electionlineWeekly on How States are (Planning on) Spending Federal Cybersecurity Funds

[Image via marketingland]

Mindy Moretti’s latest electionlineWeekly newsletter takes a look at how states are thinking about spending their share of the $380 million in federal funds for election cybersecurity included in the recent federal omnibus budget bill. Take a look:

Earlier this year, the president signed Consolidated Appropriations Act of 2018 into law, the law includes $380 million in grants for states to improve their cybersecurity. To-date 32 states, America Samoa and the U.S. Virgin Islands have applied for their HAVA funds.

Although states are allowed to draw down on their available funds in phases, most states seem to be applying for—and receiving—all their funds at one time. Once states have applied for their funds they have 90-days to provide a narrative on what they will be spending the money on.

Part of the requirement for receiving the federal funds is a 5 percent match from states. How elections officials are getting those matches varies. Some states are relying on their Legislatures to allocate the funding and others are using existing funds allocated in state budgets.

The Election Infrastructure Subsector (EIS) Government Coordinating Council has provided a white paper of sorts on what states and counties should consider when planning their spending. The document is “intended to raise awareness of resources and helpful practices that can assist election officials to do more with the resources afforded to them. The document covers cyber navigators, common vulnerabilities and improving jurisdictions overall cybersecurity posture. The paper also includes a section on vendor selections.

In addition to the GCC considerations, a group of security experts/former elections officials/academics (and Democracy Fund Senior Advisor Tammy Patrick), sent a letter to all 50 states, the District of Columbia and the territories urging them to follow a list of best practices when considering how to spend their funds.

The National Conference of State Legislatures also has a some suggestions for how states should spend their money.

So with all these ideas in mind, what exactly are states spending their money on? Because many states are still working on their narratives, some of this is subject to change, but it’s a wide array of expenditures.

In New Mexico, the state intends to use the HAVA funds to make further election security advancements including creating and staffing an Election Security Program within the secretary of state’s office.

“Our new Election Security Program will be tasked with expanding our election continuity plans and security assessments and assisting counties with security assessments and equipment needs,” explained Joey Keefe, spokesman for the secretary of state’s office.

According to Nikki Charlson, deputy state administrator with the Maryland State Board of Elections, the state will spend its funding on training, upgrades to IT infrastructure, on-going security assessments and the development of a multi-year cybersecurity plan.

Colorado is “thinking outside the box” in how it will spend its funding.

“Even prior to 2016, Colorado had excellent security procedures and software in place, including dual-factor authentication, cybersecurity software for county systems, voter registration monitoring systems, training, firewalls, etc., explained Judd Choate, director of elections in the secretary of state’s office. “We are looking social media monitoring software to make sure that if people threaten attacks or make claims about our elections, we can counteract those claims quickly. And, obviously we are looking at other, even more sophisticated protections for our voter registration system.”

The state already has a number of ideas in the works including a September 6 table top exercise that will bring together 200+ county election officials, election IT personnel and county PIOs. The daylong session, which the state is calling Elections Wargames, will include a two-hour TTX and follow-up training.

According to Steve Trout, director of elections for the state Oregon, the state will be spending its funds on survivability and redundancy. If there is a denial of service attack, or an attack on the electrical grid Trout said the state needs to make sure it has a backup system to switch over to in order to ensure continued operations and services. These funds will help with that.

A majority of Vermont’s money will be spent at the state level, however it will be used to purchase system, like the accessible voting system and new voting machines and services, such as cyber training. These will then be provided by the state to the towns.

“Further cyber security training for local officials and safeguards on their access point to the election management system,” explained Secretary of State Jim Condos. “And yes, these funds will help take care of that need by paying for ongoing training and for implementation of “two-factor authentication” for the local clerks’ login procedure.”

West Virginia has already submitted their narative ( WV_HAVA_Narrative_Letter.compressed-1.pdf )to the U.S. Election Assistance Commission. In the narrative, Secretary of State Mac Warner outlines the state’s plans to spend their funds. Interestingly, Warner writes:

“On a personal note regarding current and future HAVA funds made available by the federal government, I find it important that West Virginia’s long-term preparations for cybersecurity protections and maintenances of our Statewide Voter Registration System should be funded with a dedicated source from our state budgets; not short-term federal funds that may not exist in the future.”

Warner notes that he is however grateful for the federal funds to bolster local cyber and physical security.

Many, but not all of the states are keeping the funds at a centralized level which has caused some consternation amongst the counties.

“It makes sense that the states use a lot of the HAVA funds to help secure the statewide voter registration databases (since the majority of states have state offices that are responsible for VR databases, and these databases are more likely to be a target of an attack),” said Ricky Hatch, clerk/auditor for Weber County, Utah and division director for the elections division of the International Association of Government Officials (IGO) “However, there’s a lot more to security than just the VR database, and public trust is at the top of the list. Voters trust local officials more than state or federal officials.  Local officials are the name and the face of elections, and should receive support (including resources, training, and outreach) to help shore up public confidence in elections.”

Maryland’s Charlson said it made sense for the state to keep the money centrally located given the state’s election structure.

“Because of how we administer elections in Maryland, we have the ability and infrastructure in place to procure goods and services for the local election officials, pay invoices, and receive reimbursement for those invoices,” Charlson said. “With this process, we can use federal funds to pay for goods or services for the local election officials, rather than transferring the funds to the local election officials.  Centralized management of the funds worked well with the original allocation of HAVA funds.”

These spending decisions are significant, given public awareness (and concern) about the issue of cybersecurity and the associated pressure for states to demonstrate not only that they take the threat seriously but that they are doing something about it. Indeed, this federal funding will almost certainly result in sustained pressure for state and local policymakers to continue supporting cybersecurity activities. As DHS’ Matt Masterson told the Washington Post:

“That money was a really important step from Congress. I was really pleased to see that because it’s an infusion to help the states get started with many of the things that need to be done,” he said. “But in the end it’s going to take an ongoing commitment from all levels. States and locals run elections, so that means state and local funders — county commissioners, legislators — need to be committed to funding elections because there’s always going to be this need to resource elections in order to keep them secure and maintain a resilient process.”

Obviously, this is a huge issue for election officials nationwide in 2018 and beyond. Thanks to Mindy for her legwork in tracking down the plans in numerous states – and to state and local election officials across America who continually work to harden the nation’s election system from outside interference. Stay tuned …

Be the first to comment on "electionlineWeekly on How States are (Planning on) Spending Federal Cybersecurity Funds"

Leave a comment

Your email address will not be published.