W2 Communications and cybersecurity solutions provider ForeScout presented a timely panel discussion on Election Security as part of DC CyberWeek. The conversation was moderated by Federal News Network’s Sean Kelley; panelists included Susannah Goodman, Director of Election Security at Common Cause; Chris Wlaschin, Vice President of Systems Security at Election Systems & Software; and Shawn Rodriguez, ForeScout’s Vice President of State and Local Government and Education. Even with such a diverse panel, there were some common themes on the state of election infrastructure security and a shared commitment to preserving voting integrity.
Here are a few highlights:
- Perhaps the most heartening perspective expressed was that voting integrity is not a partisan issue – advocates from both sides of the aisle strongly believe in voting as critical to our national ethos and in the need to preserve public faith in the process. Goodman noted that Common Cause regularly hears trans-partisan, across-the-board concerns around this issue, and collaborates with progressive and conservative groups to address them.
- Election technology is as vulnerable as any other technology, and must be protected accordingly. Everyone must understand and accept that breaches simply aren’t preventable – what’s important is how an organization responds after they occur.
- Rodriguez emphasized the importance of basic cyber hygiene for the voting network. He mentioned how his clients often don’t even know the extent of the devices on their networks, making maintenance challenging. He cited one example of a mid-sized municipality estimating they had between 7,000 and 8,000 networked devices, but in actuality had 22,000 devices. The additional 14,000 devices were used by groups other than the election commission, but still touched the network thereby increasing risk.
- Wlaschin stressed the need for resiliency, explaining that just one compromised component could render the results from a machine or group of machines vulnerable. He noted that as election officials have for years done contingency planning for things like Election Day power outages or fires, they now must develop best practices for cyber attacks as well.
- All panelists – even Wlaschin, whose company makes voting equipment – advocated for a paper-inclusive system that enables a verifiable audit trail. Currently, voting infrastructure varies state-to-state, using a combination of paper, optical scanning, direct recording and even punch cards; thirteen states have fully paperless systems. That doesn’t reconcile well with voter doubts about election integrity. A recent NPR/Marist poll showed one in three Americans think a foreign country will try to change mid-term election votes. Practically, a paper-inclusive system is seen as the only true way to overcome those concerns and ensure public trust in the electoral system.
- With the diverse world views between federal and state/local governments, there is resistance to election technology infrastructure being regarded as critical infrastructure. Entities like the Department of Homeland Security and the Center for Internet Security see it as such, opening the door to more exposure and funding; but Goodman explained that states resist federal edicts and perceptions of over-reach, making for a slow change in beliefs. However, the disruptions during the 2016 elections and subsequent voter concerns are helping to advance this shift.
- To that end, there is a reserved interest in how states should best make use of the $380M in Help America Vote Act (HAVA) election security grants authorized under last March’s Consolidated Appropriations Act. This new appropriation allows for enhancing voting technology and making election security improvements, including worker training. Many states are holding onto their allocation for 2018 to see what is needed, then will make more significant investments for 2020. With 9,000 local jurisdictions, this amount of funding won’t make a significant impact at the local level, leaving Rodriguez and Wlaschin to advocate for additional, sustained grants that help keep pace with continual changes in technology.
All of the panelists emphasized that campaign security officers and election officials should take greater advantage of federally and commercially provided services designed to help bolster voting security: for example, DHS cyber hygiene training services, “albert” intrusion detection sensors, and even free advisory services from companies like Microsoft and others. Acknowledging the reality of cyber attacks and the inevitability of breaches will help election leaders come to terms with the preparations and action plans that will be required to ensure the integrity of the vote.
The panel discussion concluded with moderator Kelley asking the audience how many preferred voting to stay paper-centric; almost everyone in attendance raised their hand.