Many experts on election security say the key to more secure ballots is to move away from electronic voting machines toward models that produce paper records of votes. But it takes more than just that, a former federal cybersecurity strategist said Wednesday at a conference for city and county officials.
Mike Garcia, now a consultant with the Center for Internet Security, told the group of about 40 that attempts to undermine the U.S. electoral process are going to target more than just ballot boxes.
“Voting machines aren’t the only place you can undermine the election process,” Garcia said at the Public Technology Institute event in Washington. “Adversaries are going to find weaknesses anywhere.”
There’s no evidence hackers manipulated the casting or tabulation of any votes in 2016, but federal officials have said Russian agents attempted to infiltrate election systems in 21 states during the last presidential election. Even with ballot security in greater focus ahead of this year’s elections and the 2020 presidential race, though, Garcia said the local officials who oversee voting are still outmatched.
“We have nation-state-level adversaries, but decentralized elections, so we don’t have nation-state-level responses,” Garcia said.
While the federal Election Assistance Commission plans to distribute $380 million to help states strengthen their voting systems’ integrity, Garcia said there are a number of other measures local governments can take. By his count, there are more than 8,000 jurisdictions around the country that administer elections, and many of them lack the resources to develop robust cyberdefenses.
“There are no good IT staff in some of these smaller counties,” Garcia said. “The entire thing is outsourced. So how do you write good contracts? Doing anything to improve elections will be looked at favorably by EAC, but EAC didn’t give any priorities.”
Garcia recommended 10 steps election authorities can take. The first is to join CIS’s Elections Infrastructure Information Sharing and Analysis Center, which has about 550 member governments, including 47 states. (Arkansas, Massachusetts and New Hampshire are the hold-outs.) Beyond that, the recommendations are similar to what information security officials suggest for all kinds of government systems: routine security and vulnerability assessments, incident-response plans and employee training, reviewing vendor contracts.
The Center for Internet Security also recently published a handbook containing an 88-item checklist for how local governments can achieve better election security. Some steps, like implementing security assessments, can be put in place this year, Garcia said. Others, like reviewing contracts and replacing hardware, will take longer. Garcia said CIS is also releasing a self-assessment tool next month that EI-ISAC members can use to see how they’re meeting the handbook’s recommendations.
Meanwhile, states are moving at different paces in accepting the EAC’s offer. Maryland announced last month it will use the $7 million it’s getting from the EAC on new election-security positions and statewide employee training before this year’s elections. But Florida’s top elections official said Wednesday that the state will not be getting any of the $19 million the EAC is offering until after this November, to the consternation of several county officials who want to shore up their systems before then.
Though election processes vary from state to state and county to county, Garcia stressed at Wednesday’s conference they carry the same consequence — and low margin for error.
“We don’t have a backup for election day,” he said.