How secure is the election process?

Subscribe to CyberChat with Sean Kelley on iTunes or PodcastOne.

The 2016 elections left a swirl of unanswered questions around election security. In a two-part series, host Sean Kelley discusses the state of cybersecurity as it pertains to the election of our future leaders. He’s joined by:

  • John Gilligan, chief executive at Center for Internet Security
  • Matthew Masterson, senior cybersecurity advisor of Election Security at the Homeland Security Department
  • Chris Wlaschin, former CISO at the Health and Human Services Department and current vice president of System Security for Election Systems and Software

There are approximately 9,000 election jurisdictions in the U.S., with an almost equal number of different technologies and configurations that could be employed during elections. According to the Brennan Center for Justice, 13 states have machines that produce no auditable paper trail, a record that is crucial in rooting out irregularities or hacks. Five states use paperless machines statewide, which also have no audit trail.

From left, John Gilligan, Sean Kelley, Matthew Masterson and Chris Wlaschin

Close to 80 percent of the votes cast in 2016 had an auditable record associated with them. But, Masterson said, Homeland Security Secretary Kirstjen Nielsen wants 100 percent of the votes in 2020 to have an auditable record.

Masterson said it can be achieved through the practice of defense in depth. “There is no silver bullet to protect systems, but [you can] create layers of security such as physical, network and application security. DHS utilizes this approach when working with state and local officials to build a resilient election process, so that when incidents occur, they are not only able to detect them, but also recover from them while maintaining the integrity of the process,” Masterson said.

“DEF CON [an international hacker convention] stood up voting villages and procured legacy voting equipment and brought in security researchers with unfettered access to understand the vulnerabilities that reside in these technologies. In many cases, this equipment had been produced in the early 2000s. While some of it is still in operation in some of our election jurisdictions today, those election jurisdictions shine when it comes to protecting this legacy equipment and ensuring that elections that are conducted on this legacy equipment can be trusted,” Wlaschin said.

The biggest misconception regarding elections and election security is the idea that election machines are reachable through the internet, which would make them hackable. “The election industry works really hard to design, test, and deliver voting machines, tabulations and election management systems that are up to EAC standards,” Wlaschin said.

Hundreds of elections occur throughout the year with safe, secure and trustworthy results. But that doesn’t mean U.S. election infrastructure is where it needs to be. “The $380 million distributed by the Election Assistance Commission should be considered a down payment on continued and regular recurring investment in our election infrastructure,” Wlaschin said.

Top Takeaways:

  1. DEF CON, mainly through its voting villages, gives election security researchers valuable access to understand the vulnerabilities of a wide range of technologies.
  2. Federal, state and local officials need to work together to understand risks to the systems and to build the defense in depth that makes the election process resilient.
  3. The Center for Internet Security has resources available such as the 3 Steps to Secure your Election Infrastructure Today, as well as the Election Security Handbook.
  4. In 2016, 80 percent of votes cast had an auditable record associated with them, whether that’s a paper ballot or a receipt.
  5. In March 2018, the president signed a bill that gave $380 million to states to invest in election security infrastructure.
  6. Voting machines that the public interact with are not reachable from the internet.
  7. Hundreds of elections are held throughout any given year.