State of U.S. Election Security
…addressed the patch schedule conflicts with EAC certification. “We should be focusing on how to remove disincentives created by requiring recertification after patching or updating the system,” said Badanes. “In our perception there is a lack of clarity about if and how a security update could be applied without triggering recertification.”
“We should stop giving administrators the choice between using systems with known vulnerabilities and taking their systems out of certification,” Badanes added.
Ardoin added that ongoing support costs will continue to drain state election security budgets. When EAC Commissioner Hicks asked what else the federal government could do to help secure the 2020 and 2022 elections, Ardoin replied: “Can you convince Microsoft not to charge us? That would be a good start. It’s pretty expensive; our part is $300 per unit for a three-year period.”
While these problems affect a large number of states, Jerome Lovato, director of testing and certification at the U.S. Election Assistance Commission (EAC), said “not all voting systems operate on Windows, there are also Linux, Android, and other operating systems” in play.
Unaddressed Fundamentals
Like its private sector counterparts, the public sector sees gaps in covering the security basics.
“Like the rest of the people here, we see a need to do the fundamentals,” said DHS’ Hale. Specifically, he cited maintaining system integrity with exploit detection, sound email security practices, and strong incident response plans as crucial.
Matt Scholl, chief of the Computer Security Division at the National Institute of Standards and Technology (NIST), reminded everyone present that reputational risk is as important as security risk. In the end, public trust means everything. NIST provides guidance, toolsets, metrics, and information to aid state and local governments (as well as many other entities) in securing technology and infrastructure.
MSSP and Security Provider Takeaways
For MSSPs and security providers looking to strengthen their election security offerings, or to add a competitive edge with existing or potential state and local government customers, the following insights gleaned from the Forum panelists and subsequent Q&A sessions may be helpful:
- Look for ways to manage patches that keep systems secure without delaying election timelines and deadlines or breaking EAC certification. If you can solve this issue, you’ll likely be an instant vendor favorite.
- Understand that each state does things differently, so there’s no such thing as a one-size-fits-all security plan. For example, the Honorable Denise Merrill, Secretary of State for Connecticut, said her state has no counties. It’s all towns, most of which are small. Everything is decentralized there, which makes hacking threats all but meaningless in terms of changing election outcomes. But it also calls for a change in the security tactics offered to states with counties. Think about customizing your offerings for every state and local government.
- Remember to offer coverage of the fundamentals, from email phishing training to alert fatigue management, and everything in between that’s considered to be the basics.
- Some states use voting systems with no audit capabilities or paper ballot backups. Consider offering the means to verify vote counts and to provide a secure audit trail.