While the electorate may be divided on many issues, the government entities tasked with managing election logistics are united in their concern about security at the polls. Whether those fears are centered around foreign influence, voter registration fraud, or voting machine vulnerabilities, security is top of mind as we head into another campaign season.
Recent studies have shown that faith in the election process itself is steadily eroding. For example, a Dimensional Research/Venafi survey conducted last year found that just 2 percent of IT security professionals were confident that local, state, and federal government officials could detect election infrastructure attacks. Additionally, 93 percent of respondents are concerned about cyberattacks targeting election infrastructure, and 81 percent reported they thought cybercriminals will target software, hardware, and election data.
Providing further evidence that concerns over voting security are well-founded, was DEF CON’s third annual Voting Village event, during which hackers compromised every single one of the 100 voting machines they had access to, often using basic techniques.
All of this puts local municipalities and boards of elections in a quandary: Electronic voting systems have made it more cost-effective and efficient to organize and manage elections. However, there are apparent vulnerabilities in these systems that must be addressed to ensure the integrity of the results and to help improve the confidence of voters that their vote really does count.
So what can MSPs do to help secure the vote? The following are a few recommendations:
1Follow election security best practices
The Center for Democracy and Technology (CDT) published guidelines for securing election systems and provides essential updates on emerging legislation and best practices. Earlier this year, the U.S. Senate approved $250 million to help states purchase more secure voting machines, but they did not define what “secure” means.
MSPs with county and municipal government clients can help election officials improve voting security in several ways. In some localities, MSPs are not only managing security but also handling activities like software coding, testing, on-site support, and ballot printing.
2Test all election systems for security vulnerabilities
MSPs can conduct vulnerability testing for voter registration, ballot delivery, voting, and election management systems to help identify potential problems.
3Complete patch management and upgrades
Municipal IT staff are usually spread thin, and may not be up-to-date on the entire security threat landscape. In some cases, they may not even believe there is a threat. An MSP can help manage security patches and software updates, taking some of the pressure off of the internal technical staff and ensuring that all software is current before the election.
4Secure employee email accounts
Election officials and other municipal employees may have password-secured access to critical election systems and voter information. That makes them vulnerable to spear-phishing and account takeover attacks. Help protect them by using AI-based monitoring and security tools that can spot attacks that most security gateways don’t catch; enabling two-factor authentication; and, ensuring that password policies are aligned with guidelines established by NIST.
5Make sure voting machines are offline
A vital best practice is ensuring voting machines aren’t connected to a network. If county officials have installed remote monitoring and maintenance solutions to help manage the machines, however, those systems may provide an opening for hackers to tamper with the results. MSPs can provide guidance on how to eliminate those vulnerabilities.
6Secure the voter registration database
While voting machines should not be connected to the network, the voter registration data must be made available, updated, and managed online. Governments should secure these registration systems with monitoring tools that can help identify abnormal activity.
7Secure the voting machines
The annual DEF CON event revealed that many machines lack essential protection. In some cases, physical ports were left unsecured, passwords were set to default or not set at all, and the security features in the underlying hardware were either not used or, in some cases, disabled. MSPs can help their government clients by conducting complete audits of the equipment in advance of the election and ensuring that they are protected from on-site tampering.
8Conduct a post-election audit
MSPs can also help elections officials manage post-election audits using whatever combination of paper ballots and digital redundancy has been established. Those efforts should include comparing statistical samples of vote system totals to hand-counted paper ballot sets, and the testing and results should be publicized.
Election security is critical to ensuring a healthy democracy. Without faith in the election system infrastructure, voters lose faith in election results, and ultimately in the act of voting itself. By helping election officials follow industry best practices for securing their hardware and software, MSPs can help re-establish that faith.