Cybersecurity and the importance of cyber hygiene took front and center stage during the 2016 U.S. Presidential Election campaign season. Voter database systems were compromised, national political parties were breached, and the Democratic candidate's campaign was hacked via a phishing email.
To address the problem and increase election security before the 2018 midterm elections, Congress authorized $380 million for the U.S. Election Assistance Commission (EAC) to issue to U.S. states and territories.
"This much-needed funding will provide states with essential resources to secure and improve election systems," said EAC Chairman Thomas Hicks in a statement. "The EAC is committed to making these funds available as soon as feasibly possible, and we fully expect this money will be deployed in meaningful ways to support the 2018 elections."
The funds were made available via grants and could be used to improve the administration of U.S. federal elections, including for enhancing election technology and improving election security.
Specifically, recipients could use the funds to replace voting equipment with technology that creates a verified paper record; implement a post-election audit system; upgrade election-related computer systems to address cyber vulnerabilities; put election officials through cybersecurity training; implement cybersecurity best practices for election systems; or fund other activities to improve the security of elections.
The EAC used a voting age population formula to determine how much of the $380 million each state and territory was eligible for, with the smallest receiving $3 million. New York, for instance, requested and received $19.5 million in May 2018 to make improvements to its election systems.
However, some are skeptical about the amount of money made available to the states and territories and the impact—if any—it will have on election security overall.
John Dickson, principal at the cyber firm Denim Group, says there are two risks that election officials are attempting to address with the funds: technical risk and political risk.
"Because they have a limited amount of time to put these resources to work, it's almost obvious that you would focus on the crown jewels—you'd spend at the state level protecting the infrastructure at the state level," Dickson explains. "The problem is, the voting machines out there are crazy—there are thousands of them—so if you were to just disburse the money to all the counties, it would have no meaningful impact. But, politically, the secretaries of state can't hoard the money."
Dickson, a former U.S. Navy intelligence officer who lives in San Antonio, has met with election officials from Texas, Missouri, and Kansas, and had conversations with officials from an additional 12 U.S. states.
Most of these conversations have focused on how to beef up election security in the limited time leading up to the November midterm elections.
"A common theme I've heard was that they are going to try to spend it in a wise way but recognize that this might be as much about the 2020 election as it is the 2018 midterm elections," Dickson says. "Right now, there are 50 different states that are looking to do this 50 different ways. It's an exercise in democracy watching how this plays out."
While each state and territory will take its own approach to spending the funds, Dickson cautions against spending all of the money on hardware—such as upgraded voting machines that create paper trails of votes.
"A major mistake would be to spend it all on hardware," Dickson says. "The amount of money they would have to spend, there's no way they would make a dent in that."
For instance, in Dickson's own county there are 2,842 voting machines. Each new machine would cost at least $300, and to replace all of them at that price point would be almost $900,000. And that's just a single county in Texas, which received $24.4 million for the entire state.
"In fact I don't think the attackers are going to go after the endpoint because it's just easier to hit the aggregation points," Dickson adds.
To better understand the security threats to elections, many election officials are turning to the U.S. Department of Homeland Security (DHS), which classified election infrastructure as critical infrastructure in January 2017 prior to U.S. President Donald Trump's inauguration.
"Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law," said then DHS Secretary Jeh Johnson in a statement.
Included in DHS's definition of election infrastructure are voter registration databases and associated IT systems; IT infrastructure and systems used to manage elections; voting systems and associated infrastructure; storage facilities for election and voting system infrastructure; and polling places—including early voting locations.
"I have reached this determination so that election infrastructure will, on a more formal and enduring basis, be a priority for cybersecurity assistance and protections that the Department of Homeland Security provides to a range of private and public-sector entities," Johnson said.
Classifying election infrastructure as critical infrastructure also allowed DHS to grant individuals security clearances to give them more access to threat indicator information, and to establish an Elections Information Sharing and Analysis Center (E-ISAC).
DHS is using the E-ISAC to share cyber threat indicators, vulnerability information, risk analysis, best practices, and guidance with more than 700 members across the United States.
While DHS has goals and benchmarks to achieve prior to the November midterms, it's also seeking to lay a strong foundation for the 2020 U.S. presidential election and beyond. On that list of goals is to begin to conduct exercises with federal partners, and state and local governments—like exercises done to test the resilience of the electric grid and other critical infrastructure sectors.
Not included in DHS's definition of election infrastructure that raises concerns, however, are campaigns and political committees. Dickson finds this worrisome because in the lead-up to the 2016 U.S. presidential election, both major political parties—the Democrats and the Republicans—were targeted.
Democratic candidate former U.S. Secretary of State Hillary Clinton's campaign was breached by Russian hackers when her campaign chairman, John Podesta, opened a phishing email. The hackers used that access to obtain emails sent between campaign staffers that were then distributed widely online in the run-up to the election.
And just before Security Management's press time, the U.S. Department of Justice charged 12 Russian intelligence officers with hacking Democratic officials.
"We know that the goal of the conspirators was to have an impact on the election," said Deputy Attorney General Rod Rosenstein in a statement about the charges, which included conspiracy to commit an offense against the United States by releasing stolen documents to interfere with the 2016 presidential election, aggravated identity theft, conspiracy to launder money, and conspiracy to commit an offense against the United States by attempting to hack state boards of elections, secretaries of state, and U.S. companies that supplied software to administer elections.
To address this threat, DHS did partner with the Harvard Belfer Center's Defending Digital Democracy project to release The Cybersecurity Campaign Playbook because it says that all campaigns, at all levels, have been hacked.
"While the recommendations in this playbook apply universally, it is primarily intended for campaigns that do not have the resources to hire full-time, professional cybersecurity staff," according to the playbook. "We offer basic building blocks to a cybersecurity risk mitigation strategy that people without technical training can implement."
Those building blocks include a checklist for all campaigns: setting the tone that cybersecurity is taken seriously; using cloud services to store information; using two-factor authentication for all important accounts; creating strong passwords; and having a plan in case the campaign is breached.
"It's important that cybersecurity is tightly integrated into HR and IT work, since correctly onboarding staff, provisioning hardware, and controlling permissions will be critical to your strategy," according to the playbook.
The playbook also includes guidance for steps all campaigns should take to increase their security, such as establishing a strong information security culture, to enhanced steps that can be taken later, such as hiring a dedicated IT professional.
Defending Digital Democracy released its first playbook in November 2017 and followed it up with a playbook for European elections.
However, some are skeptical that campaigns will follow through with the recommendations made in the playbooks to enhance their security—making them vulnerable.
"It makes sense to the 2020 presidential campaigns for either major party and maybe super big senatorial races," Dickson says, adding that he thinks it's unlikely that smaller campaigns will adopt similar practices.
Representatives from the Defending Digital Democracy project did not return requests for comment prior to Security Management's press time.