Election officials say they’re adopting a ‘security first’ mindset heading into 2020

Election and government IT officials said this week they’re making cybersecurity their top priority as they overhaul their voting systems amid continued fallout from foreign attempts to interfere in the 2016 presidential elections.

While the most visible changes are coming in the form of bulk replacement of outdated voting machines, states are also revising their communications protocols, overhauling voter registration systems and redoubling efforts to help smaller and more resource-strapped local governments get up to speed, officials said Wednesday at a National Governors Association cybersecurity conference in Shreveport, Louisiana.

Robert Giles, the director of the New Jersey Division of Elections, told the conference audience of state-government IT and security administrators that his state had been scheduled to launch a new statewide voter registration system in 2017, but delayed it after an early evaluation of the new system revealed vulnerabilities.

“We pulled it back to do security first, then bells and whistles,” Giles said.

The new system, which will include online registration for the first time in New Jersey’s history, is now set to launch in August, funded in part by a $10.2 million federal grant from the U.S. Election Assistance Commission in the wake of the Russian government’s campaign to disrupt the 2016 election by attempting to hack states’ voter files and election-related systems.

‘We have come a long way’

By all accounts, the relationship between election and cybersecurity officials has improved, but it’s still a new one. Three years ago, the NGA speakers said, election supervisors didn’t know which IT or law enforcement agencies to call in the event of an apparent cyberattack, and vice versa.

“One of the problems we had in our fusion center is that we were all in dissimilar places,” said Phil Bates, Utah’s chief information security officer. “So if something went wrong, people didn’t know who to call.”

The Utah Cyber Center opened in 2016, shortly before that year’s presidential primaries, but it’s matured since then, including with the simple but crucial step of offering a single contact for state, county or municipal officials reporting an issue. Consolidating intergovernmental communications made it easier for information to flow to the Department of Technology Services, Department of Public Safety, National Guard and other agencies represented at the center, Bates said.

Bates also credited other information-sharing efforts, especially the Multi-State Information Sharing and Analysis Center, or MS-ISAC, and its sister organization, the Elections Infrastructure Information Sharing and Analysis Center, which was created in early 2018 after the federal government designated elections systems as part of the nation’s critical infrastructure.

The EI-ISAC has also been the fastest-growing ISAC, with all 50 states and more than 1,600 local elections authorities having joined in a little over a year, said Matt Masterson, a DHS senior adviser on election security. But the EI-ISAC still has a long way to go, he said, with 8,800 local election jurisdictions across the country.

And the task of bringing federal and interstate collaboration into an otherwise decentralized election process was bumpy at times, though Louisiana Secretary of State Kyle Ardoin said states have adjusted to the new reality.

“We were a bit taken aback and opposed to elections being made part of the infrastructure system, but we have come a long way in partnership with DHS and our sister states,” he said.

Updating the voter file at McDonald’s

The next big challenge will be to ensure that all the new resources allocated by federal and state agencies filter down to the smallest rungs of government that administrate the democratic process, Masterson said. Part of the challenge is financial, and Giles said his office has established procedures to help New Jersey’s 21 counties get a slice of the state’s EAC grant by undergoing a cybersecurity assessment from the state IT agency.

Nearly half of the state’s county governments have signed up for those assessments so far, and Giles said he is also outfitting every county election board with an Albert sensor, a device that scans for unauthorized network intrusions, ahead of the 2020 election cycle. Ardoin said Louisiana’s clerks of court are also getting the sensors, which are sold by the Center for Internet Security, a nonprofit in Upstate New York that operates the MS-ISAC and EI-ISAC.

But offering grant money and distributing hardware isn’t sufficient, Masterson said. States also need to provide election officials with IT support, he said, especially in the communities that lack robust technology budgets.

“I went to a township in Michigan where the elections director was using McDonald’s Wi-Fi to update the voter registration database,” he said. “That’s not their fault. That’s our fault for not providing enough support.”

Masterson went on to praise officials in Iowa, where Secretary of State Paul Pate’s office has partnered with the state chief information officer to offer weekly vulnerability scans and regular training exercises to the 99 county auditors that run elections in that state. He also praised Washington, where members of the National Guard deploy across the state, particularly in the sparse, rural counties far from Seattle. Masterson said he’s hoping to see similar collaboration elsewhere as the next election approaches.

“We’re looking at any way to protect 2020, to build partnerships with you and the private sector, to exchange information to manage the risk,” he said.