Insider Interference: U.S. Agencies Highlight Threat Insiders Can Pose to Election Security
U.S. President Biden won the 2020 presidential election with 306 Electoral College votes and a four-point margin in the popular vote.
Then U.S. President Donald Trump and his supporters, however, immediately began spreading falsehoods that Trump had won the election. These allegations spurred some elected officials to begin questioning the accuracy of the election results in their states, including Colorado Clerk Tina Peters.
Using her access to election equipment as an election official, Peters allowed a man posing as a county employee to photograph election system hard drives before and after software upgrades in May 2021. She also let a former surfer affiliated with conspiracy theorist Mike Lindell watch software updates and copy hard drives using another person’s security badge.
“She was elected specifically to be the safeguard and then became the threat by sneaking people into the room with machines who weren't supposed to be in there, filming the passwords that she wasn't supposed to have access to, passing them on to other people,” said Dan Rubinstein, 21st judicial district attorney who led the prosecution against Peters, in an interview with Colorado Public Radio.
In August 2024, Peters was convicted on three counts of attempting to influence a public servant, first-degree official misconduct, violation of duty, failing to comply with the secretary of state, and one count of conspiracy to commit criminal impersonation. She is scheduled for sentencing on 3 October.
“The breach Peters was charged with orchestrating heightened concerns over potential insider threats, in which rogue election workers sympathetic to partisan lies could use their access and knowledge to launch an attack from within,” according to the Associated Press.
Earlier this year, the FBI, the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Justice (DOJ), and the Election Assistance Commission shared guidance about addressing insider threats in the 2024 election cycle.
The agencies have historically worked together to safeguard election infrastructure from cyber, physical, and insider threats. They found no evidence that malicious actors changed, altered, or deleted votes—or impacted the outcome of past elections. But this year could be different if security practitioners are caught off guard.
“Over the past several years, the election infrastructure community has experienced multiple instances of election system access control compromises conducted by insider threats,” according to guidance from the agencies. “While there is no evidence that malicious actors impacted election outcomes, it is important that election stakeholders at all levels are aware of the risks posed by insider threats and the steps that they can take to identify and mitigate these threats.”
Threats to Watch
In the United States, state and local officials are responsible for administering elections—including ones for federal offices. This means that a wide range of people, from election workers to vendors to contractors to volunteers, carry out responsibilities for elections and pose a unique insider threat risk.
These individuals could be acting of their own volition, but they could also be motivated by foreign adversaries to compromise the electoral process.
U.S. intelligence agencies have tracked a growing number of foreign adversaries interested in monitoring election networks and attempting to influence or interfere with U.S. elections. In the 2024 Annual Threat Assessment of the U.S. Intelligence Community, the U.S. Office of the Director of National Intelligence (ODNI) said the People’s Republic of China (PRC) might attempt to influence U.S. elections because of a desire to sideline critics of China and to magnify societal divisions.
“PRC actors have increased their capabilities to conduct covert influence operations and disseminate information,” the ODNI wrote. “Even if Beijing sets limits on these activities, individuals not under its direct supervision may attempt election influence activities they perceive are in line with Beijing’s goals.”
ODNI is also watching malicious actors connected with Russia, since the country is anticipated to attempt to affect the 2024 election outcome to support its interests—such as limiting support to Ukraine.
Russia is the “most active foreign threat to our elections,” said Director of National Intelligence Avril Haines in testimony before Congress in May 2024. “The Russian government’s goals in such influence operations tend to include eroding trust in U.S. democratic institutions, exacerbating sociopolitical divisions in the United States, and degrading Western support to Iran.”
Another actor on this front is Iran, especially since in 2020 Iranian cyber actors obtained—or attempted to obtain—U.S. voter information, sent threatening emails to voters, and disseminated information about elections. The ODNI expects these actors to have evolved their techniques, combining cyber and influence operations in campaigns that could be deployed during the 2024 election cycle.
In testimony and a statement published in July 2024, Haines said that Iran is becoming “increasingly aggressive in their foreign influence efforts, seeking to stoke discord and undermine confidence in our democratic institutions, as we have seen them do in the past, including in prior election cycles.”
The ODNI has also observed Iranian government actors attempting to take advantage of protests against the war in Gaza, posing as activists online to encourage protests and, in some cases, providing financial support to protestors.
Americans “who are being targeted by this Iranian campaign may not be aware that they are interacting with or receiving support from a foreign government,” Haines said. “We urge all Americans to remain vigilant as they engage online with accounts and actors they do not personally know.”
In their guidance, the agencies assessed the threat of a foreign adversary getting access to election infrastructure through an insider as minimal, but a “perceived normalization of election influence or interference” in 2024 could push adversaries to take more significant action leveraging insiders, the guidance said.
For instance, a foreign adversary might gain insider access by “exploiting a targeted insider’s ideological views, providing financial incentives, or using proxy organizations or diplomatic presence to establish contact with an individual already in a position of trust or would be willing to seek out and acquire a position on behalf of the foreign actor,” according to the guidance.
Adversaries might also consider blackmailing or coercing insiders to leverage their access, such as conducting surveillance on a person with access to gather data on financial debts, illegal activity, or embarrassing habits.
Once an insider is willing to act, adversaries could use the individual to get access to election systems to expose voters’ personal information, limit voters’ ability to access accurate information on Election Day, or make election systems inaccessible to the public or election workers.
“In addition, adversaries could also employ insiders to assist with their malign influence operations to undermine American confidence in the security and integrity of the elections process,” the guidance explained. “An insider could provide an adversary with material to develop or amplify messaging challenging election system security, results, or operations.”
Indicators of Compromise
Insider threats often exhibit red flags that security practitioners should be aware of so they can respond proactively.
When it comes to elections, the agencies provided a list of warning signs specific to election environments that practitioners should watch for. These include attempts to alter or destroy ballots or documentation without prior approval; accessing systems, equipment, or facilities without need or authorization; turning off security systems; disregarding two-person rule requirements; taking proprietary material home in any form, or copying it, without need or authorization; remotely accessing computer networks at unusual hours; disregarding computer policies on installing personal software or hardware; and intimidating or threatening other staff.
The agencies also recommended that election administrators and partners work together to create an insider threat mitigation program to identify gaps in current practices and create a more informed approach to risk management.
“Organizational culture should also reinforce proactive reporting of employee concerns and security issues as a core component of securing the environment,” the guidance explained. “From this foundation, a successful insider threat mitigation program should implement practices, strategies, and systems that limit and track access across organizational functions ... Preventative measures against insider threats also contribute to detecting threats by establishing transparent, auditable election systems and processes, and then identifying outliers or anomalies for investigation.”
For election security practitioners, the agencies said insider threat mitigation programs should include standard operating procedures for completing tasks, such as requiring a two-person minimum for sensitive tasks.
The agencies also suggested implementing physical and digital access control systems to detect and prevent insider threats, with access privileges changing leading up to Election Day or other key dates to reduce the potential for harm to physical or digital systems. This should include access logs and control forms to assist with post-incident investigations or serve as evidence.
One challenge around access control for election workers is access to the voter registration database, according to the guidance. “It is important for jurisdictions and state offices to work together to regularly confirm and update a list of authorized users and associated privileges,” it said.
Election insider threat programs should have chain of custody procedures to track physical and digital assets, documenting each time the asset was handled and who was responsible for that interaction. Programs should also implement Zero Trust security, verifying every request for access and potentially creating a two-person rule or bipartisan teams when accessing sensitive resources.
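Several of the warning signs and controls described above (access by users outside the authorized list, remote logins at unusual hours, the two-person rule for sensitive spaces, and tightened privileges in the days before Election Day) can be checked mechanically against the access logs the guidance asks jurisdictions to keep. The following Python script is an added example, not code from the article or from the agencies' guidance: the log format, user and resource names, and policy values are all assumptions constructed for illustration.

```python
"""Flag insider-threat warning signs in election-system access logs.

Added example, not from the agencies' guidance. The log format, user
names, resource names and policy values are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, user, action, resource.
SAMPLE_LOG = """\
2024-10-01T09:05:00 alice  BADGE_IN    tab_room
2024-10-01T09:05:20 bob    BADGE_IN    tab_room
2024-10-01T22:40:00 carol  VPN_LOGIN   vr_db
2024-10-02T14:10:00 dave   DB_QUERY    vr_db
2024-10-03T16:00:00 alice  BADGE_IN    tab_room
2024-11-04T10:00:00 erin   SW_INSTALL  tab_server
"""

# Assumed policy values; a real jurisdiction would keep the authorized-user
# list current with the state office, as the guidance recommends.
POLICY = {
    "authorized": {                      # resource -> users allowed to touch it
        "tab_room": {"alice", "bob"},
        "vr_db": {"carol"},
        "tab_server": {"erin"},
    },
    "two_person": {"tab_room"},          # resources under a two-person rule
    "two_person_window": timedelta(minutes=5),
    "business_hours": (7, 19),           # remote logins outside 07:00-19:00 are flagged
    "election_day": datetime(2024, 11, 5),
    "freeze_days": 7,                    # no privilege-changing actions in the last week
    "freeze_actions": {"SW_INSTALL", "CONFIG_CHANGE"},
}


def parse_log(text):
    """Parse whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, resource = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "resource": resource})
    return events


def find_indicators(events, policy):
    """Return (kind, user, resource, timestamp) tuples for each warning sign."""
    findings = []
    auth = policy["authorized"]
    lo, hi = policy["business_hours"]
    freeze_start = policy["election_day"] - timedelta(days=policy["freeze_days"])
    badge_ins = defaultdict(list)  # resource -> badge-in events, for the two-person check

    for e in events:
        # Access without authorization: user not on the resource's list.
        if e["user"] not in auth.get(e["resource"], set()):
            findings.append(("UNAUTHORIZED_ACCESS", e["user"], e["resource"], e["ts"]))
        # Remote access at unusual hours.
        if e["action"] == "VPN_LOGIN" and not (lo <= e["ts"].hour < hi):
            findings.append(("OFF_HOURS_REMOTE", e["user"], e["resource"], e["ts"]))
        # Privilege-changing action inside the pre-election freeze window.
        if (e["action"] in policy["freeze_actions"]
                and freeze_start <= e["ts"] <= policy["election_day"]):
            findings.append(("FREEZE_WINDOW_CHANGE", e["user"], e["resource"], e["ts"]))
        if e["action"] == "BADGE_IN" and e["resource"] in policy["two_person"]:
            badge_ins[e["resource"]].append(e)

    # Two-person rule: every badge-in needs a different person badging in
    # within the window; a lone entry is a violation.
    window = policy["two_person_window"]
    for resource, entries in badge_ins.items():
        for e in entries:
            partnered = any(o["user"] != e["user"] and abs(o["ts"] - e["ts"]) <= window
                            for o in entries)
            if not partnered:
                findings.append(("TWO_PERSON_RULE", e["user"], resource, e["ts"]))
    return findings


if __name__ == "__main__":
    for kind, user, resource, ts in find_indicators(parse_log(SAMPLE_LOG), POLICY):
        print(f"{ts:%Y-%m-%d %H:%M} {kind:<22} {user:<6} {resource}")
```

On the constructed log this flags carol's late-night VPN login, dave's query against a database he is not authorized for, alice's solo entry to the tabulation room on 3 October, and erin's software install inside the freeze window, while the paired 1 October badge-ins pass. Each finding carries the timestamp and user so the log line can be pulled into a post-incident investigation, which is the reason the guidance wants these logs kept in the first place.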
Finally, all incidents of insider threat activity should be reported to the appropriate authorities to be investigated or documented to reduce the likelihood of similar activity in the future.
“Altogether, these measures support the integrity, reliability, and security of an election, providing the evidence to build public confidence in the process,” the guidance explained.
Want to read this article in print? Visit the ASIS Hub at GSX in Orlando, Florida, later this month to pick up a special printed edition of Security Management.