Apr 13 2020

Election Security 2020: States Secure Election Systems with Help from Feds

The Department of Homeland Security and the U.S. Election Assistance Commission help states mitigate potential cybersecurity threats.

In 2017, the U.S. Department of Homeland Security designated voting systems as critical infrastructure, which has made a big difference in the resources available to states to secure elections.

Paul Pate, Iowa Secretary of State and president of the National Association of Secretaries of State, says, “with a little work, we were able to make the connection to federal resources,” although things were bumpy at the start.

State and local election officials aren’t being left in the dark, despite the general decentralized nature of elections in the U.S. With key federal agencies giving states tools they never had before and allowing states to share information and potential threats with federal agencies, officials all over the country are working together to make sure voting is technically secure. 

For states, the DHS’ Cybersecurity and Infrastructure Security Agency can conduct cybersecurity assessments on local election systems, attack detection and prevention; share information about attacks and threats; and train cybersecurity personnel on election matters. The “tabletop in a box” cybersecurity exercises — a 58-page guide that lets states run their own scenarios — became available in 2018.

“They’ve been good about coming in and doing a complete review of our process and giving us a report card that says where we need to beef up our efforts,” Pate says. If an attack is happening in another state, other states know about it through DHS. “They’ve played a big role in helping create the connection,” Pate says. 

The Elections Information and Infrastructure Information Sharing and Analysis Center (EI-ISAC), of which all states are members, offers a host of resources, including weekly news alerts, cybersecurity spotlights, election security self-assessments, election security checklists, incident report checklists and tabletop exercises. They also run a malicious code analysis platform, which is a web-based service that lets members report suspicious activity. 

“If something’s happening in another state, we would really like to know about it. We want to know about it because they’re likely coming to knock on our door,” Pate says. 

Election Administration Clearinghouse Shares Info with States

The 2002 Help America Vote Act, which created the U.S. Election Assistance Commission, plus the DHS critical infrastructure designation, ensured that federal and state officials were on the same page, with appropriate resources, to secure the 2020 elections.

The EAC is a federal clearinghouse for election information, says Benjamin Hovland, EAC chairman, and that’s critical because U.S. elections are decentralized. The organization provides resources on voting accessibility and voter registration, but also cybersecurity and specific election security resources.

“We are the only federal agency that is solely dedicated to thinking about how to improve election administration in this country,” he says. “That gives us a vantage point of understanding election official capacity.” 

Biweekly calls with federal and state stakeholders allow federal and local election officials to touch base on issues of the day, he says.

“We’re able to share information on what people are doing or hearing and compare notes, then try to work together to identify a shared voice where we can ensure people are getting trusted source information and actionable information they can use. That did not exist before and is a big difference between 2016 and now.”

The EAC publishes regular updates on voting system analysis, and a resource page about coordinating with voter system manufacturers (which now also includes tips on cleaning voting machines in light of COVID-19).

“I think good election administration comes down to good governance and customer service, and so in the cyber realm, that means taking care of the basics and making sure patches are done and upgrades are done,” Hovland says.

“It’s really important to understand that we now have working relations,” Hovland adds. “We’ve got names of people. They know who we are, and we have a better sense of what we can ask for and get that resource from them. These were all very significant accomplishments.”

MORE FROM STATETECH: Read this infographic to discover how to protect voter information.

Training and Exercises Prepare States for Worst-Case Scenarios

CISA helps states detect suspicious activity that may indicate an attempt to attack a voting system. And the DHS tabletop in a box explores various scenarios to help states prepare to defend their networks.

Such scenarios may include news and social media manipulation, spear phishing campaigns, disruption of voter registration information systems and processes, denial of service attacks and web defacements, malware infections on electronic voting machines and election management system software, and the exploitation of state and county board election networks.

“A pretty broad example would be, you show up on Election Day and you don’t have internet access,” Robert Giles, director of the New Jersey Division of Elections, told radio station NJ101.5. New Jersey ran the tabletop exercises in all 21 of its counties last September. “There will be cyber incidents, police/fire-type incidents, natural disaster incidents.”

New Jersey officials used $9.8 million obtained through Help America Vote Act provisions to pay for the exercises, another example of state-federal cooperation.

The training “is an extraordinarily good thing,” Christine Hanlon, clerk for Monmouth County, N.J., tells NJ Spotlight. “This is forcing all election officials to deal with scenarios we may not have planned for. It’s critically important that we are prepared, and if it’s not in our plan, we need to add it.”

Keeping communication between local officials and federal agencies is key to keeping elections secure.

“The most important thing is to get the local election officials to the people who can help them best address the issue,” Matt Masterson, senior cybersecurity adviser for CISA, said at a National Association of Secretaries of State meeting in February, according to StateScoop. “Put together the contacts needed for each one of the systems; in some places you have 10 or more vendors. There ensues debate if it’s a voter registration problem or an e-pollbook problem.”

SDI Productions/Getty Images

Zero Trust–Ready?

Answer 3 questions on how your organization is implementing zero trust.