Lessons learned from 2016 election season

Best listening experience is on Chrome, Firefox or Safari. Subscribe to CyberChat with Sean Kelley on iTunes or PodcastOne.

In part two of the Cyber Chat election security show, host Sean Kelley discussed what agencies have learned from the last election and what they are doing to ensure the election is not only secure, but that American voters can still have confidence in the process. He was joined by:

  • John Gilligan, Chief Executive at Center for Internet Security;
  • Matthew Masterson, Senior Cybersecurity Advisor at DHS for Election Security;
  • Chris Wlaschin, Former HHS CISO and Vice President of System Security for Election Systems and Software.

Gilligan said its not enough anymore for agencies to just ensure that the votes cast are adequately measured. He said potential interference in 2016 opened the election community’s eyes to another factor they had not experienced before: Deliberate attacks against voting infrastructure.

“What ended up happening out of these attacks had no impact, and in fact was quickly recovered, but the public perception of this attack resulted in loss of confidence in the overall elections process, Gilligan said. “It then became obvious to the elections community that it’s not just sufficient to capture the votes.. We have to ensure that the entirety of the elections infrastructure from voter registration to poll books, to election management, to election reporting results all work properly, because any hiccup in any element could potentially erode the confidence of the American public.”

From left, John Gilligan, Sean Kelley, Matthew Masterson and Chris Wlaschin

In fact, many have expressed a belief that the election system would be better off a paper-driven system. Kelley asked: Is it based on a problem with the cybersecurity and election technology or just media hype?

Masterson said its more than that. It’s a challenge the election community has dealt with since the passage of the Help America Vote Act (HAVA) — passed in 2003 — which introduced technology to the process.

“It’s a really challenging question, because what you’re talking about is the need to modernize because a process that isn’t modern … that doesn’t offer that level of accessibility to voters is one that voters will also lack confidence in, right? It needs to be available and usable for voters,” Masterson said. “So balancing the risks that some technology brings with the need for resilience and redundancy is a challenge that we face.”

With the upcoming election, It’s even more important that election offices expect that something may go wrong and are prepared with contingency plans — including keeping auditable records of votes cast, such as paper ballots or receipts.

State and Federal cooperation has increased significantly since 2016.  DHS is working with all 50 states of the states are regularly sharing information with DHS from the field. Masterson said this is the best source of information about what kind of threat is present, what kind of activities may be targeting their systems and why they’re coming to DHS to receive that support and services.

Takeaways:

  1. The Center for Internet Security has put sensors out in the field on the election networks to look for potential attacks and intrusions and CIS is very proactive in working with local jurisdictions trying to improve their security. In 2016 there were a handful of those sensors deployed on state networks looking at traffic targeting election infrastructure. Now 103 of those sensors are deployed across the country in 42 states.
  2. In addition to sensors, there are secure chat rooms where most of the election community’s offices are connected with CIS, DHS and other federal resources. Through this, election officials will be able to in real time look at events, deal with questions if there’s something that happens in the media, make sure everybody is aware of whether it’s a false report or respond to threats.
  3. The HAVA also created the Election Assistance Commission. The one federal agency dedicated to working exclusively with state and local election officials in the community.
  4. The EAC has serves three key roles:
    • Clearinghouse of information with best practices for state and local officials — from cybersecurity to voter registration to post-election results.
    • Focuses on accessibility, making sure that all voters (even those with disabilities or who are serving in the military overseas) have full access to the process and are able to cast their votes privately and independently
    • Tests voting systems with a voluntary certification process