Cybersecurity in a fishbowl: How North Carolina’s Board of Elections handled it

The following is press coverage on NCSBE Cybersecurity, courtesy of scmagazine.com.

Election security has never been more scrutinized than the 2020 presidential elections. It left election boards fighting not only to protect the election from outside influences but also to justify the legitimacy of their own work.

Where it succeeded and where it failed makes the perfect case study in creating cybersecurity in a fishbowl.

SC Media talked to Patrick Gannon, public information officer for the North Carolina State Board of Elections, and two of the contractors the NCSBE used to bolster security for the 2020 election: Torry Crass of Woodstar Labs and Sean Maybee of Associated Universities. They shared how to provide security when those inside and outside the organization are watching with a skeptical eye.

Patrick, you’ve worked on several elections under both Republican and Democratic leadership. How did 2020 stack up?

PG: From an agency perspective this went very smoothly. From the perspective of needing to be worried about anything, nothing materialized. It was extremely successful; extremely safe – despite what you may hear. That’s been the most difficult part of the election. You’ve seen it in other states – election officials became targets. Misinformation led to threats to physical safety.  

If there was evidence, criticism would be warranted. Not threats.  

One thing people don’t realize is how much time we have to devote to responding to disinformation. Every time someone calls us or emails us with criticism, it takes time away from what we still have to do. 

TC: Having those things explained made a positive impact within those groups. I’d say they strive to be as transparent as humanly possible, to the point where my Dad or some curmudgeon would call up and start saying all these things that they got from QAnon, and they would actually talk to them and say “this is how we do it, these are the things that are in place, these are the things we’re doing to protect your vote.”

PG: Even before this election, we came up with a list of 10 points that we thought, if people understood, people would have more confidence in the election: conducting audits after each election; being one of the only states with a dedicated investigations division; how, every step of the way, Republicans and Democrats were in the room.  It was on our website, and we were able to keep referring back to that.

TC: Throughout the election, we all had to be good at communicating and explaining the different controls and processes, because I would say the public in most cases is not aware of the audit processes or the data controls that are already in place.

SM: Just coming up with an effective list is hard, from a cybersecurity perspective, because it has to be a good balance between being as transparent as possible while keeping specifics and TTPs private. 

But was being transparent successful in convincing people their vote would count?

TC: We had the opportunity to participate at a keynote at a cybersecurity conference in Charlotte before the election, where we were able to go through the 10 points, explain to people what we were doing.

Patrick asked at the start how many people had confidence in election security. Only around a third of them raised their hands.  

PG: If it was even a third, that is a surprise. 

TC: Cybersecurity people are critical by nature. But as it went on, we were able to convince people. At the end, Patrick asked again. Almost everyone raised their hands.  

What did the the people who had their hands down at the beginning of the keynote appreciate by the end?

TC: The expectation that a lot of folks seem to walk in with is that there’s no controls. There’s no security, there’s just a bunch of people who have no understanding of the cybersecurity space or technology in general. In some ways, I think that is a big portion of why the North Carolina Board of Elections engaged with us. It’s not that they didn’t have people that were working on cybersecurity or that they didn’t have controls in place.  

SM: Not to downplay our contribution, but a lot of that was for the legislators.  

I was going to answer your question another way, because this was my impression when we first became involved. When I go to my polling place, there’s a little old lady in tennis shoes at a desk, and you fill out a form, and she puts it under the table and then you go and there’s a machine inside these cardboard walls. And you wonder how can all this be secure?  

Well, you can convince people that’s secure. Transparency is a big piece of it. You need to have a way not only to communicate at the leadership level and to your board and to your executive team, but you also need to understand what they’re communicating down the reporting chain.  

You mentioned you were brought in as contractors not just to help but as a third party check to raise confidence. Does that work?

TC: I think it does help. There was a lack of trust in the establishment – a belief that everyone is in it to cause problems.  

It helps to have people come in and say ‘we’ve looked at this.

PG: We’re a small office and didn’t just have to deal with cybersecurity issues. We had five times as much vote by mail. We had concerns from people, ‘will my vote get there in time or at all?’ We had to work with counties to make sure there was enough PPE. And that was in addition to the normal issues that come up in a presidential election, which is a mammoth undertaking.  

Having Sean and Tory was a force multiplier. The more voices the better. At some point, if you don’t trust the [Cybersecurity and Infrastructure Security Agency] and you don’t trust the FBI and you don’t trust Chris Masterson and you don’t trust Chris Krebs and you don’t trust the state, it becomes a conspiracy that’s hard for us to address. The more voices you can have say this was a fair election the better.  

SM: I think one of the strengths of bringing in a CISO-as-a-service, like us, is that we bring a team. When it comes to people second-guessing,  we can engage with critics and say there was the consideration of whatever issue. We can say we have a specific expert on staff who handles that problem. 

So what do you take from this election in terms of where to improve moving forward?

PG: From my standpoint, it’s educating the public, educating lawmakers, making sure they have answers to the questions they have.  

We’ll keep trying to correct voter misconceptions on social media. We’ll advertise more of our successes, like having media campaigns to demonstrate logic testing in 2024. We need people to know this isn’t something being done willy nilly, or thrown together at the last minute. We are preparing for this year-round.  

We’re making plans to extend a voter confidence campaign to counter disinformation. I don’t know if it will be helpful to the extent we want it to be. I don’t know if it can be when there’s such a disconnect between the sides. 

SM. One of the things that caught us by surprise was that we were preparing for a Nov. 3 election. But a few weeks before that we realized we were working toward a game day that came early and kept going.  

How do you adapt to attackers who don’t necessarly want to work on your schedule? 

TC. You rely on partnerships. We received bulletins from the federal government. To be able to use those, we had to be sure early that the tooling and the visibility to determine which issues were important as they arose rather than being blindsided by a changing landscape.  

There are full-time employees here for a reason. It’s not just starting on Nov. 3 and packing up on Nov. 4. It’s continuous improvement and continually improving visibility.

SM: That goes back to the original question. The other piece is year round resources. None of that can come for free.

 

Article by Joe Uchill, SC Media Senior Reporter

 

In Other News…

VIDEO: Multi-wavelength Observations Reveal Impact of Black Hole on M87 Galaxy

In 2019, a worldwide collaboration of scientists used a global collection of radio telescopes called the Event Horizon Telescope (EHT) to make the first-ever image of a black hole — the supermassive black hole at the core of the galaxy M87, some 55 million light-years from Earth.

ACEAP Alumna Selected as Astronaut for SpaceX

Sian Procter, a participant in the Astronomy in Chile Educator Ambassadors Program (ACEAP) in 2016, has been selected as an astronaut by SpaceX. The Inspiration4 mission, scheduled to launch sometime after 15 September 2021, will orbit Earth for three days and conduct a variety of experiments.

New Images Reveal Magnetic Structures Near Supermassive Black Hole

The Event Horizon Telescope (EHT) — the worldwide collaboration that produced the first image of a black hole in 2019 — has produced a new image showing details of the magnetic fields in the region closest to the supermassive black hole at the core of the galaxy M87. The new work is providing astronomers with important clues about how powerful jets of material can be produced in that region.

After Long Shutdown, Giant Radio Telescope Array Set to Resume Observations

The Atacama Large Millimeter/submillimeter Array (ALMA), a set of 66 radio astronomy dishes perched high in the Chilean Andes, was hit hard by the pandemic. It shut down on 22 March 2020 and has remained silent ever since—far longer than most scientific facilities....

VLA Helps Astronomers Make New Discoveries About Star-Shredding Events

New studies using the VLA and other telescopes have added to our knowledge of what happens when a black hole shreds a star, but also have raised new questions that astronomers must tackle.

Radio Telescope is So Powerful it Can See the Surface of Other Worlds

Get ready for close-up surface images of distant planets in our solar system.

Next Generation VLA Endorsed by Canadian Panel

The Canadian Astronomy Long Range Plan 2020-2030, a report on priorities and recommendations for Canadian astronomy over the next decade, has recommended that Canada support the National Radio Astronomy Observatory’s (NRAO) proposed Next Generation Very Large Array (ngVLA), saying the new facility will enable transformational science across many areas of astrophysics.

The ITL Expects to Create 35 Businesses Between the Third and Tenth Year of Operation

The former Minister of Energy, Ricardo Raineri, who also has a long career as a professor and university researcher and international consultant, was appointed by the American consortium Associated Universities Inc. (AUI) as Director of Development and responsible for executing the installation stage from the Institute of Clean Technologies (ITL).

This Insane Picture of The Moon Was Actually Taken From Earth

A test of a powerful new space imaging instrument has given us a gloriously detailed new perspective of the Apollo 15 Moon landing site.

Successful Test Paves Way for New Planetary Radar

The National Science Foundation’s Green Bank Observatory (GBO) and National Radio Astronomy Observatory (NRAO), and Raytheon Intelligence & Space conducted a test in November to prove that a new radio telescope system can capture high-resolution images in near-Earth space.

You are now leaving AUI

You will be redirected to the related partnering organization's website.

You will be redirected to
in 4 seconds...

Click the link above to continue or CANCEL