Last month, Congress authorized $380 million in federal funding for states to improve the administration of elections and enhance election security. The Election Assistance Commission (EAC) is now distributing the funds.
While the EAC did not issue detailed requirements for how the funding must be used, the purpose of the grant funds is to replace paperless electronic voting machines with paper-based voting systems, implement robust post-election audits, or make important cybersecurity and technical upgrades to election infrastructure.
While the priorities for many states differ, many experts are recommending careful consideration of cybersecurity improvements.
In addition to focusing on the critical areas of potential exploitation, states should also consider the entire election process framework and infrastructure as their election “Threat Surface”, and consider investments that will establish a stronger, scalable and sustainable approach to improving election security.
In particular, implementing a Cyber Risk Management platform will enable states to prioritize vulnerabilities based on threat intelligence and support the more effective prioritization of cyber threats to their election entire Threat Surface, not just the voting machines. This allows a proactive and predictive approach, focusing the right resources on the highest risks first.
Each state is guaranteed at least $3 million in grant funding with additional funding available based on a state’s population. When receiving a grant, states must commit to match federal funding by at least 5 percent as part of their state budgets within a two-year period. Now is the time to consider an investment that will both provide immediate impact and long-term value; a Cyber Risk Management platform.
Replacing paperless voting machines is not enough, according to election security expert University of Michigan Professor J. Alex Halderman. Professor Halderman believes that the security measures election officials say protect voting machines from being hacked are not as effective as advertised.
Last year the Department of Homeland Security notified 21 states that Russian hackers had probed some aspect of their election infrastructure — in most cases the voter registration systems — for vulnerabilities. In a handful of states, hackers penetrated the systems.
“An adversary could probe the election systems in all the close states, look for the ones that have the biggest weaknesses and strike there, and thereby flip a few of those swing states,” Halderman said.
Professor Halderman explained that while voting machines are not supposed to be connected to the internet, providing an “air gap” between the machines and hackers, there are other ways machines can be hacked. Voting machines do need to be programmed with new ballots for each new election. In many cases that process is done using external memory cards processed on a separate computer, sometimes by an outsourced third party.
“Experienced attackers could penetrate the systems of the organizations responsible for programming the ballots and infect their devices with malware that could change vote counts, thus leaping across the air gap”, Halderman said.
There’s little visibility into how officials or third parties manage the ballot programming process and whether they use cybersecurity best practices.1
Other election experts like Joe Kiniry, CEO and Chief Scientist of Free & Fair, recommend that states need to invest in cyber assessments of voter registration databases and internet-facing applications, and other actions to strengthen their cyber defenses.2
As states consider their election security priorities, establishing a solid Cyber Risk Management foundation as a basis for other election security improvements offers the highest value and best return.
Switching to paper-based voting systems is certainly a priority, but all other actions like post-election audits, cybersecurity training for election officials and strengthening cybersecurity for election systems will be much more effective if done within the framework of a comprehensive Cyber Risk Management program.
States with the right voting machines and auditing safeguards are free to spend what’s left of their federal funding for election security. Investing in a Cyber Risk Management platform will enable states to prioritize vulnerabilities and support more effective prioritization of cyber threats to their election entire Threat Surface.
On March 1, 2018, Arizona Gov. Doug Ducey (R) issued an executive order creating an Arizona Cybersecurity Team (https://statescoop.com/arizona-gov-ducey-orders-creation-of-arizona-cybersecurity-team) charged with improving the state’s cybersecurity capabilities through collaboration and information sharing between experts from the public and private sector on cybersecurity best practices.