Spectrum (Nextgov)

Senate panel advances Trump FEC nominee in party-line vote (The Hill)

Pentagon official: FCC decision on 5G threatens GPS, national security (The Hill)

Global Cyberspace

Iranian government-linked hackers may have been behind recent attempts to hack the emails of World Health Organization employees, researchers say.

The hackers sent seemingly innocent emails about the coronavirus to WHO employees while posing as news organziations and researchers, Bloomberg News's Ryan Gallagher reports. The hacking campaign appears to have been launched by an Iranian hacking group dubbed "Charming Kitten," ClearSky Cyber Security researchers said. 

The WHO’s chief information security officer, Flavio Aggio confirmed the agency had been unsuccessfully attacked but declined to comment on specific instances. Iran’s Foreign Ministry didn’t respond to a request for comment. 

More international cybersecurity news:

China’s Military Is Tied to Debilitating New Cyberattack Tool (The New York Times)

Russian hackers accessed emails from Merkel's constituency office: Der Spiegel (Reuters)

A passwordless server run by NSO Group sparks contact-tracing privacy concerns – TechCrunch (TechCrunch)

Chat room

Yesterday was National Password Day. Google's Director of Product Management Mark Risher celebrated by busting some common security myths:

Bottom line: Set up a password manager. 


  • The Cyberspace Solarium Commission will host a virtual forum today from 11 a.m. to noon.
  • The IT Sector Coordinating Council Chair Jamie Brown will talk with CISA’s National Risk Management Center Director Bob Kolasky in a webinar titled "IT Industry Briefing on CISA COVID-19 Response Efforts" hosted by CompTIA and ITI  Monday at 3 p.m.
  • The Senate Homeland Security and Government Affairs Committee will host a virtual roundtable to discuss U.S. cybersecurity and the Cyberspace Solarium Commission Report on Wednesday at 9:30 a.m.
  • The Senate Commerce Committee will host a hearing on the state of broadband amid the covid-19 pandemic on Wednesday at 10 a.m.
  • The Information Technology and Innovation Foundation will host a webinar “Mind the Gap: A Design for a New Energy Technology Commercialization Foundation” on Wednesday at noon.
  • The Open Technology Institute will host an event on the role of technology in pandemic response efforts on May 14 at 11:30 a.m.

Secure log off

Academy Award-winning actor Anthony Hopkins is truly living his best life during quarantine. 

And he has a cat!