Meanwhile, the threats are increasing. A Senate panel report said Russia likely targeted election systems in all 50 states in the 2016 election, and experts believe Russia successfully accessed the systems of multiple state and local electoral boards (though there was no evidence of ballot tampering). The US intelligence community says Russia and Iran ran influence campaigns in 2018 and 2020. And officials worry about the dangers of state-sponsored attacks from China and North Korea, increasingly active global ransomware groups, and new perils posed by aggrieved insiders. FBI Director Christopher Wray recently warned that Russia “can walk and chew gum” at the same time—meaning that the Kremlin could both wage war in Ukraine and meddle with American elections.
US Cyber Command and the National Security Agency have reestablished a voting security group ahead of the midterms to detect such threats, but individual states still run the operations on the ground. It’s a risky approach, says David Levine, a former elections director for Ada County, Idaho, who’s now a fellow at the Alliance for Securing Democracy. “Asking state and local election officials to single-handedly hold the line against sophisticated adversaries like Russia, China, and Iran is simply a bad bet,” he says.
The country’s voting infrastructure also faces internal challenges. Harassment and threats in the wake of Trump’s unfounded fraud claims have seen some election workers quit. Levine and others have mourned what he calls “an exodus” of talent.
The backers of Ohio’s volunteer militia, which was created with unanimous support by state legislators, believe it will help solve some of these problems. It’s relatively cheap, with standards that are still exacting. About one-third of applicants don’t end up joining. And once they sign on, they’re tasked not just with responding to crises but conducting training and security assessments to reduce vulnerabilities.
Several states are following suit. California, Texas, Oklahoma, South Carolina, and Maryland are all establishing civilian cyber volunteer response teams. Michigan and Wisconsin already have such groups, though unlike Ohio they can’t be called up under National Guard authorities. Virginia and Indiana are trying to set up similar programs, and Colorado, Montana, Washington, and West Virginia are all interested, according to a June paper from the National Governors Association
“The phone’s been ringing off the hook,” says Major General Harris, who’s responsible for the command of Ohio’s National Guard. “There’s a lot of interest in standing up this kind of cyber reserve.” Chip Daniels, of the South Carolina National Guard, is among the emissaries from other states who recently traveled to Ohio to observe the volunteers’ work. “We’re light-years behind these guys,” he says. In mid-July, 19 members of the Ohio reserve attended a three-day exercise in Cincinnati dedicated to thwarting cyberattacks against the state. They hunted for digital breadcrumbs left by a fictional disgruntled employee who defaced state websites, tracked down theoretical thieves who mined a municipal online data trove, and battled malware that a foreign country had secreted onto county computer networks. The exercise was “wildly successful,” says Richard Harknett, a University of Cincinnati professor who was a key thinker behind the reserve and whose work has helped inform US Cyber Command’s more aggressive stance in recent years.
Harris has already called on the civilian reserve at least twice. In February 2021, a volunteer spent four days helping respond to a ransomware attack on an Ohio government agency. And earlier this year, six volunteers put in time over the course of several weeks after a separate attack. “It was incredible,” says Aaron Bleile, a 31-year-old state employee with a background in cyber forensics, who was called in to help on one of the responses.
Harris is braced for more such events in the future. “We Americans tend to think we’re at war or we’re at peace,” he says. Instead, there’s a kind of simmering struggle taking place as cyberattacks against the US increase in scale and scope. Says Harris: “The truth of the matter is we’re in competition now.”