election security (Bakhtiar Zein/Shutterstock)

Questions, concerns continue to swirl around election security

At an April 4 Election Assistance Commission public hearing, a senior Department of Homeland Security official sought to stress one thing: The designation of election systems as critical infrastructure doesn’t cut into states' autonomy.

Concerns over DHS control have simmered since then-Secretary Jeh Johnson first suggested the critical infrastructure designation last summer. Yet Neil Jenkins, DHS' director of the Enterprise Performance Management Office, said at the EAC hearing that his agency sees the National Association of Secretaries of State (NASS) Election Cybersecurity Task Force as the main point of contact for deciding when DHS system-scanning tools are needed.

Jenkins also said he sees the EAC as a critical point of contact for local officials who may be interested in utilizing DHS scanning and security products.

Robert Hanson, DHS' director of the prioritization and modeling at Office of Cyber and Infrastructure Analysis, added that many state and local governments already have turned to DHS for such support. In the lead up to 2016 elections, 33 states and 36 counties used DHS tools to determine potential vulnerabilities and get mitigation advice.  Hanson declined to share the specific list of customers and services with the EAC commissioners, saying that information was classified.

State and local officials, however, reiterated their concerns on the critical infrastructure designation. “While we are still strongly opposed, we are coming to the table reluctantly because the wheels are already in motion,” said Connecticut Secretary of State Denise Merrill, who also serves as president of NASS.

Merrill referenced two intrusions into state registration systems in Georgia and Indiana prior to last fall’s elections. However, no vote tallying systems were specifically targeted in either instance.

“Voting by internet-based systems is not a reality in the United States,” Merrill said.  “The 2016 cycle demonstrated that we are not really cyber at all except for our voter registration databases.”

The ability to hack election results is quite limited, DHS's Hanson agreed, due to the diversity of methods states and counties use to count votes.

Yet moving forward, he said, there could be an ability to hack electronic poll books, which could deny legitimate voters the ability to vote.  And the adoption of new voting technologies could introduce additional risk.

As machines purchased under the 2002 Help America Vote Act continue to be phased out of service, Hanson warned that new security flaws could be introduced if the replacement systems aren't properly vetted.  He said DHS is working to address that risk in three stages.

The first is settling on an agreed-upon characterization of election systems. DHS officials are not subject-matter experts when it comes to elections, he said. “We need to determine what are the election systems and why do we care about them,” said Hanson.

Second, DHS plans to apply its risk assessments through structured processes and methodologies that can be used to consistently examine the elections space.

Last, Hanson said, emerging risks will need to be addressed through more qualitative discussions.  Products such as electronic poll books are not widely adopted yet, he noted, and can't easily be factored into standardized assessments.

NASS, meanwhile, will continue to ask President Donald Trump’s administration to rescind the critical infrastructure designation for election systems, based on a February vote by its members.  

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at sfriedman@gcn.com or follow her on Twitter @SaraEFriedman.

Click here for previous articles by Friedman.

inside gcn

  • security in the cloud (ShutterStock image)

    Cloud security is the agency’s responsibility

Reader Comments

Wed, Apr 5, 2017 Karen McKim Wisconsin

The intent of statements like "The ability to hack election results is quite limited." always puzzles me. I cannot help but notice that 'quite limited' is another way of saying 'possible.' So what are they trying to say? Is the risk so very limited that we can relax about manipulated election results? So that we can keep routinely swearing people into office on the basis of unverified voting-machines' output? If they are not saying these things, what's the point of saying that the risk is "quite limited?" And anyway, how does DHS know that voting-machine security is that good? Last I checked, no representative of DHS had done any oversight of my village's or county's voting-machine security efforts. DHS wouldn't even know it if my local election officials made a habit of passing the software around between the vendor, the county, and the municipalities between every election, or if they had installed wireless communications capability on the voting machines and the central county computer while not knowing a thing about how to tell whether it's being accessed remotely by someone else. (BTW, they are, in case DHS wants to look into that.)

Wed, Apr 5, 2017 DrK

I am concerned at why it has taken so long for government to finally address this problem. There have been numerous studies done which have shown the potential for hacking voting machines and systems. NO system should be introduced into the election process until it has been thouroughly evaluated by someone other than that system's manufacturer or sales organization. In addition, governments should undertake security reviews and processes of manual systems as well. I have seen voter fraud undertaken in municipalities where there was not an automated process. The voting process is too important to leave unsecured.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group