By Katie Ziegler
State and local election officials are on the front lines of an ever-evolving fight to keep our systems of democracy safe from cybersecurity attacks.
California Assemblymember Jacqui Irwin (D) led a discussion at the NCSL Capitol Forum about the work necessary to maintain the integrity of elections. Matthew Masterson, with the U.S. Election Assistance Commission, and Ben Spear, with the Multi-State Information Sharing & Analysis Center, broke the large, cumbersome topic into five helpful steps.
Step One: Identify. Election officials and state legislators should spend time understanding the existing cybersecurity network in place. What are the policies and procedures on the books today, and how long ago were they put in place? Do they need updating? What systems are you using, what outside systems do you depend upon, which vendors do you work with?
Step Two: Protect. Here, Spear and Masterson explained that while a state may have excellent security provisions in place, the human element is capable of undermining them. Those who want to protect elections must include user training as part of that comprehensive protection. Employees need recurring, real-world training about security procedures and the consequences of mistakes, in addition to using access controls like two-factor authentication.
Masterson joked, “The biggest threat to elections is cat videos – people love clicking on them” (thus making themselves vulnerable to phishing scams). Masterson noted that the average age of a poll worker is 61, and suggested that election officials consider recruiting future poll workers from pools of college students and young professionals with a high level of tech familiarity. Training programs for poll workers can be offered remotely, as has been done in Iowa.
Step Three: Detect. Consider how you are working to detect anomalies in the data. How are you auditing changes to voter registrations, for example? How are you maintaining awareness about data breaches from other sources that could lead to the ability to make changes to voter registrations? Spear remarked that many elections officials assume they won’t be targeted because their area is remote and “unimportant.” He emphasized that, for a hostile actor, any breach into a system is seen as the first step towards a bigger target.
Step Four: Respond. Review your incident response plan to ensure that everyone knows the steps. Who receives the initial notification of a possible breach? Who is on the response team? Do you share what you’ve learned, and with whom? Be sure to test these procedures, conduct exercises and report on what happened. Masterson noted that election officials are inherent contingency planners, which is great news.
The bad news, he continued, is that they haven’t always taken this contingency planning to the next level of cybersecurity threats. County election officials can be especially disadvantaged because they have the fewest resources to devote to technology solutions. Communication is key, too, between local and state officials, and the executive and legislative branches, so that all areas of government affected by a potential breach are receiving the same information. During the last election cycle, Masterson noted, Arizona and Illinois did a great job of sharing their experiences.
Step Five: Recover. If a breach occurs, Spear cautioned, your state will have no choice but to weather it and continue moving forward. All of the planning outlined in the previous steps will go a long way to making the process as smooth as possible.
It is critical for election officials to communicate with voters that elections are safe and secure. Consider working with the media now to publicize the steps you are taking to lay the groundwork for the next election. Work with third-party validators like state legislators and ask them to communicate the security measures that are in place.
Finally, Spear and Masterson urged state legislators to take on the important role of educating their constituents about cybersecurity and some best practices for consumers to follow. The more aware the public is of cyberthreats and how to guard against them, the safer our elections infrastructure will be. Given that the most common request election officials hear, “Why can’t we vote on the internet yet?,” isn’t coming to pass anytime soon, we’ll continue to work with what we have, which is, all things considered, a pretty great system.
Katie Ziegler is the program manager of NCSL's Women's Legislative Network.