Elections: The Hidden Cybersecurity Danger for Governments
The news is replete with alleged actions of foreign governments and hackers trying to impact the democratic election process in the United States. It is incumbent upon the state and local governments to ensure the security of all elections.
November 01, 2018 at 01:56 AM
7 minute read
The original version of this story was published on Law.com
Ballot box
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
The news is replete with alleged actions of foreign governments and hackers trying to impact the democratic election process in the United States. What most people do not realize is that almost all elections, even national elections for the office of President, are actually run by state and local governments. As such, it is incumbent upon the state and local governments to ensure the security of all elections, which underpin the faith and trust in our democracy and our democratic process.
While there are many technical things that can be done to ensure the integrity of elections and the voting process, this article will attempt to focus on more holistic approaches to the security of elections. I note that the ideas expressed herein should not be thought of as an exhaustive list but more as a beginning for thinking about security measures.
|Voting Machines
Voting machines should provide some kind of vote verification and authentication. While many machines provide an audit function, these audits are only as good as the security around the software and hardware that underpins the voting machines. As such, all voting machines should have a mechanism to create a paper record of a vote cast by a citizen. These paper records can then be used by the electoral board of the state or municipality to audit and authenticate all voting records.
If there is no paper record, the entity running the election is at the mercy of the data provided by the voting machines' software and hardware for not only the vote count but also the information used to conduct an audit. If the hardware or software has been compromised and miscounts or somehow otherwise alters a vote, that same compromise will probably rear its head in the audit, making such an audit virtually useless.
|Passwords
All electoral systems, including voting machines, should have a requirement for very strong passwords with two-factor authentication. Many hacks on electoral systems, and on cyber systems in general, begin with stolen credentials. If two-factor authentication is not implemented, those stolen credentials can lead to havoc being reeked upon the electoral process.
Two-factor authentication, which requires a user to know both a password and to possess a second device that authenticates them, allows for much more robust security in general. No software or hardware should be accessible without a strong password protocol and two-factor authentication. These requirements alone can go a long way towards strengthening both hardware and software from outside attacks.
|Limited Access
Electoral commissions should limit access to software and hardware systems only to those who require access to those systems. Additionally, all sensitive data should be isolated, and networks should be segregated so that a breach in one part of a network does not automatically lead to a breach of the entire network.
With respect to who should have access to software and hardware, election authorities should take a long hard look at not only who needs access to the systems in general, but also to what parts of the system they should have access. This limited access can control the amount of damage created by any one person and can also limit the damage should a breach of a person's access credentials occurs.
|Vendors
Election authorities should require their vendors to prioritize security. When speaking of election machines and the electoral process, limiting both access to the software and physical access to election machines should be a high priority. As such, maintenance crews, janitorial services and other personnel should have restricted access to rooms containing voting equipment. Additionally, any equipment at a polling place should be secured under lock and key with key holders being trusted personnel.
|Penetration Testing
Election officials should regularly test the integrity of their networks and the process. This includes regular penetration testing, network vulnerability testing, access control audits and post-election audits. All of these will combine to help to ensure the integrity of the network, and more importantly, assure the public of the integrity of the electoral process.
|Understand Your Network
Electoral officials should understand the entirety of the network that supports the voting process and look for weaknesses in that greater network. For example, if voter rolls are authenticated through driver's licenses at the Department of Motor Vehicles (DMV), those networks present a potential weakness. As such, the DMV's networks should be subject to the same security protocols and testing as the actual electoral voting networks. Only with this type of holistic network approach can the integrity of the voting process be ensured.
|Personnel Training
All electoral authorities should seek to create a holistic security culture. This type of culture should start at the top and permeate throughout the electoral staff and those that support the electoral process. Like most breaches, a breach in the electoral process will probably originate with a human error. As such, it is important to continuously train all associated personnel not only with cybersecurity protocols, but also physical security protocols. Additionally, this holistic security mindset should be regularly reinforced and tested to ensure not only compliance with applicable policies and procedures but also with what many people call “common sense” actions.
|Incident Response Plan
All electoral authorities should have a detailed cyber incident response plan. This plan should be well thought out and tested regularly with all involved personnel. This plan should outline what should happen in the event of a breach, who should be notified, what other resources should be brought to bear, and how communications should be handled. Additionally, this plan should be regularly tested through cybersecurity tabletop exercises, which will allow the parties to understand what they should do in a controlled environment before something actually happens. As it is often said in battle, when the bullets start flying is not the time to figure out what you would do.
|Conclusion
Many of the processes that pertain to how local and municipal authorities should deal with cybersecurity are the same as how any enterprises should deal with cybersecurity. First and foremost, there should be a culture of security created throughout the organization. Additionally, testing and auditing should be a regular part of the process of running elections. Lastly, election authorities should have a detailed response plan so that they will know what to do in the event of a breach or an emergency.
That said, unlike other businesses, the integrity of the electoral process is the underpinning to our democracy. It is incumbent upon all of us to ensure that we are doing all that we can to protect this process.
*****
Roy E. Hadley, Jr. is an attorney with Adams and Reese (Atlanta) who serves as independent counsel to companies, governments, and boards on cyber matters, helping them understand and mitigate legal risks and exposures to protect themselves and those they serve. He has previously served in the corporate roles of general counsel and chief privacy officer, as well as special counsel to the president of the American Bar Association and special assistant attorney general for the state of Georgia. He may be reached at [email protected].
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
'Sharp and Profound' Policy Shifts Prompt DC Law Firms to Evaluate Opportunities, Challenges
5 minute read
Trump Likely to Keep Up Antitrust Enforcement, but Dial Back the Antagonism
5 minute read
Big Law Lawyers Fan Out for Election Day Volunteering in Call Centers and Litigation
7 minute readTrending Stories
- 1Infant Formula Judge Sanctions Kirkland's Jim Hurst: 'Overtly Crossed the Lines'
- 2Trump's Return to the White House: The Legal Industry Reacts
- 3Election 2024: Nationwide Judicial Races and Ballot Measures to Watch
- 4Climate Disputes, International Arbitration, and State Court Limitations for Global Issues
- 5Judicial Face-Off: Navigating the Ethical and Efficient Use of AI in Legal Practice [CLE Pending]
- 6How Much Does the Frequency of Retirement Withdrawals Matter?
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
