Under the Twelfth Amendment of the US Constitution, the voting process is solely the responsibility of the states to conduct and manage. As you can imagine, the decentralization of how we manage our voting process has created a situation where there are 50 different concepts of how to execute our rights to vote in national elections. According to the National Conference of State Legislatures: “Those standards vary from state to state. Some states adopt federal standards, some develop their own standards and others use a hybrid of both approaches.”
It is important to first define what makes up the voting process in this context. That process includes:
Understandably, there is a lot of surface area for cyber threat actors to attack, both nation-state and criminal. It’s reasonable to imagine someone wanting to pad the roles of a critical voting district by gaining control of the voter registration rolls and creating fake registered voters for unqualified residents to vote. A more likely attack would be a conventional ransomware actor who decides to lock up the database just prior to voter registration cards being distributed. The most dangerous attack would be to compromise the software vendors who write code for the electronic voting machines that would allow a threat actor to create vote tallies that suit their needs, potentially for sale to the highest bidder.
When assessing the cyber risk of any business process, the attributes of the processes most vulnerable to attack and exploitation include:
America’s voting process, as defined above fits every one of those attributes. It is safe to assume that some state governments considered among the “have nots” in funding are cutting corners in every element of these business processes with security hardening and monitoring on top of the list of “too expensive to do right.”
So, what is the current recognized security framework for the voting process? In 2009, The National Institute of Standards and Technology (NIST) published the Draft Voluntary Voting Systems Guidelines, version 1.1. The key word in these guidelines that is concerning is “Voluntary.” This term was probably introduced as to not usurp the authorities of the states to manage voting processes in accordance with the US Constitution. This standard is also narrowly applied to just one element of the voting business processes described above, the actual act of “voting.” As in any complex business process, there are many other elements to managing national elections that are not covered in the NIST guidelines.
It appears the Election Assistance Commission, created by the “Help America Vote Act” in 2002 in the aftermath of the Bush v. Gore disputed election, has the lead in synchronizing this effort. However, like any federal commission, there will always be suspicions of motives due to partisanship and politics of the commission leadership.
So this is a wicked problem. How can the integrity and security of our 50 different voting processes be ensured? A powerful first step would be to eliminate the word “voluntary” for the NIST guideline — the word “guideline” already implies this term. Next, the guideline should be expanded to encompass the entire voting process or require that the states are held accountable to NIST 800-53 and the Cybersecurity Framework for every element of their voting infrastructure.
In addition, it should be required that all 50 states provide audited evidence to the Federal Election Commission that appropriate steps have been taken to secure the whole voting process. Finally, the creation of a national voting datacenter initiative where states pool limited resources to create a common environment that is protected along the NIST standards would be a giant leap.
The sanctity of the voting process is the essence of any democracy. Great care should be taken to protect data at every level of the process so that all citizens have the confidence that a fair election has occurred and that the voice of the people has been heard.
Jeff Schilling, a retired U.S. Army colonel, is Armor's chief security officer. He is responsible for the cyber and physical security programs for the corporate environment and customer-focused capabilities. His areas of responsibilities include security operation, governance ... View Full Bio