Supporting Election Systems Security Beyond the Election Cycle
Voting is the most fundamental democratic process. It is also the most valuable public service an eligible voter can perform. You can define “voting” without using the term “election system,” but you can’t define “election system” without using the term “voting.” Supporting the processes that allow voting to occur in a secure manner extends beyond simply ensuring that the election system and its inputs are protected from threat actors. The following are several ways to support election systems security between election cycles.
Supporting additional dedicated cyberfunding, especially in local government. The 2018 Deloitte-NASCIO Cybersecurity Study included input from the chief information security officers (CISOs) of all 50 states. It reported that the No. 1 issue CISOs face is a lack of cybersecurity funding. State governments have recently reported they spend approximately 3 percent of their statewide IT budgets on cybersecurity. At the local level this spending is even lower, with rates in the 1 percent to 2 percent range. These local expenditures are particularly concerning because of the recent wave of ransomware attacks on local government and their resulting disruption of delivery of public services. Local services such as public transportation, public safety, and public utilities affect local populations most immediately and most broadly, and an interruption to these services would be wide-ranging. However, the funding available to protect these critical services is miniscule compared to the size of the cyberattack surface that is presented to threat actors. It is imperative that additional funding be provided and dedicated to local government for cybersecurity requirements and treated as an extension of the essential services provided to the public.
Promoting good cyberhygiene practices as a public service that improves election security. Public service announcements (PSAs) are common in state and local government. Billboards announce public safety campaigns (e.g., “Click it or Ticket” for seat belt compliance) and local public radio stations ask residents to comply with city ordinances (e.g., “Don’t Blow It, Bag It” to keep debris out of storm drains). Regardless of the nature of the cause, all PSAs include a call to action that appeals to a sense of community purpose. With the recent history of election tampering well known by many citizens, initiating a public service campaign related to cybersecurity and elections will likely resonate.
State and local governments should address cyber-related elections interference by defining and promoting cyberhygiene best practices. With IoT-based citizen services increasing exponentially, there is a concurrent increase in the number of devices connected to government networks. The result is a corresponding increase in potential cybervulnerabilities that can be exploited by threat actors. Thankfully, basic cyberhygiene best practices such as effective password management, installing virus protection on connected devices, and avoiding email phishing attacks can go a long way to keeping government networks secure. Utilizing PSAs to emphasize these best practices as necessary for conducting fair elections both educates the public about the positive effects of good cyberhygiene and provides a channel for delivering information about specific cybersecurity threats and how to avoid them.
Supporting the development of a cyber workforce capable of securing future elections. The nonprofit information technology trade association CompTIA has reported that of the many thousands of cybersecurity jobs that are currently unfilled in the public sector, nearly three-quarters of them are “non-technical” analyst positions. This fact is largely unknown by the general public, who see cybersecurity occupations as requiring a significant amount of math and science training. In fact, CompTIA has suggested that bifurcating cybersecurity career paths to acknowledge the need for both non-technical and technical skill sets may be one of the keys to reducing the current number of vacancies in cyber-specific roles. The long-term security of election systems depends on having qualified staff available to address threats, and this means finding a solution to the chronic cyberlabor shortage. One first step is for state and local governments to use an existing resource — public education — as part of this solution.
County and municipal governments can take advantage of cyber workforce development opportunities that also create economic opportunities for their residents. First, by promoting cybersecurity training in K-12 education, they can prepare students with both scientific and non-scientific aptitudes for a rewarding career, including with public-sector organizations in their own communities. Second, making their workforces more cyber-capable allows local governments to promote them to businesses that are including access to these skilled cyber technicians and analysts as a part of their decision-making process related to site selection or expansion. Promoting cybereducation can therefore both increase the talent pool from which to manage future threats to public processes like elections while also potentially increasing the tax base upon which to draw the funding to support employment of additional cyber professionals.
Since the 2016 presidential election, much has been written about how to better secure election systems from predation by threat actors on the dark web. For good reason, much of the content related to this subject has focused on the technical aspects of information security and the public policy initiatives involved in applying technical solutions effectively. However, there are other activities that can be pursued that will also impact the future security of election systems and should be considered by state and local governments and those that serve them. First, supporting additional cybersecurity funding, be it federal or state, is of utmost importance. The ability to secure our most important democratic process is challenged by a lack of resources. Second, cybersecurity should be promoted as a public service opportunity, and one that supports state and local government directly by ensuring that fair elections can be conducted. Finally, by promoting the development of a cyber-capable workforce through public education initiatives, state and local governments can potentially train their next-generation election security professionals while also generating the funding to provide this training through increased economic development opportunities.
Fittingly, this last article in our three-part series will appear during October, which is Cybersecurity Awareness Month. It is intended as an appeal to all stakeholders in the election process to increase their awareness of the actions they can take to enhance the security of election systems and improve the integrity of the elections process. Hopefully, we will heed the call.
About the Author
Steve Smith leads the state and local business development efforts at Tenable, the Cyber Exposure company which helps government agencies manage, measure and reduce their cyber risk in the digital era. His thirty-five year professional career includes assignments as an active duty Navy surface warfare officer, in various executive roles at three Fortune 500 companies, as president of a non-profit, and as a senior policy maker in state government. Steve was appointed by President George W. Bush to the National Advisory Council on Minority Health and Health Disparities of the National Institutes of Health where he served from 2008-2012. He currently serves as an appointee of Mayor Buddy Dyer to the Orlando Housing Authority board of commissioners, where his primary interest is the reduction of veteran homelessness and the development of housing alternatives that allow for better coordination of veteran benefits.
An Ohio native, Steve received a BA in Finance from Baldwin-Wallace College and his MBA from the Rochester Institute of Technology. He is a member of the American Legion and the Veterans of Foreign Wars.
This content is made possible by our sponsors; it is not written by and does not necessarily reflect the views of e.Republic’s editorial staff.