What if the greatest threat to our election security isn't Russian hackers? What if it's actually well-intentioned Americans?
Phishing attacks account for more than 90 percent of data breaches. Imagine a scenario in which a campaign operative opens a seemingly harmless email, supposedly from her email provider, asking her to change her password. She clicks on the link, follows the instructions and unintentionally gives an unknown cyber actor access to her entire email database, including contacts, strategy memos and other privileged communication. Now stop imagining, because this happened to a high-ranking Hillary Clinton campaign official during the 2016 election.
This isn't to minimize the legitimate and serious threat to elections posed by Russian and other state-backed hackers. During the 2016 election cycle, Kremlin-connected hackers targeted election systems in 21 states and succeeded in breaching a voter database in Illinois. While voter data remained intact, the fact that Russian hackers managed to finagle their way into Illinois' system should raise alarms.
But many malicious cyberactivities, such as the phishing scenario described above, simply take advantage of innocent mistakes made by Americans. Our elections systems face myriad security risks. Despite efforts to increase funding for election security, many of these risks will still exist when the voters go to the polls in November. But one issue election administrators still have time to address is the lack of adequate security training for poll workers and others who manage our elections at the ground level.
While problems with voting technology can bedevil any election — as was amply illustrated by the chaos surrounding this week's Iowa Democratic caucuses — human error is a major vulnerability in any voting system. Tales of worker error in elections range from optical scanners left unplugged to distribution of ballots to the wrong precinct. One study of poll workers in California reported several such breaches of standard operating procedures, including leaving a memory card with vote totals at the polling site at the end of the day and leaving the door to a ballot box unlocked.
A majority of poll workers are older than 60, which is unsurprising given that most people under that age are too busy with work or school to take off the time. And without proper training, many older poll workers lack an adept understanding of technology and cybersecurity. This leads to an insecure voting environment.
Additional training may sound discouraging to counties that already struggle to recruit poll workers, and local governments may feel that additional time commitments will only exacerbate that problem and increase their financial burdens. This could explain why election officials in Arizona, Michigan and Pennsylvania told NBC that they never received cybersecurity training.
But basic cybersecurity training need not be particularly expensive, and there are free resources available for local governments to improve election security. Last May, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency released an "Election Infrastructure Security Resource Guide," which lists cybersecurity assessment services that are available without cost to state and local election jurisdictions. One of those services is an assessment of an organization's susceptibility to phishing operations. State and local election officials can also access cybersecurity resources and share threat information through groups such as the Elections Infrastructure Information Sharing and Analysis Center.
Human error is the No. 1 threat to the cybersecurity of our democratic process. When we don't take threats to our election infrastructure seriously, we invite enemies of democracy into our computer systems.