by Brian Engle, CISO
It would seem that the debate on the Hill over how much funding is needed for securing elections ended before it began. Congress provided funding in the Omnibus budget bill to the tune of approximately $380 million this spring, an allocation that will be divided proportionately among the states. For most states the amount they receive will be a good start but not enough to tackle everything they will need to do to secure elections.
The media has created a cloud of confusion around election hacking, voter fraud and public influence. In this climate of speculation and uncertainty at the macro level, those responsible for conducting free and fair elections at the micro level are suffering from paralysis. Election officials on the front lines find themselves faced with potential threats from adversaries they’ve never had to consider before, and in the absence of top-level cybersecurity strategies from the highest levels of government – those who have already had to contend with these adversaries – local election organizations are unsure where to begin to build up adequate defenses.
To complicate matters, there is precious little time left for action. While it may be worthwhile to further the debate over funding, the midterm elections are only months away. Those who work the elections are immersed in a continual cycle of events and other elections, including primaries. They have limited time to implement the sizable investments in defense and detection capabilities needed to stand up to nation-state attackers.
Keeping an Eye on the Whole Picture
Counties have a high degree of awareness that election security and cybersecurity are critical. They have been at the forefront of securing elections for a long time. In general, however, attention has been highly focused on vote casting, while the 2016 election showed us that our focus needs to expand beyond that one aspect of the voting process.
The front line is manned by organizations with tiny staffs and budgets. They ensure accuracy in vote casting and tabulation, areas that all current indications show have not been invalidated or successfully tampered with. In the 2016 election cycle we saw cybercrime occurring on the edges using social media and processes that indirectly support and enable the ballot box process – attacks that started long before the lines formed at the polling place. Consequently, risk postures must include the speculation cast upon the entirety of the election process.
Variety and Complexity Require an Ongoing Approach
Responsibility for conducting elections in the United States falls to more than 3000 counties. Each is unique. Each has its own way of managing the process and timeline of events that occur during the 364 days outside of election day. The variation among these organizations is so complex that executing a strategy can’t be subject to a one-time budget injection that can only cover a portion of the state’s highest priorities. In short, counties and states simply aren’t currently positioned to boil the ocean of cybersecurity risk now facing them. Progress must be ongoing and incremental.
A top-level government strategy would help to support the initiatives that are needed at the front lines. But the way forward must meet each organization where it is today to adequately address the key risks facing counties and the states that support them. One size does not fit all, and one funding allocation doesn’t enable ongoing risk management.
To develop a strategy, scope the funding requirements, and arm counties with the capabilities needed to stand guard on the evolving cybercrime battleground, election organizations must first start with a full and, most importantly, accurate picture of their risks. Once we remove the speculation, doubt and uncertainty created by unknowns and incomplete information, we can confidently guard the integrity of our elections with a comprehensive set of protections. Funding will then be a matter of execution on priorities and acceptable levels of risk, and only then will a clear picture emerge of how much is enough.