This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
The news is replete with alleged actions of foreign governments and hackers trying to impact the democratic election process in the United States. What most people do not realize is that almost all elections, even national elections for the office of President, are actually run by state and local governments. As such, it is incumbent upon the state and local governments to ensure the security of all elections, which underpin the faith and trust in our democracy and our democratic process.
While there are many technical things that can be done to ensure the integrity of elections and the voting process, this article will attempt to focus on more holistic approaches to the security of elections. I note that the ideas expressed herein should not be thought of as an exhaustive list but more as a beginning for thinking about security measures.
Voting machines should provide some kind of vote verification and authentication. While many machines provide an audit function, these audits are only as good as the security around the software and hardware that underpins the voting machines. As such, all voting machines should have a mechanism to create a paper record of a vote cast by a citizen. These paper records can then be used by the electoral board of the state or municipality to audit and authenticate all voting records.
If there is no paper record, the entity running the election is at the mercy of the data provided by the voting machines’ software and hardware for not only the vote count but also the information used to conduct an audit. If the hardware or software has been compromised and miscounts or somehow otherwise alters a vote, that same compromise will probably rear its head in the audit, making such an audit virtually useless.
All electoral systems, including voting machines, should have a requirement for very strong passwords with two-factor authentication. Many hacks on electoral systems, and on cyber systems in general, begin with stolen credentials. If two-factor authentication is not implemented, those stolen credentials can lead to havoc being reeked upon the electoral process.
Two-factor authentication, which requires a user to know both a password and to possess a second device that authenticates them, allows for much more robust security in general. No software or hardware should be accessible without a strong password protocol and two-factor authentication. These requirements alone can go a long way towards strengthening both hardware and software from outside attacks.
Electoral commissions should limit access to software and hardware systems only to those who require access to those systems. Additionally, all sensitive data should be isolated, and networks should be segregated so that a breach in one part of a network does not automatically lead to a breach of the entire network.
With respect to who should have access to software and hardware, election authorities should take a long hard look at not only who needs access to the systems in general, but also to what parts of the system they should have access. This limited access can control the amount of damage created by any one person and can also limit the damage should a breach of a person’s access credentials occurs.
Election authorities should require their vendors to prioritize security. When speaking of election machines and the electoral process, limiting both access to the software and physical access to election machines should be a high priority. As such, maintenance crews, janitorial services and other personnel should have restricted access to rooms containing voting equipment. Additionally, any equipment at a polling place should be secured under lock and key with key holders being trusted personnel.
Election officials should regularly test the integrity of their networks and the process. This includes regular penetration testing, network vulnerability testing, access control audits and post-election audits. All of these will combine to help to ensure the integrity of the network, and more importantly, assure the public of the integrity of the electoral process.
Understand Your Network
Electoral officials should understand the entirety of the network that supports the voting process and look for weaknesses in that greater network. For example, if voter rolls are authenticated through driver’s licenses at the Department of Motor Vehicles (DMV), those networks present a potential weakness. As such, the DMV’s networks should be subject to the same security protocols and testing as the actual electoral voting networks. Only with this type of holistic network approach can the integrity of the voting process be ensured.
All electoral authorities should seek to create a holistic security culture. This type of culture should start at the top and permeate throughout the electoral staff and those that support the electoral process. Like most breaches, a breach in the electoral process will probably originate with a human error. As such, it is important to continuously train all associated personnel not only with cybersecurity protocols, but also physical security protocols. Additionally, this holistic security mindset should be regularly reinforced and tested to ensure not only compliance with applicable policies and procedures but also with what many people call “common sense” actions.
Incident Response Plan
All electoral authorities should have a detailed cyber incident response plan. This plan should be well thought out and tested regularly with all involved personnel. This plan should outline what should happen in the event of a breach, who should be notified, what other resources should be brought to bear, and how communications should be handled. Additionally, this plan should be regularly tested through cybersecurity tabletop exercises, which will allow the parties to understand what they should do in a controlled environment before something actually happens. As it is often said in battle, when the bullets start flying is not the time to figure out what you would do.
Many of the processes that pertain to how local and municipal authorities should deal with cybersecurity are the same as how any enterprises should deal with cybersecurity. First and foremost, there should be a culture of security created throughout the organization. Additionally, testing and auditing should be a regular part of the process of running elections. Lastly, election authorities should have a detailed response plan so that they will know what to do in the event of a breach or an emergency.
That said, unlike other businesses, the integrity of the electoral process is the underpinning to our democracy. It is incumbent upon all of us to ensure that we are doing all that we can to protect this process.
Roy E. Hadley, Jr. is an attorney with Adams and Reese (Atlanta) who serves as independent counsel to companies, governments, and boards on cyber matters, helping them understand and mitigate legal risks and exposures to protect themselves and those they serve. He has previously served in the corporate roles of general counsel and chief privacy officer, as well as special counsel to the president of the American Bar Association and special assistant attorney general for the state of Georgia. He may be reached at Roy.Hadley@arlaw.com.