Maricopa County CISO Lester Godsey shares his experiences overseeing information security in a hotly contested presidential election
The close-run 2020 presidential election in Maricopa County, Arizona’s most populous county and fourth-largest by population in the US, drew political and media attention from all over the world.
Maricopa County and the State of Arizona were ‘must-win’ territories for both of the major parties. During the election, Maricopa County saw a spike in misinformation and disinformation spread on social media, as well as a spate of more ‘conventional’ cyber attacks.
For example, It became national news when the unfounded claim that government-issued felt-tip pens were being used to suppress the Republican vote in Maricopa County went viral on local Facebook pages. ‘Sharpiegate’, as it came to be known, is a case study on how quickly political misinformation can spread online, and the confusion it can cause.
In this episode of the Business of InfoSec Podcast, Maricopa County CISO Lester Godsey argues that governments and businesses must invest in strategies designed to mitigate the negative consequences of misinformation and disinformation spread on social media.
“From my perspective, hands down, [mis- and disinformation on social media] was the biggest problem that we faced [during the election],” Godsey says. “And again, keeping in mind, we addressed a myriad of cyber incidents for the 2020 election.”
Defining Mis- and Disinformation
It’s important, Godsey says, to accurately describe the difference between mis- and disinformation if we are to understand the nature of the threat they pose.
“The delineation between mis- and disinformation is critical because the fundamental difference behind the two is intent,” Godsey says. “And so intent plays a pivotal role in ascertaining what the risk level is to an organization.”
While social media had an enormous potential to amplify incorrect information or misinformation, online, misinformation is not created with the intention of deception.
“The issue with disinformation is there’s active intent to knowingly spread false information,” Godsey says. “That in itself is telling with respect to what the intent is, and the desired outcome of the person, group, or nation-state that’s doing that.”
Unfortunately, much mis- and disinformation online does not require evidence or ‘proof’ for it to damage election integrity. Often, it strategically plays into the preconceived notions of the reader.
“The whole issue with election integrity is [that] what we have seen, unfortunately, is you don’t have to have evidence of malfeasance in order to have a similar outcome,” Godsey says. “You just need to get enough people to adopt and embrace that thought, whether it’s correct or not. And it just takes on a life of its own.”
Tracking Cyber and Kinetic Threats
During the election, Maricopa County was targeted by cyber threats ranging from advanced persistent threat actors, scanning attempts from various nations and DDoS attacks.
However, some of the most concerning threats came in real-time from the spread of misinformation and disinformation on social media. A trend that continues to this day.
“Unfortunately we continue to see today the use of social media to stir up and promote mis- and disinformation, as well as use that platform to coordinate kinetic events or physical events,” Godsey says.
For example, on election day social media was used to coordinate ‘caravans’ of election watchers to follow election staff as they traveled between official locations, due to a belief that something nefarious might be happening.
Godsey is keen to point out that as a representative of the state, he and all of his colleagues have taken an oath to protect and defend the US constitution. However, as a CISO he also has a responsibility to consider the safety of his systems and staff.
“We certainly respect and encourage people to demonstrate their right to peacefully protest,” Godsey says. “But conversely, from a cybersecurity perspective, our bread and butter is centered around risk.”
He continues: “One of the things that we found out as a result of our response to the 2020 election was social media, in particular, was not only an indicator of increased cybersecurity risk to the organization but also physical or kinetic risk.”
Lessons for the Wider World of Cybersecurity
While Godsey’s experience of monitoring the effects of social media on cyber and kinetic risk is centered on public sector governance and election integrity, he believes that there are lessons to be learned for cybersecurity executives in other fields.
“We look at social media as a source of intelligence, meaning we can’t ignore social media as a platform and a source of information to determine what the potential risk is to us as an organization,” Godsey says.
He continues: “While obviously [incident response] plays a pivotal role in election preparedness, social media needs to be part of any information security program’s arsenal.”
Godsey points out that trust is at the root of positive relationships between governments and private businesses and the public. In the modern information environment, social media can make it or break it.
“I would argue any organization that values anything should be concerned about social media. Whether it’s the bottom line, whether it’s your reputation or brand or a combination thereof,” Godsey concludes.