The Cybersecurity and Infrastructure Security Agency’s former lead election security official is recommending comprehensive changes to protect the ballot in future elections, from physical safety upgrades for election workers and federal agency revamps to mandated disclosure of cyber incidents.
A report published Thursday from former CISA election adviser Matt Masterson, who now works for Stanford’s Internet Observatory Cyber Policy Center, is a response to the complications that surrounded the 2020 elections. Namely, 2020 was marred by misinformation that undermined public faith in elections, inconsistent funding to mitigate IT vulnerabilities and threats against election officials, the report concludes.
The battle over the 2020 presidential race rages on, with the GOP pushing partisan election reviews in several states despite numerous recounts that concluded with Joe Biden as the victor.
“Our democracy is in trouble,” Masterson told CyberScoop. “We are in a downward spiral of distrust of the process. If we don’t make meaningful changes both to how we administer elections but also how we talk to voters and how we hold people accountable for blatantly lying and spreading misinformation, the incentive structure will be such that the reward of pursuing the grift — of spreading the mis- and disinformation — will be greater than the consequences, and we’ll continue to see it.”
That report that Masterson co-wrote accompanies an “oral history” of the 2020 election, featuring interviews with election leaders around the country.
“Although it has been nearly a year since the election, the long-term consequences — the damages to our democracy and institutions — of 2020 are far from certain,” the Stanford Internet Observatory history states.
The report recommends a reorganization of the Election Assistance Commission, where commissioners riven by partisan disputes have failed to give state and local election officials the support they need. It proposes eliminating the commissioners’ positions entirely, placing control of the agency in the hands of an executive director subject to oversight by EAC advisory boards.
“It is time to recognize the EAC for what it is: a poorly structured agency that has little ability to do more than the bare minimum to fulfill its mission,” the report reads. Masterson, besides his role at the Department of Homeland Security’s CISA, also once worked at the EAC.
The EAC disputed the report’s conclusions about the EAC, saying past issues instead emerged from underfunding or the lack of a quorum as commissioners awaited confirmation. Even with still-low funding levels, the agency pointed to advancements like updating its voluntary voting system guidelines for the first time in 15 years, and said Masterson wasn’t an unbiased observer.
“This recommendation is mainly authored by Matt Masterson and can’t in good faith be viewed as an impartial recommendation from a respected academic institution,” EAC Chairman Don Palmer said in a statement to CyberScoop. “Mr. Masterson was a former EAC Commissioner, and he now is employed by Stanford. Personal animus over the dysfunction he participated in should not interfere with the importance of the good election work the Commission is currently doing.”
To better safeguard election officials who faced physical threats from supporters of former President Donald Trump who claimed, without evidence, that the 2020 election results were fraudulent, the report suggests increased criminal penalties for threats or violent acts against election staffers. It also suggests better threat information sharing, identity protection assurances and physical security and doxxing prevention training.
Among those facing death threats after the election was former CISA Director Chris Krebs, who said he was “bombarded” with them after Trump attorney Joseph diGenova said on conservative network Newsmax that Krebs should be “drawn and quartered” and “taken out at dawn and shot” for defending the integrity of the 2020 ballot.
Some of the report’s recommendations are staples of election security advocacy: regular, reliable federal grants to state and local governments; expanded use of risk-limiting audits; and publication of baseline, minimum cybersecurity standards for election vendors.
Those proposals have already proven difficult to pull off in Congress and state legislatures, given partisan divides where Republicans have largely resisted such efforts. Some plans require less coordinated federal or state action, such as civic education campaigns at all levels of government to counter misinformation and disinformation about elections.
Others could piggyback on existing debates over when critical infrastructure owners have to notify the federal government about major cyber incidents, such as the report’s recommendation that state and local election officials and election vendors report breaches to CISA and the FBI.
Masterson said that one of the big things people should draw from the report is that election workers stood their ground despite all the troubles.
“They looked a global pandemic in the eye, risked their own health and safety, in order to administer the elections,” he said. “And then, when faced with threats and just massive amounts of mis- and dis-info, stood up in the face of that and pushed back, and that’s Democrats and Republicans alike.”
Updated, 10/14/21: to include response from the EAC.