The Election Security Conversation: Hype or Headlines?

The election cybersecurity conversation

You’ve likely seen the media coverage describing the current state of election security, and if you only read the headlines, the news isn’t good. From coverage of teenagers hacking election databases in ten minutes at DefCon Voting Village to hackers’ ability to easily manipulate votes on voting machines, the headlines paint a bleak picture. On the other side of the discussion, headlines from government and election officials refute these results by saying that the hacked systems are woefully inaccurate and insecure replicas of systems in unrealistic environments. They claim that the simulated systems bear no resemblance to current state election systems and environments. Unfortunately, the alarmist rhetoric on one hand and immediate discounting on the other do not lead to productive outcomes.

Beware of Broad Statements

In a stalemate like this, it’s important to remember that macro-level statements are inaccurate because the granular facts matter. While it’s true that the DefCon environments, which include Las Vegas hotel lobbies and election support website renderings, are not indicative of the entirety of the country’s election infrastructure, don’t mistake these results for invalid ones. They contain relevant indicators that there is room for improvement and that we should definitely ask questions and take actions to strengthen election security. This is a case where the details do matter. Elections occur at the micro level, which means that is where we need to focus our efforts.

Our nation’s election infrastructure is a lot like our food supply – it is a connected and dependent ecosystem of local and regional elements that have enough separation to ensure they are not easily defeated in one fell swoop. It is nearly impossible to disrupt the nation’s food supply, but a small town is relatively easy to disrupt. Likewise, a county-by-county approach to affecting an election doesn’t poison the entire country’s election system. But when it’s your community affected, it matters a lot.

The Answers Are in the Details

The reason that our elections are secure at a macro level is the distributed nature of how they are conducted; likewise, the reason they are insecure is that same distributed nature, which fragments the functions into parts that are vulnerable to attack. We have seen that motivated attackers are targeting many aspects of the election process, mostly local races and congressional districts, which further emphasizes the point that our attention should be focused at the micro level. However, we’re not going to get better at the micro level unless we look at the facts and listen to the details. The message may be a mess and the messengers may be getting a lot of the facts wrong, but we all need to listen and evaluate the merits without discounting the alarm bells we hear ringing.

About the author

Brian Engle

Brian Engle is the CISO and Director of Advisory Services, a role in which he leads the delivery of strategic consulting services for CyberDefenses's growing client base with risk management support, information security program assessment and cybersecurity program maturity evolution. Prior to working at CyberDefenses, he was the founder and CEO of Riskceptional Strategies, a consulting firm focused on enabling the development of successful strategies for implementing, operating, and evolving risk-based cybersecurity programs. Brian’s previous information security roles include Executive Director of Retail Cyber Intelligence Sharing Center (R-CISC), CISO and Cybersecurity Coordinator for the State of Texas, CISO for Texas Health and Human Services Commission, CISO for Temple-Inland, Manager of Information Security Assurance for Guaranty Bank, and Senior Information Security Analyst for Silicon Laboratories. Brian has been a professional within Information Security and Information Technology for over 25 years, and serves as a past president and Lifetime Board of Directors member of the ISSA Capitol of Texas Chapter, is a member of ISACA, and holds CISSP and CISA certifications.