Putting Millions to Work for the Mid-Terms – How States Are Using Federal Dollars to Secure the 2018 Elections

 

Secretaries of State across the US got a pleasant surprise earlier in the year when the Federal government included $380 million in its omnibus spending bill, which was approved by Congress and signed into law by the President in March. Funded by the Help America Vote Act, the money has been provided to the States to improve their election processes and technologies. Although there is no explicit mention on the US Election Commission Site, the unspoken but common understanding is that these resources will be put in place prior to the 2018 mid-term elections so as to protect election infrastructure from interference by Russians or other nation state threats. Unlike many cyber security threats that are open-ended and have no firm timeline to speak of, the mid-term election is in November of this year, so states have a finite amount of time to further improve their cyber security posture.

As part of the Federal funding, each state received some piece of the $380 million, roughly proportionate to the population of each state.  Although $380 million sounds like a huge number, once the $380 million is divided by 50 states, the number becomes far more modest. States were guaranteed $3 million in grant funding, with additional funding available based on a state’s population. States like Maryland, Montana, North Carolina and Oregon received under $10 million while the largest states, California and Texas, received $38 million and $24 million respectively.

To further put this in perspective, existing voting hardware and software represent billions in state spending. In fact, in hardware alone, the cost to refresh existing voting machines far outstrips the resources allocated to the States by the Federal government in this go-around. If the scope of the problem isn’t yet clear, consider the local Elections Official in Bexar County, where I live, one of 254 counties in the State of Texas. San Antonio is situated here, making it one of the larger urban counties in the State, and there are over 700 precincts and 2,842 (count ‘em!) voting machines to maintain. That’s a huge number.

I’ve had the opportunity to speak with numerous election administrators across several states and what surprised me most are the common themes that arose from our discussions. Here are some of the highlights:

No One Wants to be “That Guy”! No one wants to be the John Podesta of 2018 (or 2020 for that matter). Although that seems to be a statement of the obvious, the looming sense of responsibility for State and local election officials exists across all states. Election officials understand that it’s not a fair fight when a nation state targets your state election infrastructure, so most are hoping they do enough to prepare themselves for a threat that is far more sophisticated than anything they’ve seen up to this point.

Biggest Bang for the Buck. Most election officials realize they have a limited amount of time to put Federal dollars to work, but they don’t want to spread the limited amount of money across too many needs. As we speak, election officials are trying to identify holes, make themselves more resilient, and implement technologies and practices that put them on a path to a positive, long-term security posture.

Need to Consume as Much of DHS Service as Possible. The Department of Homeland Security is offering intrusion detection, information sharing, and other cyber security services to assist states in better understanding their cybersecurity risks. Most state officials realize DHS alone won’t protect them, but they know they should consume as many DHS-offered goods and services as possible, lest they have a breach and are accused of not using freely available resources.

Finding Trusted Partners to Augment DHS & Internal Resources. State and local election administrators are reaching out to industry partners to fill in gaps that might exist before the mid-term election. There are a finite number of qualified vendors that have some context around voting systems, so election officials are well served to have established relationships with key outside vendors prior to November.

Balancing the Need to Protect Centralized Resources vs. the Political Need to Spread Money Around. Although nation state attackers are most likely going to attack the weakest and most centralized assets, Secretaries of State are reluctant to hoard Federal monies to lock down their state voter registration and reporting infrastructure. Political realities will dictate that state officials will be forced to share some/much of the federal monies lest they incur a political backlash from local elected officials.

Whatever is Found Must be Fixed.  Every state will need time to fix any glaring holes or identified security deficiencies prior to November. State officials are working overtime in the summer so they have enough time in the early fall to fix what they find.

Focusing on 2018 but Set Course for 2020. Given the timeline, states understand the 2018 mid-term elections are a tune-up for the larger 2020 US Presidential election. What I heard over and over again was a desire to upgrade technologies and security practices, but the deadline stretched well beyond November 2018.

No doubt much will transpire between now and November as states prepare for the mid-term election and further secure their voting infrastructure.  The artificial deadline puts some pressure on state and local election administrators to move fast. Unfortunately, states know that there is much work to do to prepare for the sophisticated attacks that a nation state is likely to unleash.


Want to learn more about the risks local elections officials might face from a foreign attack? Check out our latest webinar titled “Securing Voting Infrastructure before the Mid-Term Elections”. This webinar provides an attacker’s view of a typical state-run election system and makes recommendations on where to focus limited time and resources in the run-up to the 2018 mid-term election in November.

Have a question or want to join the conversation? Share your thoughts using the comments section below, or chat with me on Twitter using @johnbdickson.

About John Dickson

John Dickson is an internationally recognized security leader, entrepreneur and Principal at Denim Group, Ltd. He has nearly 20 years' hands-on experience in intrusion detection, network security and application security in the commercial, public and military sectors. As a Denim Group Principal, he helps executives and Chief Security Officers (CSOs) of Fortune 500 companies, including major financial institutions, launch and expand their critical application security initiatives.