More than one-third of the $380 million the federal Election Assistance Commission is distributing to states this year will go toward bolstering the cybersecurity of voting systems, the commission said Tuesday when it released spending plans from 52 of 55 states and territories.
The plans come less than three months before the first nationwide elections since U.S. intelligence agencies revealed that Russian hackers attempted to penetrate the networks of election authorities in at least 21 states during the 2016 presidential cycle. They also come a week after the Department of Homeland Security convened a three-day election-security drill for officials from 44 states and the District of Columbia.
“Just five months after Congress appropriated these vital funds, states and territories have money in the bank and new plans in place to protect the security, accessibility and efficiency of federal elections,” EAC Chairman Thomas Hicks said in a press release.
States were also required to put up matching funds of their own, equaling 5 percent of their federal grants. While the most money is being spent on cybersecurity upgrades — including training, routine scans and risk assessments, and threat mitigation tools — significant portions of the $380 million will also go toward new voting equipment, rebuilding voter registration systems and developing post-election audit practices. A few measures may be in place in time for this November’s vote, though most are not expected to be completed until 2020.
“This’ll be a fascinating exercise in democracy,” said John Dickson, a principal at the Denim Group, a cybersecurity consulting firm in Texas. “They’re all doing something different, which is interesting, and we’ll only know who was right in November or two years from now.”
State election officials who’ve visited Congress this year have thanked lawmakers for approving the funds, though they’ve also said the $380 million is a slim fraction of what’s actually needed to make voting more secure. More money any time soon is unlikely; Senate Republicans earlier this month blocked a bill that would’ve distributed another $250 million.
Down payments on new equipment
The plans released Tuesday are as varied as the states that submitted them. Six states plan to spend every dollar they’re receiving on new voting equipment, including Delaware and Louisiana, two of the five states that exclusively use electronic ballot machines that do not produce paper backups. Those types of machines draw critiques from election-security analysts, who generally advocate for devices that can be audited.
But the EAC money, which was authorized by Congress in March, would only amount to a modest down payment on new voting machines. Pennsylvania, which uses a mix of voting machine styles, including paperless touchscreens, plans to use 100 percent of its $13.5 million award on new equipment, though a statewide replacement of every machine in time for the 2020 election is expected to cost $125 million.
Pennsylvania has given its 67 counties until December 31, 2019, to choose new voting machines — specifically those capable of producing a reviewable paper trail — from a list of approved vendors. The state will use its EAC dollars to partially reimburse counties, based proportionally on the number of registered voters in each one.
“Over the last year, experts across the country and the world have issued strong warnings about the risks and vulnerabilities we face from both cyber threats and aging voting systems,” Robert Torres, Pennsylvania’s acting secretary of the commonwealth, wrote in his grant document. “These experts are urging states to take action as quickly as possible to replace older voting machines with updated voting systems that produce a paper trail and have enhanced security and accessibility, as well as to conduct robust post-election audits.”
Small doesn’t have to mean weak
Other states are planning a more balanced approach for their grants. Texas, for instance, intends to spend 49 percent of its $24.4 million award on cybersecurity. The office of Secretary of State Rolando B. Pablos says that it will work with the state Department of Information Resources to provide security products to election officials across Texas’ 254 counties starting this summer and continuing through 2020.
As the state’s managed security service provider, DIR will offer security tools — such as malware detection, firewall services and threat assessments — to counties that request assistance. The assessments and training courses will be free of charge, while fees for other services will be based on each county’s size.
Assistance to sparsely populated rural counties — which are less likely to have robust IT staffs, let alone professionals who can focus on election cybersecurity — is a common thread across the plans states submitted. While Texas’ 254 counties include some of the nation’s most populous, such as Harris (Houston), Travis (Austin) and Bexar (San Antonio), 150 have populations of less than 25,000.
Giving a boost to smaller jurisdictions is also a priority of the $8.3 million spending plan in Washington state, which ranges from Seattle’s King County, with more than 1.2 million registered voters, to Garfield County, with just 1,594 voters in the state’s rural southeastern corner. As a state where nearly 100 percent of ballots are mailed in, Washington does not need to worry about voting machines, but it still has to secure its voter registration databases and other systems that could potentially be accessed by unauthorized users.
To that end, Secretary of State Kim Wyman plans to use Washington’s EAC grant to staff up a security operations center within her office capable of reviewing and protecting state- and county-maintained election systems.
“The biggest challenge is that counties that are medium to smaller have the least access to IT personnel and infrastructure,” Wyman told StateScoop. “We wanted to be able to provide that IT support, and this money is allowing us to do that and bringing up this cyber unit came out of that idea. Our system is only going to be as strong as our weakest link, and we wanted to be able to provide support to our smallest counties.”
Wyman said her office’s new SOC will be headed by a chief information security officer and a supporting staff of as many as four new employees. The new team will be responsible for monitoring for and responding to threats against voting systems across the state, as well as training election workers on cyberhygiene, especially in the counties with the fewest IT resources.
“We’ll be spending more of our time on the smaller to medium size counties,” Wyman said. “This goes hand in hand with our effort to build our new system.”
That new system also includes using the EAC money to place firewalls, two-factor authentication and intrusion sensors — such as Albert monitors, devices that detect malicious network activity — in all 39 counties’ election bureaus before November.
‘Not just people’
With the new SOC in Wyman’s department, Washington is one of nearly a dozen states creating new positions or offices dedicated to election cybersecurity. New Jersey, which released details of its $10.2 million plan last Friday, is using some of that money to add an election specialist to its statewide cybersecurity office. And California Secretary of State Alex Padilla announced earlier this year his department is building a new Office of Election Cybersecurity. (Though most of California’s plan for its $34.5 million in EAC money will go toward new voting equipment to be rolled out by 2020.)
Following cybersecurity and ballot equipment, overhauling voter registration databases was the next-biggest target for states. In many cases, those files are kept on systems that haven’t been updated in years. Wyman said Washington’s voter database was last upgraded in the mid-2000s using the first wave of federal funds authorized by the Help America Vote Act, the 2002 law that created the EAC. The state database, as well as local files maintained by counties, was built on software that is now at least a decade old. Wyman said a new statewide system will be finished next year.
Three states — New York, Illinois and Wisconsin — are putting their entire EAC grants into cybersecurity.
“We had been working on this subject since the original 2016 FBI alerts,” Robert A. Brehm, a co-executive director of the New York State Board of Elections, told StateScoop. “In that election cycle we had put together a state team working with DHS and FBI, at least to look at where we were and what we needed to do.”
New York, which received $19.5 million from the EAC, is also setting up a cybersecurity group focused on elections. The state’s new Secure Elections Center, part of the Board of Elections, will be headed up by a dedicated CISO with an eight-person staff, ranging from an IT specialist to support the statewide voter registration list to liaisons between the board’s headquarters in Albany and the state’s 62 counties.
“The center’s not just people,” Brehm said. “It’s a resource for county boards so we can provide training. We’ve offered training and baseline cyberhygiene training.”
Brehm added that the board convened six regional tabletop drills for county election officials across the state. New York also plans to use its EAC money on implementing network monitoring and threat mitigation services at county election offices where such tools are not already in place.
And even though New York is one of the most diverse states in the country in terms of both geography and population, Brehm said the biggest and smallest counties face similar challenges when it comes to securing elections.
“From our observations and conversations, everyone could do a little bit better,” he said. “We’ve heard from counties of all sizes, resources are always a problem. We did a survey, and it showed we need a uniform baseline of data to do mitigation services.”
Illinois, meanwhile, is receiving its $13.2 million grant in the wake of a federal indictment of 12 Russian intelligence officers on a variety of hacking charges stemming from the 2016 election, including the theft of personal information of 500,000 individuals from the state’s voter registration database. Although there’s no evidence that intrusion affected the outcome of the election in Illinois, it put state election officials on notice to beef up their security.
In accordance with an election-security law signed in June by Gov. Bruce Rauner, the Illinois State Board of Elections will partner with the Department of Information Technology to spend $6.9 million on firewalls, intrusion detectors and round-the-clock security monitoring at every county election office over the next two to three years. The two agencies will also develop a “Cyber Navigator” program to assign staff to advise local elections authorities on security practices.
Illinois will parcel out the remainder of its EAC funds as cybersecurity grants to local officials. The Board of Elections declined to comment further on its spending plan.
While many states’ plans for their grant include cybersecurity components that can be rolled out this year, they’re being implemented in a race against ongoing foreign activity. Federal officials have warned states multiple times this year that Russian intelligence operatives continue to target election infrastructure.
Dickson, the cybersecurity consultant, said the money states are getting is just a jumping-off point in the fight to safeguard voting systems.
“The starting point is a technical deficit,” he said. “Some of the states already have [two-factor authentication and network monitoring], but I would argue those are bread-and-butter things. I would call that playing catch-up. Don’t tout that as saying you’re done.”