In the national conversation about securing the upcoming U.S. elections against hacking and other cyberthreats, there’s something missing: The discussion has centered around states — but the elections are run by counties.
It is county officials, not state ones, who across most of the country staff polling places, check voter registration databases and set up the machines that tally the vote. Crucially, once the election is over, they also transmit those tallies to the state capital for tabulation into the final results.
“In most states, the actual administration of the elections, the deployment of the machines, falls to the county government,” says Matt Masterson, senior cybersecurity adviser at the U.S. Department of Homeland Security.
And ultimately, counties must implement cybersecurity measures to protect those machines from intruders.
Fairfax County, Va., Isolates and Updates Voting Computers
For county governments, the key is to follow simple cybersecurity principles and reduce attack surfaces by avoiding connecting election systems to the internet wherever possible, Fairfax County, Va., CISO Michael Dent tells StateTech.
“My advice about elections is: Put as little as possible of it online. Minimize that footprint,” he says. He explained that the PCs used by his county’s election officials to upload vote totals on election night were kept isolated from the internet and not used for any other purpose. “Those machines are not used for anything else, and there’s no internet connection there,” he says, calling them “probably the most securely protected endpoints we have.”
“Our attack surface is extremely small,” Dent says.
Fairfax is the “fourth or fifth largest” county in the country, Dent says, adding that his security team of 10 full-timers and four contractors would be working around the clock on election day. “We’ll be on the wall looking and making sure we’re secure.”
Dent has faith in his team to ensure the elections wouldn’t be hacked. “I’m very confident. I have to knock on wood, but I’m very confident that we haven’t had issues and we won’t,” he says.
The most important steps counties can take are simple hygiene measures that “don’t have to cost a ton of money. It’s a time issue and a resource issue, but as far as buying solutions, you don’t necessarily have to do that,” Dent says.
Few counties have the resources of Fairfax County, but Dent points to the free advice and assistance county governments of all sizes could get from DHS and other federal initiatives. “If you’re in a leadership position in a government today and you can’t marshal the resources, and we get to election night and your election system gets hacked, that’s on you. Shame on you for allowing it to happen,” he says.
“We’ve known since the last election when the next one would be; you’ve had all that time to prepare. That’s a leadership issue and an accountability issue,” Dent says.
Local Jurisdictions Get Help from Federal Partners
As chairman of the U.S. Election Assistance Commission until earlier this year, Masterson led federal efforts to aid state and local governments in staging national elections, including drafting voluntary technical standards for voting machines and vote-tallying systems. After his term at the EAC ended, he was appointed a senior cybersecurity adviser within the National Protection and Programs Directorate, the DHS element whose job it is to protect America’s most vital national networks from hackers, terrorists and foreign enemies.
The national conversation around protecting election systems has focused on the states, with controversies like the lawsuit aiming to force Georgia to require a paper backup for the state’s electronic voting machines dominating the headlines. But Masterson says DHS has worked to reach local election officials in “literally thousands of jurisdictions” through the newly minted Elections Infrastructure Information Sharing and Analysis Council working with groups like the International Association of Government Officials and attending conferences of county election officials.
Although cybersecurity best practices and standards can and do filter down from the state level to county election officials, “The best way to reach these folks is directly,” he says.
To this end, DHS has launched what it calls the “Last Mile Project,” Masterson explains, working with state governments like Iowa’s to produce county-specific guidance posters to hammer home cybersecurity messages for local governments, no matter how large or small.
When it comes to the systems that county officials use to report their results on election night — not to mention the email and internet access they employ the rest of the year — “many county election offices are reliant on the county government IT infrastructure,” according to Masterson.
Counties Face Outdated IT, Manpower Challenges on Cybersecurity
County IT infrastructure in many cases is out of date and desperately under-resourced, says Alan Shark, executive director and CEO of the Public Technology Institute, and a senior technology adviser to the National Association of Counties.
“Many counties still haven’t fully recovered” from the financial blows dealt by the great recession of 2008-09, Shark says. County governments have deferred system upgrades, “but that doesn’t mean you can defer it forever.” Some county systems are reaching “end of life,” when vendors will cease supporting them.
“The government sector lags the private sector” in more than just technology, Shark says, noting that local government suffers from “legacy thinking.”
“We still have a third of counties where the technology director is reporting to the chief financial officer, and that’s because automation began with the administrative functions of the government.” Moreover, the human capital crisis afflicting cybersecurity in general is especially acute in local government, Shark says.
“Some rural areas are hard-pressed to find and keep good IT people. We have a lot of people who are retiring. They’re leaving, and it’s very hard for counties to recruit younger people because government service is not looked at as it was before,” Shark says.