Most states maintain aging election equipment, including voting machines. But many have boosted investments in cybersecurity measures for their election IT systems, including purchases of multifactor authentication, perimeter sensors, email filtering and monitoring, threat scanning and information sharing systems.
There is more they could be doing to enhance voting machine security, including via network segmentation, zero-trust network architectures and next-generation firewalls. They can also employ cloud-based security services in the short term for the 2018 election if those larger architectural changes cannot be made in time.
And while external cyberattacks are the biggest threat to state boards of elections, state officials also should be concerned about security risks within their systems related to contractors, vendors and other partners.
The Risk to Election Equipment Vendors
“One place we need more transparency is in the private-sector portion of elections,” explains Edgardo Cortés, election security adviser at New York University School of Law’s Brennan Center for Justice.
The vendors that sell the equipment and the companies that support it are at risk for supply chain issues, explains Cortés, who worked as Virginia’s commissioner of elections.
Election agencies should ask all vendors about the security standards and processes they have in place for their equipment, electronic commerce and employees, according to Cortés.
“I recently heard about an election equipment vendor that was the victim of a very sophisticated spear phishing campaign. Once the bad actors are inside your vendor’s network, they can pull information that can be used against an agency,” he says.
What States Can Do to Protect Voting Machine Partners
There are several concrete steps that states and partners at the county and local level can do to inoculate themselves from such risks.
Earlier this year at the National Association of Counties’ 83rd Annual Conference and Exposition, several county CISOs offered their best practices for guarding against supply chain risks, which can be applied at the state level as well.
First, states need to have a vetting process when they purchase voting solutions and products, and ensure that they adhere to the state’s own standards and policies.
Darren May, CISO for Tarrant County, Texas, said the county has an acceptable-use policy for its IT solutions. Government users are not allowed to bring software or hardware from home into the county’s IT environment, he said, adding that the county has a “tight vetting system.”
If someone is trying to buy an IT service, the request is routed through the county’s enterprise resource planning system. May and the county’s IT business manager review those requests to ensure that any software is on the county’s whitelist and determine whether the county already has such a solution in-house. “We will literally hold up a purchase order,” he said.
Currently, 21 states and the Multi-State Information Sharing and Analysis Center use the “Framework for Improving Critical Infrastructure Cybersecurity,” also known as the Cybersecurity Framework, which is managed by the National Institute of Standards and Technology.
The framework classifies cybersecurity activities into five major functions: identify, protect, detect, respond and recover. The CSF then provides policies, standards and best practices for organizations to follow as they implement and manage each of those five cybersecurity functions.
States also need to hold voting equipment vendors accountable, and they should be able to show IT leaders where their solutions are manufactured, who is manufacturing them, and which entities have access to any software that goes into the products.