EAC Provides Important Election Security Info to States
The Election Assistance Commission is a federal clearing house for election information, says Benjamin Hovland, EAC chairman, and that’s critical because U.S. elections are decentralized. The organization provides resources on voting accessibility and voter registration, but also cybersecurity and specific election security resources.
“We are the only federal agency that is solely dedicated to thinking about how to improve election administration in this country,” he says. “That gives us a vantage point of understanding election official capacity.”
Biweekly calls with federal and state stakeholders allow federal and local election officials to touch base on issues of the day, he says.
“We’re able to share information on what people are doing or hearing and compare notes, then try to work together to identify a shared voice where we can ensure people are getting trusted source information and actionable information they can use. That did not exist before and is a big difference between 2016 and now.”
The EAC publishes regular updates on voting system analysis, and a resource page about coordinating with voter system manufacturers (which now also includes tips on cleaning voting machines in light of COVID-19).
“I think good election administration comes down to good governance and customer service, and so in the cyber realm, that means taking care of the basics and making sure patches are done and upgrades are done,” Hovland says.
Paul Pate, Iowa Secretary of State and president of the National Association of Secretaries of State, says that the 2017 critical infrastructure designation has made a world of difference to states. While things might have been bumpy as everyone adjusted, “with a little work, we were able to make the connection to federal resources,” he says.
‘Tabletop in a Box’ Teaches States to Confront Security Scenarios
“It’s really important to understand that we now have working relationships,” Hovland adds. “We’ve got names of people. They know who we are, and we have a better sense of what we can ask for and get those resources from them. These were all very significant accomplishments.”
For states, CISA can conduct cybersecurity assessments on local election systems, attack detection and prevention; share information about attacks and threats; and train cybersecurity personnel on election matters. The “tabletop in a box” cybersecurity exercises — a 58-page guide that lets states run their own scenarios — became available in 2018.
The scenarios include news and social media manipulation, spear phishing campaigns, disruption of voter registration information systems and processes, denial of service attacks and web defacements, malware infections on electronic voting machines and election management system software, and the exploitation of state and county board election networks.
“A pretty broad example would be, you show up on Election Day and you don’t have internet access,” Robert Giles, director of the New Jersey Division of Elections, told radio station NJ101.5. New Jersey ran the tabletop exercises in all 21 of its counties last September. “There will be cyber incidents, police/fire-type incidents, natural disaster incidents."
New Jersey officials used $9.8 million obtained through Help America Vote Act provisions to pay for the exercises, another example of state-federal cooperation.
The training has proved valuable, Krebs told NPR: “An election official who three or four years ago would have probably just blindly and blithely followed the instructions [in a phishing email or phone call] now is like, ‘Wait a second; that doesn’t sound right.’”
DHS, States Communicate Often on Election Security
Keeping communication between local officials and federal agencies is key to keeping elections secure.
“The most important thing is to get the local election officials to the people who can help them best address the issue,” Matt Masterson, senior cybersecurity adviser for CISA, told StateScoop.
Pate says that CISA has been good about reviewing state processes and providing feedback, and says that states have been kept apprised of attacks by DHS. “They’ve played a big role in helping create the connection,” he says.