What happens if, on Election Day, a storm knocks out power. Or a ruptured gas main forces the evacuation of a polling place. Or a hostile nation creates mayhem by sending out misinformation?
New Jersey county election, law enforcement and technology officials spent all day Tuesday preparing for those and a host of other potential disruptions at a conference in Princeton.
The New Jersey Election Security and Preparedness Tabletop Exercise brought together some 400 people from all 21 counties, a number of state and federal agencies and 14 other states. Its goal was seeing that officials have at least planned for every foreseeable glitch — or cyberattack — that could prevent a smooth and complete vote in the 2020 presidential election.
“Every person here plays an integral role in protecting the most fundamental American right — the right to vote in free and fair elections,” said Secretary of State Tahesha Way in opening the exercises, co-sponsored by the state’s Division of Elections and its Office of Homeland Security and Preparedness. “We recognize that there are serious threats that would interfere with this right and undermine the confidence of the American people … Therefore, we have great responsibilities.”
A whole new world for election officials
The exercise followed by just a week a reported meeting with officials from the U.S. Department of Homeland Security and representatives of tech giants Facebook, Google, Twitter and Microsoft. The gathering was reportedly called in an effort to prevent a repeat of the kinds of disinformation and influencing of the American electorate by Russia — as well as the hacking of the Democratic National Committee and attempts to breach state election security — that happened in 2016.
Those threats have changed the way officials prepare for elections. Now just providing for the security of voting machines and having enough provisional ballots printed are not enough. Officials must also plan for dealing with malware or ransomware infecting county election officials’ computers, and social-media posts giving disinformation about polling times and locations. In addition to ballot counters, county election officials now must designate workers to monitor online posts, looking for and correcting falsehoods.
New Jersey used a small portion of the $9.8 million it got from the federal Help America Vote Act to run the exercises, providing some 20 scenarios election officials may face in the run-up to the election, on Election Day or immediately following it.
The exercises are especially important in New Jersey, where 19 of 21 counties use electronic voting machines that have no paper trail, so there is no way to verify whether the vote tallies are accurate. Way said the state’s voting system has never been hacked.
Each county sent a delegation that included officials from its clerk’s office, board of elections, information technology offices and law-enforcement agencies. They sat around tables reviewing contingency plans they have drafted to determine if they had properly planned for the situations presented, and to figure out how to better deal with some of the cases. The scenarios were presented quickly and had to be responded to within five minutes to simulate a real, high-pressure incident.
“This is an extraordinarily good thing,” said Christine Hanlon, Monmouth County clerk, who plans to conduct similar training for municipal clerks. “This is forcing all election officials to deal with scenarios we may not have planned for. It’s critically important that we are prepared, and if it’s not in our plan, we need to add it.”
While some of the scenarios seemed far-fetched, all were “things that have actually happened,” said Michael Geraghty, director of a state unit that tracks, analyzes and reports cyberthreats and is tasked with hardening the state against cyberattacks.
“We’re trying to make these as realistic as possible,” he said.
Lessons learned from Sandy
In one way, New Jersey election officials have already been tested in voting emergencies. Superstorm Sandy, which hit the state just days before the 2012 presidential election, washed away some polling places and darkened others, forcing state and county officials to get creative in making it possible for all those who wanted to cast a ballot to do so.
Geraghty, whose agency is called the New Jersey Cybersecurity and Communications Integration Cell, said election officials dealt with the storm’s impacts in real time and then went back and developed plans so they would be better prepared for the next disaster. “But the issue of cybersecurity is relatively new,” he added.
During the exercises, officials worked through a number of scenarios, natural and cyber-based. Here’s a sampling:
Way gave some officials a chance to experience another potentially unpleasant scenario herself — playing the role of a television reporter and peppering them with questions about one election disruption or another, invariably insinuating that the official’s response was inadequate.
“She was a tough reporter, but I have had that happen before,” said Paula Sollami Covello, the Mercer County clerk, of the scenario about which she was questioned: vote-by-mail ballots not delivered on time because they had been left sitting in the post office.
Covello did not mind the grilling. “This is a great way to learn about the things we might not have anticipated,” she said.
Two high-profile speakers drove home the importance of the planning exercises.
Jeh Johnson, the Secretary of Homeland Security under President Obama and a Montclair resident, reinforced the seriousness of threats and election interference from countries like Russia.
“I regret to report that I believe it will get worse before it gets better, that cyber actors, criminals, nation-states are going to be increasingly aggressive, tenacious, ingenious, while those of us on the defense in the government and private sectors will struggle to keep up,” he said. “Cyberattacks, somewhere in this country, are launched not just daily, but hour by hour, minute by minute.”
Reason for hope
His message was not all bleak, though.
“By all accounts, the U.S. Department of Homeland Security is working effectively with all of you on election infrastructure and cyber security,” he said. “A lot of states are making very important and useful strides.”
Still, to better defend against attempts to attack or influence elections, Johnson called for increased investment in better technology, more tabletop exercises, better security by campaigns and for the public to develop “a greater skepticism when it comes to fake news and extremist views.”
Christopher Krebs, director of DHS’s year-old Cybersecurity and Infrastructure Security Agency, said federal officials are working both defensively and offensively against attacks.
“There are absolutely powerful levers the federal government has to protect elections,” he said. “We are defending democracy. This is the line. We are holding the line.”
Evaluators spent the day working with county officials and taking notes. State officials will be going back to each county to talk over the results and help them further strengthen their contingency plans.
“At the end of the day, we’re going to do whatever [is necessary] to protect our systems,” said Jared Maples, director of Homeland Security and Preparedness for the state, “and make sure the message is out there: New Jersey, you do have a free and fair election system.”