As the country digests the results of this year’s midterm elections, the concerns that were raised about the potential risk of cybersecurity threats to our voting systems remain. This year, Congress passed the Consolidated Appropriations Act of 2018 to make nearly $400 million available to the states to improve their administration of federal elections. I’ve met with secretaries of state, state IT leaders and local government officials across the country who were intensely focused on how to use this assistance to shore up election systems cybersecurity. Having served in state IT leadership for much of my career, I know how important it is to spend resources wisely and emphasize solutions that address the core issues of a challenge, versus simply applying a Band-Aid to solve it. Because our voting system is multifaceted, potential solutions to the election security challenge require a deeper focus on infrastructure. Even though the election is over, states should see election security as a year-round effort. States are the architects and supervisors of their respective election systems, and they execute this important constituent service in varying ways. Some states vote exclusively by mail, while others rely exclusively on electronic voting machines. Other states have a combination of voting options available to constituents in different localities.
Regardless of how or when states collect votes, they use similar technology for voting infrastructure. Like other constituent services, state agencies store, manage and monitor voter identification data electronically.
States run websites which house voter resources, often including calendars and polling locations. Voter registration can be done electronically in many parts of the country or through agencies such as the state’s department of motor vehicles. Government employees who input new registrations by mail or paper still must process them using computers and networks.
This means the election system has many components that are vulnerable entry points. Most states are aware of these realities and are focused on three areas: reducing online election systems vulnerability, enhancing security for Election Day operations and providing cybersecurity training for employees.
That’s a good start, but we also have to remember that while states oversee their elections centrally, they rely heavily on local counties and municipalities to administer them. If, for example, local administrators are working on unsecured or untrusted devices or networks, or have their credentials stolen, then the system remains open to great risk.