Expanding the Definition of “Election Systems” also Expands Cyber Security Funding Options

Expanding the definition of “election systems” to include all of the primary and secondary interfaces to voter registration databases can also expand the number of funding sources available for the acquisition of tools and services to protect these interfaces.
Steve Smith , Tenable | September 6, 2019 AT 4:00 PM
Shutterstock

In our previous article, the concept of elections systems as an integrated ecosystem of both specific (voter registration, vote collection, results reporting) and general (citizen data from multiple agencies) applications was presented. The point was that elections systems exist in perpetuity and not just in and around an election cycle and that data associated with elections are submitted and in process all year every year.

The perpetual nature of the elections systems ecosystem has not traditionally been addressed with matching funding streams. The federal government has been reactive, appropriating funds via the Help America Vote Act (HAVA) on as as-needed basis, as in the aftermath of situations like the 2016 federal election, in which alleged vote tampering was reported. HAVA funding reaches state and local governments too late to take action in the current election cycle and results in the creation of reserve funds that remain until they can be effectively be utilized for future election cycles. State and local governments rely heavily on federal funding like HAVA funding to make large-scale investments in elections systems, which often further delays the impact these investments can have due to long and time-consuming procurement processes.

The upshot of all of this is that elections funding is almost always made in arrears, so state and local governments respond by creating reserve funds that are then used to address the following election cycle. In reality, these funds are fungible, and should be used to address the 24X7X365 nature of elections systems, especially in the area of cyber security. The following are three recommendations for state governments to consider that may allow them to better match the funding availability for cyber security investments to the timeframes in which they are most needed.

Apply Help America Vote Act (HAVA) funding to secure all interfaces with elections systems. Any system that can interface with the voter registration database – or a system that interfaces with one of those systems – should be considered part of the election system and be secured appropriately. That’s because an unaddressed vulnerability in any connected system can affect the entire election system. Using HAVA to purchase cyber tools to protect all interfaces is fundamental to protecting elections systems.

Cyber threats follow something similar to the Second Law of Thermodynamics, which states that heat will always flow toward cold and isn’t reversible without intervention. The “intervention” in this case is a threat actor looking at a “cold” component of an information system and manipulating it in order to access the “hot” component that they are attempting to access. This can be illustrated by using your own PII as an example. If a threat actor wants to access your work-related data they may first to look for vulnerabilities in non-work-related access points and exploit them. For example, a threat actor may attempt to obtain the password to your frequent-shopper card and use it to access your work-related applications. The same concept could be used to access a “cold” application that interfaces with the voter registration system. The state library may interface with a motor vehicle database in order to collect fines. The motor vehicle system connects with the voter registration database. An exploit to a vulnerability in the library system could, therefore, lead directly to the voter registration system. Interpreting “election system” to include all interfaces or connected systems justifies utilizing HAVA funds to secure all of the components of that system. Include cyber security in the mandatory scope of work in all database projects that include PII or PHI. Historically, state agencies issuing requests for proposals (RFPs) related to information systems that utilize PII and PHI to process transactions have not set specific scope of work requirements pertaining to cybersecurity. Compliance with federal cost allocation requirements is one reason why this has been the case. If the federal government is assuming a large share of the development costs of these projects, it will require a detailed cost buildup. Including a cybersecurity component to a request for federal matching funds means adding these costs to the advanced planning document (APD) that states must submit to gain funding approval. One state has addressed this challenge by including existing state cybersecurity compliance statutes directly into their state purchasing statutes. These standards are largely based on the Center for Information Security (CIS) controls. Any information technology acquisition is therefore required to meet these standards, per se, making them a permanent part of any acquisition. This will prove helpful in gaining the necessary federal approvals and essentially building in funding for additional cyber security tools and activities. In essence, it creates “pay-as-you-go” cyber security funding through these technology acquisitions.

Use an election system set-aside for DHS grant funding. Presidential Policy Directive 21 (2013) clearly defined sixteen critical infrastructure sectors that must be addressed to ensure national security. In 2017 DHS established election systems as a CI sub-sector. DHS encourages states to “facilitate cooperation across sectors and sub-sectors” to include funding sources. Grants made by DHS to states to address any CI component are therefore potentially applicable to elections systems. These DHS grants are claimed by multiple public safety and information security agencies within those states, with the cyber security funding typically landing in state fusion centers or state homeland security agencies. In part, this is due to the fact that election systems are generally the responsibility of a single agency, for example the secretary of state, without a direct reporting relationship to the state’s chief information officer or chief information security officer. This means that the agency acquiring the bulk of the state’s cyber security tools and services may not prioritize election security in their acquisition planning. However, this can be easily addressed by establishing state-specific priorities within the sixteen CI sectors defined by DHS. An executive order creating a “set aside” to protect “democratic processes” for any DHS grant that is received would guarantee a predictable stream of funding for update cyber security activities.

Conclusion

Including within the definition of “elections systems” any connected interfaces or systems is key to ensuring the security of the elections process. However, the funding allocated for election system security has historically been reactionary, resulting in a constant lag between identified threats and the tools and resources necessary to address those threat. The need, therefore, is funding that mimics the accounting principle of “matching”, which ensures that revenues are matched to the time period in which costs occur. To accomplish this, this article has suggested three steps that expand the applicability of existing funding streams to allow for similar matching to take place. First, Help America Vote Act (HAVA) funds should be considered applicable to all information system applications that link directly or indirectly to the election system. This will ensure that appropriate security tools are in place year-round to protect the integrity of those related data sources. Second, states should consider including recognized cyber security standards in the scope of work required of vendors in all information systems acquisitions to ensure an ongoing upgrade of cyber tools and best practices. This will create a “pay-as-you-go” set of funding for those projects that involved enhance federal government participation. Finally, making “democratic processes” a “first dollar” set-aside for each DHS grant made to a state will guarantee that election systems are funded each time any other critical infrastructure sector is funded.

About the Author

Steve Smith leads the state and local business development efforts at Tenable, the Cyber Exposure company which helps government agencies manage, measure and reduce their cyber risk in the digital era. His thirty-five year professional career includes assignments as an active duty Navy surface warfare officer, in various executive roles at three Fortune 500 companies, as president of a non-profit, and as a senior policy maker in state government.  Steve was appointed by President George W. Bush to the National Advisory Council on Minority Health and Health Disparities of the National Institutes of Health where he served from 2008-2012.  He currently serves as an appointee of Mayor Buddy Dyer to the Orlando Housing Authority board of commissioners, where his primary interest is the reduction of veteran homelessness and the development of housing alternatives that allow for better coordination of veteran benefits.

An Ohio native, Steve received a BA in Finance from Baldwin-Wallace College and his MBA from the Rochester Institute of Technology. He is a member of the American Legion and the Veterans of Foreign Wars.