Editor’s note: A recent ISACA survey found that 85 percent of technology professionals worldwide (and 86 percent in the US) are concerned about the ability of the public sector to conduct secure, reliable and accurate elections. ISACA board chair Rob Clyde explores the topic of election data integrity in more detail below.
The motivations of cybercriminals are as diverse as their forms of attacks. Many cybercriminals are after money, naturally, but plenty of other incentives exist, including the allure of exerting power and influence. Unfortunately, one of the most impactful ways to do so involves tampering with the integrity of elections, a rising concern in the United States and around the world.
While election security is not a new topic, it took on increased prominence in the US in the aftermath of the 2016 presidential election and has prominently surfaced again in the build-up to November’s midterm elections. Although allegations of nation-state interference in the US election process have commanded much of the media attention, protecting the overall data integrity of elections is a much more encompassing issue than any attempt by a nation-state to influence a particular election cycle or campaign. Working to enhance the reliability of the information systems and technology that assure data integrity in the electoral process will be an ongoing challenge requiring bipartisan attention and support from leaders at all levels of the government.
Encouragingly, this challenge is clearly on the radar of US elected officials, with a bill to establish the National Commission on the Cybersecurity of United States Election Systems and the Secure Elections Act among the efforts to drive toward solutions. A recently formed Task Force on Election Security, composed of members of the Homeland Security Committee and House Administration Committee, allowed for members from both committees to interact with election stakeholders, as well as cybersecurity and election infrastructure experts, to analyze the effectiveness of the US election system. The task force produced a final report and future recommendations, with the goal of maintaining free, fair and secure elections.
While the attention on this topic in Washington, D.C., is an important starting point, there must be extensive collaboration between federal agencies and the state officials who are charged with direct oversight of elections. Many state officials face the massive undertaking of securing elections with small IT staffs and few cybersecurity professionals on their teams. Given the high stakes involved and the growing complexities of the threat landscape, election systems require more dedicated resources to ensure the appropriate people, processes and technology are in place to stave off threats to election data integrity, whether intentional or otherwise. The federal government must provide the funding so that states are able to update vulnerable voting machines and modernize their IT infrastructures. Federal funding allowing for the training of election officials and poll workers about cyber risks would be another worthwhile investment. Further, since elections are generally run at the state level, states and federal agencies need to increase coordination to allow for real-time notifications of security breaches and threats. This could also present an opportunity for the government to tap into the capabilities of the private sector to strengthen election security.
Additionally, as the task force recommended, states should conduct post-election audits in order to ensure the election was not compromised, as well as identify and limit future risks. The implementation of post-election audits is an immediate step the government can take to limit future vulnerabilities while also strengthening public trust in the process – an important consideration that should not be overlooked.
One intriguing longer-term solution for election data integrity is the deployment of blockchain technology. Blockchain is now being embraced by many different sectors and agencies, and was recently used in West Virginia for absentee voting leading up to the midterms. Blockchain has the ability to secure a permanent record that is timestamped and signed, and therefore cannot be altered in any way. Developing this cyberattack-resilient database could prove to be a critical step toward mitigating any potential manipulation or voting fraud.
While audit, governance, risk and information/cyber security professionals are charged with many important responsibilities, helping to solidify the data integrity of elections is among the most vital. In the US and around the world, fair and trustworthy elections are an indispensable component of free societies. Losing trust in the outcomes of elections would lead to a level of discord that would have a profoundly destabilizing impact. The events of the past few years have reinforced that protecting the integrity of the electoral system in this new era will require a significant investment in attention and resources. So be it. The alternative, taking our election security for granted, no longer is a viable path.