New election cybersecurity funding likely to be only a stopgap
The recent $380 million of federal funding to replace paperless voting machinery and improve cybersecurity is desperately needed, but it is unlikely to ensure the long-term cybersecurity of U.S. election technology.
The big picture: At best, the one-time spending will provide a catalyst for election organizations to gain basic cybersecurity competence. At worst, though, the money will be spent on discretionary purchases (e.g., digital pollbooks or new PC hardware) that only appear helpful and that, without proper security-centric integration, may increase the systems’ exposure to attacks.
The funds help states accomplish three goals:
- Pay for replacing unreliable paperless voting systems. While new systems provide paper trails, however, they rely on the same vulnerable hardware design.
- Design trustworthy, transparent processes for ballot audits. Audits can detect anomalies, but only if they adopt proven practices statewide.
- Fund election organizations to undergo post-election audit training, a process that will take years to implement. Anomaly detection is valuable, but doesn't impede adversaries from using stolen information to discredit an election.
The other side: This funding could also help states' election organizations pay for cybersecurity services, but likely for one-time events, such as basic training for non-technical staff (e.g., defending against phishing) or contracting cybersecurity professionals.
While professional IT services and training would mitigate some of the risk, none of these solutions will address U.S. election technology's fundamental vulnerability. And after 2018, election organizations will remain just as under-resourced to defend against adversaries as they were before.
The bottom line: In order to protect our democracy, the nation must start an intellectually honest discussion about how to design, develop and deliver a new election technology infrastructure.
John Sebes is a co-founder of the OSET Institute and CTO of its TrustTheVote Project. William Crowell is a former deputy director of the National Security Agency and a partner at Alsop Louie Partners.