The security of our elections is top of mind for practically every voter in the US. With the state primaries underway, all eyes are on our electronic (and in some cases mobile) voting systems to understand if malicious attacks are happening — and if our systems are able to defend against them. Most experts agree that we are unprepared and underfunded when it comes to securing our elections — which should concern us all.
A big problem is that when we look at the entire ecosystem of the national election process, we don't treat it the same way we treat business systems. This is a mistake. Voting is a business of our state governments. And the most valuable asset for states is voter information — similar to the customer information and data assets of a for-profit business (which are increasingly safeguarded by data privacy regulations). To modernize our current model of election management, trust, and security, it's important to examine three interrelated pillars for state governments: technology, people, and attitudes.
1. Technology: Making Cybersecurity More Proactive
To address the growing security threats that many players in the broader election system ecosystem face, proactive cybersecurity technology and policy must take center stage in three important ways:
Cybersecurity hygiene of individual companies and agencies
Greater transparency and data-driven assessments of election system hardware and software providers should be mandated in order to measure each company's cybersecurity hygiene against an established baseline. In addition, there needs to be increased monitoring of the deployment and implementation of technology in state and local election systems to ensure that misconfigurations aren't creating additional vulnerabilities.
A "layered defense" approach to cybersecurity
Given the complicated, interdependent nature of government systems and databases, security measures should be established to minimize the likelihood of an attack — particularly from internal staff. For example, an ill-intentioned employee could access and hack a state voter registration database through a vulnerability in the Department of Motor Vehicles network. Implementation of a layered defense approach and incorporating a "least privileged principle" that limits an individual's access to only very specific parts of a network or election system makes internal access more difficult and successful hacking more unlikely.
Ongoing validation of effectiveness of security controls
As is true in the business world, any government agency or organization playing a role in the election ecosystem cannot afford to assume that established security technology and protocols always work as they're supposed to. With such a complex array of interrelated software elements from multiple vendors, each with different settings and procedures, and with continually changing network and access protocols, ongoing changes in the IT environment – what I call "environmental drift" — can negatively affect security performance. When left unchecked, there is tremendous risk that security controls will not provide the necessary defenses when an attack occurs. Frequent and regular evaluations to validate the effectiveness of security controls should be a key component of the overall process.
2. People: New Roles and Relationships for the state CIO and CISO
Typically, the role of chief elections officer is filled by the secretary of state, who oversees testing and certifying all voting equipment for security, accuracy, reliability, and accessibility. States also have a CIO and a CISO, but they don't currently have a formal direct working relationship with the secretary of state or state elections commissions. I believe that they should — especially now, with the prominence of e-voting. State CIOs and CISOs can be of tremendous value to the secretary of state and election commissions in helping them understand the evolving cybersecurity threat landscape, while tracking its potential threat impact on a daily basis.
Governors should also have cyber-protection teams that know how to scan the environment for the bad guys and look for flaws, before an attack occurs. The right place for this cybersecurity resource to exist and collaborate with the state CIO and CISO would be in "Fusion Centers" set up to deal with any kind of emergency, regardless of origin. I have seen this work already underway in Michigan, Virginia, Rhode Island, and Louisiana, and believe other states should follow their lead.
3. Attitudes: Moving from Naivete to Thoughtful Experimentation
There are several attitude challenges that we face today. While most state and local governments understand that threats are out there and vulnerabilities exist, they don't understand their nature or magnitude, or how best to address them. At the local level, there is often a perception that individual precincts are too small to be viable targets. In a democracy where every vote must count, a broader mindset is required. And when security technology is brought in as the solution, there is too often an overreliance placed on it and a false assumption that it's working as it's supposed to in order to protect election integrity. When cyber hygiene is one of the top priorities in business organizations today, why should state/local election systems be different?
There are forward-looking states experimenting with electronic and mobile voting to reflect current technology and cultural change — with a dual purpose of deterring voter fraud and boosting voter turnout. Initiatives and experiments to enable people to vote by mobile phone — anywhere, anytime — require deep attention to proactive cybersecurity and digital identity. In the 2018 midterm elections, West Virginia became the first state to introduce purely online voting for overseas military voters with a mobile app that used blockchain technology, with identity authentication through a fingerprint or facial recognition. With the security concerns inherent to this kind of experiment, more research should be done and trials conducted to make mobile voting a more viable way for people to vote.
From Ideas to Action
To increase trust, accountability, and security around our election process and systems, it will take a combined and concerted effort from many different parties — on both the state and local government side as well as from the technology community. State governments and election officials should take the lead, but others involved in the process share an equal responsibility — from the federal government and technology companies in both the election systems and cybersecurity spaces, all the way down to individual citizens. Only when we all come together can we ensure that every vote counts.
- Don't Let Iowa Bring Our Elections Back to the Stone Age
- 5 Measures to Harden Election Technology
- Forget Hacks... Ransomware, Phishing Are Election Year's Real Threats
- How Enterprises Are Attacking the Cybersecurity Problem