All hands on election security
- By Derek B. Johnson, Mark Rockwell
- Aug 20, 2018
With the 2018 midterm elections just around the corner, much of the federal guidance and legislative proposals to protect election systems currently under consideration may have limited impact at best this year.
The Secure Elections Act and the PAVE Act would implement a number of best-practice policies related to cybersecurity and vote tabulation, but their provisions -- to fund replacements for obsolete or out-of-support voting machines and to require states to use paper ballots or conduct risk-limiting audits -- could take years to implement.
The Department of Homeland Security's proposal to speed up security clearances for state and local election officials could have had an impact had they been passed earlier, but it too will provide few tangible benefits at this late date.
Sen. Ron Wyden (D-Ore.) and Rep. Earl Blumenauer (D-Ore.), sponsors of the PAVE Act, warned in an Aug. 17 press conference that voting machine manufacturers and some state election officials are seeking to influence Congress to water down the Secure Elections Act as much as possible.
"Essentially a coalition of the voting machine companies and some of the secretaries of state who insist on these inexcusable systems, they're going to try to drag their feet in the Senate Rules Committee," Wyden said. "There are real opportunities here to protect voters now."
The Election Assistance Commission is working on new voting system standards that include improved technical guidance around cybersecurity, but they must be voluntarily adopted by states and voting machine manufacturers.
Another practical resource for states looking to harden defenses around election security before November may come from the private and non-profit sectors. Last week, the Brennan Center for Justice released a playbook for election officials focused around preventing and recovering from technological failures and cyberattacks. Many of the recommendations assume that officials will be working with older, paperless voting machines in some form. The Center for Democracy and Technology has also started releasing a series of field guides for election administrators focused on implementing basic but effective cybersecurity practices within a legacy technology environment.
Hands-on readiness training
DHS recently completed a three-day "National Exercise on Election Security." The tabletop exercise, the agency said in a statement, simulated scenarios of voter system interference to get participants talking potential impacts to voter confidence, voting operations and the integrity of elections.
The training program drew representatives from 44 state governments and the District of Columbia, the Election Assistance Commission, Department of Defense, Department of Justice, Office of the Director of National Intelligence, National Institute of Standards and Technology, National Security Agency and the U.S. Cyber Command.
The exercise showed the groups how DHS activates and operates its shared threat data and response capabilities, the agency said. It also illustrated how threat information from the federal government and the Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) could be leveraged to defend systems as well as the processes DHS uses to identify threats or incidents.
The agency said the exercise also demonstrated how state election officials can ask federal agencies for help if county and state resources are exhausted. The drill emphasized the significance of having a plan in place that delineates the roles of federal, state and local entities in their response to a cyber incident in the election infrastructure.
In May, DHS officials met with representatives of New York's state and county governments in Albany County for the first of six tabletop exercises focused on protecting New York's electoral systems against cyberattacks.
Local officials were presented with scenarios featuring social media manipulation, a distributed denial-of-serivce attack and a website hack that were designed to assess the jurisdictions' abilities to identify and manage a cyber incident and share information about it with the appropriate authorities.
This article combines two stories that were first posted to FCW, a sibling site to GCN.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at [email protected] or follow him on Twitter at @MRockwell4.