election security

Shoring up defenses for the midterm elections

With 2018's first state primary elections starting in March, election officials are working with federal authorities to maximize the integrity of their voting systems. 

MORE INFO

Elections: Another unsecured enterprise application?

With IT systems underpinning elections infrastructure, state officials are taking different approaches to secure their systems against growing threats. Read more.

Are states prepared to protect the next election from hackers?

A House panel heard from several experts who offered recommendations on securing elections infrastructure. Read more.

Draft guidelines tackle voting security

The latest Voluntary Voting Systems Guidelines widen the scope of election security to include voter registration and pre-election practices. Read more.

The Department of Homeland Security is providing risk and vulnerability scans of election systems for state and local agencies.  But so far, DHS has only completed five scans out of 14 state and three local agencies that have requested the two-week examinations, according to a Feb. 14 Associated Press article.

In June 2017, DHS officials announced that Russian hackers had probed election systems in 21 different states during the 2016 election, but DHS did not provide top state election officials with specific information on hacking attempts until three months later -- in part because many state and local officials lacked the security clearances to access DHS information on how state and local election systems had been compromised.  Only half of the senior state election officials have received federal security clearances this year, per the AP.

The security risk created by inadequate information sharing between federal and state officials is compounded by state and local agencies need to replace outdated election equipment. 

According to a survey of election officials by the Brennan Center for Justice, 33 states will need to replace their voting machines by 2020, but most lack the resources to do so. The Help America Vote Act of 2002 provided nearly $3.5 billion for voting system upgrades, but by the end of 2016, just $4.3 million in funding was left.

To help states secure their election systems, House Democrats introduced legislation on Feb. 14 to secure election infrastructure by buying voting machines that use paper backups and covering the costs of staffing, training and risk and vulnerability assessments.  The Election Security Act also directs DHS to expedite security clearances for state election officials and start scans within 90 days of receiving requests.

In December, a bipartisan group of lawmakers led by Sen. James Lankford (R-Okla.) introduced similar legislation to provide grants to states moving from paperless electronic voting machines to those with paper records.

But with the first state primaries only weeks away, some agencies cannot wait for federal support. A new report from the Belfer Center for Science and International Affairs in Harvard’s Kennedy School of Government can help officials establish a baseline for their cybersecurity needs.

The State and Local Election Cybersecurity Playbook provides a 10 best practices for bolstering defenses:

  1. Create a proactive security culture by issuing guidance on the necessity of cybersecurity standards and encouraging teams to develop detailed cyber incident response plans.
  2. Treat elections as interconnected systems by safeguarding all computers and digital devices that interact with the election process through centralized device security management.
  3. Maintain paper vote records to create an auditable trail for every vote cast to help determine if vote counts have been maliciously altered.
  4. Use audits to demonstrate transparency and maintain trust in the elections process.
  5. Implement strong passwords and two-factor authentication to prevent malicious actors from accessing networks.
  6. Control and actively manage account access to restrict the number of systems that hackers can access.
  7. Prioritize and isolate sensitive data and systems where vulnerabilities will cause the most damage.
  8. Monitor, log and back up data to aid attack detection or system recovery after an incident.
  9. Require vendors to prioritize security and provide system breach notifications immediately after they become aware of it.
  10. Build public trust and open communications to counter information operators that want to cast doubt on the security of elections systems.

Read the full report here.

About the Author

Sara Friedman is a reporter/producer for GCN, covering cloud, cybersecurity and a wide range of other public-sector IT topics.

Before joining GCN, Friedman was a reporter for Gambling Compliance, where she covered state issues related to casinos, lotteries and fantasy sports. She has also written for Communications Daily and Washington Internet Daily on state telecom and cloud computing. Friedman is a graduate of Ithaca College, where she studied journalism, politics and international communications.

Friedman can be contacted at sfriedman@gcn.com or follow her on Twitter @SaraEFriedman.

Click here for previous articles by Friedman.


Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.