Earlier this week, a top cybersecurity official at the U.S. Department of Homeland Security told lawmakers in Congress that Russia likely tried to target every state in the run-up to the 2016 election.
“I would suspect that the Russians scanned all 50 states,” said Christopher Krebs, undersecretary for DHS’ National Protection and Programs Directorate, according to CBS News, adding, “Twenty-one was the number we were able to see.” At a hearing of the House Committee on Homeland Security, Krebs said that the 2018 midterms “remain a potential target for Russian actors,” but that “the intelligence community has yet to see any evidence of a robust campaign aimed at tampering with our election infrastructure along the lines of 2016 or influencing the makeup of the House or Senate races,” USA Today reports.
Undoubtedly, election security remains a hot topic for state and local governments as primary elections continue and the November elections near. What can county governments do to secure their election infrastructure and give residents confidence that the voter rolls (not to mention their votes) are secure?
County IT leaders and IT security experts said that they should seek to limit network access to election infrastructure, seek advice and services from information-sharing organizations, work closely with vendor partners and practice cybersecurity drills. Speaking a panel at the National Association of Counties 83rd Annual Conference and Exposition in Nashville, Tenn., the officials emphasized that IT departments play a critical role in election security.
“IT should be involved now and from election to election, straight across,” said Jennifer Kady, director of security solutions for the U.S. public sector market at IBM Security.
As more technology gets infused into the election process, IT becomes that much more critical, said Donald Parente, assistant vice president of engineering and architecture for public sector at AT&T. IT is “as critical as the person who has the key to the building that the election is held in,” he said, and IT staff must ensure that all election equipment is secure and connected properly.
Segment Election Equipment from the Public Internet
For Glenn Angstadt, CIO of Chester County, Pa., a key element of election security is separating — or “air-gapping” — critical infrastructure from the public internet. He noted on the panel that the county has a setup of four workstations and one server for counting election votes, and those systems are not accessible except from a local network.
Chester County does need to get connectivity to the internet to connect with the Pennsylvania Secretary of State’s office, Angstadt said. The county has developed a “high-technology thumb drive” that staff plug into the Election Staff Management System server to extract information, and then plug into an internet-connected device that is used one time to transmit the data. They are then disposed of so that “after that, nothing else is getting back into the voting processing system.”
Parente agreed with Angstadt’s approach. “Keeping those devices off the internet has to be the most important thing we can do,” he said. “If you can’t see it, you can’t hack it.”
Parente also said that counties could set up VPNs for election equipment or use a wireless Access Point Name, or APN, to allow counties to “carve out a section of the cellular network” that is dedicated just to their organization, in which the data packets never flow to the internet itself.
Partner with Info-Sharing Organizations and Vendors
Andrew Dolan, director of stakeholder engagement at the Multi-State Information Sharing and Analysis Center, which seeks to improve the overall cybersecurity posture of the nation’s state, local, tribal and territorial governments, said the MS-ISAC can provide counties with numerous resources.
Those include incident response services, forensic advisories on cybersecurity vulnerabilities, tabletop exercises that IT teams can run, and monitoring of IP addresses and web domains. All of these services are “opt-in,” meaning counties can use just one service, or dozens of them.
Rita Reynolds, CIO of the County Commissioners Association of Pennsylvania, said a takeaway for county leaders should be that “if you are not a member of MS-ISAC, go back and join.”
Every county has a different perspective and budget, Kady said, but often they run into election issues, not because of a malicious attack, but because a process wasn’t followed or a data field wasn’t handled correctly by a piece of software.
Counties must conduct due diligence of technology partners for election equipment and conduct cybersecurity exercises to test for vulnerabilities, she said. Counties need to work closely with vendors before, during and after elections. Not performing these basics can lead to debacles after elections, she said, adding, “You need to have a playbook in place.”
Blockchain Shows Potential to Verify Voting
Three of the panelists — Parente, Dolan and Kady — said they thought blockchain technology had the potential to help secure elections in the future.
The digital ledger technology “will be more about logging and verifying the actual tabulation than about the storage of data,” Dolan said, noting that “voter registration databases are not going away any time soon.”
Counties still need to perform traditional IT security for those databases, including intrusion detection and training of end users, he said.
Kady said blockchain can provide a “transparent chain of custody” of the voting data. She acknowledged “it will take some time” for the technology to develop and counties to get used to it, but that blockchain will be an element of the “next generation of how we need to think about our elections.”
Follow StateTech magazine's coverage of the NACo 2018 conference at our conference landing page.