Proof of Concept: Securing Elections in the Age of AI
CISOs Discuss AI Scams, Cyberthreats and Election Security Defenses
Anna Delaney (annamadeline) • February 27, 2024
In the latest "Proof of Concept," Jeff Brown, CISO for the state of Connecticut, and Lester Godsey, CISO for Maricopa County, Arizona, join ISMG editors to discuss AI-related threats to election security, safeguarding against cyber and physical threats and coordinating efforts for complete security.
The panelists - Brown; Godsey; Anna Delaney, director of productions; and Tom Field, senior vice president of editorial - discuss:
- The primary AI-related threats to election security, such as deepfakes and social engineering - and how to safeguard against them;
- Insights gained from recent cyberthreats to election security and the evolving defense strategies deployed to mitigate them;
- The intersection of cyberthreats and physical threats in elections.
Brown previously served as CISO for life and retirement at AIG and held senior information security leadership roles at BNY Mellon, GE Capital, Citigroup, Goldman Sachs and Merrill Lynch.
Godsey has over 27 years of experience in higher education and local government IT. He has spoken at local, state and national conferences on telecommunications, project management, cybersecurity and data and has taught at the college level for over 12 years in the areas of technology, business, project management and cybersecurity.
Don't miss our previous installments of "Proof of Concept", including the Dec. 8 edition on navigating software liability and the Jan. 31 edition on how to ensure that AI systems are ethical.
Transcript
Anna Delaney: Hello, this is Proof of Concept, a talk show where we invite leading experts to discuss the cybersecurity and privacy challenges of today and tomorrow, and how we can potentially solve them. We are your hosts. I'm Anna Delaney, director of productions at ISMG.
Tom Field: I'm Tom Field, senior vice president of editorial at ISMG. Anna, always a pleasure to see you.
Delaney: Always a pleasure. And today, Tom, we're diving into a very, very important topic - election security. This year, can you believe it, over 50 countries are set to hold national elections. And that's impacting half of the world's population. And of course, all eyes are on the potential rematch between President Joe Biden and former President Donald Trump in the U.S. election. But amid the anticipation, there are significant hurdles to overcome. Are there not, Tom?
Field: There are, and this one scares me, I've got to tell you. I mean, we've paid attention to this certainly before 2016. The smaller elections of 2016 was a big wake-up call for many of us in terms of foreign nation-states attempting to influence election outcomes. 2020 was successful and enabled in terms of being able to turn back attempts to commit fraud, but was significant in attempts to commit fraud. This one scares me. It scares me with the advent of gen AI, and with the advent of deepfakes. I mean, you and I have both seen deepfakes. I've seen myself deepfaked in some of your panels where people have used audio of me or they've translated interviews I've conducted, so it looks like I'm conducting them in languages I don't speak on an everyday basis. Frightens me, the power of what can be done and is at anybody's fingertips. As I say frequently - there's no barrier to entry. Anybody that wants to get in and try to mess with influence has that opportunity.
Delaney: And at scale, but just before we get to AI, we've also heard that state election officials are expressing frustration over the lack of federal funding to bolster election security measures from securing systems to updating equipment to training staff, resources are in short supply. And it's not just about the money, there are plenty of threats to contend with. Cyberattacks, as you said, and criminal ransomware groups, and of course, AI, and it's a bit of a double-edged sword, Tom, because AI has both the power to enhance and undermine election integrity. I think we just don't know and I think this maybe is a learning opportunity, because we don't know how this technology might be exploited and potentially disrupt elections.
Field: Anna, what frightens me is that we've seen in the U.S. certainly, that all it takes is for someone to say no, those election results are fraudulent. And there's a mass of people that will believe that. What happens if cybercriminals or nation-states get in and meaningfully interfere with elections and influence voters? It just frightens me what people will believe and act upon.
Delaney: Yeah, for sure. But I did see some positive movement last week, where we've seen this recent commitment from a coalition of tech companies, major tech companies, including OpenAI, Microsoft, Meta, Amazon, TikTok, X, all the big names and others, and they've pledged to limit the malicious use of deepfakes and other AI technologies in democratic elections. So what would that mean? What does that look like? They say they're developing tools for detecting, verifying and labeling synthetically generated or manipulated media. But again, I guess, we don't know. We don't know yet.
Field: Where are the funds to fix the naive voters?
Delaney: Where are the funds to fix the naive voters? Good question. Well, maybe you should ask the experts. I mean, I think now is the time to introduce our esteemed guests. And they're deeply involved in the current election landscape, especially with the primaries on the horizon. So joining us today are Jeff Brown, CISO for the State of Connecticut and Lester Godsey, CISO for Maricopa County. Welcome, gentlemen. Welcome back.
Field: Welcome.
Jeff Brown: Thank you, Tom.
Delaney: Yeah, very good to see you both. And Tom, I think has the first question for you.
Field: He is going come right back to us talking about before, this whole devil, generative AI. Jeff, Lester, what are the primary AI-related threats to electoral security that you see or concern you today?
Lester Godsey: I'll go ahead and start. So from our perspective, we see ... I'm always hesitant to say traditional use, but what we're commonly seeing is AI being used to enhance existing attack vectors, so like phishing emails, things of that sort, and to your earlier point, during the introduction about deepfakes, and so in 2020, Maricopa County saw its fair share of deepfakes, but the quality was pretty poor, not overly believable. That's no longer the case. So we definitely see that. And then one of the more interesting uses of AI that we're seeing is not directly related to attacks. But we also are aware and we've seen, or we're aware that the technology exists where AI can be used to develop strategy. So creating strategies around mistakes and malformation attacks where there's no tool out there that's going to identify that, but I've seen firsthand how those tools can be weaponized to help people, you know, create a strategy. And so how do you combat that? Well, you know, the different ways in terms of preparedness, incident response and preparing for various different scenarios along those lines is the way to do that. But AI is jumpstarting those conversations in some cases.
Field: Jeff?
Brown: Yeah, very good. I think there's a couple of themes that I see. One is, you know, obviously, the misinformation and deepfakes, you know, but also just being able to do this at scale. And, you know, it's easy to think about things like ChatGPT, because that's so prominent, everybody knows about that. But I mean, there's also things that are now generating video and audio, and you know, all of this other stuff. And that can be very convincing. I mean, it is one thing to read an email that looks a little suspicious, maybe it's another thing to see a video of somebody like Pete, you know, actually talking and in the right voice in the right tone, and that is going to be, I think, really difficult to combat. You know, the challenges, I mean, you can create your own phishing email right now, without any tools. The challenge is now this is kind of open to everybody, right? So people, you know, maybe English as a second language. So, you know, suddenly we're starting to see better crafted phishes, you know, nation states, things like that, that we have to really worry about in this process. And, yeah, it's definitely some frightening stuff.
Field: So the past, I've had the opportunity to talk with our friends at CES and the FBI about their efforts to protect federal elections. Really privileged to speak with you at the state and the county level today. How do you address challenges in safeguarding elections against both cyber and physical threats?
Godsey: So that's a great question. And in our experience in Maricopa County, especially during the 2022 election cycle, and so not presidential, but we've seen a transition even from the 2020 election cycle to 2022. There's more of a convergence between cyber and physical threats, there's no real delineation. And oftentimes, what we see on social media in particular is an indication of potential kinetic threat more so than cyberthreats, at least in our experience. And so a good example of that is during the 2022 election cycle, we saw folks in Arizona, staking out ballot box locations, dressed in tactical armor with automatic weapons, and so we saw chatter on social media about that sort of activity as well, too. So that's posing a wholly, totally different set of problems for us. But it starts off in the cyber area, but it quickly morphed into physical or kinetic risk as a result. So that's been quite the challenge to say the least.
Field: I'm sure. Jeff, your experience?
Brown: Yes, you know, so, at the state level, this is really an interesting topic, because it really is a big team sport for us. So we have our federal partners, we have the election infrastructure, ISAC. So there's a special ISAC just for elections. We partner with the Secretary of the State who really runs the election process in Connecticut, and they are separate from us. But we work very closely together with all of these - the FBI, the multi-state ISAC - all of these different groups, and we typically will partner with them, we have virtual SOCs, and in some cases, we have physical SOCs where people are sharing the same space, sharing threat intelligence, sharing threat information. And yeah, I mean, we always have to worry about not only, you know, the AI kind of things, and emails and stuff like that, but also physical threats that polling locations ... fortunately, those are relatively few in our experience, but they certainly can happen. A lot of that, you know, especially when we talk about the security of elections. I mean, it is a little-known fact, but I mean, like there hasn't really been a known cyberattack that has materially changed the outcome of an election. And that's something that I think is really important, but it's so easy to just kind of like get stuff out there that says, oh, the polling location is on fire. There's riots, I mean, stuff like that scares people away. So influencing an election through those kinds of means is definitely possible. And that's something we monitor very closely. You know, we keep our eyes on social media, we keep our eyes on what people are actually reporting from the polling stations, the state, obviously, it gives a high level of support to the towns and municipalities, which are ultimately the ones actually with the polling locations. You know, it's a very distributed process, and there's a lot of different players involved. So I mean, we have that voter registration database that's under our purview.
But you know, the actual elections are all boiled down to the towns and municipality levels. Some of those I mean, you know, it's easier to sort of understand why some of this stuff is so hard to hack remotely. I mean, like, you know, I'll give you an example my town, which is Fairfield, Connecticut. Like your little pencil, you fill in the dots, I mean, if you're going to hack that you have to show up in person, that's a really high risk activity to do. And there's a reason that, you know, a lot of people have shied away from like fully automating, fully online kind of elections, because that stuff is so critical that you know, not having a physical tab of the votes, not being able to go back and do an audit of what people actually voted for it. Those are big problems. And I think that that's really slowed the whole desire to move and sort of automate the whole process and put it all in computer systems. It's actually beneficial, I think, to us that we're still somewhat in the stone ages when it comes to elections across all states.
Field: Well said, Anna, you've got some questions as well.
Delaney: I do indeed, this has been excellent so far. So maybe starting with you, Jeff, on this one. I'd love to delve into past experience here. So what lessons has your jurisdiction learned from recent cyberattacks and cyberthreats rather to election security, and any insights you could share on specific challenges and lessons learned from them?
Brown: Yeah, and you know, we're in a really interesting position in that the National Guard in Connecticut has a significant cyber presence. And that's not true in every state. But you know, our National Guard has a significant cyber presence. There's 169 towns in Connecticut, I think we've assessed now 168, you know, and physically, the National Guard has actually showed up at polling locations and talked to the municipalities, we have actual evidence of like, you know, what does security look like? And all of that was coordinated under the Secretary of the State, which is fantastic, because now you don't have to say, Well, we think it's like this, or we assume it's like that we know for sure, we have real data that we can kind of go to and gives us just a deeper understanding of things. Every year, you'll see things like, you know, voter registration, databases being sold on the dark web and things like that. And I think a lot of people, this is scammers, sometimes scamming scammers, you know, in many cases, you can actually request a copy of the voter registration database. And that's something that is available to the general public, usually for a fee. And then what happens is you have enterprising individuals who say that they've hacked something, or they've taken it, and they're selling it online, to people who could have just basically requested it. So I mean, there's, there's an element of transparency, and it's a balance between cybersecurity and the amount of transparency that we have to have in elections. You know, and that's something that we take very seriously. So it's just so many different pieces that I mean, it really is such a distributed system. 
It's a team sport, when we do this, we've already been meeting quite often on this subject with all of the folks involved our state police headquarters, you know, all of the different players in this working closely with Secretaries of the state to make sure that we're ready, that that threat intelligence is being shared. I think that's another one. You know, we often talk about nation states. And yes, that's a big threat to elections, but don't underestimate some of the local elections can get very contentious. And, you know, those are challenges too. You know, they're all things that we have to keep an eye on.
Delaney: So what have you learned from past election experience?
Godsey: I've learned more than I probably have ever wanted to. But joking aside, so just to kind of build upon what Jeff was talking about. So the intelligence sharing has been critical. And so over the course of the elections from 2016, to 2020, to even 2022. We have upgraded, we continue to enhance and upgrade our communication protocols. And so, actually, the state of Arizona under their department of Secretary of State Department has enacted protocols based off of what Maricopa County has done to ensure day of election and leading up to election, all 15 counties in Arizona are communicating certain components on what they're seeing from a network perspective, from a media perspective from other elements from a cyber risk perspective. So, which is great and so that's something that hadn't previously been done amongst all the counties. And so, because in Arizona, the way that voting services are provided are typically through the counties. So the municipalities are not responsible for that is a county function. And so that's one aspect. We continue to enhance our incident response playbooks, we have bespoke custom playbooks based off of election preparedness, because we've had to do that. And so for example, one component that we added, officially as part of our 2020 election that we're moving into this year, as well, is threat of insider threat. And so we unfortunately have seen evidence of folks, in a lot of cases on social media, where the way elections work oftentimes is it's a very seasonal sort of activity. So as you get closer to elections, recorder's offices are those that responsible for elections will put a call out for volunteers, or part time employees to kind of bolster staff to address the needs. And so we've seen on social media, specific calls about infiltrating for lack of better description, the recorder functions.
And so now, because we've seen that we've had to step up our game with regards to processes, as well as technology to look for potential insider threat. And we have seen evidence and if caught that sort of activity as well. And so we're not unique that way, there's been plenty of stories about insider threats, with other organizations here in the United States. So that's another aspect. And then frankly, we continue to do things where we try to minimize kind of the attack surface, if you will. So one of the hard lessons learned in Maricopa County is people who have their personal presence on social media and being targeted via LinkedIn, for example, just based off of affiliation, so we've had to do things like create custom, educational awareness within the organization on how to secure your social media, and to minimize the potential risks because we had a situation where somebody affiliated with elections, their profile picture had their family in the background. And so they and their family, by extension, were not directly but the insinuation of a threat was made on social media. And so those are things that we've had to contend with, and just continue to enhance and just address what the risk landscape looks like is fifth, specifically around elections. And so it's unfortunate, we have to do all those things, but it's a necessity in this day and age.
Delaney: So you mentioned the incident response playbooks, insider threats and education, but have you actually had to adapt? And how have you adapted your defenses to counter evolving cyber threats?
Godsey: Absolutely. And so we've done that on a myriad of different levels. And so from an application development perspective, we've had, you know, from a cyber perspective, especially in 2020, we saw every type of attack that is normally out there. So DDoS attack, we saw passive active networking attempts, we saw intrusion attempts, obviously, we've seen vendor supply chain based attacks. So we saw a situation where in 2020, a third party SaaS service that I won't mention their name, but they're used by lots of government agencies to engage with the public. We saw interesting intelligence coming out of a fusion center on the East Coast that talked about there's some anomalous behavior being reported, we looked into it. And so the long story short is, it was believed that there was a bot attack against this platform that we happen to use, as well as multiple other agencies that were artificially creating accounts. And we believe that the intention behind that from our federal partners sharing this was to affect the sentiment in preparation for the 2020 election cycle. And so we've adapted to all those sorts of things with whether it's the specific tool sets, so like the insider threat, we've implemented some specific technology along those lines. But then, in addition to insider threat, we've conducted tabletop exercises involving the Secretary State, our elected officials, as well as IT and the recorder's office, on preparing when those sorts of things occur, how do we respond? So it's not just a defensive approach, but it's also we're taking the position that if these things do occur, how do we respond accordingly? And so it runs both from a process people process and technology perspective in terms of how we've adapted over the course of our experience in dealing with elections.
Delaney: And Jeff, how have you adapted your defenses?
Brown: Yeah, likewise. Um, you know, and those are some great points, because I think, you know, it's easy to get a little overly focused on nation state attackers and things like that. But I mean, insider threats are very real, you know, much more localized threats are also very real. So a lot of how we've been doing things, tabletop exercises, boilers are just so, so good and so powerful. I mean, that, you know, updating your incident response playbooks, really making sure that we're sharing information. And then one of the interesting things that sort of happened during the COVID pandemic was, it was the first time ever that we had to sort of go remote with the elections monitoring process. And rather than having that be a weakness, it's actually turned into a strength for us, you know, we've been able to monitor much longer, you know, we have people that are, you know, watching days and days and almost weeks ahead of time, and you know, we just have a lot of that focus on all of the different things that can go wrong. And again, it's a highly distributed process. And it's like that in every state, because ultimately, you're down and polling locations in specific towns, and you have to kind of roll all that stuff up to the state level, and then ultimately to the federal level for federal elections. So there's a lot of players involved in I think, making sure that communication is good, making sure that we're sharing information sharing threat intelligence, and that we have some idea of what we're going to do if something does go wrong. By anticipating what kind of problems can happen, what would we do getting those playbooks in place? And, you know, ultimately, making sure that a bunch of very different than various groups you know, we have representation from CISA, from HHS, from the FBI, all of these different areas, they have to behave and act as one team.
And it's always great to see this stuff coming together, this will be my fourth election cycle on so it's really good to see just how well everybody partners and communicates and works together on this.
Delaney: Excellent. Well, I'm passing back over to Tom, this final question.
Field: Excellent. Now, I'm going to come back to something you talked about earlier. Lester, you talked about the convergence of cyber and physical threats. Where have you seen instances of cyber threats intersecting with physical security and elections? What are some of the responses you've undertaken? Of course, Jeff, and welcome your perspective as well.
Godsey: Unfortunately, I have more examples than we have time to discuss. But a couple that come to mind is we've seen a situation where post 2020 elections, so during that election, the recorder, the previous recorder, who was Democrat had lost and then the new, the newly elected recorder's Republican and so after that election, we saw we ran across because again, we're constantly monitoring the various different media outlets, the web, and that sort of thing, dark web, etc. We came across a few and on Research Forum, for example, where they put together a 30-page dossier about our newly elected recorder. And so that went back all the way to his college years. And so we were able to share that information and their awareness that there was opposition research being put together. And again, nothing inherently illegal about that. It's just publicly available information. But at the same time that having that level of awareness that there's a group of individuals who are digging through your past, obviously raises the level of cyber threat and so and also the potential a physical threat. So we've run across those sorts of things. We've also seen from a convergence between what we do from a monitoring perspective and how that translates into physical threats. Again, during the 2020 elections, for example, we saw that social media platforms were being used for logistics planning as well. So it was a situation where they're using social media platforms to coordinate a caravan of volunteers that would follow election staff between facilities as they were doing their work, if you will. And so that was a situation where based off of our cyber activities, were able to do them, provide guidance to them and say, Hey, there's a distinct possibility that there's going to be people following staff, please be cognizant of that. We're also able to tell them when they were planning on trying to do these sorts of activities as well, too.
So unfortunately, that's just a small sampling of the kinds of things that we've seen, and frankly, what we continue to expect to see with this election cycle as well. And so that's the reason why, you know, from our perspective, we're less concerned about delineating between the cyber risks and being the ones to be involved versus physical risks and throwing that over the wall. So we've kind of learned through our, our intelligence gathering, if you will, that, that line is pretty much non-existent. It's just a matter of who do we need to talk to? And who do we need to inform of that risk when it's the scope?
Field: Well said, Jeff, do you find that there are no boundaries as well?
Brown: Yeah, there's a lot of challenges, I think with this. And I think when I look at it, like, what's kind of the most obvious things, it's always phishing and spear phishing campaigns targeting either election officials, IT staff, key vendors, you know, just trying to get access to things like voter registration databases, election management systems, like anything that they can do. And of course, email. It's scalable, right, everybody has it, you know, it's easy to launch an attack that way, we also have to worry about stuff, just, you know, just availability assistance. So things like ransomware attacks, obviously can come into play. But I mean, we've been fortunate that we're not aware of any of those that have materially impacted cyber in Connecticut in particular. But, you know, we always see activity around this stuff. And again, there's just so much attention that we put on it, you know, this will tie up my team for like a good solid week of elections, monitoring, and just all the preparation that goes into this. And again, tabletop exercises, just looking at what's happened in other states, also very important. I mean, like, you know, I can't emphasize enough how important it is for us all to share information. So we are typically, you know, typically the federal government will run some, you know, run some just getting people together and talking and secure facilities and things like that, in terms of just what they're seeing what we need to be worried about, and what's in the real world. Because I mean, what you don't want to do is you don't want to end up chasing sort of phantom threads about you know, if you've seen something in one state, all the other states need to know about that, too. So information sharing is huge. It's so key in this.
Field: Excellent point. And a thank you to bring us on.
Delaney: Thank you so much. Well, you mentioned information sharing there. So I'd love to know more about how you coordinate efforts across cyber and physical security for this comprehensive election security, whether it be initiatives or communication channels or protocols. So maybe, Jeff, you want to weigh in on that one.
Brown: Sure. Um, you know, a lot of the conversations are actually led by our Department of Emergency Services, our state police headquarters, you know, that handles a lot of the physical security, obviously, they're a key player in this, right, because if there is a problem that requires somebody law enforcement to show up in person, we also have the FBI and others that give us a lot of coverage with this kind of stuff. So there's a whole host of players that we can tap into. And, you know, I think a lot of it is about detecting that something's happening, and then responding very quickly, not trying to figure it out in the heat of the moment. So we plan what happens, we have our playbooks, and then we make sure that we're executing on those as well. But I mean, again, I think the biggest takeaway here is it's a big team sport, and it takes a lot of people working together to get it right.
Delaney: So how does it compare in Maricopa County?
Godsey: It's similar variations on a theme, I mean, it's a consistent message, and it certainly applies to us. In our case, especially leading up and day of election, what we wind up doing is we leverage our state fusion center, right. And so that way, we don't have to worry about reaching out to all the other agencies that are participatory, we have a single source that we report to, on occasion will talk, especially day of election, you know, I may talk to the FBI or our CISO or something like that. But by and large, we have a regular reporting structure based off our election playbooks. And so we communicate regularly with the state fusion center, things that we've done to update that is we've also enhanced what our internal reporting is along those lines. So for example, when we see anytime, not just elections, but when we see credible evidence of potential physical risks, we have a distinct different protocol on how we report that to our security services group, as well as depending on the nature that that's a committee so that might involve our facilities management, as well, safety services. But that's a situation where unfortunately, some of our elected have had to hire physical security services because of threats that they've received. So we've updated our protocols to reflect that so that that information gets to the appropriate folks. So they have all the information they need to make those kinds of decisions. And so we find it's a combination of the IOCs and the other just status will report to the fusion center. And then we have a separate kind of baked in protocol for all the internal entities, including our management leadership, things of that sort. That way, they can also let their elected officials know during elections, how things are going. So it's a process that's existed for years now that we continue to enhance based off of the changing players that are involved as well as the different threats that we see.
Delaney: Well, I know we've just touched the surface. But this has been hugely informative, incredibly valuable to us and our audience. So thank you so much both years, Lester and Jeff.
Field: Indeed. Thank you.
Godsey: Thank you.
Brown: Thank you.
Delaney: Hopefully you'll come back again soon. I know it's a very busy time and a busy few months but we'd love to hear how you're doing and progress. Thanks so much for watching. Until next time.