As early voting gets under way across the United States, volunteer cybersecurity technologists unleashed through the Election Cyber Surge — a new program through the Harris School of Public Policy’s Cyber Policy Initiative (CPI)  — are working behind the scenes to ensure election systems are secure for the 2020 general election.

Tackling a range of projects, including one to protect a voter database using blockchain technology, Election Cyber Surge pairs experienced volunteers with state and local officials in jurisdictions ranging from fewer than 15,000 and more than 3 million voters, CPI leaders said in a recent interview.

Mary Hanley

The Election Cyber Surge does not charge for the help it provides, and boasts 10 active projects and a roster of nearly 100 cybersecurity professionals, said Mary Hanley, MPP’15, CPI’s associate director.

This year’s effort, which was announced late this summer, serves as a pilot program, and CPI is happy with the value-add so far. Based on the results and the feedback they have received, CPI expects to continue the Election Cyber Surge program long term.

Federal officials may not yet be seeing cyberattacks like those linked to Russia during the 2016 election, but a recent malware attack swept up voters in a Texas county and sparked fears of more to come. And the COVID-19 pandemic has put election administrators under extreme pressure with disruptions including shifts to mail-in voting, reductions in in-person polling places and election judges, and work often being done from home, upping security risks.

Jake Braun

“Russia’s interference in the 2016 U.S. presidential election provided an urgent and long-overdue wake-up call that U.S. election infrastructure is vulnerable to manipulation by foreign actors,” wrote Jake Braun, a lecturer at Harris Public Policy and executive director of the CPI, in his 2019 book Democracy in Danger: How Hackers and Activists Exposed Fatal Flaws in the Election System.

“Election integrity,” Braun wrote, “has never been at greater risk.” That, said Hanley, has CPI leadership “crossing fingers and toes” – and calling the Election Cyber Surge for help – heading toward Nov. 3.

CPI leaders point to what they describe as positive developments since 2016, including more voting with paper backups as well as more ballot audits. But nothing can make local election officials a match for nation-state hackers. And officials face many hurdles as they seek to button-down elections, including an acute shortage of cybersecurity technologists.

Today, CPI leadership said, there are 500,000 open positions across the cybersecurity industry, meaning election organizations are competing with the likes of JPMorgan Chase and Google for talent. That competition is especially intense outside of urban areas.

Free cyber assessments offered by organizations and agencies such as the Department of Homeland Security (DHS) are another post-2016 plus, as are the widely available election cybersecurity best practice checklists.

“But,” Hanley said, “there is nobody out there who’s actually saying ‘OK, now we’re going to give you folks who can do this stuff for you. They can take your cyber assessment and fix things or take your checklist and start implementing it.’ And so that’s specifically why we set this up, to fill that human capital gap.”

As it fills that void, the Election Cyber Surge also pays special attention to providing experts to underserved communities such as those that are majority Latino or African-American, communities that are already facing hard realities that make voting harder.

Meanwhile, election officials’ needs so far span from “super low-tech to super high-tech,” Hanley said, and include sometimes labyrinthine government obstacles, some of them highly practical.

An example of a “super low-tech” need would be an election administrator who wanted to improve security – but had local IT infrastructure controlled by the county government and election IT infrastructure controlled by the state government. The Election Cyber Surge put her in touch with volunteers who had worked in cybersecurity for state and local governments as well as with federal experts. They helped her determine what to do and how to get it done. 

“Super high-tech” needs include a cyber-savvy administrator – a regular at the DEF CON Hacking Conference– who wants to use blockchain technology. 

DEF CON Voting Village

CPI has been active in the election cybersecurity space by running the Voting Village at DEF CON, where hackers break into decommissioned voting equipment (usually with great ease) so vulnerabilities can be detailed in reports shared with machine vendors and election officials.

A report will also follow this first Election Cyber Surge cycle, though no proprietary information will be shared. A database of vulnerabilities, questions, and problems addressed is also being developed.

“What we’re trying to do,” Hanley, said, “is get in deep with a handful of these election officials to figure out what works, what doesn’t, what they need, what they don’t need, and then be able to really learn from that and do it even better next year and the year after.”

Harris’ backing of the Election Cyber Surge is supplemented by financial assistance from groups including Microsoft and Craig Newmark Philanthropies. Election Cyber Surge leadership also has coordinated with the DHS, the House Committee on Homeland Security,  and the National Association of Secretaries of State