Election officials fear copycat attacks as ‘insider threats’ loom

Last updated on July 13, 2022

BATON ROUGE, La. — Election officials are confronting a wave of threats and security challenges coming from a troubling source: inside the election system itself.

In interviews on the sidelines of the National Association of Secretaries of State’s summer conference, a dozen chief election administrators detailed a growing number of “insider threats” leading to attempted or successful election security breaches aided by local officials. The most prominent was in Colorado, where a county clerk was indicted for her role in facilitating unauthorized access to voting machines. But there have been similar instances elsewhere, including in Pennsylvania, Michigan and Ohio.

Beyond security breaches, other insider efforts to undermine elections have sprouted. In New Mexico last month, the board of commissioners in Otero County — a predominantly Republican county along the state’s southern border with Texas — refused to certify primary election results, citing unfounded claims about the security of voting machines that are rooted in conspiracy theories about hacked election equipment from the 2020 election.

“What’s clear is this is a nationally coordinated effort,” said Michigan Secretary of State Jocelyn Benson, a Democrat. “It’s multi-year, multi-faceted … not just pressuring election officials, but pressuring local elected officials as well.”

Election officials fear the handful of publicly disclosed incidents over the last two years are only the start of a wave ahead of the 2022 and 2024 elections.

“It can create a domino effect, because if one county successfully manages to tank their election by not certifying it, we’re gonna see copycats,” said New Mexico Secretary of State Maggie Toulouse Oliver, a Democrat and former president of NASS who sued to force certification last month.

Kentucky Secretary of State Michael Adams, a Republican, said he’s seen the copycat trend already. “I read something in POLITICO about what’s going on in some other state and then three days later, we get the same thing in our state,” he said.

Some election officials, while concerned about the breaches around the country, said that similar problems haven’t popped up in their state. But others are preparing aggressively — especially in states that already suffered a notable breach.

“We always had various redundancies and protocols in place to minimize against the prospect of an insider threat … But I think how it’s changed is preparing,” said Colorado Secretary of State Jena Griswold, a Democrat.

After two well-publicized breaches in Colorado, Griswold pushed for a new law there that made it a felony to facilitate unauthorized access to voting equipment, among other things.

And officials say there has been a renewed focus on limiting the number of people who actually have access to election equipment, even while it is in storage, to cut down risk. “A lot of it is just making sure we are monitoring who has access to what,” said Iowa Secretary of State Paul Pate, a Republican and past president of NASS.

Secretaries have also pushed out new guidance following a wave of conspiracy-fueled post-election reviews that took place after 2020 — sometimes with the assistance of local officials, like in Pennsylvania, and sometimes over their fierce objections, like in Arizona.

“Our counties were like, ‘We’re getting inundated with calls for these crazy Arizona fraudits,” said Oregon Secretary of State Shemia Fagan, a Democrat. Fagan said she relied on guidance approved by NASS last year to direct Oregon counties on how to conduct audits.

Many secretaries who spoke to POLITICO expressed concern not just about malicious, intentional attempts by local officials, but also officials unintentionally aiding breach attempts.

Ohio Secretary of State Frank LaRose, a Republican, recently pushed out what he called his “security directive 3.0,” that came after an attempted breach in the state. He emphasized not only the importance of cybersecurity, but also “physical” and “human” security.

“A hacker can try to enter through your door,” LaRose said, raising an example of someone posing as a delivery person to try to gain access. “You got to constantly remind people, because human nature is ‘Oh, yeah, let I’ll somebody in the building.’”

Some officials noted that local authorities have, in the course of trying to reassure people who have doubts about election systems, accidentally created security threats by granting access to outsiders. Officials say that simply the act of turning over unfettered machine access to even well-intentioned outsiders could compromise election equipment, and would likely lead to voting equipment being decertified.

“There’s no way to vet who this third party is,” said Leigh Chapman, a Democrat serving as Pennsylvania’s acting secretary of the commonwealth. Counties are “being approached by external entities all the time. Since 2020, the landscape has become more complicated.”

Officials stressed the importance of pre- and post-election testing and audits, which are often public and mandated by state law, as a way to demonstrate the security of equipment without allowing access to the actual hardware and software behind it.

While election equipment like voting machines and ballot tabulators are almost universally not connected to the internet, officials still worry that other aspects of local county election systems, like internal computer networks or voter databases, are vulnerable to cyber threats.

“If you click on a bad email? We’re only as good as our weakest link,” said Minnesota Secretary of State Steve Simon, a Democrat. “It can be some county far away. It’s always possible that it could set in motion some unintended consequences that could affect other places.”

Secretaries say there has been an increased focus on working with state and federal agencies to repel both cyber and physical threats. “We have our [state] office of homeland security folks who check with our counties to make certain that they have their election infrastructure secure,” said New Jersey Secretary of State Tahesha Way, a Democrat who assumed the NASS presidency on Sunday. She also mentioned federal security partnerships.

Secretaries were quick to point out that, while breaches are serious security challenges, they aren’t necessarily jeopardizing statewide election systems. American elections are decentralized by nature, and there has been a general lack of sophistication from would-be breachers, they say.

Instead, some of the biggest concerns come from misinformation that arises out of a successful breach — and any copycat attacks they inspire.

“It would be very difficult for someone to completely disrupt what is happening statewide,” said Maine Secretary of State Shenna Bellows, a Democrat. “What’s concerning is that those stories start to undermine public confidence.”

Nearly universally, officials expressed concern about a brain drain in the industry that could exacerbate the problem of intentional and unintentional insider threats. Multiple secretaries said they were seeing dramatic turnover among local officials and senior staff.

“For the most part, as far as the motivations of the new clerks, I’m not concerned,” said Utah Lt. Gov. Deidre Henderson, a Republican who serves as her state’s chief election official. “What I am concerned about is making sure they’re adequately trained, especially when the staff that has been there for a long time, that understands the processes, are quitting as well.”

Henderson said she expects about a third of her state’s counties to have new clerks next year. Fagan, of Oregon, said her office has also seen an increase in retirements, with local officials worn down after the 2020 election and its aftermath.

“The job has really changed,” Fagan said. “To be treated day in and day out, from people in their community, as if their integrity is in question. It’s just a really heavy burden to carry.”

Several secretaries said they’ve been monitoring recent primaries for local election positions, checking to see if conspiracy theorists who believe the 2020 election was rigged won. Most said they have been pleasantly surprised to find relatively few candidates like that winning.

But election conspiracy theories have taken a deeper hold in state legislative races and secretary of state campaigns, with election deniers across the country forming a network to coordinate their statewide campaigns.

While they have suffered high-profile losses in Georgia and Colorado, the network has also tallied notable wins: Members of the coalition are the Republican nominees in states including Michigan, Nevada and New Mexico, with another major primary next month in Arizona.

“We were very fortunate in 2020 that no sitting secretary bought into the Stop the Steal effort,” Michigan’s Benson said. “I don’t think we’ll get that lucky again.”