Cybersecurity: “Detect, Defend, and Recover” at Heart of EAC’s Work

Oct 26, 2017
Earlier this week, I had the opportunity to address members of Congress about the work the U.S. Election Assistance Commission is doing to help America vote. My remarks came just days before the 15th anniversary of the Help America Vote Act (HAVA), which was enacted on October 29, 2002. That legislation created the EAC and remains the steadfast compass for our commission’s work.
It’s not surprising that Congress has a strong interest in the EAC’s work to assist state and local election officials as they work to strengthen cybersecurity protections. As I stated in Tuesday’s Congressional meeting, every state in the nation must take this threat seriously and recognize that we are operating in a new threat environment. Election officials across the country should assume that hackers – whether foreign or domestic – have already and/or will scan election systems for vulnerabilities. This is certainly the case for other government entities, as well as most major industries and businesses in the nation. Election systems are no different.
This current threat environment underscores the importance of implementing cybersecurity strategies that allow election officials to detect threats before a breach occurs, defend cyber assets should a hacker attack, and quickly recover if the attack is successful. The EAC is assisting states with this work by helping them understand and leverage all available cybersecurity resources to protect their election systems and assets as they prepare for future elections.
For example, we’ve played a key role in helping election officials understand and leverage the Department of Homeland Security’s designation of elections infrastructure as critical infrastructure. A DHS designation of something as critical infrastructure brings increased federal resources into a sector to provide for increased protection of cyber-systems and more effective information sharing. The EAC has worked extensively with DHS to help it understand the election industry and to identify resources that would be beneficial to election officials. We have worked alongside election officials and private sector election technology companies to help them understand the designation and how to leverage the resources that it brings. This work has included two types of activities: (1) facilitating and participating in meetings between election officials, DHS, and other key players in the cybersecurity landscape and (2) producing and participating in the production of educational and foundational documents and materials. Our work was instrumental in the successful establishment of the sector’s Government Coordinating Council earlier this month and we look forward to what lies ahead.
But bringing key players together and helping them to establish the foundation for how Critical Infrastructure will work is only part of the EAC’s efforts to help election officials strengthen their cybersecurity. The EAC has also:
A couple of the EAC’s commissioners have also worked with the Belfer Center at Harvard University that developed a tabletop playbook and training for states to use.  We hope to work with private sector partners’ like Google, Facebook, Microsoft and others to provide services to local election officials to provide additional cybersecurity help and an Incident Response Communications playbook.
Lastly, the next generation of Voluntary Voting System Guidelines (VVSG 2.0) that will guide the EAC’s testing and certification work was proposed and adopted by the commission’s Technical Guidelines Development Committee (TGDC) in September. The next step is to share the guidelines with members of the EAC’s Board of Advisors and Standards Board, who will review and provide comments on the proposed guidelines. Following the board reviews, there will be a 90-day period for public comment on the proposed guidelines. The VVSG 2.0 will guide the standards for voting machines for years to come. 
The EAC is proud of the work it has done to help the nation prepare to defend itself against cyber threats, and it is excited to continue to carry this most-important charge. Stay tuned to for more information about this work, as well as additional resources

Blog Authors