It's time to think of securing elections the same way we think about securing our businesses and government agencies. Election systems, like all other entities today, are open to cyberattack. So election and government officials have to learn from their corporate counterparts and put a plan in place to achieve a successful election.
"What I've been telling everyone as I speak to groups is that we have to run a successful election that people can trust even if we are hacked," says Noah Praetz, director of elections in the Cook County Clerk’s Office in Illinois. In an April 16 email sent out to his election colleagues in Illinois, Praetz outlined some best practices and options for local elections officials.
"What we need more than anything are professional security people, boots on the ground who can help institute best practices," Praetz says.
The federal Election Assistance Commission made available $380 million earlier this year for states to improve and modernize their election systems. But Praetz cautions that EAC only allocated funding for this year under the Help America Vote Act of 2002. He says much more is needed over successive years to deliver what’s needed to the nation’s 8,800 election districts.
While it's unclear that more financial help will be authorized beyond this year, the Department of Homeland Security has been more open in the past several weeks about the need for increased election security leading up to November's Congressional elections.
In testimony earlier this week before the House Committee on Oversight and Government Reform, undersecretary Christopher C. Krebs told lawmakers that DHS has prioritized voluntary cybersecurity assistance for election infrastructure similar to what's provided to numerous other sectors that have been designated as critical infrastructure, such as the financial sector, defense industry, and electric utilities. DHS designated election infrastructure a critical subsector in January 2017.
Krebs said DHS has been working with the EAC and other state and local partners to strengthen the security of election systems nationwide, noting in his testimony that DHS will continue to offer a broad range of services, such as cybersecurity hygiene scans, risk and vulnerability assessments, and incident response assistance.
The EAC money has served as a good start, but there are thousands of election districts across the country that are lucky to have one IT support person, let alone a $250,000-a-year threat hunter with a CISSP or other important security credentials. While DHS and other groups are available to help, there’s insufficient support for a much stronger national effort.
A comment from Maria Benson, communications director of the National Association of Secretaries of State, gives some insight into how difficult it would be to forge a national effort. When asked what the status was in Washington of developing a national set of guidelines for election security, Benson replied: "I do not have an opinion, nor does the association. Each state has the authority to decide how to run elections in a secure, fair manner."
In contrast, Harri Hursti, participant in the Voting Machine Hacking Village at DEFCON last year, and Cecile Shea, non-resident senior fellow for global security and diplomacy at the Chicago Council on Global Affairs, say there should be a much stronger effort at the federal level. Both Hursti and Shea say national guidelines can be developed in a way that offers states technology options, but still gives local districts control and the ability to do what suits them best.
For now, a group of Democratic Senators last month introduced the Protecting American Votes and Elections Act, legislation headed up by Sen. Ron Wyden (D-Ore.) that would require states to produce paper trails and mandatory audits. If passed into law, the bill would authorize $10 million to study, test, and develop accessible paper ballot voting, verification, casting mechanisms and devices, and voting best practices. The bill has only Democratic sponsors and no support from Republicans.
That's why Dark Reading took some time and talked to numerous state and local and industry officials to develop a feature that outlines some proactive steps governments (and private citizens) can take to make their elections this November more secure.
We talked to the following sources: Noah Praetz, director of elections, Cook County, Ill., Dr. Eman El-Sheikh, director of the Center for Cybersecurity, University of West Florida, Harri Hursti, a leader in the DEFCON election hacking effort, and Cecile Shea of the Chicago Council on Global Affairs. We also reached out and compiled valuable information via email with Harvard University's Belfer Center for Science and International Affairs, the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), the Brennan Center for Justice, and Sen. Wyden's office in Washington, D.C.