By Eric Hodge
 

The localities that manage the voting precincts on Election Day are now on the front lines in defending the security and privacy of voting against enemies. While most of the focus has been on states, the cities and counties need to be just as vigilant as states when it comes to protecting the vote.

In the past, the voting process wasn’t seen as a target for hackers, but the 2016 presidential elections revealed a new way of thinking. Foreign actors attempted attacks on voting in 31 states. For example, Durham County, North Carolina may have been targeted through an ePoll Book hack that discouraged thousands of people from voting last November.

With the 2018 mid-term elections just a year away, local election officials should develop a plan that focuses on five areas:

1. Pick the right partners. Many localities use third parties to help maintain their voting machines and manage some processes on voting day. Localities should evaluate whether these third parties have capabilities and expertise in security and privacy practices. Employing a contractor to assess the third party is a good option.

2. Ensure that votes are counted accurately and completely. If a city or county has not taken clear, conspicuous measures to reassure the public that the selection they make in the voting booth is recorded and reported properly, confidence in our elections will suffer.

Localities should start with an inventory of the people, processes and technologies they have in place. Examine current privacy and security procedures and identify any vulnerabilities. From that baseline, a locality can establish a roadmap for effective policies and procedures to protect against security breaches. Vulnerability assessment contractors can help in this step of the process.

3. Shore up election audit processes. Counties must be able to ensure that their vote totals can be reviewed and audited. In the 2016 elections, there were recounts in five different states and allegations of voter fraud in two others where the accuracy of voting machines and the recount process were called into question. The unreliability of the auditing process led both parties to question not only the credibility of the original vote count, but the electoral process itself.

In every precinct, processes to ensure the physical security of voting machines and the machine zeroing processes need to be fully repeatable and well-designed. Localities need a proven chain of custody, with everything recorded, audited and handled much like a court document. Tightening up those processes, and in some cases the technologies, is key to making sure the vote is accurate and that any recounts will find the same number of votes as the first count.

4. Properly vet any new voting eligibility management systems. When new systems are introduced into the election infrastructure, they can bring new avenues of attack.  It is important to assess any new technology for vulnerabilities that attackers can exploit. Proper security procedures must be a priority during the implementation process.

5. Educate. People are often the easiest part of the system for hackers to exploit. Many public sector organizations have been hacked by phishing attacks delivered in emails, for instance. If a county or city focuses on its systems while neglecting to educate everyone in its network about how to recognize a hacker’s ploys, it is inviting trouble.

The Russian attack on the 2016 presidential election highlighted the vulnerabilities of our election process and procedures. With the mid-term elections only a year away, we have significant work to do to prevent future tampering.

Eric Hodge is Director of Consulting at CyberScout (www.cyberscout.com), a provider of identity and data defense services. For more than two decades, Eric has been instrumental in helping organizations develop and build their cyber security practice.