Even though state governments and county election boards were largely successful in warding off cyberattacks during the 2018 elections, the FBI warned last month that Russia continues to try to interfere in American elections, with FBI Director Christopher Wray calling it a “significant counterintelligence threat.”
With that in mind, state governments are likely going to continue to bolster their cyber defenses ahead of the 2020 election. Last year, the U.S. Election Assistance Commission allocated $380 million to the states through the next election to improve voting security.
However, an EAC audit released last month found that states and territories spent just 8 percent — $31.4 million — of that $380 million through Sept. 30, 2018. The good news is that more than half of that total, $18.3 million, was spent on cybersecurity improvements. And the EAC report says that, based on the states and territories’ outlines and plans for spending their election security funds, “the vast majority of states and territories plan to spend their allotted funds within the next two or three years.”
How States Are Bolstering Election Cybersecurity
While the total amount of money states have burned through may seem small, they have been busy investing in technology, personnel and new defenses, including vulnerability scans and advanced firewalls. For example, according to the EAC audit, Washington state put in place advanced firewall protection for the state’s centralized election system and installed an advanced threat detection and prevention appliance, though the vendor was not named.
The state also “acquired a database storage device on the Voter Registration system that has back-up and recovery capabilities.”
Rhode Island implemented a platform for its centralized voter registration system that encrypts all data within it and invested in another system that monitors for and protects the registration system from ransomware. The state also purchased a system that “provides real-time analysis of security threats, sends alerts if issues are detected and quarantines devices if there is abnormal activity.”
Many of those kinds of efforts are likely going to continue in 2019 and into 2020.
“There hasn’t been a lot of money spent, but there is a lot of activity,” Mark Abbott, the commission’s grants director, told StateScoop.
Many of the local grants will be used to help small counties, which generally lack robust information technology resources, to beef up the information security around their electronic pollbooks, election-night reporting systems and websites that feature information for voters.
“Congress should also share in longer-term funding for things like regular risk assessments and necessary repairs and upgrades for critical infrastructure, as well as grants for cybersecurity resources that are directed to local election offices, which are frequently under-resourced relative to their state counterparts,” Lawrence Norden, deputy director of the Democracy Program at the Brennan Center for Justice at the New York University School of Law, argued in congressional testimony in May, according to Fast Company.
The EAC audit makes clear that states’ election cybersecurity work will continue.
Illinois plans to use its remaining $13.3 million in funding for a cybersecurity information sharing program, hiring a cyber navigator/adviser, “providing cybersecurity resources for local election authorities and implementing a statewide network to provide centralized monitoring, mitigation and security services,” the audit says.
Maryland intends to “replace and upgrade voting equipment, perform election audits, upgrade voter registration system servers and software in off-election years and enhance system monitoring activities, mitigating cyber vulnerabilities, refining an incident management plan and providing training,” according to the audit.
Some large states are getting particularly ambitious. New York and Texas are undertaking what Abbott described to StateScoop as a “mammoth exercise” to conduct cybersecurity assessments for all of their counties, many of which are rural and lack lots of cybersecurity resources or personnel.