Election Day 2018: States’ Voting Cybersecurity Measures Are in the Spotlight

As voting gets underway, security measures put in place after the 2016 election are being put to the test.

Voters are streaming to the polls today across the country, from Maine to Alaska to Hawaii, and a key question is not what the results will be, but whether the vote itself will be secure. 

During the last election, Russian cyberattackers looking for vulnerabilities scanned 21 state election systems, including those in Illinois, over the 2016 campaigns. Since then, states and counties have taken steps to increase cybersecurity protections around voter registration systems and voting machines, increase information sharing and work with federal and local partners. States have also increased their investments in cybersecurity measures for their election IT systems, including purchases of multifactor authentication, perimeter sensors, email filtering and monitoring, threat scanning and more. 

Despite all of that, vulnerabilities remain. According to the Election Cybersecurity Scorecard, published by the Center for Strategic and International Studies think tank, states average a “C-” in election security. The CSIS report says that state and local governments have “underinvested in securing digital election systems” and that across the country, state and local officials “have limited staffs and budgets for security, and many of the most competitive races in 2018 are being held in some of the most vulnerable areas.”

State, local and federal officials say they have been taking aggressive measures to secure the vote and monitor for hacking and tampering efforts. 

Federal agencies including the Department of Homeland Security and the FBI have “opened a command center to help state or local election offices with any major cybersecurity problems that arise,” the Associated Press reports

“We’re light years ahead of where we were two years ago, and before that we were even further behind,” David Becker, a former Justice Department official and founder of the nonprofit Center for Election Innovation & Research tells The Wall Street Journal. “Not only do we now know the nature of the threat, but the systems today are more secure than they have ever been. That is not to say they are invulnerable — they never are.”

MORE FROM STATETECH: Find out how network segmentation can protect voting infrastructure! 

States Share Security Info and Work with Partners

To help coordinate information sharing among states about threats and give them access to cybersecurity resources, in March the Election Infrastructure Information Sharing and Analysis Center, or EI-ISAC, sprang into being. The center, backed by the DHS and run out of the nonprofit Center for Internet Security, works with trusted affiliates to conduct research and gather intelligence about cyberthreats targeting elections or elections-affiliated systems. 

The ES-ISAC sends out threat intelligence and also has been offering vulnerability assessments, incident response services and other cybersecurity protections. So far, the center has signed up all 50 state election boards and over 1,200 jurisdictions. There are more than 8,000 jurisdictions across the country responsible for the administration of elections, according to the National Association of Counties

The center, which was spun out of the Multi-State Information Sharing and Analysis Center, is deploying Albert sensors at the state level, and a number of states are exploring deploying them on the local level as well, according to Ben Spear, a senior intelligence analyst at the MS-ISAC who is running the ES-ISAC. Spear, speaking to StateScoop, says that the center has “a 24/7 security operations center where people can call in any time, and a forensics team that can provide incident response as needed.” 

As StateScoop reports: “In August, states disclosed their plans for their shares of $380 million in grants from the U.S. Election Assistance Commission. Some states are using their grants to purchase new voting equipment, others are using it to create full-time cybersecurity positions in election offices.” 

Some of that money will be used for long-term elections security measures. In the run-up to the 2018 midterms, many states have shifted around personnel to enhance cybersecurity. “We were able to bring them up to speed pretty quickly with staff transferring in from other roles,” Meagan Wolfe, the interim administrator of the Wisconsin Elections Commission, told StateScoop recently. 

MORE FROM STATETECH: Find out how network segmentation can protect voting infrastructure! 

States, Counties Put Voting Protections in Place

There are certainly gaps that exist in election security, and the Journal reports that “voting machines have been replaced or upgraded in some states, but others are relying on equipment that is outdated or has a known cyber vulnerability.”

Still, states say they have made strides to close gaps. “States all across the country are more prepared,” Wayne Williams, the secretary of state of Colorado, told the Journal. Williams has been among the most active in adopting electoral cybersecurity measures, the newspaper reports.

Indeed, as StateTech has previously reported:

Colorado is mitigating the risk of attacks by nation-states and other actors with stringent IT requirements and policies, says Trevor Timmons, Colorado Department of State CIO. “We require that counties have endpoint protection software and not just anti-virus, but advanced malware prevention software for any machine that accesses the voter database,” he says. To make it easier, Sophos software is made available to Colorado counties at no cost. On the database side, data is encrypted.

Other states are using their National Guard units to guard against cybersecurity threats to election systems. Washington Secretary of State Kim Wyman tells StateScoop that uniformed personnel “will have roles at the states security operations center alongside her civilian staff, running a series of threat assessments and vulnerability scans leading into Election Day.” 

“They only have to get it right once, and we have to get it right 24/7,” Wyman said in Seattle in October, according to the publication. “We are seeing activity. We assume every single threat could be someone trying to mess with our elections.”

Cybersecurity_IR_howstrong_700x220.jpg

jdwfoto/Getty Images
Nov 06 2018