Ohio secretary of state pushes new security directive for county election boards

Ohio Secretary of State Frank LaRose on Monday announced a new security directive for the state’s 88 boards of elections, targeting a broad range of protocols and security controls designed to safeguard election systems that enjoy diminished federal support.

In a May 29 directive, LaRose directs the state’s county boards of elections to strengthen their physical security, bolster their cybersecurity practices and comply with Americans with Disabilities Act requirements. The directive, the sixth to come from LaRose since he took office in 2019, covers a broad swath of tasks, from implementing cybersecurity awareness training to ensuring websites can withstand heavy traffic.

He notes in the directive that while similar work had previously been supported by federal funding from the Help America Vote Act, such funding sources can no longer be consistently relied upon. Instead, LaRose wrote, he’s asking Gov. Mike DeWine and the state legislature for funds — $10,000 per county — so counties will be able to implement his directive.

In a press release, LaRose explains that the measures are designed to “stay ahead of the bad guys.”

“We’ve positioned Ohio as the national leader on election integrity, and this new directive demonstrates our ongoing commitment to safeguarding our voting equipment and the systems that support it,” he said in the release.

Included in the directive is a requirement that all voting equipment be secured with dual-control lock systems, which LaRose said are designed so that equipment is always accessed by a “bipartisan team.” It calls for video monitoring systems to watch sensitive areas of voting facilities and for those systems to retain footage for 14 days.

Counties are also required to implement a host of cybersecurity measures, by Aug. 29. These include a requirement that counties use a vulnerability scanning service provided by the Department of Homeland Security. Counties are also required to review personnel information with the Multi-State Information Sharing and Analysis Center.

Though counties will have reduced access to federal funding, the directive notes several state services that will continue to be available, including access to regional “cyberliasons” who provide technical assistance, an endpoint detection and response system and compliance auditing conducted by LaRose’s chief information security officer.

LaRose’s directive notes other services to be provided by the state, including a malicious domain blocking and reporting service and the Albert network intrusion monitoring system, though both of these are provided through the MS-ISAC, which until recently depended heavily on federal funding. The center’s operator, the New York nonprofit Center for Internet Security, has said it will provide gap funding to continue operations, but the organization’s future is less solid than it was before Donald Trump took office for a second term and began gutting cybersecurity programs.

LaRose is requiring counties to shore up their websites, ensuring they hold valid security certificates, that all web systems are protected by firewalls and that their hosting can withstand heavy traffic during general elections. His office is also requiring that counties conduct vulnerability scans at least once a week, remediating critical and high vulnerability issues within 15 days and all others within 30 days. They must retain documentation of the scans for at least one year.