In January 2017, election infrastructure was designated as part of the nation’s critical infrastructure under the Government Facilities sector. According to the Department of Homeland Security, election infrastructure includes objects such as voter registration databases, voting systems, polling places, storage facilities, and IT infrastructure. To ensure elections are secure, investments must be made to strengthen our election infrastructure.
The need for election security escalated in 2016 when Logan Lamb, a young security researcher, discovered vulnerabilities in Georgia’s content management software. The vulnerability “exposed the information of some 6.7 million voters and would’ve given the hacker the ability to manipulate or delete any information within voting machines across the state” (GovTech). While it took Georgia months to acknowledge the issue, they attempted to secure their elections by giving election control to the Secretary of State and replacing voting machinery.
Although hacking elections used to be a hypothetical scenario, the last few election cycles have shown that hackers will continue to target state and local elections.
Why State and Local Governments Should Care about Cybersecurity of Election Vendors
- Data Security – It is crucial that constituents trust their election process and feel confident their data will be used in the correct way. We must try to keep bad actors away from our data.
- Credibility – Fair and free elections are essential to American democracy. The Department of Homeland Security states, “The American people’s confidence in the value of their vote is principally reliant on the security and resilience of the infrastructure that makes the Nation’s elections possible.”
- Perception of State Government – Running elections is one of the greatest responsibilities of state government, and constituents need to be confident that it is capable of doing so.
5 Things You Can Do to Secure Systems
1. Secure Existing Technology
Security officials should verify whether devices and applications used by government officials are secure. It is important that their devices and applications use multi-factor authentication and encryption capabilities (FireEye).
2. Test Current Plans
To identify gaps and vulnerabilities, it is crucial that local governments test their existing plans. Evaluating current plans will reveal potential entry points by which bad actors can access voting systems (FireEye).
3. Train local cybersecurity personnel
Since there are over 8,000 separate election offices, it is unreasonable to believe that each state and local election office can defend itself against hostile nation-state actors. To increase election security, we must prioritize providing government employees with proper cybersecurity training (Brennan Center).
4. Expand threat information sharing
Security officials should implement mandatory reporting requirements and comprehensive threat assessments. If an attack occurs, the appropriate stakeholders should be notified immediately (American Progress).
5. Conduct a post-election audit
A “post-election audit” occurs when the number of paper ballots is compared to the electronic totals produced by each voting machine. The paper records should be used to confirm electronic tallies before the certification of election results. However, only 24 of the 42 states with paper records require a post-election audit prior to certification. Conducting audits would give states the ability to use paper ballots to correct totals to reflect voters’ choices if an attack occurred (Brennan Center).
How StateRAMP Helps
Election security is an important issue that is not disappearing anytime soon. As threats continue to evolve, governments must be prepared to adapt to the circumstances. StateRAMP’s mission is to promote cybersecurity best practices through education, advocacy, and policy development to support our members and improve the cyber posture of state and local governments and the citizens they serve. State, local, and tribal governments and agencies leveraging StateRAMP can be confident their third party cloud providers and vendors meet and maintain published national and state cybersecurity policies and standards.