This article is the 1st of a two-part series on the state of America’s election infrastructure security with less than 4-months left to 2018 midterm election. Here I discuss the current situation and progress, and in the next post I evaluate preparedness for the upcoming midterm in 110 days.
While a portion of our readers are already well familiar with this topic, a larger population of more recent readers are still coming to speed with the facts, issues, and nuances of election technology infrastructure and the challenges of its security. So at one level for some this will seem like a very pedestrian article; for others and new supporters in particular, this will help set a foundation of understanding of where we are, and where we as a nation need to get to in order to restore confidence in elections and their outcomes.
As the November midterms approach, many citizens are worried about the integrity of America’s elections. In 2016, we now know Russia targeted at least 21 states with cyber operations, and according to then-CIA director Mike Pompeo and Director of National Intelligence Dan Coats, Russia will be back in 2018. These assessments beg the question: Since Russia will probably try to disrupt our elections again, are we ready?
The U.S. has made good progress in the awareness of election security issues; however, less progress has been made on the nationwide adoption of improved election integrity practices. To reach a tolerable level of security this coming November, we will need to take serious steps to increase resiliency measures.
The step with the most media coverage is a bill that appropriated $380 million to updating voting systems. The legislation offers grants to states so that they can replace deteriorating voting systems, and it comes with some important stipulations. The voting systems that states procure using the money must be "auditable," which means there must a paper trail. Some voting systems are better than others. For example, there are systems that allow voters to mark a ballot by hand or by machine, which is then optically scanned and counted, and there are systems that generate paper records. The former is preferable to the latter as the voter is unable to verify that the paper record matches what they marked, however, both are a significant improvement over the voting systems that many states are still using.
This grant program is a good start, but some election officials worry that it is not enough. Elections are run by the states, and procurement of election equipment often falls to county or city governments. For highly populated and resource-rich counties such as San Francisco county, which is starting to fund its own election infrastructure project, it is easier to pay for necessary equipment and staff. For poorer and less populous counties, however, it becomes a much more difficult task—they require more federal and state assistance. Election systems are expensive, in part due to the oligopolistic-tending market structure of election vendors — not to mention the human resource costs.
New legislation that would reorganize the Department of Homeland Security (DHS) also offers the potential for forward progress, although it has yet to pass. The Cybersecurity and Infrastructure Security Agency Act would change the name and mandate of the existing National Programs Protection Directorate (NPPD) to the proposed Cybersecurity and Infrastructure Security Agency (CISA). This new agency would be authorized with powers akin to the Federal Emergency Management Agency (FEMA). The change, endorsed by the Under Secretary of the NPPD Christopher Krebs, would reduce redundancy within DHS and provide more clarity in its role of protecting critical infrastructure from cyber-attacks.
Even if the bill fails to pass, there has already been significant progress on the part of DHS. Under Secretary Krebs has been clear about NPPD’s role in providing cyber security assistance to critical infrastructure operators, including election officials. And with backing from DHS, the Center for Internet Security established an election infrastructure information sharing and analysis center (EI-ISAC) that allows all 50 states to share best practices and potential threats with each other and DHS. As a result, trust and communication between the states and DHS is increasing. Krebs also informed Congress that DHS had quadrupled its insight into state elections since February, allowing the agency to better detect election interference and report it to state and local election officials.
In addition to policy developments, there have been important shifts in the dialogue regarding election security. Policy makers are beginning to recognize the importance of audits in providing election integrity. With voter-verified paper trails, election officials can cross reference the digitally recorded records with paper ballots to ensure that ballots are counted as cast. Risk limiting audits make this process less burdensome on counties. Policy-makers and government officials are also beginning to recognize that the cyber security threat is inextricably tied to the threat of information operations, something the OSET Institute has previously discussed.
There is also a growing acceptance among election stakeholders that our current voting systems were designed and deployed with fundamental security flaws. This is partially because they were never designed for the current threat environment, or even with the thought of cybersecurity in mind. Policy-makers were not worried about state-sponsored attacks on America’s voting systems the last time funds were appropriated for voting systems, so they used computer systems with architectural security flaws and thought nothing of it.
Now Congress and DHS are taking notice. DHS has begun using the national labs to perform risk assessment tests, and Congress is considering appropriations for more research and development in voting systems. These measures will help pave the way to improved election security.
Federal and state governments are taking important steps to address both the short and long-term vulnerabilities in our election infrastructure. There is still more work to be done, but we should commend the efforts of state and local election officials who are on the front lines of democracy, as well as DHS and Congress, who have begun to take seriously the threat of foreign interference in our elections.
Next up, I address whether this progress is sufficient to prepare our election infrastructure for the November midterms, now 110-days away.