
Part II: Ensuring Election Day Results with Security and Integrity

As discussed last week, many states are failing to take appropriate responsibility – not only for ensuring that our voting machines work, but also that they’re secure. Is there hope that we can still encourage a change before November? As with anything else, change is often difficult and time-consuming.

We don’t have much choice, however – our current defenses are so poor that recently it took an 11-year-old child less than 10 minutes to hack a replica of a Florida election website. That doesn’t bode well for Florida, as an indication of the security work still to be done, and it’s just one example. It does raise another question – are we confident that any state is investing in security?

Too many states are still running older applications on their systems, and by itself, that’s bad news for security experts. However, some states are also actively inviting new ways to corrupt the voting process. Take West Virginia – this November, the state will become the first to allow military members stationed abroad to vote by smartphone – a decision that gives security experts nightmares.

Currently, the cross-use of personal data by state agencies like the Department of Motor Vehicles (DMV) also presents privacy concerns, and we’ve only just begun to examine the security needs of our country-level protections – there’s still a lot of work to be done.

To address many of these vulnerabilities, application security must be prioritized and applied from the registration systems through to the vote tabulation machines. If we are to trust the outcome of our future elections, we must insist that security best practices are documented and upheld. The federal government could consider using electoral regulations and inspections to enforce use of security best practices. To be effective, the oversight program would have to be defined and funded, and the consequences or fines for non-compliant states would have to outweigh the costs to fix the problems. For many states, the budget to overhaul cybersecurity systems is simply not there.

Let’s face it, federal initiatives struggle because of funding and because every state’s priorities vary as much as its citizens. We know that any mandated voting systems security would require funding on multiple levels. The recent passage of the Secure Elections Act, with $380 million in funding to secure election systems, is just the tip of the iceberg and likely came too late to have a positive effect on this year’s midterms. We don’t need to look further than California for an example of how difficult and expensive this task is – the state chose to return to paper ballots, even though it has the massive technical resources of Silicon Valley to rely on. So the burning question remains – will states willingly prioritize their budgets to fund the needed security measures, or will it take a large-scale geopolitical event and a federal mandate to compel state governments to re-organize their priorities?

 
