Secure Election Systems Demand Vigilance Beyond Election Day
“Election systems” are thought of as the hardware and software needed to collect votes and report them on Election Day. In fact, these systems operate year-round, so securing them from cyber threat actors requires equal vigilance.
If you search Google for “Election Systems Security” you will receive over one hundred million results. Narrowing that down to “Election Systems Cyber Security” will return sixty-eight million results. Much more manageable, I’m sure. The point is that there has been so much content delivered to the internet on the topic of election systems security that it is now becoming difficult to see the forest for the trees; to see what is really important and what is not. As with many complex issues it is valuable to first go back upstream and figure out the root causes. In this case, what exactly are state and local jurisdictions dealing with with regard to “election systems security”. To this end, here are several things to consider.
All Elections are local. Although states are heavily involved in setting the rules and policies for administering elections, and in choosing election technology, in most states local jurisdictions administer and conduct the processes of an election. More than 8,000 jurisdictions across the country currently have responsibility of conducting elections. Election security must therefore begin at the local level but be supported at every level. The federal government can allocate funding to the states to improve election security, but that funding must then be further allocated to counties and cities. In many cases the information security infrastructure at the local level - including the necessary human resources - may be insufficient to implement a cybersecurity solution, regardless of how affordable it might be. Luckily, there are solutions available via the federal government in order to assist localities in using election security funds efficiently. One of these solutions is the Continuous Diagnostic and Mitigation (CDM) program, which is accessible by state, local, and tribal governments to gain access to cost-effective cybersecurity tools. More on that later.
Election systems are not isolated from other citizen data. Relationship diagrams like the one below often accompany a definition of “election system”: register, verify registration, vote, count the votes, and report results are the primary steps that are cited. In those one hundred million Google responses it is likely that there are nearly as many references to a process that looks like the one below. It would thus appear that the process is static, existing only for a single election cycle and presenting a limited attack surface to threat actors. The result is that voting public has no concept of the actual complexity of the system that counts and reports their vote.
Threat actors actually have a much richer target environment than what is typically presented in the static election system model. This is true because at the core of an election system lie a number of other critical sources of citizen data and interfaces to that data: motor vehicle registration, driver license, and corrections data, and judicial records are examples of potential sources of voter registration inputs. Any database that either shares data with or takes information from the voter registration database must be considered part of the election system and therefore be protected as such. The following diagram presents a more complete view of an “election system”, acknowledging the interfaces to “State/Local Databases” and calling out motor vehicle data specifically, in part because this in the one election system interface that the public is most aware of.
Election systems operate 24x7x365 and not just on Election Day. An election system is the sum of many parts and not a stand-alone application. Therefore, it operates on the schedule of its most active component. It is unlikely that all the systems that interface with voter registration will be updated in real time, but updates will occur frequently, which means that threats can present themselves at any time, whether it be during an election cycle or otherwise.
As an example, take the motor vehicle data called out in the diagram above. The demands on government to improve service to a “retail level” have certainly been successful at motor vehicle departments across the country. A share of this improvement has come from the adoption of a myriad of self-service options that make it much easier to make changes to driver license and vehicle registration information online. These service enhancements have improved the customer experience by improving the productivity of branch offices. However, these same productivity enhancements may also have an adverse effect on the integrity of election systems. Consider the concept of “deep fakes” as a possible scenario. Threat actors could access motor vehicle information and alter addresses to change voting precinct assignments or blatantly acquire fictitious voter registrations by way of bogus driver license issuance. Either way, the political makeup of a precinct or district could be changed gradually over time. This information, if made public and the right moment in the election cycle, could encourage or discourage voter turnout to the advantage of a particular candidate or political party. The integrity of the voter registration would appear to be pristine, but one of the sources of voter registration data would be compromised, thus compromising the entire election system. And because motor vehicle data bases must be updated frequently to accommodate public safety requirements, the changes to the voting rolls would be happening in near real-time.
Voting machines are not the issue. It bears repeating that voting machines themselves have little bearing on the potential cyber vulnerability of election systems. Voting machines are stand-alone instruments like a mailbox. Dropping a letter in the mailbox doesn’t change the information contained in the letter. However, if someone purposefully alters or destroys that letter or its contents after it leaves the mailbox it may impact how the information is received by the ultimate addressee. Submitting your vote at the voting machine is like mailing a letter. It is only after the individual votes are extracted from the voting machine and transmitted that they are subject to alteration or deletion and potentially affecting the outcome of the election. Replacing voting machines may be necessary in order to ensure that the most current technology is in use, but that new technology has a negligible effect on the overall integrity of election systems.
There is a resource in place to help address election system security at all levels of government. As mentioned earlier, CDM is a US Department of Homeland Security program available to state, local and tribal governments that provides both a methodology for implementation and a vehicle for purchasing cybersecurity tools (read about North Carolina's CDM project). The implementation methodology includes four phases, each addressing a specific set of potential vulnerabilities: network assets, network access, network activities, and network data. The goal of each phase is to identify and prioritize vulnerabilities and configuration compliance issues within that phase. This gives local governments that administer elections cybersecurity a work plan to follow for addressing the cyber threat to elections. Just as importantly, it can provide elected officials confidence that appropriate actions are being taken to make best use of the federal funding that has been received. Finally, it is a process that can easily be explained to the public, taking some of the mystery out of the election security discussion.
Elections systems are a more complex data ecosystem than is recognized by the general public. Large public databases managed by state governments are used to develop the voter registration data that are then used by local governments to manage the election process at the polls, including the collection of votes and the reporting of vote totals. This entire process is included in the definition of “election system” and should therefore all be subject to the same level of cybersecurity best practices. The CDM program can ensure that all levels of government involved in elections – state, county and municipal – have access to both a common implementation methodology and an affordable source of cybersecurity tools to ensure the integrity of our most critical American democratic process. DHS has provided some useful training and educational information regarding CDM that offer additional details about the program.
In the next installment of this series, I will take a look at ways that state and local governments can match funding streams to the 24X7X365 demands of the modern election ecosystem.
About the Author
Steve Smith leads the state and local business development efforts at Tenable, a company that uses advanced analytics and predictive prioritization to help state and local government reduce exposure to cyber risk. His thirty-five-year professional career includes assignments as an active duty Navy surface warfare officer, in various executive roles at three Fortune 500 companies, as president of a non-profit, and as a senior policy maker in state government. Steve was appointed by President George W. Bush to the National Advisory Council on Minority Health and Health Disparities of the National Institutes of Health where he served from 2008-2012. He currently serves as an appointee of Mayor Buddy Dyer to the Orlando Housing Authority board of commissioners, where his primary interest is the reduction of veteran homelessness and the development of housing alternatives that allow for better coordination of veteran benefits.
An Ohio native, Steve received a BA in Finance from Baldwin-Wallace College and his MBA from the Rochester Institute of Technology. He is a member of the American Legion and the Veterans of Foreign Wars.