Cybersecurity in a fishbowl: How North Carolina’s Board of Elections handled it

The following is press coverage on NCSBE Cybersecurity, courtesy of scmagazine.com.

Election security has never been more scrutinized than in the 2020 presidential elections. It left election boards fighting not only to protect the election from outside influences but also to justify the legitimacy of their own work.

Where it succeeded and where it failed makes the perfect case study in creating cybersecurity in a fishbowl.

SC Media talked to Patrick Gannon, public information officer for the North Carolina State Board of Elections, and two of the contractors the NCSBE used to bolster security for the 2020 election: Torry Crass of Woodstar Labs and Sean Maybee of Associated Universities. They shared how to provide security when those inside and outside the organization are watching with a skeptical eye.

Patrick, you’ve worked on several elections under both Republican and Democratic leadership. How did 2020 stack up?

PG: From an agency perspective this went very smoothly. From the perspective of needing to be worried about anything, nothing materialized. It was extremely successful; extremely safe – despite what you may hear. That’s been the most difficult part of the election. You’ve seen it in other states – election officials became targets. Misinformation led to threats to physical safety.  

If there was evidence, criticism would be warranted. Not threats.  

One thing people don’t realize is how much time we have to devote to responding to disinformation. Every time someone calls us or emails us with criticism, it takes time away from what we still have to do. 

TC: Having those things explained made a positive impact within those groups. I’d say they strive to be as transparent as humanly possible, to the point where my Dad or some curmudgeon would call up and start saying all these things that they got from QAnon, and they would actually talk to them and say “this is how we do it, these are the things that are in place, these are the things we’re doing to protect your vote.”

PG: Even before this election, we came up with a list of 10 points that we thought, if people understood, people would have more confidence in the election: conducting audits after each election; being one of the only states with a dedicated investigations division; how, every step of the way, Republicans and Democrats were in the room.  It was on our website, and we were able to keep referring back to that.

TC: Throughout the election, we all had to be good at communicating and explaining the different controls and processes, because I would say the public in most cases is not aware of the audit processes or the data controls that are already in place.

SM: Just coming up with an effective list is hard, from a cybersecurity perspective, because it has to be a good balance between being as transparent as possible while keeping specifics and TTPs private. 

But was being transparent successful in convincing people their vote would count?

TC: We had the opportunity to participate at a keynote at a cybersecurity conference in Charlotte before the election, where we were able to go through the 10 points, explain to people what we were doing.

Patrick asked at the start how many people had confidence in election security. Only around a third of them raised their hands.  

PG: If it was even a third, that is a surprise. 

TC: Cybersecurity people are critical by nature. But as it went on, we were able to convince people. At the end, Patrick asked again. Almost everyone raised their hands.  

What did the people who had their hands down at the beginning of the keynote appreciate by the end?

TC: The expectation that a lot of folks seem to walk in with is that there’s no controls. There’s no security, there’s just a bunch of people who have no understanding of the cybersecurity space or technology in general. In some ways, I think that is a big portion of why the North Carolina Board of Elections engaged with us. It’s not that they didn’t have people that were working on cybersecurity or that they didn’t have controls in place.  

SM: Not to downplay our contribution, but a lot of that was for the legislators.  

I was going to answer your question another way, because this was my impression when we first became involved. When I go to my polling place, there’s a little old lady in tennis shoes at a desk, and you fill out a form, and she puts it under the table and then you go and there’s a machine inside these cardboard walls. And you wonder how can all this be secure?  

Well, you can convince people that’s secure. Transparency is a big piece of it. You need to have a way not only to communicate at the leadership level and to your board and to your executive team, but you also need to understand what they’re communicating down the reporting chain.  

You mentioned you were brought in as contractors not just to help but as a third party check to raise confidence. Does that work?

TC: I think it does help. There was a lack of trust in the establishment – a belief that everyone is in it to cause problems.  

It helps to have people come in and say ‘we’ve looked at this.’

PG: We’re a small office and didn’t just have to deal with cybersecurity issues. We had five times as much vote by mail. We had concerns from people, ‘will my vote get there in time or at all?’ We had to work with counties to make sure there was enough PPE. And that was in addition to the normal issues that come up in a presidential election, which is a mammoth undertaking.  

Having Sean and Torry was a force multiplier. The more voices the better. At some point, if you don’t trust the [Cybersecurity and Infrastructure Security Agency] and you don’t trust the FBI and you don’t trust Chris Masterson and you don’t trust Chris Krebs and you don’t trust the state, it becomes a conspiracy that’s hard for us to address. The more voices you can have say this was a fair election the better.

SM: I think one of the strengths of bringing in a CISO-as-a-service, like us, is that we bring a team. When it comes to people second-guessing, we can engage with critics and say there was the consideration of whatever issue. We can say we have a specific expert on staff who handles that problem.

So what do you take from this election in terms of where to improve moving forward?

PG: From my standpoint, it’s educating the public, educating lawmakers, making sure they have answers to the questions they have.  

We’ll keep trying to correct voter misconceptions on social media. We’ll advertise more of our successes, like having media campaigns to demonstrate logic testing in 2024. We need people to know this isn’t something being done willy nilly, or thrown together at the last minute. We are preparing for this year-round.  

We’re making plans to extend a voter confidence campaign to counter disinformation. I don’t know if it will be helpful to the extent we want it to be. I don’t know if it can be when there’s such a disconnect between the sides. 

SM: One of the things that caught us by surprise was that we were preparing for a Nov. 3 election. But a few weeks before that we realized we were working toward a game day that came early and kept going.

How do you adapt to attackers who don’t necessarily want to work on your schedule?

TC: You rely on partnerships. We received bulletins from the federal government. To be able to use those, we had to be sure early that we had the tooling and the visibility to determine which issues were important as they arose rather than being blindsided by a changing landscape.

There are full-time employees here for a reason. It’s not just starting on Nov. 3 and packing up on Nov. 4. It’s continuous improvement and continually improving visibility.

SM: That goes back to the original question. The other piece is year round resources. None of that can come for free.

 

Article by Joe Uchill, SC Media Senior Reporter

 
