The recent $380 million of federal funding to replace paperless voting machinery and improve cybersecurity is desperately needed, but it is unlikely to ensure the long-term cybersecurity of U.S. election technology. The big picture: At best, the one-time spending will provide a catalyst for election organizations to gain basic cybersecurity competence. At worst, though, the money will be spent on discretionary purchases (e.g., digital pollbooks or new PC hardware) that only appear helpful and that, without proper security-centric integration, may increase the systems’ exposure to attacks.
The funds help states accomplish three goals:
- Pay for replacing unreliable paperless voting systems. While new systems provide paper trails, however, they rely on the same vulnerable hardware design.
- Design trustworthy, transparent processes for ballot audits. Audits can detect anomalies, but only if they adopt proven practices statewide.
- Fund election organizations to undergo post-election audit training, a process that will take years to implement. Anomaly detection is valuable, but doesn’t impede adversaries from using stolen information to discredit an election.While professional IT services and training would mitigate some of the risk, none of these solutions will address U.S. election technology’s fundamental vulnerability. And after 2018, election organizations will remain just as under-resourced to defend against adversaries as they were before.
The other side: This funding could also help states’ election organizations pay for cybersecurity services, but likely for one-time events, such as basic training for non-technical staff (e.g., defending against phishing) or contracting cybersecurity professionals.
The bottom line: In order to protect our democracy, the nation must start an intellectually honest discussion about how to design, develop and deliver a new election technology infrastructure.