The 2022 Media Guide to Busting Election Security Myths

By Tom Gann · October 25, 2022

The 2020 election and the political turmoil of January 6, 2021 focused media attention on the threat of conspiracies to future elections. Such disinformation stands to poison citizen confidence in the democratic process itself.

As the U.S. approaches the 2022 midterm elections, traditional and social media entities must stand with federal, state and local government bodies to challenge the numerous election cybersecurity myths election deniers have propagated since 2020.

Media play a particularly important role in this effort in that they are often the first to spot, analyze and make sense of breaking news events. They are in a unique position to question and filter out emerging election claims before myths gain momentum across hundreds of outlets and communication channels.

The U.S. government has developed and publicized several information sources to help citizens and government officials guard against election disinformation. But this latest in Trellix’s series of 2022 Election Security blogs seeks to put guidance from government officials in simple terms to help media spot, question and bust eight election security myths with the potential to emerge in the coming critical weeks leading up to and after November’s midterm elections.

Myth 1: All hardware and software vulnerabilities are election security vulnerabilities

For the last few years, threat researchers have tested election voting machines and related software systems for security vulnerabilities. While they have identified several issues in these technologies, these discoveries are not evidence of exploitation by cyber attackers. Nor are they evidence in and of themselves of election systems being compromised, let alone voter data or vote counts being changed.

Indeed, the Cybersecurity and Infrastructure Security Agency (CISA) has asserted there is no evidence that such vulnerabilities have “contributed to any voting system deleting, losing or changing votes.”

As a best practice, threat researchers inform software developers and hardware manufacturers of vulnerabilities prior to publicizing to allow providers to fix the vulnerabilities before their existence is broadcast to potential hackers. This process commonly referred to as “responsible disclosure” is what the Trellix Advanced Research Center utilizes, ensuring all vendors are aware of a vulnerability well ahead of threat actors.

State and county governments are then informed security updates are available and prompted to implement patches in a timely manner.

Furthermore, election officials can implement cybersecurity solutions, process procedures and other measures to manage and mitigate cyberattacks resulting from vulnerabilities yet to be discovered.

Myth Buster Questions:

• What technical evidence is there to prove the vulnerability was exploited and elections impacted?
• Has the technology provider implemented software updates to fix the vulnerability?
• If not, has the provider provided customers mitigation guidance to minimize the issue until a patch can be delivered and deployed?
• What measures are in place to ensure protection from undiscovered vulnerabilities?

Myth 2: Any social media account claiming to represent candidates, political parties or government election boards should be trusted

As we saw in our last blog in this series, it is possible for malicious actors to use techniques like fake phishing emails to assume a legitimate party’s identity and mislead or even compromise users.

Bad actors can also set up hundreds of fake social media accounts to impersonate people or organizations involved in the electoral process. These bogus social media accounts can be used to slander the entities they claim to represent with abusive language and other offensive content, or simply mislead voters with disinformation about where and how to vote.

CISA advises users of Facebook, Instagram, Twitter and Snapchat to look for checkmarks on social accounts to verify their identity. Voters should also fully leverage each social network’s “report” functions to investigate these accounts’ legitimacy.

Myth Buster Questions:

• Does the account create genuine content or merely reshare content from other accounts?
• Does the organization or individual it claims to represent validate the social account as legitimate?
• What steps must the social networks take to validate and, if necessary, take down these questionable accounts?

Myth 3: Voting systems are not reviewed or tested and can be easily manipulated

There have been rumors claiming voting hardware and software systems have not been tested for performance and accuracy and can be easily manipulated. The fact is these systems do undergo testing from federal, state, and local election authorities to ensure they will not be manipulated.

Federal and state testing and certification, testing prior to procurement, acceptance testing, and pre- and post-election logic and accuracy testing help “detect and protect against malicious or anomalous software issues.” Systems can be tested to ensure federal and state standards for accuracy, privacy and accessibility following the Voluntary Voting System Guidelines set by the U.S. Election Assistance Commission.

Myth Buster Questions:

• What evidence is there to prove these systems have been manipulated?
• What evidence is there to suggest any malicious or anomalous behavior in the election systems in question?
• When did these systems undergo performance, accuracy and risk assessment testing?
• What post-election audits are planned to check these systems’ performance?

Myth 4: Voter data leaks mean voter registration databases are compromised

It is possible a malicious actor could disclose information that appears to be leaked from voter registration records. The actor’s intent is to undermine confidence in the electoral process by claiming to have access to the databases that hold sensitive personal information.

However, because a significant amount of voter registration information can be obtained from public or semi-public sources, the simple presentation of this data does not prove government databases have been compromised. Nor does it prove election systems been compromised.

Media can challenge these claims by probing into how widely available the disclosed information is to actors willing to gather and weaponize it.

Myth Buster Questions:

• Is there any evidence of a security incident within the networks of the government in question?
• Where could this information be found outside of the voter registration databases in the public domain?
• How easy would it be for a determined threat actor to gather or simply purchase such information from legitimate sources (telemarketer services, etc.)?

Myth 5: Voter registration website or polling place lookup website outages mean election systems are compromised

State and local government websites are prone to suffer outages particularly during periods of heavy usage. Because of this, it is incorrect to assume service disruptions or outages confirm any government IT systems or election systems tied to them have been the victim of a cyberattack impacting the election process.

While threat actors could launch distributed denial of service (DDoS) attacks, maliciously disrupting website performance for the purpose of undermining confidence in the registration system and the electoral process overall, any number of network issues related to hardware, software, cloud, or other IT performance issues could also be the cause of website outages.

Myth Buster Questions:

• Was the website outage the result of service performance issues or a distributed denial of service (DDoS) attack?
• How long was the website out of service?
• How many if any people experienced issues accessing the website?
• How quickly was the government able to restore these services?
• Was there any impact to voters’ records or lasting impact to their ability to register because of this incident?

Myth 6: If election night results shift to the other party over ensuing days and weeks, election systems have been compromised and votes changed

In 2020, millions of Americans came to believe election night results were changed either by corrupt election workers or a cyber actor compromising state-level tabulating systems to add fraudulent votes. While these scenarios held no merit, it is certainly possible similar scenarios could occur in future elections should candidates’ leads shrink and fade into deficits as absentee votes surpass day-of votes over time.

Voters must understand the process whereby election results are not final until certification, meaning election night reporting is unofficial until all ballot counting is completed.

Media can challenge the election night conspiracy theories by pressing those claiming irregularities with facts related to each state’s specific ballot counting processes and by pressing them for evidence of foul play.

Myth Buster Question:

• Do you have evidence the vote lead changed due to a cyber incident and not the legitimate processing of all legal ballots?

Myth 7: If election night reporting websites experience outages, are vandalized, or display incorrect results, vote counts have been lost or manipulated

Election night reporting websites are unofficial and their numbers subject to change until final results are certified. However, it is possible during a highly charged election period for citizens to believe election processes are being disrupted or compromised if such sites experience outages, are vandalized, or display inaccurate results.

These sites reflect a snapshot of disclosed results and not the ongoing work of the election systems themselves. Outages resulting from high volumes of interested voters or interference by malicious third parties do not constitute incidents which could disrupt the ongoing backend processes or change final election results.

Media must stand with election officials during these high stress hours and advise voters to remain calm by considering these incidents in context.

Myth Buster Questions:

• Were these website outages the result of high volumes of voters seeking the latest election results?
• Were these website outages or defacements the work of a malicious actor?
• How long did it take for the government to restore control over the website and its content?
• Was the malicious activity limited to impacting the website?

Myth 8: A ransomware attack or data breach means election infrastructure has been compromised

While unlikely, it is possible threat actors could compromise some area of a state or local government’s IT systems and even lock down a portion of those systems with ransomware or other malware. While very serious events, these incidents will not necessarily impact the IT systems specifically responsible for supporting the jurisdiction’s elections.

The adversary will no doubt count on a lack of visibility into such incidents to create a space soon to be filled with worst case scenarios, rumors and conspiracy theories.

Government networks can be vast and multipurpose even at the county level, particularly those large enough to be worthy of such attacks. A high-profile attack such as this does not signify the entity has been unable to accurately perform its electoral functions.

These governments have set up physical contingencies to back up their digital election infrastructure, including paper-based provisional ballots, poll books, and ballot receipts. These can be audited to ensure very citizen’s vote has been counted.

Media need only to focus on these backup measures to maintain or restore voter’s confidence through what could otherwise be viewed as catastrophic election cyber incidents.

Myth Buster Questions:

• Which government systems were impacted by this cyber incident?
• Which systems were not impacted by this cyber incident?
• How quickly was the government able to restore its IT capabilities?
• What backup contingencies does the government have in place to ensure all votes were counted despite this incident?

United We Must Stand

Today, Americans find themselves in a hyper contentious political environment where lies can pile up faster than truths. This is particularly so where media consumers tend to prefer self-validating versions of the news to the full story.

Fighting off election disinformation requires both public and private sector actors work together to bust these and other election myths. The media themselves have a very important responsibility in this effort to ask the tough questions upfront, early and often before myths gain traction.

To succeed, government, industry and the media must stand united, working together through whatever turbulence may come to pass.