Shopping List: NCSL’s Canvass on Recommendations to States for Cybersecurity Spending
The latest issue of the National Conference of State Legislatures’ Canvass newsletter has a great piece on the recommendations and suggestions being made to states for the $380 million in cybersecurity funds made available in the federal omnibus spending bill. Take a look:
It’s your birthday and you’re 10 years old. You get a nice card from your grandparents with $10 in it. You begin to think of all the cool ways you could spend your new “fortune.” However, you soon realize everyone else has plans for your money too. Your friends, your siblings, even your parents, start to make suggestions—but their desires don’t necessarily match your own.
States might be feeling something similar now. In March 2018 Congress passed the federal omnibus appropriations bill, which included $380 million for states to use to improve their elections systems. States quickly began to think about how best to put that money to use—and soon enough everyone else has plans for that money too.
The federal Help America Vote Act (HAVA) was passed in 2002 to help states improve voting systems and the voting process after issues were identified during the 2000 election. HAVA included substantial appropriations to the states to accomplish that goal, most of which was used long ago. The $380 million included in this year’s appropriations bill was the final chunk of promised HAVA money. Similar to the original disbursements, each state gets a base award of $3 million, with additional funds based on the voting age population of the state.
[N]ine states will receive the base amount of $3 million. At the upper end, California will receive just over $34.5 million. To receive these funds, states must provide a 5 percent match of the offered amount. Although these funds are finding a warm welcome, states now have the difficult choice of determining how to best spend the new money. And lots of suggestions on how to do so.
The funds are “for activities to improve the administration of elections for Federal office, including to enhance election technology and make election security improvements,” according to the U.S. Election Assistance Commission (EAC), the agency that will disburse the funds. The EAC explicitly outlines six possible uses for those funds (see below). They also require a 2- to 3-page overview by states to demonstrate the activities that will be supported with the funds. Although the EAC has been clear on the uses of the money, other groups and individuals have also made recommendations ranging in cost and impact on election security.
“Secretaries of state are excited about these HAVA funds,” said Indiana Secretary of State Connie Lawson, president of the National Association of Secretaries of State (NASS). “But it is important for these groups to keep in mind that each state is unique and cannot complete all the recommendations being made.” According to Maria (Dill) Benson, NASS’s Director of Communication, the organization has heard that some states will be using the new funds to: migrate to a cloud system for data and backups, implement/conduct post-election audits, hire cyber security staff, upgrade election systems, and implement physical and cyber security upgrades.
So, what are all these recommendations floating around and what do they mean for states and elections? NCSL has pulled highlights and common factors from them:
Replace Voting Equipment—A common topic in elections, many states are working with voting equipment that was purchased with the original disbursement of HAVA funds over 10 years ago. Now, with heightened security concerns, many election security experts are once again urging states to require new equipment that either uses paper ballots or leaves a paper audit trail. Still, election systems are quite expensive. Louisiana has received three bids to replace its aging equipment, which is estimated to cost the state anywhere from $40 to $60 million. Pennsylvania is also looking to replace its voting equipment to the possible tune of $125 million. Even if these estimates are on the high end, that’s a tough price tag to swallow.
Post-election Audits—Post-election audits have been picking up steam over the past two years. Forty states and the District of Columbia have an audit process of one variation or another. For states without audits, the recommendation is to implement one. For those states that already require an audit, these reports suggest moving toward more robust systems. After Colorado debuted its statewide risk-limiting audit (RLA) in 2017, RLAs are being held by many as a gold standard. RLAs require that a certain number of ballots be audited to statistically show that if a full recount was conducted, it would confirm the original results. Although impressive, RLAs are easier said than done.
Cybersecurity Training—Cybersecurity is not everyone’s forte and, unfortunately, humans are part of the problem. Transforming election staff to cyber-informed election staff requires, first and foremost, that they are knowledgeable. For example, phishing, spear-phishing and whaling are all malicious attempts to obtain personal information to gain access to important systems. The ability to recognize that something may be suspicious takes an understanding of what to look for and the knowledge of how to proceed. Through that knowledge the office/staff can develop an attitude or cyber-secure culture, recognizing that they are a target. Lastly, proper behavior needs to be practiced and enforced, whether that’s through phishing tests, cybersecurity checklists, or two-factor authentication.
Many states have been offering training, which is good. However, it shouldn’t be a one-off test, but a continual process to strive to be better. As they say, the chain is only as strong as its weakest link.
Upgrade/Fortify Security Systems—Outside of the equipment for casting and counting ballots, many other technological components are involved in the election infrastructure. From servers housing voter data to the firewalls protecting the network, many moving pieces may need an upgrade or could be fortified.
Voter registration systems are vulnerable and have already been the target of attacks. The Senate Intelligence Committee released an interim report on May 8 noting that malicious, Russian-affiliated, cyber actors targeted at least 18 states’ election systems. In some states, they were able to gain access to elements of the election infrastructure and were in a position to alter or delete voter registration records—not that there is evidence any data was changed. Aside from more traditional data breaches like Equifax, the ability of a malicious actor to alter or delete voter records could cause problems if it were to occur on Election Day.
The Rhode Island secretary of state’s office released a report to the legislatures of their recommendations for the $3 million. Number one on their list is an upgrade to their central voter registration system. “We are taking measures right now, but that (central voter registration upgrade) will not happen until after 2018,” said Rhode Island Secretary of State Nellie Gorbea, noting that the project will take time.
Two other possible areas that may be ready for upgrade or fortification are electronic poll books (e-poll books), and establishing baseline security standards generally. E-poll books are usually a laptop or tablet, located at precincts, that allow poll workers to look up voters, scan driver licenses, notify poll workers if someone has previously voted, and much more. These systems can be linked and communicate with each other over a network. The ability to keep this communication safe and secure is important to maintaining the functions of e-poll books. More so, of the roughly 33 states that have jurisdictions that use e-poll books, only eight states currently certify their e-poll books at the state level.
The piecemeal and state-by-state approach to American elections can be a strength, but here it may be a weakness. Because voting equipment and elections are done primarily at the local level, standardized security standards may not be present as each local jurisdiction buys different equipment with different standards. Standardized requirements can help better protect data and systems by closing potential security gaps and reducing risks through prevention or the mitigation of attacks.
Cybersecurity Staff/Training—Knowledgeable staff is just as important, if not more important, than equipment upgrades. From the state to the city level, there are many people who have a hand in elections, and each one could be a target. The ability to spot and properly handle these attempts and others requires training for staff across all levels.
As for hiring cybersecurity experts, according to some reports, a global shortage of 3.5 million cybersecurity professionals is projected by the year 2021. The ability to hire and retain experienced staff to help direct security efforts and train other staff will be difficult and does not come on the cheap.
While all these recommendations are useful, $380 million won’t cover everything. As Indiana’s Secretary Lawson noted, each state will have different priorities. In some states, projects may already be in the works and the money will go towards furthering those goals. Other states are reaching out to local election officials to determine how to best help their local counterparts. In states with old equipment, replacing voting equipment may be the top priority—but in states that have done so recently, such as Rhode Island, upgrading voter registration systems may be at the top of the list.
Still, as with many things in life, it is often recommended to start small; $3 million, $5 million or $10 million may not fulfill all the needs of state and local election officials, but it can fulfill some. The accomplishments of this money may not be the biggest or sexiest projects, but may be those that have the greatest security impact for the least financial impact.
It’s your 10th birthday and you just got $10. Who do you listen to?
There’s no doubt these decisions will be difficult for states – but nowhere near as difficult as trying to address cybersecurity needs with no funds at all. Thanks to Dylan Lynch and Wendy Underhill at NCSL for this overview – and best of luck to election officials in deciding where to spend that money from Uncle Sam. Stay tuned!