02/12/2019 | News release | Distributed by Public on 02/12/2019 00:34
Secure and resilient election infrastructure is the cornerstone of a thriving and reliable democratic system of government. The U.S. is grappling with how to best equip state and local election officials to secure their election infrastructure and assuage public concerns after the targeted cyberattacks and influence operations levied against U.S. elections in 2016. While there is no evidence of compromise to voting systems during the 2018 U.S. midterm election season, influence operations continued and there were attempts to hack other election infrastructure. Securing election infrastructure is a complex problem that necessitates a lot of coordination between federal, state, and local election officials and out of the box thinking about what is part of and feeds election infrastructure. The complexity of the problem, resource limitations, and time constraints require short, medium, and long-term solutions to build resilience. Strategically sharing resources can help election officials build resilience in the short and medium term by acting as a force multiplier.
Securing election infrastructure is a complex problem that necessitates a lot of coordination between federal, state, and local election officials and out of the box thinking about what is part of and feeds election infrastructure.
As highlighted in the DEF CON 26 Voting Village Report, there are four major election infrastructure vulnerabilities: supply chain insecurity, remote hacking, the ease of hacking election infrastructure, and vulnerabilities not being fixed. The application of these vulnerabilities is often clearly related to voting machines, but other election infrastructure like public-facing websites, voter registration systems, and campaign infrastructure are also vulnerable to attacks. For example, malicious actors shutting down Tennessee 's public-facing election website and hacked into Georgia's voter registration system during the 2018 midterm election season. Similar to the 2016 Democratic National Committee hack, these incidents highlight the susceptibility of the patchwork of systems and people that feed a U.S. election. This presents a number of nonobvious vulnerabilities that may start small but have cascading effects and far-reaching impact.
Elections are run at the local level, but they feed local, state, and national elections, which further complicates the environment by adding a matrix of stakeholders unfamiliar with the threat landscape. This complex environment has made distributing resources and information to local election officials difficult, as they attempt to navigate bureaucracy, their state's views on elections, and adapting guidance to their unique infrastructure. Shared resources can be an important means for state and local election officials to maximize budget, expertise, and the time from now until the 2020 election season.
There are three short-term and strategic opportunities to share resources and build resilience as longer-term efforts work to educate stakeholders, secure infrastructure, and secure long-term resources. Each must be considered based on the infrastructure, resources, current threat landscape, and risk profile of the state or locality. One or more of these, however, may be beneficial as election officials prepare for the 2020 election season.
Shared Services Contracts
Shared service contracts between localities and/or states can reduce the overhead to identify and procure new products and services and enhance vendor management and accountability while creating economies of scale. This will require a means to evaluate the risks to establishing shared infrastructure, the differences in current infrastructure, and the efficiencies gained. However, a strategic sharing agreement that accounts for risk and builds in controls and safeguards can reduce spending, reduce load on stakeholders and subject matter experts, and provide helpful data to officials and vendors. Officials should not enter into too many shared service contracts with the same partners because the disparate nature of our election systems is one of the features that protects us from a large-scale attack. Sharing must be limited and strategic.
It is important to note that state budgets will be cemented by the middle of 2019 for 2020, therefore exploring shared service contracts should be a focus for early 2019.
Shared Expert Resources
A major gap for many localities is the absence of dedicated cybersecurity subject matter expertise. State and county Chief Inofrmtion Security Officers are supporting localities to the best of their ability, but may not have the bandwidth to adequately support each locality with their other job responsibilities and the varied needs of each locality. States should consider building share expert resources whose responsibility is to provide cybersecurity expertise across localities. For example, Illinois is hiring 'cyber navigators' with cybersecurity expertise to assess vulnerabilities and support local jurisdictions as they implement election security best practices. This program is core to building resilience across the state by 2020. States can use 2018 HAVA Election Security funds to sponsor or seed these forces.
Leverage Existing Infrastructure
Most states have a fusion center that operates as a focal point for state or major urban areas for the receipt, analysis, gathering, and sharing of threat-related information between federal; state, local, tribal, territorial (SLTT); and private sector partners. Fusion centers are information sharing hubs that are already plugged into relevant state and Department of Homeland Security (DHS) cyber resources. Collocating election security taskforces or otherwise actively collaborating with fusion centers, national guard cyber forces, university resources, and other relevant cyber resources is important to understand what 'normal' looks like so officials are able to identify deviations quickly and escalate, as necessary. A few states have begun similar initiatives. For example, Washington, Colorado, Ohio, and South Carolina have brought their National Guards into the election defense process. Leveraging existing resources, which includes existing communication channles, not only capitalizes on institutional memory and reduces cost, it presents a good opportunity for multidisciplinary cross-collaboration in preparation for and response to election security incidents.
Resource sharing can also facilitate the building of trusted networks that further enhance security.
There is a lot of work that remains to improve the security posture of the U.S. election infrastructure. These shared resource options create efficiencies and act as a force multiplier of current resources. Resource sharing can also facilitate the building of trusted networks that further enhance security. State and local election officials should seek to leverage existing channels to ensure these trusted networks include both domestic and international allies as cyber threats are global. Transatlantic partners are combating similar threats to election infrastructure and voter confidence from similar adversaries. Information sharing with allies related to election security is an opportunity to identify new attack vectors, understand adversary tools, techniques, and procedures, identify patterns, and share lessons learned. Because the European Union also operates in an environment where there is a great degree of variation across member states, understanding how they share resources may be helpful when evaluating when and how to leverage these shared resource options. State and local officials, DHS, the Election Assistance Commission, and other stakeholders have made a lot of progress in recent years, but progress is slowed by bureaucracy, lack of resources, and other previously mentioned hurdles. Given the urgency and immediacy of the next election cycle and the increase in voter turnout, it is more important than ever that states evaluate and strategically deploy short-term solutions, as discussed here, to maximize the resources available to protect the integrity of U.S. elections.