Despite the $380 million in federal grants made to states to update the security of their election systems, we are still woefully unprepared to deal with potential attacks on our essential digital voting infrastructure. With the 2020 election cycle fast approaching, there is tremendous urgency to address the underlying issues that jeopardize the sanctity of our elections.
As former director of cyber operations and chief information security officer for the U.S. Air Force, as well as with my more recent experience working in the cybersecurity sector, I have a fairly unique perspective on how our state governments should be addressing election security. In my view, the main cause of our cybersecurity-unpreparedness is that we are not looking at the problem holistically, nor are we fully appreciating the complexity involved. Solutions being posed only address part of the problem and inevitably fall short, thus putting our democracy at serious risk.
States are ultimately responsible for election systems and their security, but cybersecurity solutions vendors can also contribute to this effort. Below are four steps that state governments should take, working with the technology community, to effectively address vulnerabilities in the voting system and better protect our democratic process through cybersecurity practices, people and technology.
1. Mandate transparency from e-voting hardware and software providers about security of their software and require them to identify security vulnerabilities.
What I’m talking about is mandating cybersecurity hygiene, much in the same way that companies require cybersecurity hygiene of the organizations with which they do business or form partnerships. There is a broad range of commercial providers of election system technology, each playing a different role in the overall e-voting system ecosystem — some of which have begun offering free, open-source versions of their software to governments — making it critical for providers to be transparent about potential vulnerabilities in their systems. Similar to how Microsoft releases patches and upgrades when new threats are discovered to offer users greater protections, this needs to happen in our election system as well. As part of this transparency, ongoing monitoring and measurement of the effectiveness of each component also needs to be conducted, which leads to my next point.
2. Instate continuous, automated measurement and monitoring of the effectiveness of security controls.
States need to understand how systems are protecting against new and existing vulnerabilities, and this needs to be automatically monitored on an ongoing basis with cooperation from each software provider. Too often, assumptions are made that security technology and protocols are working as they’re supposed to — but given the complexity of IT environments, the number of software elements that need to work together and the volume of network and access changes made every day, misconfigurations that compromise performance are common. To ensure optimal performance of the overall security environment requires quantifiable measurement and evidence that controls are working as they should.
3. Limit access for government employees to certain portions of the election system based on role and need.
In the business world, insider threats pose greater risks to organizations than external forces, and the same can be true for governments. External threats are absolutely still an issue, but it’s also important to take a cautious approach to the type of access to different systems that is permitted to government employees. We call this a “layered defense” approach, where measures are put in place to prevent the likelihood of a lateral attack on one or more aspects of the voting system — including the voter registration database, which is part of states’ Department of Motor Vehicles networks. By limiting access to each system based on an individual’s role and need, cyberattacks on these systems are less likely.
4. Create greater alignment between state CIOs, CISOs and secretaries of state, and allow more oversight into security protocols and the systems and technology being used.
Across many states, the secretary of state oversees the state election process, which includes testing and certifying the systems and technology used for electronic voting. Each state also has a chief information officer and chief information security officer, who typically don’t have a direct relationship with the secretary of state. I see this as an obvious need for change. At the very least, state CIOs and CISOs should be more involved in addressing election security, working alongside the secretary of state and election commissions as they strive to better understand the evolving cyber threat landscape and put the right solutions in place to address potential threats. But a more closely aligned relationship between all of them in taking the above outlined steps will also drive more efficiencies, more consistencies and a more uniform approach to election security.
A trusted electoral system is the very foundation of American democracy. With less than the strictest security protocols and controls in place, and by looking at each component in the e-voting system in isolation rather than holistically, we run the risk of a compromised election outcome that can result in the loss of faith in our democracy.
Earl D. Matthews, Maj. Gen. (Ret), CISSP, is the chief strategy officer for the cybersecurity company Verodin and the former director of cyber operations and chief information security officer for the U.S. Air Force.