Ever since the 2016 elections, the news is filled with speculation about potential threats to our electoral process, the cornerstone of our democracy. From nation-state actors to criminals, politically motivated groups and terrorists, there is a plethora of bad actors who reportedly could try to infiltrate our elections. This reality has prompted states and the federal government to focus even more attention and resources on the security of our election process.
While the work of securing elections is not new to election officials or their staff, it has certainly intensified during the past two years. As we saw last week at the EAC Election Readiness Summit on Capitol Hill, election officials from across the nation have proven themselves more than capable of managing these threats in the lead up to the 2018 midterm elections, increasing the security and resiliency of their systems and forming national and regional partnerships to improve information sharing and cyber protections. And federal agencies, including the U.S. Election Assistance Commission (EAC), Department of Homeland Security, FBI, and others are ready to help.
This week, the EAC will share features on election cybersecurity initiatives in Florida, New York, Iowa and West Virginia. Four states that are using innovative approaches to secure their elections and strengthen the resilience of their systems.
Many of the efforts featured this week and others like them were made possible by $380 million in new Help America Vote Act (HAVA) funding contained within the Consolidated Appropriations Act of 2018. In all, thirty-six percent of the funds contained within the omnibus will be spent by 41 states to improve election cybersecurity. The EAC is proud of our work to distribute HAVA funds to states in a way that was both rapid and responsible. However, the Commission’s impact on election security goes beyond the distribution of federal funds. The EAC is committed to helping states harden their systems and build in resiliency with a multi-layered approach that addresses three main threats: cyber, physical and human.
With regard to cyber, the EAC has provided states with election technology and security glossaries, checklists, and best practices. For example, a glossary of cybersecurity terms was developed so everyone involved in elections is speaking the same language. The EAC’s Testing & Certification team also developed and provided “Election Official as IT Manager,” a training about managing the increasingly complex technical demands of administering contemporary elections, free of charge to hundreds of election officials in thirteen states. Members of the EAC developed The State and Local Election Cybersecurity Playbook with the Belfer Center for Science and International Affairs at the Harvard Kennedy School. The Commission participates in and leads tabletop exercises, which simulate worst case scenarios for election officials to test incident response plans, and ultimately increase awareness and preparedness. The EAC also provides materials on contingency planning and convenes discussions with leading election officials on election security and makes them publicly available to educate both administrators and the general public.
Since the designation of elections as Critical Infrastructure, the EAC worked closely with The Department of Homeland Security and key election stakeholders to establish the Elections Government Coordinating Council (GCC) and the Sector Coordinating Council (SCC) to facilitate information sharing on emerging threats. Both councils were functioning before 2018, less than one year after the Critical Infrastructure designation. The goal of these councils, and other information sharing mechanisms, is to ensure election officials receive information in a form that is both useful and timely enough to make it actionable.
The Commission also works to educate the public about the many layers of security within elections with resources. This year, the Commission created an Election Security video and presenter materials. The Commission also increased its public outreach with events, online campaigns, new materials and articles, all with the goal of educating voters and increasing confidence in the election process.
There is also the important issue of physical security, which includes polling sites, as well as secure storage for equipment and data. There are a variety of issues that need to be considered when addressing physical security. These issues go beyond locks on doors and can range from preparation for natural disasters, such as flooding or fires to weather and environmental conditions, including humidity, salt, mold and extreme temperatures. And then of course, there is security at the polls, including proper traffic flow, privacy, clear roles and responsibilities for poll workers and tamper resistant voting equipment. Recognizing the importance of these issues, the EAC also provides training and shares best practices on these physical security issues.
Last, but certainly not least, there is a need to address the human element to security. States are actively engaged in training programs to educate their election officials about cyber threats. The goal here is the make the human firewall as strong as the electronic firewall. Through trainings on phishing scams, tabletop exercises, security protocols, password protections and communications with voters, we can build that firewall with employees as well. The EAC and its federal partners are also available to assist in this important work.
As we look ahead to the coming week’s features and explore ways states are working to prepare for 2018 and beyond, the EAC also encourages readers to further explore these issues at /electionsecurity/.