Elections: The Hidden Cybersecurity Danger for Governments
The news is replete with alleged actions of foreign governments and hackers trying to impact the democratic election process in the United States. It is incumbent upon the state and local governments to ensure the security of all elections.
November 01, 2018 at 01:56 AM
7 minute read
Ballot box
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
The news is replete with alleged actions of foreign governments and hackers trying to impact the democratic election process in the United States. What most people do not realize is that almost all elections, even national elections for the office of President, are actually run by state and local governments. As such, it is incumbent upon the state and local governments to ensure the security of all elections, which underpin the faith and trust in our democracy and our democratic process.
While there are many technical things that can be done to ensure the integrity of elections and the voting process, this article will attempt to focus on more holistic approaches to the security of elections. I note that the ideas expressed herein should not be thought of as an exhaustive list but more as a beginning for thinking about security measures.
Voting Machines
Voting machines should provide some kind of vote verification and authentication. While many machines provide an audit function, these audits are only as good as the security around the software and hardware that underpins the voting machines. As such, all voting machines should have a mechanism to create a paper record of a vote cast by a citizen. These paper records can then be used by the electoral board of the state or municipality to audit and authenticate all voting records.
If there is no paper record, the entity running the election is at the mercy of the data provided by the voting machines' software and hardware for not only the vote count but also the information used to conduct an audit. If the hardware or software has been compromised and miscounts or somehow otherwise alters a vote, that same compromise will probably rear its head in the audit, making such an audit virtually useless.
Passwords
All electoral systems, including voting machines, should have a requirement for very strong passwords with two-factor authentication. Many hacks on electoral systems, and on cyber systems in general, begin with stolen credentials. If two-factor authentication is not implemented, those stolen credentials can lead to havoc being reeked upon the electoral process.
Two-factor authentication, which requires a user to know both a password and to possess a second device that authenticates them, allows for much more robust security in general. No software or hardware should be accessible without a strong password protocol and two-factor authentication. These requirements alone can go a long way towards strengthening both hardware and software from outside attacks.
Limited Access
Electoral commissions should limit access to software and hardware systems only to those who require access to those systems. Additionally, all sensitive data should be isolated, and networks should be segregated so that a breach in one part of a network does not automatically lead to a breach of the entire network.
With respect to who should have access to software and hardware, election authorities should take a long hard look at not only who needs access to the systems in general, but also to what parts of the system they should have access. This limited access can control the amount of damage created by any one person and can also limit the damage should a breach of a person's access credentials occurs.
Vendors
Election authorities should require their vendors to prioritize security. When speaking of election machines and the electoral process, limiting both access to the software and physical access to election machines should be a high priority. As such, maintenance crews, janitorial services and other personnel should have restricted access to rooms containing voting equipment. Additionally, any equipment at a polling place should be secured under lock and key with key holders being trusted personnel.
Penetration Testing
Election officials should regularly test the integrity of their networks and the process. This includes regular penetration testing, network vulnerability testing, access control audits and post-election audits. All of these will combine to help to ensure the integrity of the network, and more importantly, assure the public of the integrity of the electoral process.
Understand Your Network
Electoral officials should understand the entirety of the network that supports the voting process and look for weaknesses in that greater network. For example, if voter rolls are authenticated through driver's licenses at the Department of Motor Vehicles (DMV), those networks present a potential weakness. As such, the DMV's networks should be subject to the same security protocols and testing as the actual electoral voting networks. Only with this type of holistic network approach can the integrity of the voting process be ensured.
Personnel Training
All electoral authorities should seek to create a holistic security culture. This type of culture should start at the top and permeate throughout the electoral staff and those that support the electoral process. Like most breaches, a breach in the electoral process will probably originate with a human error. As such, it is important to continuously train all associated personnel not only with cybersecurity protocols, but also physical security protocols. Additionally, this holistic security mindset should be regularly reinforced and tested to ensure not only compliance with applicable policies and procedures but also with what many people call “common sense” actions.
Incident Response Plan
All electoral authorities should have a detailed cyber incident response plan. This plan should be well thought out and tested regularly with all involved personnel. This plan should outline what should happen in the event of a breach, who should be notified, what other resources should be brought to bear, and how communications should be handled. Additionally, this plan should be regularly tested through cybersecurity tabletop exercises, which will allow the parties to understand what they should do in a controlled environment before something actually happens. As it is often said in battle, when the bullets start flying is not the time to figure out what you would do.
Conclusion
Many of the processes that pertain to how local and municipal authorities should deal with cybersecurity are the same as how any enterprises should deal with cybersecurity. First and foremost, there should be a culture of security created throughout the organization. Additionally, testing and auditing should be a regular part of the process of running elections. Lastly, election authorities should have a detailed response plan so that they will know what to do in the event of a breach or an emergency.
That said, unlike other businesses, the integrity of the electoral process is the underpinning to our democracy. It is incumbent upon all of us to ensure that we are doing all that we can to protect this process.
*****
Roy E. Hadley, Jr. is an attorney with Adams and Reese (Atlanta) who serves as independent counsel to companies, governments, and boards on cyber matters, helping them understand and mitigate legal risks and exposures to protect themselves and those they serve. He has previously served in the corporate roles of general counsel and chief privacy officer, as well as special counsel to the president of the American Bar Association and special assistant attorney general for the state of Georgia. He may be reached at [email protected].
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Internal GC Hires Rebounded in '24, but Companies Still Drawn to Outside Candidates
4 minute read
Dissenter Blasts 4th Circuit Majority Decision Upholding Meta's Section 230 Defense
5 minute read
From Laggards to Tech Founders: Law Firm Innovation Is Flourishing
Trending Stories
- 1ACC CLO Survey Waves Warning Flags for Boards
- 2States Accuse Trump of Thwarting Court's Funding Restoration Order
- 3Microsoft Becomes Latest Tech Company to Face Claims of Stealing Marketing Commissions From Influencers
- 4Coral Gables Attorney Busted for Stalking Lawyer
- 5Trump's DOJ Delays Releasing Jan. 6 FBI Agents List Under Consent Order
Who Got The Work
J. Brugh Lower of Gibbons has entered an appearance for industrial equipment supplier Devco Corporation in a pending trademark infringement lawsuit. The suit, accusing the defendant of selling knock-off Graco products, was filed Dec. 18 in New Jersey District Court by Rivkin Radler on behalf of Graco Inc. and Graco Minnesota. The case, assigned to U.S. District Judge Zahid N. Quraishi, is 3:24-cv-11294, Graco Inc. et al v. Devco Corporation.
Who Got The Work
Rebecca Maller-Stein and Kent A. Yalowitz of Arnold & Porter Kaye Scholer have entered their appearances for Hanaco Venture Capital and its executives, Lior Prosor and David Frankel, in a pending securities lawsuit. The action, filed on Dec. 24 in New York Southern District Court by Zell, Aron & Co. on behalf of Goldeneye Advisors, accuses the defendants of negligently and fraudulently managing the plaintiff's $1 million investment. The case, assigned to U.S. District Judge Vernon S. Broderick, is 1:24-cv-09918, Goldeneye Advisors, LLC v. Hanaco Venture Capital, Ltd. et al.
Who Got The Work
Attorneys from A&O Shearman has stepped in as defense counsel for Toronto-Dominion Bank and other defendants in a pending securities class action. The suit, filed Dec. 11 in New York Southern District Court by Bleichmar Fonti & Auld, accuses the defendants of concealing the bank's 'pervasive' deficiencies in regards to its compliance with the Bank Secrecy Act and the quality of its anti-money laundering controls. The case, assigned to U.S. District Judge Arun Subramanian, is 1:24-cv-09445, Gonzalez v. The Toronto-Dominion Bank et al.
Who Got The Work
Crown Castle International, a Pennsylvania company providing shared communications infrastructure, has turned to Luke D. Wolf of Gordon Rees Scully Mansukhani to fend off a pending breach-of-contract lawsuit. The court action, filed Nov. 25 in Michigan Eastern District Court by Hooper Hathaway PC on behalf of The Town Residences LLC, accuses Crown Castle of failing to transfer approximately $30,000 in utility payments from T-Mobile in breach of a roof-top lease and assignment agreement. The case, assigned to U.S. District Judge Susan K. Declercq, is 2:24-cv-13131, The Town Residences LLC v. T-Mobile US, Inc. et al.
Who Got The Work
Wilfred P. Coronato and Daniel M. Schwartz of McCarter & English have stepped in as defense counsel to Electrolux Home Products Inc. in a pending product liability lawsuit. The court action, filed Nov. 26 in New York Eastern District Court by Poulos Lopiccolo PC and Nagel Rice LLP on behalf of David Stern, alleges that the defendant's refrigerators’ drawers and shelving repeatedly break and fall apart within months after purchase. The case, assigned to U.S. District Judge Joan M. Azrack, is 2:24-cv-08204, Stern v. Electrolux Home Products, Inc.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
