Securing US Elections Against Cyber Threats

Securing US Elections Against Cyber Threats

September 2020 Perspective EXPERT INSIGHTS ON A TIMELY POLICY ISSUE QUENTIN E. HODGSON, MARYGAIL K. BRAUNER, EDWARD W. CHAN Securing U.S. Elections Against Cyber Threats Considerations for Supply Chain Risk Management n January 9, 2020, the U.S. House of Representatives Committee on House Administration heard testimony from the chief exec- utive officers of Election Systems and Software (ES&S), Hart InterCivic, and Dominion Voting Systems, the three largest O 1 vendors of U.S. election equipment. The committee chair asked each of the three leaders whether their companies’ equipment contained compo- nents from either Russia or China, basing her question on a recent Interos report that stated that 20 percent of the components in one major elec- tion equipment vendor’s machine came from China.2 All three executives noted that they use Chinese-manufactured components in their election equipment, in part because they did not have viable domestic sources for these components.3 The hearing reflects a broader concern about the exposure that technology supply chains have to China, combined with a widening focus on election security in the United States that gained C O R P O R A T I O N prominence following Russian interference in the election officials around the country to offer cyber- 2016 elections but has extended to encompass many security services and advice. As part of that work, worries about foreign actors’ ability to interfere with CISA convened two advisory councils, one of gov- a core component of American democracy. ernment officials from the federal, state, and local In January 2017, then–Secretary of Homeland levels in a government coordinating council (GCC) Security Jeh Johnson declared election infrastruc- and the other drawing from the election system ture to be part of the nation’s critical infrastruc- vendor community in a sector coordinating council ture, designating it a subsector of the Government (SCC). The initial Election Infrastructure Subsector- Facilities critical infrastructure sector.4 Since that Specific Plan approved in 2018 called for the GCC to designation, the federal government, through the “partner with the SCC to facilitate election security Cybersecurity and Infrastructure Security Agency improvements across the election supply chain.”5 (CISA), has placed significant emphasis on election This initiative prompts questions on what improv- system cybersecurity, reaching out to state and local ing security in the election supply chain entails and how DHS and others can work with both the vendor Abbreviations community and election officials to achieve this objective. BOKN Business Open Knowledge Network CISA Cybersecurity and Infrastructure Security This Perspective focuses on the cybersecurity Agency risk to election supply chains. We start with a brief DHS U.S. Department of Homeland Security discussion of election infrastructure and the stake- DoD U.S. Department of Defense holders involved. We then examine what cyber EAC U.S. Election Assistance Commission ERIC Electronic Registration Information Center supply chain risk management (SCRM) means in ES&S Election Systems and Software the context of U.S. election systems. Finally, we GCC government coordinating council explore how traditional frameworks for SCRM can HAVA Help America Vote Act of 2002 be adapted to meet the needs of the election com- ICT information and communication technology munity in the United States. IR interagency or internal report NIST National Institute of Standards and It is important to note that SCRM is only one of Technology several issues that the United States faces in secur- PII personally identifiable information ing its elections. As many analysts have noted else- SCC sector coordinating council where, disinformation campaigns, mail fraud, and SCRM supply chain risk management SP special publication cyber threats to election systems are very real and potentially more-likely threats than supply chain 2 concerns are.6 But, as we explore in this Perspective, and, therefore, a jurisdiction’s ability to buy elec- the potential for scaling attacks to affect a broad tion equipment. This is an additional concern for swath of the American election landscape makes election officials, particularly as they plan for the the supply chain an attractive avenue for adversaries 2020 general election and beyond in the face of and therefore cannot be ignored. potential continued effects caused by the COVID-19 SCRM is a broad discipline that addresses a pandemic.7 variety of potential risks, such as disruptions stem- To understand how cyber SCRM applies to ming from natural disasters, political upheaval, election systems, we start with a look at the election or public health emergencies, such as coronavirus system’s cyber infrastructure. An election system is disease 2019 (COVID-19). This Perspective focuses really a series of computers and digital and analog on the deliberate targeting of election system supply components each performing specific tasks that chains through cyber means. We do not address may be networked together while in use or when other supply chain disruptions, such as the inabil- programmed. Figure 1 provides an overview of a ity to get raw materials, parts, or components in a generic election system, highlighting the system timely fashion. These are things that would affect a components and interactions across components. manufacturer’s ability to make election equipment FIGURE 1 Components of an Election System Registration Pollbook Voting machine Mail Tabulation Website Voter Ballot Ballot registration preparation mailing Pollbook Voting machine Ballot Tabulation preparation preparation return preparation Voting machine Tabulation use, Tabulation use, Aggregation, Pollbook use Website use precinct central state 3 The start of the process is voter registration, system equipment and services, and researchers and which involves creating, populating, and maintain- advocacy groups. ing a database of records of eligible voters. Voter registration information is used to populate poll- State and Local Officials books for verifying each voter at a polling center or precinct and providing them with the correct The U.S. Constitution makes each state responsi- ballot. In preparation for an election, ballots and ble for establishing the times, places, and manner 9 voting machines are prepared by laying out contests in which it chooses representatives and senators, using software and programming voting machines. as well as how it appoints electors for choosing the 10 During an election, voters may use voting machines president and vice president. As a practical mat- of various types (e.g., ballot-marking devices for ter, this has led to each state establishing its own paper ballots, direct-recording electronic machines structures and processes for overseeing elections, that record choices directly to digital media). Paper including the degree of centralization or devolution, ballots are scanned using high-speed scanners. the types of technology to use, and what forms of Then, ballots are tabulated and results reported voting are allowed (e.g., early voting, vote by mail). through formal election night reporting channels, as This puts state and local legislatures, elected offi- well as through postings of results on websites. cials, and election officials at the center of decisions about what equipment to purchase and how to implement election infrastructure. Given the diver- Stakeholders in Election Security sity in size and resources, state and local officials Although every voter has a stake in and should be also have varying levels of influence over the supply concerned about election security, the role of the chain in terms of purchasing power and regulatory voter is primarily to voice their concerns to elec- roles. For example, although California is the largest tion officials, policymakers, and elected leaders. In U.S. state by population, it also devolves significant this section, we briefly review the roles of the other authority to its local jurisdictions and therefore does primary stakeholders in election cyber SCRM. not speak with one voice to the vendor commu- 11 We discuss the considerations that inform their nity. Georgia, on the other hand, has centralized responsibilities and how they interact with other governance at the state level, including equipment stakeholders. We address state and local election purchases, which allows the state to negotiate with officials,8 federal stakeholders, vendors of election vendors with a single voice. Election officials do not make these choices unilaterally. However, they 4 must justify budgets; work with other parts of state as noted previously, as well as creating the Elections and local government; and engage state governors, Infrastructure Information Sharing and Analysis legislatures, and county boards on legislation and Center at the Center for Internet Security.13 budgets. EAC, an independent, bipartisan commis- sion established with the passage of the 2002 Help 14 Federal Officials America Vote Act (HAVA), develops guidance to meet HAVA requirements, creates voluntary guide- At the federal level, the principal stakeholders lines for voting systems, shares information on elec- involved in assisting state and local governments tion administration, accredits testing laboratories, to secure their election systems are CISA, the U.S. and certifies voting systems.15 Election Assistance Commission (EAC), and the NIST issues guidance and develops cybersecu- National

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    34 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us