Samuel S. Visner
Director, National Cybersecurity Federally Funded Research and Development Center (FFRDC), MITRE,
The cybersecurity of our country’s election systems has never been more important and, we have learned, never been a more significant target of nation-state adversaries. Reports from the Department of Justice and others detail efforts to undermine confidence in our election systems, and – more importantly – in one of the fundamental institutions of our democracy.
The election “ecosystem” is complex, comprising voting machines, tabulation systems, voter registration databases, ePollbooks, election-night reporting, and social media. Each of these presents its own vulnerabilities, and each merits the attention of election officials and cybersecurity experts.
Voter registration databases are vital to knowing who is supposed to vote in what polling place and jurisdiction; data in these systems reflect our fundamental right to vote. However, some of these databases are “legacy” systems, the security of which should be modernized and tightened.
Identifying problem areas
The Help America Vote Act of 2002 requires computerized voter registration systems, however, such systems may be vulnerable to cyberattacks that target the integrity and availability of data. Ransomware – holding voter registration data hostage – is among threats to consider, as is the potential to destroy or alter registration data.
Hardening our systems is not enough; the ability to recover swiftly and support scheduled election activities is vital.
Complicating matters is the increasingly connected nature of voter registration systems, which is mostly intended to ease and automate voter registration. Meeting that challenge requires an approach that considers both voter registration systems and their connectivity, the data on which these systems depend, and the need for these systems to be transparent.
System update
MITRE, a not-for-profit corporation founded in 1958 to devoted to serving in the public interest and building a safer world, is working on one aspect of this ecosystem: voter registration databases. MITRE’s engineers have developed high-level cybersecurity recommendations and architecture, which is freely available, to strengthen the security of voter registration databases, building on more than 60 years of system engineering experience.
Our efforts are founded on the need to recover gracefully from any failure or error with the voter registration system in a timely manner that allows eligible voters to cast the correct ballot. Sound architectural principles can help us sustain confidence in these systems, including the ability to trace, log, and audit changes to voter registration data.
Effective systems should be accompanied by policies for management, disclosure, and remediation of vulnerabilities. In addition, system resilience will depend on policies and procedures that are sufficiently flexible to weather cyberattacks.
State election officials are working hard to prepare for the next round of elections. In doing so, they must contend with a tight schedule and the need to make cybersecurity choices based on technologies that are immediately available, work together properly, and are practical. The recommendations and architecture developed by MITRE’s engineers can help election officials meet these requirements.For more information, contact [email protected].
Samuel S. Visner, Director, National Cybersecurity Federally Funded Research and Development Center (FFRDC), MITRE, [email protected]