Less than a year out from the 2020 election, state and local election security personnel are gearing up to defend against cyber threats. But while these officials work directly with the Department of Homeland Security to protect this critical infrastructure, in many cases they face limited resources on a scale not seen in the federal government.
More than 40 states have a secretary of state that serves as the chief election official, but in Wisconsin, an administrator is appointed by a bipartisan commission to serve in that role.
Meagan Wolfe, the administrator of the Wisconsin Elections Commission, said Wisconsin is the most decentralized election administration system in the country.
The state runs elections at the municipal level, whereas most other states run elections at the county level. However, resources for these offices can run thin and two-thirds of Wisconsin’s election officials work part-time.
“A lot of them don’t have any type of IT support at the local level, which is very different than some of the county-based systems. The clerk might be the sole employee of that jurisdiction,” Wolfe said at the Cybersecurity Coalition’s CyberNext D.C. conference.
Lindsey Forson, the Cybersecurity Program Manager at the National Association of Secretaries of State, said all 50 states cooperate with DHS on cybersecurity services, but the way states work with federal partners can vary greatly.
“A lot of states are working with their National Guards, but some states have many more legal constraints than others. Some states’ guards are much more developed in terms of cyber teams than others, so the ability to utilize that resource varies greatly across the states,” Forson said.
Although all 50 states work with DHS in some way, Forson said there is some hesitation in some states about having the federal government scan systems and run penetration tests.
David Stafford, the supervisor of elections in Escambia County, Florida, said election security vendors need to understand the wide spectrum of resources that individual counties may have for cyber defense.
“You have to understand where your customer fits on that spectrum, because if you’re coming to pitch something to Miami-Dade County, it’s going to be very different than coming into a small or medium-sized county … a one-size-fits-all approach simply doesn’t work,” Stafford said.
Now more than ever, there is a plethora of federal resources for state and local election security officials, but Wolfe said it’s important to know that those resources will remain sustainable in the years to come.
“What we always try to remind our locals about is that there is no finish line when it comes to election security. The goals, the objectives, the tools and resources that we use are going to change every single day. And if we get into the business of starting to say that there’s going to be sort of an end game, or there’s one single goal, I think we’d be in trouble because that landscape does change on a daily basis,” Wolfe said. “We want to set ourselves up for long-term success. The challenges that we face for cybersecurity are not going to go away anytime soon.”
Forson said states have made a lot of progress in election security since 2016, especially in getting individual states and individual jurisdictions to take steps to secure their systems.
“Substantial progress has been made in terms of information-sharing inter-governmentally [and] establishing the election infrastructure,” she said.
The Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), she said, has also been a valuable resource for states. But building trust between various levels of government remains a challenge.
“We still do a lot of work around connecting our members to federal partners and getting questions answered about what is the FBI doing with the intelligence they receive. How do we get that? How do we ensure that the information is getting back out in a timely fashion? And so, we’re still doing a lot of work around that to improve that,” Forson said.
State and local cyber officials continue to face challenges finding trusted vendors and research partners, but Wolfe said the key to building trust between the public and private sectors is to develop responsible partnerships.
“Cybersecurity is one of those arenas where you have the opportunity to really exploit people’s fears and emotional response to not understanding something, and being able to leverage that to make a profit. I think it’s always our hope, especially in this new landscape for elections security, that we’re able to rise above a lot of that — to be able to responsibly partner in a way that gets states the things that they need … so that we can protect our democracy,” Wolfe said.