Cybersecurity

Kudos to Congress for Taking Election Security Seriously

By Paul Rosenzweig
Thursday, March 22, 2018, 5:33 PM

By now most are familiar with the contours of Russian efforts to influence our elections.  The use of social media by Russian (and also, apparently, by the Trump campaign) have resonated with many.

Lost in the shuffle, however, has been an equally important concern – the apparently frequent but unsuccessful efforts by malicious Russian actors to penetrate the security of the American electoral infrastructure.  In broad strokes, the election system begins with voter registration, and that registration is then maintained in a data base which forms the basis for precinct level voter lists (known typically as “voting books”).  Individuals who are in a local voting book are then authorized to cast a ballot on election day (or, alternatively, by mail prior to election day).  These ballots are tallied in a tabulation that sums the individual voting preferences to identify a winner.  Finally, sometimes, though not always, that final tabulation is subject to a post-election review, whether through statistical analysis or a recount.  Each step along the way involves the collection, storage and transformation of data – data that, in the end, is potentially subject to cyber intrusion through degradation, disruption, denial or destruction.

Happily Congress has begun to react to the potential for disruption.  The House version of the Omnibus spending bill includes $380 million for Election Assistance Commission grants to states “.”

While that broad mandate has yet to be defined, one can easily imagine the funding being used for a host of security improvements.  For example, this funding might go to assist in the purchase of electronic voting machines that maintain physical paper voting records.  In an understandable reaction to the “hanging chad” problems of the 2000 election, America moved to electronic voting systems.  But without a paper back up record an audit of the vote is not feasible.  As one analyst put it:

The money can also help fund States to adopt other relatively simple, standard protective measures.  Not all will be feasible for every election system, of course, but all State and local election boards should be encouraged to implement as many of them as feasible.  For example, log-ins to critical databases should require two-factor authentication to reduce the possibility of malicious access; where feasible election records should be encrypted; and where feasible remote access to election systems via virtual private networks (VPNs) should be restricted or eliminated altogether. These are not novel ideas – they simply are ones which have not been on the radar screen for most election agencies and whose implementation will require time and money.  With this funding bill, Congress has promised the money.

In addition, the spending bill also moves toward effort to give greater capability to law enforcement to counter the Russian efforts directly.  It increases funding for the FBI, with some money to be used for “.” The Department of Homeland Security title also specifies funding “.”

Often Congress is derided for failing to act.  That’s perfectly fair.  But we should, likewise, recognize when it has done the right thing.  These steps to protect American elections are just the beginning – but it is important to recognize that they are steps in the right direction.

Topics: