Results of the Election Cybersecurity Scorecard, published by the Center for Strategic & International Studies (CSIS), found that states average a C- in election security. In a live webcast from the CSIS headquarters today, panelists discussed the results of the scorecard and what it means for election security. The panel looked at the progress made since the 2016 election and the gaps that remain.
In evaluating election security, CSIS identified four categories: campaigns, voter registration and election management systems, voting systems and election night reporting. The scorecard ranked threats by four degrees ranging from moderate to extreme.
According to the scorecard, the greatest threats exist in the ongoing attacks that target campaigns. “In 2018, cyber attacks by Russian hackers have allegedly targeted multiple Congressional campaigns, including Senator Claire McCaskill,” the CSIS wrote. Of all four categories, campaigns had the highest risk, with a "severe" rating.
In part, the inconsistency of security is a contributing factor to the severe risk level. “Cybersecurity practices for political campaigns remain inconsistent, although efforts by Department of Homeland Security (DHS) and the FBI to provide cybersecurity training and support to campaigns have had some effect. Extremely tight budgets, mostly-volunteer staffs, poor cybersecurity awareness, and the use of distributed, ad-hoc systems by campaigns have made improving campaign security difficult in spite of significant publicity around attacks on campaigns and campaign officials, particularly for local and state elections,” the scorecard said.
In the remaining three categories, the risk is serious, though the CSIS found that security in voter registration and election management systems and voting systems is improving. However, the security of election night reporting was rated as "weak."
Overall, the CSIS found that while elections in the US are vulnerable to cyber-threats, “we are not investing in strong security.” Despite the lack of investment and the continued attempts to exploit vulnerabilities in campaigns and voting systems, progress is being made.
CSIS found that 44 states participated in a DHS exercise to practice incident response plans and information sharing. In addition, all 50 states are now members of Multi-State Information Sharing & Analysis Center (MS-ISAC), and 548 state and local election organizations are members of Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC).
“The real risk here is around system vulnerabilities. The first step in protecting these critical systems is admitting that they are all vulnerable and looking for one tool or piece of software is not the answer," said Jon Check, senior director, cyber protection solutions, Raytheon. "While reports show that it would be extremely difficult for an adversary to change the outcome of a national election by hacking into voting machines and changing enough votes, past hacks have proven our election integrity is far from secure.
"But it’s not all doom and gloom. The more data we mine and conversations we start around election security, the more we can help solve the awareness issue. We need to build back confidence in the security of our systems, which will involve industry and government partnerships to harden voting systems and build up better network resiliency. It will take a combination of these partnerships, good cyber-hygiene and proven tools to ensure secured elections and restore our citizens faith in our electoral process.”