What have we learned from the 2016 presidential election? We have learned that our operation, which is composed of obsolete computers for our election system, is not un-hackable. We now understand we must protect voting districts, from small-town America to major metropolitan areas, from internal and external manipulation. For the sake of local, general and primary elections as a nation, we must come together. Instead of being divided by parties, we must unite under the premise of cybersecurity to maintain our voting system’s integrity. Each state doing its own processes will not work; our efforts have to be synchronized and looked at from simple, complicated and complex problem sets. 

Our adversary’s main objectives are to erode the American people’s trust by placing doubt in the integrity of our multifaceted election system. The buzzword “meddling” has been used to describe our adversary since November 8, 2016, and they have had a significant amount of time to perfect their strategy to include propaganda on social platforms to discourage voting. Within the cybersecurity realm, we must leave no stone unturned and ensure that everyone involved understands the threats within our elections process. We must take a look, and associate risk and mitigation factors at all levels, from early voting to absentee ballots to paper ballots scanned by electronic machines, which are all sent to a central location controlled by databases in which we must take strict precautions that the data at no point is manipulated.

What does right look like?

We cannot look at cybersecurity as a hurdle to jump or sidestep but as a necessary precaution put in place to maintain public faith and integrity of our election process. This essential precaution has to start with knowing what right looks like. It all begins with elected officials taking ownership and making sure their staff is prepared for the evolving cyberthreats.

Policies are the foundation for preparing for these threats, more specifically, standard operating procedures (SOPs) and best business practices (BBPs). These documents should not be tucked away in a desk drawer, collecting dust and only updated with new dates and signatures. They have to be living documents with buy-in from the top down and adhered to the same way.  

Preparing for cyberthreats does not come without new and ever-changing challenges, which include severely resource-constrained environments, and a pandemic. We have to think outside the box with secure and innovative methods to accomplish a successful, safe election. The elephant in the room is the task of securely performing interagency data sharing without it becoming an issue of national security. Also, if an incident does arise, the cyber-teams need to be well versed, have rehearsed tabletop exercises (TTXs), and possess enough resources to respond and accurately report, mitigate and pass on eradication techniques promptly without delaying or compromising the election process. 

Steps to Drafting Effective Policies

Drafting clear and actionable policies seems to be the biggest hurdle for many government agencies. So, where do teams start? I’ve identified some of the stumbling blocks I’ve seen, and I strongly recommend beginning with the following steps: 

  1. Prioritize the policy list and define the problem that the policy needs to address
  2. Get input from subject matter experts (SMEs) from the departments affected by the policy
  3. Seek input from legal counsel and review regulations
  4. Draft the policy
  5. Have all stakeholders review documents
  6. Get final legal and regulatory review of policies
  7. Have senior management sign off
  8. Establish memorandums of understanding (MOUs) and nondisclosure agreements (NDAs)
  9. Educate and train employees on the policies
  10. Establish policy review cycles
  11. Publish the policies so they are accessible to everyone

The Cost of Doing Business

Organizations want to stay on the cutting edge of technology, but large portions of funds are not always available. Unfortunately, budgets can differ each year to assist with the scarcity of funds; President Donald J. Trump signed the Consolidation Appropriations Act of 2020 on December 20, 2019, which included the Help America Vote Act (HAVA), providing funding to departments and agencies to include the Department of Homeland Security (DHS), and enhance technology, to provide improvements to election security. To receive funds from the act, organizations will need to follow the template from the State Request for CARES fund on the U.S. Election Assistance Commission’s website.

Nevertheless, with the available funds, we have to prevent well-financed and capable adversaries from implanting malware, releasing vote-altering software and tampering with voting machines’ proprietary software. We have to understand the complexities to combat this threat fully. We have to work in unison, placing egos and parties aside to stay resourced and capable of fortifying our election process, from adversaries that remain unseen and fight in the form of ones and zeros. We must embrace this challenge head-on. This doesn’t stop after the November election, but is a constant process requiring continuous improvement.

Contributors: