[Image via LinkedIn]
Brian Hancock of the U.S. Election Assistance Commission has a new blog post that looks at the suddenly-popular and always-vital topic of election cybersecurity and makes the important observation that improved security not only requires policymakers and election officials to think big, but also requires them to think small:
Every election has a set of outcomes. Usually it’s winners and losers, but occasionally – and perhaps not coincidentally in presidential elections – there are also outcomes that shape our perceptions about the fairness and efficacy of our elections. In 2000, it was the hanging chad and the role of the Electoral College. In 2012, it was long lines. And in 2016, it was cybersecurity.
Once an issue is introduced into the election ecosphere, it often remains a permanent and recurring part of the landscape. For example, a recent Google search of the words “cybersecurity elections” produced over 12 million hits. And at nearly every election-related forum I’ve attended during the past year, cybersecurity was a key topic of discussion.
The 2016 election elevated the profile of election security issues and demonstrated a need for state and local election officials not only to reassess their readiness, but to educate the public about this important work and the role it plays in securing elections.
Election officials are ready to tackle this challenge because security is at the heart of nearly everything they have always done. Election officials have long understood the importance of securing paper ballots and voter registration log books. They are the ones who secure the physical spaces used to store election equipment when it’s not in use, who enforce dual control when necessary, who use seals, doors, and locks to ensure the integrity of the process. They have always been on the front lines of securing the vote.
In an age of advanced technology, election security has taken on new dimensions. Today’s election office is also an information technology office. Election officials know that security measures must include steps to secure data and establish strict protocols about who has access to systems that house the data. Designing better and more effective cybersecurity policies for election administration begins by understanding what makes the election space so different, so challenging in regards to security. Elections are executed at the county or township level. Effective state and/or federal policy has to be able to push the solution or solutions down to geographically, technologically, economically and culturally diverse populations. Managing solutions in this environment is a daunting challenge, and securing elections will not be easy, cheap or fast.
Since cybersecurity issues will continue to be a factor in the future, those of us charged with helping election officials find ways to best secure their systems must be mindful of the complex nature of this work. If there is any “easy” lift in all of this, it will be at the top of the organizational structure – incorporating and improving practices for disseminating federal cybersecurity information, improving federal testing of voting systems, securing state electors list as a part of the state voter registration system, and assisting with other high-level, centralized systems.
Of greater concern is at the bottom of the organization structure, the county and township elections office. Creating centralized security procedures that can be tailored for a small number of uniform systems impacting every voter is an ideal set of circumstances. Creating flexible, scalable strategies that can be implemented at the end-points of the election hierarchy, where resources are scarce, training is sporadic, and turnover of personnel endemic, is the real challenge. This last mile, if you will, of the election administration hierarchy leads to the thousands of election offices scattered around the U.S. and those end points must be secured. [emphasis added]
Adding to this challenge is an acknowledgement that the effort to implement change will be impacted by state and local legal statutes, budgets and existing contracts. For example:
- At the state level, statutes, rules, contracts, policies and procedures that focus on election security will have to be crafted, vetted, implemented and evaluated through a cybersecurity lens as a regular part of election “clean up” legislation and after-election assessment.
- State officials, as well as local boards and commissions, will need to review and modify rules and procedures to find new ways to make elections more secure.
- Thousands of local jurisdictions across the nation will also review contracts and assess vendor capabilities to guarantee the security of their equipment and processes.
- State and local boards will evaluate policies and training procedures at the local level and quickly implement modifications.
The proverb that a chain is as only strong as its weakest link is certainly applicable to our efforts to secure elections. There are thousands of links in the chain of election administration and each one is important. We must use a similar approach to that taken for other national priorities, such as physical infrastructure. For example, there are over 600,000 bridges in the U.S. If we only maintain the bridges in the affluent counties where there are population concentrations, and we neglect bridges in poorer, rural counties, our highway system ceases to function for purposes of commerce and national defense. Similarly, our greatest vulnerability in overall election integrity comes in our medium to small counties where resources are particularly scarce.
Like our nation’s physical infrastructure, elections will cease to work as a basis for our democracy unless they work for the entire country regardless of location or resources. Larger counties will have IT work forces to aid in implementing any new election related cybersecurity procedures. Smaller counties will not have this luxury, so creating cybersecurity policy that works across this spectrum of resources – at that last mile –is a challenge we must meet. The EAC stands ready to lead that effort and to assist election jurisdictions by listening to their cybersecurity concerns and responding with tangible security solutions.
Thanks to Brian for this thoughtful and important reminder that election security doesn’t work for any of us unless it works for all of us. There is still much work to be done – especially getting Congress’ attention and turning it into action (and funding) – but it’s encouraging to see the EAC taking the lead both in recognizing the problem and working out a solution. Stay tuned …