The state turns to private-sector professionals to fend off cyberattacks on voting systems.
August 17, 2022
By Katrina Manson
- “Already, other states are seeking to copy Ohio’s model as they race to catch up with the threat of ransomware hacks, election interference, and other punishing cyberattacks, both foreign and domestic.” - Bloomberg News
- “We’re light-years behind these guys.” - Chip Daniels, South Carolina National Guard, after a recent trip to Ohio
Chris Riling says he “could never join the military.” He’s 37, has cerebral palsy, and wouldn’t have managed basic training, he says.
Yet he recently swore an oath to protect the country and obey his commanding officers. At any moment, Ohio’s governor can call him up for active duty reporting to the state’s National Guard. And if he missteps, he can be tried under the Ohio Code of Military Justice.
That’s because Riling, a systems architect at Cisco Systems Inc., is a volunteer for a novel kind of civilian reserve—a group of mostly private-sector tech professionals tasked with combating cyberattacks in the state. Right now, in the runup to the midterms, the group’s focus is election integrity: Voting-related hacking attempts could have disastrous implications for American democracy if successful, and cash-strapped state and local governments are often ill-equipped to face down new technological threats. Already, other states are seeking to copy Ohio’s model as they race to catch up with the threat of ransomware hacks, election interference, and other punishing cyberattacks, both foreign and domestic.
Created just before the pandemic, the Ohio Cyber Reserve has assembled 80 members who can be called up under the command of Major General John Harris of the National Guard. They work mostly in cybersecurity by day and moonlight as crime-fighting reservists on weekends and Tuesday evenings from 6 p.m. to 9 p.m. The program already has state funding to expand to 200 people and could ultimately grow to 500, organizers say. Most members take leave from work to fulfill their reserve duties and receive travel expenses for training.
The idea that election security could be bolstered by unpaid militia members is an indication of just how much strain local officials face. In the US, states and smaller jurisdictions run elections—including federal ones—often with few resources, limited know-how, and divergent approaches. Ohio alone has 88 county election boards, and Michigan has 1,603 local election officials. Cyber protection levels across the US range from advanced threat detection and remediation all the way down to nonexistent IT departments.
“There are 50 different ways of running elections throughout this country,” says Frank LaRose, Ohio’s Republican secretary of state. He and other experts say the separate systems help prevent large-scale attacks, but the approach can mean some jurisdictions are more vulnerable. As a state senator, LaRose supported the creation of the reserve as a flexible response team and sometimes calls it the “Geek Squad.” Jen Easterly, director of the federal Cybersecurity and Infrastructure Security Agency, recently said that Ohio is “a model for what the rest of country needs to be doing to keep their elections safe and secure.”
Ohio’s electronic militia is a rare point of bipartisan agreement in a political landscape riven by disagreements over real and imagined threats to the ballot box. Even as some Republican leaders in states and in Congress focus on former President Donald Trump’s baseless claims about 2020 fraud, there are real challenges facing the country’s election systems. Cybersecurity officials say the outcome of a vote has never been compromised, but the specter of digital tampering looms large. New US guidelines advise against enabling wireless connectivity and connecting voting and tabulation machines to the internet—however, cybersecurity experts say those machines could still theoretically be “hackable” through sophisticated attacks or specialized malware. Online voter registration databases and other aspects of polling are more vulnerable, and have been breached in the past.
In Ohio, a critical swing state, the stakes of election security are particularly high. “It is clear that any little thing that happens in an election is going to be used to drive narratives of distrust and doubt,” says Matthew Masterson, a former Ohio election official and previous chairman of the US Election Assistance Commission. But throughout the US, election officials “still can’t get the level of support that they need,” he says.
In May, the Massachusetts Institute of Technology Election Data and Science Lab said voting administration remains underfunded in much of the country, describing even federal funding as “infrequent and reactive.” Washington agencies offer some free tools and services to local authorities, but those efforts have been criticized for being insufficient in the past, and federal support has sometimes run up against local suspicion.
Meanwhile, the threats are increasing. A Senate panel report said Russia likely targeted election systems in all 50 states in the 2016 election, and experts believe Russia successfully accessed the systems of multiple state and local electoral boards (though there was no evidence of ballot tampering). The US intelligence community says Russia and Iran ran influence campaigns in 2018 and 2020. And officials worry about the dangers of state-sponsored attacks from China and North Korea, increasingly active global ransomware groups, and new perils posed by aggrieved insiders. FBI Director Christopher Wray recently warned that Russia “can walk and chew gum” at the same time—meaning that the Kremlin could both wage war in Ukraine and meddle with American elections.
US Cyber Command and the National Security Agency have reestablished a voting security group ahead of the midterms to detect such threats, but individual states still run the operations on the ground. It’s a risky approach, says David Levine, a former elections director for Ada County, Idaho, who’s now a fellow at the Alliance for Securing Democracy. “Asking state and local election officials to single-handedly hold the line against sophisticated adversaries like Russia, China, and Iran is simply a bad bet,” he says.
The country’s voting infrastructure also faces internal challenges. Harassment and threats in the wake of Trump’s unfounded fraud claims have seen some election workers quit. Levine and others have mourned what he calls “an exodus” of talent.
The backers of Ohio’s volunteer militia, which was created with unanimous support by state legislators, believe it will help solve some of these problems. It’s relatively cheap, with standards that are still exacting. About one-third of applicants don’t end up joining. And once they sign on, they’re tasked not just with responding to crises but conducting training and security assessments to reduce vulnerabilities.
Several states are following suit. California, Texas, Oklahoma, South Carolina, and Maryland are all establishing civilian cyber volunteer response teams. Michigan and Wisconsin already have such groups, though unlike Ohio they can’t be called up under National Guard authorities. Virginia and Indiana are trying to set up similar programs, and Colorado, Montana, Washington, and West Virginia are all interested, according to a June paper from the National Governors Association.
“The phone’s been ringing off the hook,” says Major General Harris, who’s responsible for the command of Ohio’s National Guard. “There’s a lot of interest in standing up this kind of cyber reserve.” Chip Daniels, of the South Carolina National Guard, is among the emissaries from other states who recently traveled to Ohio to observe the volunteers’ work. “We’re light-years behind these guys,” he says. In mid-July, 19 members of the Ohio reserve attended a three-day exercise in Cincinnati dedicated to thwarting cyberattacks against the state. They hunted for digital breadcrumbs left by a fictional disgruntled employee who defaced state websites, tracked down theoretical thieves who mined a municipal online data trove, and battled malware that a foreign country had secreted onto county computer networks. The exercise was “wildly successful,” says Richard Harknett, a University of Cincinnati professor who was a key thinker behind the reserve and whose work has helped inform US Cyber Command’s more aggressive stance in recent years.
Harris has already called on the civilian reserve at least twice. In February 2021, a volunteer spent four days helping respond to a ransomware attack on an Ohio government agency. And earlier this year, six volunteers put in time over the course of several weeks after a separate attack. “It was incredible,” says Aaron Bleile, a 31-year-old state employee with a background in cyber forensics, who was called in to help on one of the responses.
Harris is braced for more such events in the future. “We Americans tend to think we’re at war or we’re at peace,” he says. Instead, there’s a kind of simmering struggle taking place as cyberattacks against the US increase in scale and scope. Says Harris: “The truth of the matter is we’re in competition now.”
# # #