The front lines in defending the security and privacy of voting against enemies include the localities who manage the voting precinct on election day. The cities and counties need to be just as vigilant as states when it comes to protecting the vote.
In the past, the voting process wasn’t seen as a target for hackers, but the 2016 presidential elections revealed a new way of thinking. State actors have been determined to have at least attempted attacks in 31 states. There were indications that Durham County, North Carolina may have been targeted through an ePollBook hack that discouraged thousands of people from voting last November.
With the next mid-term elections just a year away, local election officials should develop a plan that focuses on five areas:
- Pick the right partners. Many localities use third parties to help maintain voting machines and manage some processes on voting day. Localities should evaluate these third parties based in large part on their capabilities and expertise with security and privacy practices. Employing a contractor to help assess the third party is a good option
- Ensure that votes are counted accurately and completely. If a city or county has not taken clear, conspicuous measures to ensure the public that the selection they make in the voting booth is being recorded and reported properly, then confidence in our elections will suffer.
Localities should start with an inventory of the people, processes and technologies they have in place. Examine current privacy and security procedures and identify any vulnerabilities. From that baseline, a locality can establish a roadmap for effective policies and procedures to protect against security breaches. Vulnerability assessment contractors can help.
- Shore up election audit processes. Counties must be able to ensure that their vote totals can be reviewed and audited. In the 2016 elections, there were recounts in five different states and allegations of voter fraud in two others where the recount process and the accuracy of voting machines were called into question. The inaccuracy and unreliability of the auditing process allowed for enough doubt that both parties started to question not only the credibility of the original vote count, but the electoral process itself.
In every precinct, physical security processes for the voting machines and the machine zeroizing processes need to be fully repeatable and well-designed. Localities need a proven chain of custody, with everything recorded, audited and handled much like a court document. Tightening up those processes, and in some cases the technologies, is key to making sure the vote is accurate and that any recounts will find the same number of votes as the first count.
- Properly vet any new voting eligibility management systems. When new systems are introduced into the election infrastructure, new avenues of attack can come with them. When a locality makes a change or an addition, it is important to assess the new technology for any new vulnerabilities that attackers can exploit. Proper security procedures must be a priority during the implementation process.
- Educate. Most of the time, the easiest part of the system to exploit is the human being that sits in the middle of it. If a county or city focuses on its systems while neglecting to educate everyone in its network about how to recognize a hacker’s ploys, it is inviting the same consequences that has befallen many public sector organizations.
The Russian attack on the 2016 presidential election highlighted the vulnerabilities of our election process and procedures. With the mid-term elections only a year away, we all still have significant work to do to prevent future tampering.
About the Author
Eric Hodge is director of consulting at CyberScout.