Election Cybersecurity Funding: How Much Is Enough?


by Brian Engle, CISO

It would seem that the debate on the Hill over how much funding is needed for securing elections ended before it began. Congress provided funding in the Omnibus budget bill to the tune of approximately $380 million this spring, an allocation that will be divided proportionately among the states. For most states the amount they receive will be a good start but not enough to tackle everything they will need to do to secure elections.

The media has created a cloud of confusion around election hacking, voter fraud and public influence. In this climate of speculation and uncertainty at the macro level, those responsible for conducting free and fair elections at the micro level are suffering from paralysis. Election officials on the front lines find themselves faced with potential threats from adversaries they’ve never had to consider before, and in the absence of top-level cybersecurity strategies from the highest levels of government – those who have already had to contend with these adversaries – local election organizations are unsure where to begin to build up adequate defenses.

To complicate matters, there is precious little time left for action. While it may be worthwhile to further the debate over funding, the midterm elections are only months away. Those who work the elections are immersed in a continual cycle of events and other elections, including primaries. They have limited time to implement the sizable investments in defense and detection capabilities needed to stand up to nation-state attackers.

Keeping an Eye on the Whole Picture

Counties have a high degree of awareness that election security and cybersecurity are critical. They have been at the forefront of securing elections for a long time. In general, however, attention has been highly focused on vote casting, while the 2016 election showed us that our focus needs to expand beyond that one aspect of the voting process.

The front line is manned by organizations with tiny staffs and budgets. They ensure accuracy in vote casting and tabulation, areas that all current indications show have not been invalidated or successfully tampered with. In the 2016 election cycle we saw cybercrime occurring on the edges using social media and processes that indirectly support and enable the ballot box process – attacks that started long before the lines form at the polling place. Consequently, risk postures must include the speculation cast upon the entirety of the election process.

Variety and Complexity Require an Ongoing Approach

Responsibility for conducting elections in the United States falls to more than 3000 counties. Each is unique. Each has its own way of managing the process and timeline of events that occur during the 364 days outside of election day. The variation among these organizations is so complex that executing a strategy can’t be subject to a one-time budget injection that can only cover a portion of the state’s highest priorities. In short, counties and states simply aren’t currently positioned to boil the ocean of cybersecurity risk now facing them. Progress must be ongoing and incremental.

A top-level government strategy would help to support the initiatives that are needed at the front lines. But the way forward must meet each organization where it is today to adequately address the key risks facing counties and the states that support them. One size does not fit all, and one funding allocation doesn’t enable ongoing risk management.

To develop a strategy, scope the funding requirements, and arm counties with the capabilities needed to stand guard on the evolving cybercrime battleground, election organizations must first start with a full, and most importantly, accurate picture of their risks. Once we remove the speculation, doubt and uncertainty created by unknowns and incomplete information we can confidently guard the integrity of our elections with a comprehensive set of protections. Funding will then be a matter of execution on priorities and acceptable levels of risk, and only then will a clear picture emerge of how much is enough.

About the author

Brian Engle

Brian Engle is the CISO and Director of Advisory Services, a role in which he leads the delivery of strategic consulting services for CyberDefenses's growing client base with risk management support, information security program assessment and cybersecurity program maturity evolution. Prior to working at CyberDefenses, he was the founder and CEO of Riskceptional Strategies, a consulting firm focused on enabling the development of successful strategies for implementing, operating, and evolving risk-based cybersecurity programs. Brian’s previous information security roles include Executive Director of Retail Cyber Intelligence Sharing Center (R-CISC), CISO and Cybersecurity Coordinator for the State of Texas, CISO for Texas Health and Human Services Commission, CISO for Temple-Inland, Manager of Information Security Assurance for Guaranty Bank, and Senior Information Security Analyst for Silicon Laboratories. Brian has been a professional within Information Security and Information Technology for over 25 years, and serves as a past president and Lifetime Board of Directors member of the ISSA Capitol of Texas Chapter, is a member of ISACA, and holds CISSP and CISA certifications.